Current State of Ransomware
Ransomware is an issue affecting organizations in all market verticals. Globally, there is a lack of qualified cybersecurity practitioners, and attackers realize this lack results in systems that are not hardened. Rather than attempting “traditional”
attacks, organized crime groups will implant attack code into victim organizations and indiscriminately encrypt systems and data. The decryption key or keys are then held for ransom. If an organization wants its data back, it must either find a way
to reverse the encryption process, restore systems from backup or pay the extortion demands.
Due to the prevalence of ransomware attacks, organizations all over the world have increased their backup readiness posture. In many instances, this allows well-prepared organizations to avoid paying ransom. In response, forward-thinking attack groups
have shifted tactics. In addition to standard ransomware encryption attacks, these groups are now stealing data and threatening the victim organization with public release of the data if the ransom demands are not met. Because of this, we are seeing
a renewed focus on data protection at rest and in transit.
Defending Against Ransomware Attacks
Defending against this new level of ransomware attack requires a new level of focus on your backup program. Practitioners should consider:
- Data-only backups: Since ransomware and other Trojan applications (such as backdoors and rootkit launchers) can be hidden within good applications, many organizations take a data-only backup approach. This eliminates the risk of inadvertently
backing up and restoring weaponized content. When restoring from backups, data-only backups can be used with confidence the restoration will not reintroduce malicious content.
- Rapid operating system and application re-install: The data-only backup approach requires organizations to reinstall their operating systems and applications with each restoration. This should always be done from trusted media to
avoid the reintroduction of malicious code. An added benefit to this approach is organizations no longer need worry about configuration drift that may be reintroduced when restoring from aging backups.
This is a shift from a more traditional “back it all up” approach. Most organizations are discovering that with modern IT automation tools the re-provisioning of any system can be done easily and at scale. In the event
of a mass system reset – a common occurrence in ransomware events – this process can be faster than backup-only-based restoration.
- Dedicated service accounts: Ransomware attacks typically use lateral movement to infect and attack as many systems as possible. Therefore, it is imperative that every effort be taken to minimize the chances of lateral movement. This
includes the use of dedicated service accounts for as many tasks as practical, including separate backup creation and restoration service accounts. As an added precaution, these service accounts should be configured to not allow interactive login.
Additionally, Windows Active Directory login hours should be used to prevent unauthorized use of the backup creation service account outside backup creation times. If backup restoration account is created, it should be left disabled until it is
used.
- Offline backups: Ransomware attacks are almost always automated and opportunistic. They will indiscriminately attack any system, including available backup systems and volumes. For decades, it has been a best practice to have offline
backups. However, the risk of backups becoming encrypted has reinforced this need.
- Routine tests: Organizations must conduct drills to learn what their actual restoration times are. After each drill, an after-action report should be done to determine how to improve restoration times. Note that once best-case restoration
times are within service-level agreements (SLAs), adverse conditions should be simulated. While not common, the backup servers themselves may be affected by the ransomware attack. The reloading and re-indexing of your backup libraries can take
more time than anticipated.
Minimizing Data Theft Extortion
Organizations are rethinking their data lifecycle to minimize the effects of newer data theft extortion methods. Some practices to consider are:
- Enforce data destruction: Data that is no longer needed should be removed from all systems. Attackers cannot steal nonexistent data.
- Monitor for theft via multiple methods: While technologies like data loss prevention (DLP) can help, they are not strictly required. Monitoring file shares, databases and other sources of data at rest is possible with OS- and application-native
auditing capabilities. Log aggregation systems or SIEMs can have alert thresholds set for unexpected sweeping access. This monitoring will also help detect internal rogue employees or contractors.
- Protect data in transit: Use of network microsegmentation and secure protocols can dramatically reduce the risk of attackers intercepting data while it traverses the internal network.
- Test your visibility: Organizations often overestimate their ability to monitor and detect malicious traffic. If practical, test your ability to detect unexpected traffic with tools that can simulate attacker traffic patterns in a
safe and repeatable manner.
Modern Ransomware Defense Tactics
Good backups aren’t enough to counter the latest version of ransomware. To improve your chances of recovering without paying a ransom, consider:
- Aggressively testing backups and backup restoration. It often takes longer than some organizations realize.
- Leveraging modern automation technologies. Tools like Windows Autopilot maximize the capabilities of your staff.
- Monitoring for data theft to avoid the newer extortion threats.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.