This is the 2021 cybersecurity outlook from the security company VMware Carbon Black: findings from a survey of UK IT professionals on attacker and defender behaviour, which shows how the most economically damaging malware in history continues its unpleasant evolution.
Surveys like this usually produce the kind of headlines most professionals could have guessed for themselves: ransomware is getting worse, and larger ransoms are being extracted from a wider range of victims. But behind the predictable trends there are often less obvious details that give important clues about where ransomware is heading in the coming months. History shows that IT professionals and business owners should treat this kind of data as an early warning of future problems.
The most significant finding is that ransomware attackers are increasingly using counter-incident-response (anti-IR) techniques before the ransomware itself is triggered. The most common is disabling the security tools that could reveal the extent of the attack to defenders (mentioned by 33% of respondents), followed by denial-of-service attacks (26%), usually used to distract defenders while the intrusion is in progress. Other techniques include destroying log files (15%), which are needed both for detection and for post-incident forensics; monitoring email channels (9%) to track the defenders' response to the attack; and fully destructive attacks (7%), probably intended to intimidate victims into paying. In total, two-thirds of respondents said they had encountered at least one of these techniques.
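The techniques above leave traces before the ransom note appears: a cleared event log, a stopped endpoint sensor, a shadow-copy deletion. The following is an added example (not from the survey or from VMware Carbon Black) of a small triage routine that flags those traces in normalised endpoint events; the sample events are constructed, the field names are assumed, and the event IDs and command patterns are standard Windows ones (4688 process creation, 1102/104 log cleared, 7036 service state change). It goes slightly beyond the survey by also covering shadow-copy deletion, which is how the backup-targeting mentioned below usually shows up on a host.

```python
"""Flag the counter-incident-response techniques the survey describes (disabling security
tools, destroying logs) plus shadow-copy deletion, in normalised endpoint events.
Added example, not part of the survey; SAMPLE_EVENTS are constructed, not real telemetry."""
import re
from collections import defaultdict

# Windows event IDs used below: 4688 process creation with command line (Security log),
# 1102 Security log cleared, 104 System/Application log cleared, 7036 service state change.
LOG_CLEARED_EVENTS = {1102, 104}
# Services whose stop is suspicious: Defender AV, Defender for Endpoint sensor, Windows Firewall.
SECURITY_SERVICES = {"windefend", "sense", "mpssvc"}

# Command-line patterns keyed by the technique they indicate.
COMMAND_RULES = {
    "log_destruction": [
        re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
        re.compile(r"\b(Clear|Remove)-EventLog\b", re.I),
    ],
    "security_tool_tampering": [
        re.compile(r"Set-MpPreference\b.*-Disable", re.I),
        re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+(windefend|sense|mpssvc)\b", re.I),
    ],
    "backup_destruction": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    ],
}

# Constructed sample events, in the shape a SIEM might normalise them into (field names assumed).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "cmd": r"C:\Windows\System32\wevtutil.exe cl Security"},
    {"host": "ws01", "event_id": 1102, "cmd": ""},
    {"host": "srv02", "event_id": 4688,
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv02", "event_id": 7036, "cmd": "", "service": "Sense", "state": "stopped"},
    {"host": "srv02", "event_id": 104, "cmd": ""},
    {"host": "srv03", "event_id": 4688, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws05", "event_id": 4688, "cmd": "notepad.exe report.txt"},
]


def classify(event):
    """Return the set of techniques a single normalised event indicates (empty if benign)."""
    found = set()
    if event.get("event_id") in LOG_CLEARED_EVENTS:
        found.add("log_destruction")
    if (event.get("event_id") == 7036 and event.get("state") == "stopped"
            and event.get("service", "").lower() in SECURITY_SERVICES):
        found.add("security_tool_tampering")
    cmd = event.get("cmd", "")
    for technique, patterns in COMMAND_RULES.items():
        if any(p.search(cmd) for p in patterns):
            found.add(technique)
    return found


def triage(events):
    """Union the techniques seen per host. Several distinct techniques on one host is the
    strongest sign that an intrusion is already under way rather than a lone admin action."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event)
    return dict(per_host)


def hosts_needing_escalation(events, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct anti-IR techniques."""
    return sorted(h for h, t in triage(events).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(techniques) or 'clean'}")
    print("escalate:", hosts_needing_escalation(SAMPLE_EVENTS))
```

The escalation rule is deliberately per-host and counts distinct techniques rather than raw hits: a single `wevtutil cl` can be an administrator, but a cleared log plus a stopped sensor on the same machine within the same window is the pattern the survey is describing.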
Ransomware attacks are becoming more opportunistic
There is no doubt that ransomware now targets backup systems and steals data. The theft is part of the newer double-extortion strategy, in which the attacker threatens to publish sensitive data unless the ransom is paid quickly. Another easily overlooked trend, not covered by the survey, is the speed with which ransomware operators now exploit certain classes of software vulnerability, often within hours of public disclosure.
A perfect example is the recent wave of attacks on on-premises Microsoft Exchange servers through the so-called ProxyLogon vulnerabilities, first disclosed on 2 March. The initial attacks were the work of nation-state actors, but ransomware operators soon saw an opportunity in a flaw serious enough to give backdoor access to any unpatched server. By 11 March a ransomware strain called DearCry had begun infecting vulnerable servers, including some in the UK. Microsoft fixed ProxyLogon with an out-of-band patch, but it usually takes weeks or months for everyone to apply a patch. However understandable that may be, in security terms it is too slow.
How to prevent ransomware attacks
Beyond the fact that ransomware has strengthened the case for continuous human analysis and monitoring, there is no simple way to solve the ransomware problem. Smaller companies will increasingly need to invest in managed services to support them against threats that are now too complex for in-house security teams. Larger organizations have more options, but even there the tendency to treat security as something that can be left to automation is likely to collide with reality. At a minimum, organizations need multiple layers of protection and process assurance to assess their exposure and level of risk. As attacks evolve, defenders must evolve with them, in a battle where containment may be the best achievable victory. So what can defenders do to protect themselves?
Authentication
The first defence against ransomware is prevention. That means, first, locking down all user accounts, including privileged accounts, with strong authentication. The fact that many ransomware attacks begin with some form of credential abuse, not only of user accounts but of remote desktop protocol (RDP) and similar services, bears this out. Strong authentication means that even if an employee is successfully phished, the attacker still has to defeat the authentication system. Where token-based authentication is used, no successful phishing has been achieved in recorded attacks.
Test your backups
The second line of defence is to make sure the organization has a sound backup strategy, including offline backups. This makes bringing services back online a more straightforward process, but with some caveats. First, if recovery takes days or weeks, backups alone are not enough. Organizations must test their backup and restore process before an attack to learn how long it actually takes.
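Two of the points above are easier to see in code than in prose: why a token that signs for the site it is really talking to survives a phishing relay that defeats passwords and one-time codes, and what a backup "test" has to measure. The following is an added example, not from the report. The TOTP routine follows RFC 6238; the device "signature" is an HMAC with a per-device secret standing in for a hardware authenticator's public-key signature (a simplifying assumption), and the origins `login.example.com` and `login.example-com.evil` are made up.

```python
"""Phishing relay against a one-time code versus an origin-bound device token.
Added illustration, not from the report. TOTP is RFC 6238; the device signature is an
HMAC stand-in for a hardware authenticator's public-key signature (assumption)."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_server_accepts(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Typical server check: accept the current code or one step either side."""
    return any(hmac.compare_digest(totp(secret, now + d * step), code) for d in (-1, 0, 1))


def relay_attack_totp(secret: bytes, now: int) -> bool:
    """Phishing page asks the victim for their current code and replays it to the real site
    a few seconds later. Returns True if the real site accepts it (attacker wins)."""
    code_typed_into_phishing_page = totp(secret, now)
    return totp_server_accepts(secret, code_typed_into_phishing_page, now + 5)


class Authenticator:
    """Device-resident secret that never leaves the device. It signs the server's challenge
    together with the origin the browser is actually talking to, so a signature produced on
    a phishing page is bound to the phishing origin."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def registration_key(self) -> bytes:
        # Stand-in for registering a public key; with real public-key credentials the
        # server would hold only the public half (assumption for this illustration).
        return self._key

    def sign(self, challenge: bytes, browser_origin: str) -> bytes:
        return hmac.new(self._key, browser_origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()


class RelyingParty:
    """The real site: issues challenges and verifies signatures against its own origin."""

    def __init__(self, origin: str, device_key: bytes):
        self.origin = origin
        self.device_key = device_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.device_key, self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def relay_attack_origin_bound(phishing_origin: str) -> bool:
    """Attacker relays the real site's challenge to the victim on the phishing page and the
    victim's signature back. Returns True if the real site accepts it (attacker wins)."""
    device = Authenticator()
    real_site = RelyingParty("https://login.example.com", device.registration_key())
    challenge = real_site.new_challenge()                # attacker fetches this from the real site
    signature = device.sign(challenge, phishing_origin)  # browser binds it to the page shown
    return real_site.verify(challenge, signature)        # origin mismatch: verification fails


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"                # RFC 6238 test-vector secret
    print("TOTP relayed via phishing page accepted:", relay_attack_totp(demo_secret, 1111111109))
    print("Origin-bound token relayed via phishing page accepted:",
          relay_attack_origin_bound("https://login.example-com.evil"))
```

The point of `relay_attack_totp` is that the server's tolerance window, which is needed for clock drift, is exactly what gives the attacker time to replay the code; no amount of user training changes that. In `relay_attack_origin_bound` the user did nothing differently, yet the signature is useless to the attacker because the origin is mixed into what was signed.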
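"Test the backup process" means more than checking that a job ran: a drill has to restore into a clean location, prove every file came back intact, and time the whole thing against the recovery-time objective. The following added example (not from the report) does that on a constructed data set in a temporary directory; the file names, the 60-second RTO and the "silently skipped file" failure case are all made up for illustration.

```python
"""Restore drill for a backup: create an archive plus an integrity manifest, restore into a
scratch directory, verify every file's hash, and time the restore against an RTO.
Added example, not from the report; sample data and the skipped-file case are constructed."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, archive: Path, skipped=()) -> dict:
    """Archive `source` as tar.gz and return {relative_path: sha256}. The manifest lists every
    file that should have been backed up and belongs in the offline copy next to the archive.
    `skipped` simulates a backup job that quietly missed files (constructed failure mode)."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_of(path)
                if rel not in skipped:
                    tar.add(str(path), arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, target: Path, rto_seconds: float) -> dict:
    """Restore into `target`, check every manifest entry, and report whether the RTO was met."""
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")   # refuses path traversal, absolute paths, links
        except TypeError:                           # Python without the extraction-filter backport
            tar.extractall(target)
    elapsed = time.monotonic() - start
    missing = sorted(rel for rel in manifest if not (target / rel).is_file())
    corrupt = sorted(rel for rel in manifest
                     if rel not in missing and sha256_of(target / rel) != manifest[rel])
    met = not missing and not corrupt and elapsed <= rto_seconds
    return {"elapsed_seconds": elapsed, "missing": missing, "corrupt": corrupt, "rto_met": met}


def run_drill(rto_seconds: float = 60.0, simulate_skipped_file: bool = False) -> dict:
    """End-to-end drill on a constructed data set inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, restore_dir = root / "source", root / "restore"
        for rel, content in {"db/customers.csv": b"id,name\n1,Example Ltd\n",
                             "web/config.ini": b"[app]\nmode=prod\n",
                             "docs/runbook.md": b"# Recovery runbook\n"}.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        archive = root / "backup.tar.gz"
        skipped = {"db/customers.csv"} if simulate_skipped_file else set()
        manifest = make_backup(source, archive, skipped)
        return restore_and_verify(archive, manifest, restore_dir, rto_seconds)


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(simulate_skipped_file=True))
```

The manifest is the part most backup scripts leave out: without an independent list of what should be in the archive, a job that silently skipped a locked database file looks identical to a good one until the day you need it. Keep the manifest with the offline copy, not on the server being backed up, or the attacker who reaches the backups can edit it too.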
Minimize data exposure
Today's ransomware attackers not only encrypt data, they also steal it. To some extent this has always been the case, but data theft has become the main motive behind many attacks. This creates a troubling problem for victims: even if an organization can recover its servers after an attack, how does it get the stolen data back? Sadly, it cannot. That data is gone for good and can never be "unstolen". This makes it crucial to minimize the amount of data any single attack can reach. Some organizations go as far as strictly limiting how much data any PC can see, for example by restricting local storage. Many SMEs will be put off by this, but it can be argued that ransomware attacks make the approach necessary.
Penetration testing
A penetration test provides a good baseline assessment that will reveal obvious weaknesses. Better still, invest in red team exercises, in which the organization's whole security posture is tested, including employee behaviour and physical security. The limitation of penetration testing is that it gives only a snapshot of vulnerability at one point in time, so follow-up is necessary.
Paying the ransom
Sophos' 2021 State of Ransomware report found that roughly a third of organizations hit by a successful attack paid the ransom, but only 8% got all their data back; on average only 65% of the data was recovered. That raises the question of whether the apparently simple option is really simple at all. Paying may also mark the victim as a "soft" target with funds available, encouraging future attacks. Will cyber insurance cover it? Unlikely, and there is speculation that insurers may leave the market at some point as costs rise.
Incident response
When a ransom note appears on multiple PC screens, the attacker has almost certainly been inside the network for days or weeks. That makes having an incident response plan vital. If that is not possible, SMEs must be ready to turn to a managed service provider (MSP) with expertise in handling ransomware attacks. It won't be cheap, but it may be the only hope in an emergency. Victims can also seek advice from the National Cyber Security Centre (NCSC), part of whose role is to support UK organizations that have suffered such attacks.
Third-party certification
Depending on the size of your organization and the level of cybersecurity expertise you have access to, your leadership team may want reassurance that all necessary measures are in place. Independent third-party certification is one way to provide it. From the government-backed Cyber Essentials and Cyber Essentials Plus schemes to UKAS-accredited ISO 27001 certification, these provide varying degrees of assurance to those responsible for ensuring the organization properly protects itself from attack.
The importance of employee training
Even with experts and third parties providing independent assessments of your cybersecurity work, the greatest threat to most organizations may not be what you expect. As this white paper explains, hackers are not the biggest threat to your security. If you want a chance of avoiding becoming a victim, it is important to ensure that employees are properly trained on the threats they need to be aware of and how to respond to them. These e-learning courses on cybersecurity and phishing awareness for beginners are an ideal way to ensure that your employees do not become your greatest weakness.