How Ransomware Works - 5 Ways to Lower Your Risk

When it comes to ransomware, everyone is looking for a magic bullet – but buyer beware. There is no technology on the market today that can provide a 100% guarantee to protect against a ransomware attack.

The good news is that you can manage the cybersecurity risks that lead to ransomware attacks to reduce the chances of criminals taking over your network. Using these strategies, you can also prepare to respond quickly and lower the financial impacts should the unfortunate event occur.

Five Ways to Manage Ransomware Risks

For the “TL;DR” readers, let’s talk about how to protect and defend against ransomware first. Here are five things that every organization should be doing today.

1. Security Awareness Training
   Security Awareness Training (SAT) is key to preventing ransomware from getting into the network in the first place. Users should be regularly trained as threats change over time. The most common attack vector for ransomware is email, and knowledgeable users make for a good line of defense. The phishing emails are getting better: they know not to click on an ad for a free iPad, but would they click on a link to see cute puppies?

1. Backups
   Regular backups can significantly minimize the impact of a ransomware attack because if the encrypted data is readily available on some other media, recovery can occur quickly and with minimal interruption to operations. This control assists with the impact of ransomware on the availability of data – confidentiality could still be impacted. To minimize that impact, consider encrypting data at rest. Additionally, make sure your backups are not connected in a way that ransomware can get to it. The criminals know you’re trying to back things up and they usually try to encrypt the backups, too.

1. Continuous Network Monitoring
   24x7 continuous network monitoring is one of the best ways to minimize the impact of ransomware. You may not be able to control whether ransomware finds its way onto your network, but you do have control over how quickly it is detected and remediated. If ransomware pings a criminal command-and-control (C2) server, an expert security analyst trained to see it will be able to help you shut it down before encryption. Critical Insight’s MDR is custom-built for this, and you can take a look at some of our SOC success stories here.

1. Follow a Cybersecurity Framework
   A risk assessment or gap analysis against a security framework or standard of practice is a best practice not just for understanding risk around a ransomware attack, but also to develop a go-forward plan for mitigating all kinds of risks. Check out this post on cybersecurity frameworks to learn how to get started.

1. Good Cybersecurity Hygiene
   There is no substitute for a solid cybersecurity architecture and basic hygiene. Things like network segmentation, up-to-date default-deny firewall rules, regular vulnerability scans with verified remediation of high-risk findings, as well as implementing a network monitoring system (IDS/IPS), endpoint detection/protection (AV, EDR), password management, and Multifactor Authentication (MFA) will help reduce the attack surface. All of these things are included in cybersecurity frameworks, so I still suggest starting there. Once the basics are covered, moving toward a Zero Trust model would be a strong next step.

Ransomware Attacks Are on the Rise

Ransomware attacks have become part of the daily cybersecurity news cycle, as threat actors continue to find soft targets across the United States. From 2015 to 2016, attackers have increased their extortion demands because they discovered their victims will pay higher prices to get back their data and systems. In the past year alone, after targeted ransomware attacks, numerous state and local governments have gone offline, schools have been interrupted, and healthcare organizations have had to shut their doors.

The financial impacts of these interruptions have been significant. Recent estimates stemming from the ransomware attack on the City of Baltimore in the spring of 2019 put the cost of the attack at $18.2 million dollars. The City of Atlanta estimates their 2018 ransomware attack costs have surpassed $17 million dollars, or 2.6% of the city’s annual budget.

What Is Ransomware?

The word “ransomware” conjures up images of hackers in hoodies running nmap scans on a laptop covered in anarchy stickers. But that pop culture image is actually part of the problem – the myths about ransomware mean many folks don’t really know what it is, who is spreading it, and how to protect against it.

Historically, ransomware has been largely opportunistic in nature; the threat actors behind these attacks send out a phishing email campaign and see who bites on the bait and detonates the malware. However, this has recently shifted to more deliberate targeting of organizations that have a defined set of attributes:

• Poorly protected, because of the financial realities of their businesses and inability to properly resource IT security
• Critical, as any disruption at all to their operational continuity results in large impacts

This trend has put local government (cities, counties, school districts) and the health sector (notably mid-market and rural hospitals and clinics) in the crosshairs. And in a disturbing twist, the recent ransomware attacks are increasingly coming from state-sponsored actors running money-making operations that simulate organized crime.

How Does a Ransomware Attack Work?

To defend yourself against malware, you have to understand what it is and how it works. Ransomware is an attack on the availability (and sometimes also the confidentiality & integrity) of information systems. It attempts to extort the victim by encrypting their data, essentially rendering it and the system it’s on useless without the decryption key. The attacker holds the data ransom pending a transfer of cryptocurrency, and often (but not always) provides a decryption key once the ransom payment is received.

When considering a highly targeted ransomware attack, for the ransomware to encrypt data that the victim will actually pay a large sum of money to retrieve, the attacker needs context. Simply locking up a random laptop is unlikely to result in any significant amount of money to extort; what they are after is critical data – PII/PHI, trade secrets, financial data, information or applications that are crucial to operations.

Identifying this information can take time, meaning that the damage isn’t necessarily done instantaneously when an employee clicks on a malicious link or attachment. We’ve seen various types of ransomware, and some encrypt faster than others. Looking at it from a criminal’s point of view, ransomware can encrypt immediately, but might not get the most valuable files. It can ping a command and control (C&C ) server, find something a little more valuable (like “recent documents”) and then encrypt – which might take as little as three seconds. Or, it can ping a C&C server, spend a more significant amount of time looking for valuable files to encrypt, and then hold hostage the most valuable files.

The attackers are also smart enough to know that you make backups of this sensitive information, and if you are not protecting those backups from unauthorized access, the attacker will make sure they encrypt the backup copies as well.

If Attacked by Ransomware — Should You Pay the Ransom?

If all of the protective measures fail, and you are faced with losing a lot of encrypted data… you’ll be faced with the question: Do you pay the ransom?

If the protective and defensive tactics failed, you’ll have to figure out whether to pay off those demanding the ransom. Often, for those with coverage for ransomware events, that decision is made by cyber-insurers, and you should notify your insurer as soon as an event occurs.

While on a panel at the Maureen Data Systems Cybersecurity Conference, we asked panelists Eric Humbert of the US Secret Service and Dr. Eric Cole of Secure Anchor to give their opinions on whether to pay ransomware demands. There was consensus among the three of us that while this is a business decision, it is one that should be informed by the reality that payment does not guarantee decryption of the data, and it may place organizations at higher risk for future attacks. Prevention and rapid detection are key.

What to Do If You Decide to Pay the Ransom

If you haven’t conducted an investigation and determined how the event was initiated or have not determined whether additional malware and/or backdoors have been installed, do it immediately after recovery or the bad guys will use the same vulnerabilities they used before, or the backdoors they just installed, to ransom your data a second time. If you haven't plugged the holes they found on the first attack — which they’re counting on — you are going to get hit again. In the case of Baltimore, the city’s emergency services were hit by a ransomware attack in March of 2018, a little over a year before the larger, more impactful, attack occurred in May 2019. The city clearly missed their opportunity to manage the risks.

Since the scourge of ransomware isn’t going away, hopefully this article gives you what you need to prevent, stop, and defend against an attack.