Post Ransomware Recovery – What Do I Do Now?


Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

Ransomware as a Service (RaaS) and Malware as a Service (MaaS) have changed the threat actor paradigm, allowing potentially anyone to become a threat actor. The attacks usually happen in the following phases: first gaining access to the network, then exfiltrating as much sensitive corporate data as possible, and finally encrypting all the drives. The threat actors then usually threaten to leak the stolen data unless a ransom is paid. Victims are often forced to shut down their systems completely, in the worst cases having to rebuild their whole infrastructure from the ground up.


Unfortunately, many companies end up with no other choice than to pay the ransom, recover their data, and hopefully take it as an expensive wake-up call that pushes the problem to be addressed internally. Others, however, end up getting hacked again and having to pay the ransom twice. It brings to mind the saying “Fool me once, shame on you; fool me twice, shame on me.” We want to impart our best practices and preventative measures to ensure you don’t get fooled twice, and that you can feel confident about your company’s security posture.


What should I do after a ransomware attack?

1. Understand what happened

Perform a full post-incident investigation, using an objective third-party company if needed, to understand how the company was breached in the first place and, more crucially, which areas need improvement to prevent a breach from happening again. Remember, time is not on your side here. Based on the results of your investigation, make changes as needed.


2. Review your security posture

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) provides a list of precautions to protect against these threats, which we summarize as follows:

a. Keep your environment up to date

Update all your systems, from back-end servers to desktop computers, laptops and mobile devices, with the latest patches. The same applies to your applications: outdated software is one of the main attack surfaces, as attackers exploit known issues and vulnerabilities. Ensure your policies are updated to cover security updates.


b. Backup regularly

Regularly back up (at least daily) all your mission-critical servers and data, preferably to an external physical medium (e.g., tape) stored in a safe, so that your servers and data cannot be deleted accidentally or intentionally without physical access to the medium. If possible, keep multiple copies in different locations for redundancy. Finally, test these backups from time to time to ensure data can be retrieved correctly. We know of many companies that had to use a backup in a critical situation only to realize it was corrupted and nothing could be retrieved! You surely do not want that.
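To make the “test these backups” step concrete, here is an added example (not part of the original post or any ISEC7 tool) that records a SHA-256 manifest when a backup set is written and checks a restored copy against it, flagging files that differ or are missing; the file names and contents are constructed for the demo.

```python
"""Backup integrity drill (added example, not ISEC7 code): hash each file when
the backup is written, keep the manifest with it, and check a restored copy so
corrupted or missing files show up in a drill, not during a real recovery."""
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # stream in 1 MiB chunks; backups can be huge
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under backup_root."""
    return {p.relative_to(backup_root).as_posix(): sha256_file(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}

def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Classify each manifest entry as ok, corrupted or missing in the restore."""
    result = {"ok": [], "corrupted": [], "missing": []}
    for rel, expected in manifest.items():
        target = restore_root / rel
        state = ("missing" if not target.is_file()
                 else "corrupted" if sha256_file(target) != expected else "ok")
        result[state].append(rel)
    return result

def demo() -> dict:
    """Constructed sample: three files backed up; the restore has one intact,
    one silently altered by a single byte, and one never copied at all."""
    files = {"config.ini": b"[app]\nmode=prod\n",
             "db/customers.sql": b"INSERT INTO customers VALUES (1,'ACME');\n",
             "notes.txt": b"restore db before app\n"}
    with tempfile.TemporaryDirectory() as d:
        backup, restore = Path(d) / "backup", Path(d) / "restore"
        for rel, data in files.items():
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            (backup / rel).write_bytes(data)
        (Path(d) / "manifest.json").write_text(json.dumps(build_manifest(backup)))
        (restore / "db").mkdir(parents=True)
        (restore / "config.ini").write_bytes(files["config.ini"])  # intact copy
        (restore / "db/customers.sql").write_bytes(b"INSERT INTO customers VALUES (1,'ACMF');\n")
        return verify_restore(restore, json.loads((Path(d) / "manifest.json").read_text()))

if __name__ == "__main__":
    print(demo())  # {'ok': ['config.ini'], 'corrupted': ['db/customers.sql'], 'missing': ['notes.txt']}
```

In practice the manifest should be written to the backup medium itself and the drill run against a restore onto a scratch host, so the check exercises the same media and procedure a real recovery would.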


c. Secure your network

Instruct users against opening unknown URLs or documents from unsolicited emails.

Configure the firewall to limit inbound and outbound traffic to only a limited set of trusted IP addresses.


d. Use secure networks when away

While outside of the office, use only secure connections whenever available. In a public place, this means using your mobile operator’s (4G/5G, LTE) connection instead of open public Wi-Fi networks, for example by using your mobile phone as an access point for your other devices such as a laptop. In private places such as your home, preferably use a wired (Ethernet) connection if available, or at least make sure your Wi-Fi access point (AP) is using the latest Wi-Fi Protected Access 3 (WPA3) encryption; older encryption methods are now considered outdated and insecure. On top of that, only allow users to connect from outside the office back to the corporate network, to access data and documents, through VPN-like software and/or containerized solutions.


e. Improve password security

Make sure you have a policy in place that requires your users to change their passwords often, enforces an acceptable length and complexity, and prevents password reuse, either entirely or at least for a certain number of changes. Also enable Multi-Factor Authentication (MFA) to validate a user’s identity when connecting to corporate resources (e.g., mail, applications, etc.).


f. Only minimum permissions

Ensure only the minimum required permissions are granted to your users, especially those who are also members of an IT team; in that case, use a separate admin account or, even better, a temporary account whose privileges are elevated only to perform specific administrative tasks.


g. Filter

Use dedicated software to scan all incoming and outgoing email traffic so that spam, executable files, and phishing emails are filtered before reaching your end-users, and anything that comes from a non-trusted source or domain is flagged.


3. Disaster Recovery (DR) plan

Better to be safe than sorry. Consider how one of these attacks could affect your infrastructure and ultimately your whole business, in terms of both reputation and cost, and how you could recover from it as quickly as possible. In some cases, customers had to rebuild their whole organization from the ground up; imagine the amount of time, resources, and effort required to do that, not to mention that meanwhile the company was not able to operate at all, i.e., to generate business.


It would have been far better to dedicate a small fraction of that time to carefully building a backup infrastructure, so that most (if not all) of the environment can be recovered quickly. This can range from having offline, cold-standby servers hosting your core business-critical services, applications, and corporate data, to having a completely separate, isolated backup site, just in case. And of course, test these mirrored servers and infrastructure from time to time, and keep them up to date and documented, to make sure they will be there when you need them, hopefully never.


4. Train your employees

You are only as strong as your weakest link, and ultimately your end-users are your first and last line of defense. You might have the best security software and hardware in place, a disaster recovery (DR) plan, strong IT policies, and multi-factor authentication (MFA) mechanisms, but if your end-users still click on any URL they get in an email from an unknown sender or open any attached file, then you are not so safe. You need to brief them on the potential risks, on how most of them can easily be avoided by following simple but effective best-practice behaviors, and on whom to report to in case of doubt or issue. Then test them to ensure they have learned the lesson, for example by sending them internal “trap” emails to check their reaction: do they simply click on the bait, or are they cautious, do not click, and even report the potential security issue back to the IT department? End-users can be one of your best assets if properly aware of and trained on the existing risks, but your worst one if not, so you had better add them to the equation!


5. Implement proper cyber defense

Get ready to deal with cyberattacks: if you have not done so yet, deploy a Mobile Threat Defense (MTD) solution in your infrastructure. Many of them will mitigate, if not completely prevent, such attacks. Some vendors have demonstrated that, using their MTD software, they could have prevented the attacks, without any need to download or update anything, even when running completely offline… and all this using a version from several years ago! These solutions use state-of-the-art Artificial Intelligence (AI) and Machine Learning (ML) technologies to predict, prevent, and protect against these new types of attacks proactively.


6. Insurance

Besides all the safety measures you can take from a technical/IT perspective, you might also want to look into specific insurance to cover that potential risk, such as having to pay a ransom if no other option remains. But be careful: this is not a quick and easy way out of trouble, as it only works if your environment is already properly secured and prepared for potential cyberattacks, and properly and regularly audited, before you are even approved for such insurance. Plus, not all attacks are covered by all insurers; some may decide that, for example, a state-sponsored attack counts as an “act of war” and is therefore not covered. Just like any insurance, it is better to have it and never need it than to not have it when you desperately need it.



If you are reading this because your company has been affected by ransomware, we recommend the aforementioned best practices: educate your employees about the potential threat and the gravity of not following best practices right off the bat, conduct a post-incident assessment as well as a forensic assessment, and, moving forward, implement changes to improve your security posture, whether that entails consultation or deploying a Mobile Threat Defense (MTD) solution in your infrastructure. While all this information is daunting, the team at ISEC7 can help you and your team understand the options available to you today.


Regarding consultation, if you have any questions on how to improve your security posture and avoid security breaches, please feel free to contact us and we would be happy to assist.




(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group