Ransomware attacks are becoming more destructive, pushing back against incident response (IR) by wiping log files, launching denial of service attacks and even in some cases setting out to destroy data to belittle victims.
This is the finding of security company VMware Carbon Black’s 2021 Cybersecurity Outlook: Attackers vs. Defenders survey of UK IT professionals, which highlights how the most economically dangerous malware ever invented continues its unpleasant evolution.
Normally, surveys like this offer the sort of headlines most professionals could probably guess for themselves – ransomware is getting worse, extracting bigger ransoms from a wider range of victims. But behind these predictable trends often lie less obvious snippets that give us important clues about where ransomware is going in the coming months. History suggests that IT professionals and business owners should always treat this sort of data as an early warning of trouble ahead.
Top of this list is the growing tendency of ransomware attackers to counter IR systems directly, particularly the security tools that might reveal the extent of an attack to defenders (mentioned by 33% of respondents), ahead of denial-of-service (26%), often deployed as a way of distracting defenders while an attack is in progress. Other techniques included destroying log files (15%), which are relied on during both detection and forensic post-incident response; monitoring email channels (9%) to track how defenders react to an attack; and outright destructive attacks (7%), presumably a way of intimidating defenders into paying up. All told, two thirds of respondents said they’d been on the receiving end of at least one of these techniques.
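Log destruction is the counter-IR technique a defender can most readily watch for, because the act of clearing a log is itself logged and a wiped or stopped log source goes quiet. The following is an added example, not code from the article or from VMware Carbon Black, that runs two such checks over constructed sample records: Windows "event log cleared" events (Security log EventID 1102 and System/Application EventID 104, both from the Microsoft-Windows-Eventlog provider) and hosts whose event stream stops for longer than a threshold. The record format, host names and two-hour threshold are assumptions for the illustration.

```python
# Added example (not from the article): flag counter-IR activity in forwarded
# Windows event logs. Two signals are checked over constructed sample records:
#   1. "Log cleared" events: EventID 1102 (Security log) and EventID 104
#      (System/Application logs), both emitted by Microsoft-Windows-Eventlog.
#   2. A host that goes silent (no events for longer than a threshold), which
#      is how a wiped log or a stopped forwarder often shows up in a SIEM.
from datetime import datetime, timedelta

LOG_CLEARED = {
    (1102, "Microsoft-Windows-Eventlog"),
    (104, "Microsoft-Windows-Eventlog"),
}
SILENCE_THRESHOLD = timedelta(hours=2)  # assumed; tune to the estate's normal cadence

# Constructed sample records; field names mimic a typical log forwarder's output.
SAMPLE_EVENTS = [
    {"ts": "2021-03-11T08:00:00", "host": "ws-01", "event_id": 4624,
     "provider": "Microsoft-Windows-Security-Auditing", "user": "alice"},
    {"ts": "2021-03-11T08:05:00", "host": "ws-01", "event_id": 1102,
     "provider": "Microsoft-Windows-Eventlog", "user": "alice"},
    {"ts": "2021-03-11T08:06:00", "host": "srv-02", "event_id": 4624,
     "provider": "Microsoft-Windows-Security-Auditing", "user": "svc-backup"},
    {"ts": "2021-03-11T12:30:00", "host": "srv-02", "event_id": 4624,
     "provider": "Microsoft-Windows-Security-Auditing", "user": "svc-backup"},
    {"ts": "2021-03-11T08:10:00", "host": "ws-03", "event_id": 104,
     "provider": "Microsoft-Windows-Eventlog", "user": "bob"},
]


def parse_ts(value):
    """ISO-8601 timestamps as used in the constructed records."""
    return datetime.fromisoformat(value)


def detect_log_clearing(events):
    """Return one alert per 'log cleared' event, with who did it and where."""
    alerts = []
    for e in events:
        if (e["event_id"], e["provider"]) in LOG_CLEARED:
            alerts.append({
                "host": e["host"], "ts": e["ts"], "user": e["user"],
                "reason": f"event log cleared (EventID {e['event_id']})",
            })
    return alerts


def detect_silent_hosts(events, threshold=SILENCE_THRESHOLD):
    """Return one alert per gap in a host's event stream longer than threshold."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        by_host.setdefault(e["host"], []).append(parse_ts(e["ts"]))
    alerts = []
    for host, times in by_host.items():
        for prev, cur in zip(times, times[1:]):
            gap = cur - prev
            if gap > threshold:
                alerts.append({
                    "host": host, "gap_start": prev.isoformat(),
                    "gap_hours": gap.total_seconds() / 3600,
                    "reason": "no events for longer than threshold",
                })
    return alerts


def triage(events):
    """Combined view an analyst would page through during an incident."""
    return detect_log_clearing(events) + detect_silent_hosts(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed records the clearing check fires for ws-01 and ws-03, and the silence check fires for srv-02, whose stream stops for about four and a half hours. In production the silence check is the more valuable of the two, since an attacker who stops the forwarder before clearing logs leaves no 1102 to find; the gap is the only trace.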
Ransomware Attacks Are Increasingly Opportunistic
It goes without saying that ransomware already targets backup systems and steals data as part of a new tactic, double extortion, in which attackers threaten to release sensitive data unless the ransom is paid quickly. Another easy-to-miss trend not mentioned in the survey is the speed with which ransomware attacks now jump on certain kinds of software vulnerabilities, often within hours of those becoming public.
A perfect example of this phenomenon is the recent wave of attacks on on-premises Microsoft Exchange servers targeting the so-called ProxyLogon vulnerability, first revealed on 2 March. Initially the attacks came from nation-state attackers, but ransomware operators don’t take long to spot an opportunity in a serious issue that allows backdoor access to any unpatched server. By 11 March, a ransomware type called DearCry had started infecting vulnerable servers, including some in the UK. Microsoft fixed the ProxyLogon vulnerability with an out-of-band patch, but it typically takes weeks or months for everyone to apply it. However understandable that might be, in cybersecurity terms it is simply too slow.
How To Prevent Ransomware Attacks
There’s no simple fix for ransomware beyond the way its existence reinforces the need for continued human analysis and surveillance. Smaller companies will increasingly need to invest in managed services to support them in countering a threat that is now too complex for in-house security teams. Larger organisations have more options but even here the tendency to see security as something that can be left to automation could be dented by reality. At the very least, organisations need multiple layers of protection and the assurance of processes to assess their level of exposure and risk. As attacks evolve so defenders must evolve with them in a battle where containment might represent the best victory on offer. What can defenders do to protect themselves?
Authentication
The first anti-ransomware defence is prevention. That means, first, locking down all user accounts, including privileged ones, using strong authentication. This advice is borne out by the fact that many ransomware attacks start with credential abuse of some kind, not only of user accounts but of services such as Remote Desktop Protocol (RDP). What strong authentication means is that even if an employee is successfully phished, the attackers will still have to overcome the authentication system. In the case of token-based authentication, successful phishing has never been achieved in a documented attack.
Test backups
The second defence is to ensure the organisation has a good backup policy, including offline backups. This will make getting services back online a much easier process. However, it comes with some caveats. First, backup will not be enough on its own if reinstatement takes days or weeks to complete. Organisations must test their backup process before an attack to get a realistic idea of how long this will take.
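A restore drill answers two questions the paragraph raises: how long does reinstatement actually take, and does the restored data match what was backed up? The following is an added example, not code from the article, of such a drill. It builds a SHA-256 manifest of the live data at backup time, times a restore from the backup copy, and then checks every file in the manifest against the restored tree, reporting missing and corrupted files. The file names, contents and the simulated backup defects are constructed for the illustration; the copy-based "restore" stands in for whatever restore tool the organisation actually uses.

```python
# Added example (not from the article): a restore drill that measures how long
# a restore takes and proves the restored data matches what was backed up.
# It runs entirely inside a temporary directory on constructed sample files.
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its digest; record this at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored_root = Path(restored_root)
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted,
            "missing": sorted(missing), "corrupted": sorted(corrupted)}


def restore_drill(manifest, backup, target):
    """Time the restore, then verify it; returns what a drill report needs."""
    start = time.perf_counter()
    shutil.copytree(backup, target, dirs_exist_ok=True)  # stand-in for the real restore
    elapsed = time.perf_counter() - start
    result = verify_restore(manifest, target)
    result["restore_seconds"] = round(elapsed, 3)
    result["files_checked"] = len(manifest)
    return result


def demo():
    """Constructed scenario: a backup that silently lost one file and damaged another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, dst = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restored")
        files = {  # constructed sample data
            "finance/ledger.csv": b"id,amount\n1,100\n",
            "hr/staff.txt": b"alice\nbob\n",
            "notes.md": b"# ops\n",
        }
        for rel, data in files.items():
            for root in (src, bak):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        manifest = build_manifest(src)                   # taken when the backup was made
        (bak / "hr/staff.txt").unlink()                  # file never made it into the backup
        (bak / "notes.md").write_bytes(b"# ops\n\x00")   # partial write / bit-rot in the copy
        return restore_drill(manifest, bak, dst)


if __name__ == "__main__":
    print(demo())
```

The drill reports `ok: False` with `hr/staff.txt` missing and `notes.md` corrupted, which is exactly the kind of failure that only surfaces when the restore is rehearsed rather than assumed. The `restore_seconds` figure, taken on the full production data set rather than three tiny files, is the realistic recovery time the paragraph asks for.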
Minimise data exposure
Today’s ransomware attackers don’t just encrypt data, they steal it too. In fact, this has always been the case to some extent, but the tactic has become a primary motive for many attacks. This raises disturbing issues for victims. Even if an organisation can reinstate its servers after an attack, how can it retrieve stolen data? The answer, sadly, is that it can’t. That data is gone forever and can never be ‘unstolen’. That makes it essential to minimise the amount of data any one attack can gain access to. Some organisations go as far as to severely limit how much data any PC can see, limiting local storage. Many SMEs will baulk at this, but arguably ransomware attacks make this approach a necessity.
Penetration tests
Carrying out a penetration test offers a good baseline assessment, which will spot obvious weaknesses. Better still, invest in a ‘red teaming exercise’ in which an organisation’s entire security is tested, including the behaviour of employees and physical security. The limitation of a pen test is that it gives only a snapshot of vulnerabilities, which makes it essential to carry out follow-ups.
Paying ransoms
The Sophos State of Ransomware Report 2021 found that around a third of those successfully attacked paid a ransom, but only 8% of them got all their data back. The average data recovery was only 65%, which raises the question of whether taking the easy option is an easy option at all. Paying might also lead to victims being marked as a ‘soft’ target with funds, thereby encouraging future attacks. Will cyber-insurance cover it? Unlikely, plus there is speculation that providers might leave the market at some point in the face of rising costs.
Incident response
When a ransom note appears on multiple PC screens, it means attackers have almost certainly been inside the network for days or weeks. This makes it essential to have a response plan to turn to. Failing that, SMEs must be prepared to turn to a managed service provider (MSP) with expertise in dealing with ransomware attacks. This won’t come cheap, but it can be the only hope in an emergency. Victims can also turn to the National Cyber Security Centre (NCSC) for advice, as one of its jobs is to support UK organisations experiencing these kinds of attacks.
Third-Party Certification
Depending on the size of your organisation and the level of access you may have to cybersecurity expertise, your leadership team may be looking for comfort that all necessary measures are in place. Independent, third-party certification would be one way to achieve this. From the Government-sponsored Cyber Essentials and Cyber Essentials Plus schemes to UKAS-accredited ISO 27001 certification, these all provide varying degrees of reassurance for those with the responsibility to ensure an organisation has properly protected itself from attack.
The Importance of Staff Training
Even with experts in place and third parties providing independent assessment of your cybersecurity efforts, the biggest threat to most organisations is not necessarily what you might expect. As this whitepaper explains, hackers are not the greatest threat to your security. Ensuring staff are properly trained around what threats to look out for and how to respond to them is critical if you are going to stand a chance of avoiding becoming a victim. These Cyber Security For Beginners and Phishing Awareness e-learning courses are ideal ways to ensure that your staff do not become your greatest weakness.