Ransomware is Malware that commonly uses encryption to hold a victim’s data for ransom. An organization’s data in encrypted so that they cannot access. Ransom is then demanded to unencrypt and make it available again. Ransomware is usually designed to spread across a network and target database and file servers.
An attacker can gains access to the environment through a targeted attack, via email spam or phishing or an existing vulnerability they discover. Once access is established, the malware encrypts data using a key pair generated by the attacker. Once specific goals are met the ransomware prompts the user for a ransom to be paid to decrypt the files. If the ransom is paid then the attacker would promise to deliver the private key to the organization so they can decrypt their data. Unfortunately even if the ransom is paid, some organizations never hear from their attacker again and they are not provided the key.
How it Happens?
Ransomware often starts through a phishing email that contains an infected or malicious attachment. Other attacks can start by someone downloading a file that was infected or unknowingly allowing an application to be installed by a website. Another possible entry point is through a vulnerability in a particular application or OS. In many cases these vulnerabilities are identified with patches provided by the software vendor. WannaCry was an example of a ransomware attack that took advantage of a vulnerability in the Windows OS. The vulnerability was identified with a patch provided before the attack, but infected computers had not applied the patch or were running a version of the Windows OS that was out of support.
How to Protect Yourself?
Patching
The best and easiest defense is to make sure that all laptops, servers and network devices are kept up to date with the latest patches and firmware. In many cases, vulnerabilities are identified by the vendor or other Whitehat hackers and reported to the vendor so they can correct the problem. This usually happens before the vulnerability can be exploited.
Patching has become straightforward with several ways to automate including:
- OS Settings – Automatic download and installation of patches can be configured within the OS though sometimes reboots are not automatic and require attention.
- Azure Update Management – Used to manage operating system updates for Windows and Linux VMs in Azure or Physical or virtual machines in on-premises environments.
- AWS Systems Manager Patch Manager – Similar to Azure Update Management, AWS Patch Manager allows for cloud and on-prem patch application and updates.
- WSUS/SCCM – Microsoft offerings provided to automate and report on patching of Windows machines.
- Third party patching tools – Some 3rd party patch automation tools exist that improve on or simplify the features within SCCM.
Network Segmentation
Many malware packages including Ransomware spread to new machines from infected machines on the same network. If an organizations network is completely open then 1 infected machine can be used to infect everything. Segmentation improves security by dividing a network into segments to control how traffic flows across the network. This segmentation limits traffic to where it needs to go and can limit the damage and spread of malware. A related best practice is to isolate access from third parties via dedicated access portals.
Security
Make sure to keep current on recommendations for updates to protocols and best practices. Organizations should also consider encrypting their data. This will ensure that even if there is a data breach, the attacker is not able to use the data as part of a ransom threat. That said, Ransomware can re-encrypt data so this is not a protection against a Ransomware encryption attack.
Another area to review is the organizations authentication practices. If an attack is started due to a password obtained through a 3rd party breach then it is very easy for an attacker to place malware anywhere that the breached account has access. With 2 factor (or multi-factor) authentication this becomes much less likely as the attacker would also need to be in possession of the account owners’ phone or have access to their secondary email account.
Training
Educate the user community on what Phishing looks like and proper etiquette for content from unknown sources. The best defense is to make sure that staff are not clicking on unsafe attachments, browsing to unknown website, or downloading unsafe content.
Backups
Every organization should have a backup process in place though most have focused on recovering from equipment failure. Many backup processes simply make sure that the data is backed up onto a device other than the one being protected. With ransomware this is not enough as many impacted organizations discover that their backups are also encrypted and useless for a recovery effort. For proper protection organizations must incorporate multiple copies of data, use different storage media and keep at least 1 copy offline or otherwise inaccessible by the source network. Cloud backup solutions can also achieve this using multi-factor authentication and network segmentation in addition to minimum retention range checks which ensure at least one recovery point in case of attack.
You can read more about Ransomware Attack here.
Teknita has the Cyber Security experts to support all your technology initiatives.
We are always happy to hear from you.
Click here to connect with our experts!
0 Comments