The Cost of Ransomware
Emerging ransomware strains evolved from “just” encrypting your data to sometimes running additional code on compromised machines in addition. Then it goes about collecting as many user/passwords combinations as possible, connecting with their command-and-control servers (C&C), and sitting idle in a dark corner while waiting for instructions.
With the estimated 2021 cost of ransomware for the global economy estimated at $20 billion and the frequency of ransomware attacks reaching one every 11 seconds (not including the even more frequent personal attacks), taking proactive measures to keep ransomware at bay is no longer a luxury, it is a critical necessity.
With the average dwell time of ransomware evaluated at a mere 5 days (far shorter than for any other type of attack), prevention, and rapid detection are essential for protecting any organization.
Cymulate’s recent ransomware survey results show that the most effective strategy to fend off ransomware attacks is to adopt advanced offensive testing practices ranging from continuous security validation techniques such as Breach and Attack Simulation (BAS) or Continuous Automated Red Teaming (CART) and including Attack-Based Vulnerability Management (ABVM) and Attack Surface Management (ASM). These offensive testing approaches not only shine a line on the security gaps most likely to be targeted by ransomware attackers, ideally, they also provide detailed mitigation recommendations that streamline the security posture hardening process. When applying an extended security posture management approach to maximize the use of these continuous validation techniques, the measurement of variance from established baselines can be quantified using accurate metrics.
With or without incorporating offensive testing into your cyber tool stack, there are several other pre-emptive measures that can be taken to fend off ransomware attacks or to minimize the impact of those that manage to worm their way into your environment.
Proactive Measures to Preempt Ransomware
Internet and Remote Access to the Organization’s Network
- Reduce the attack surface as much as possible by keeping the number of ports and servers in check, limiting access to those with privileged access, and blocking the remainder through firewall and ACL rules.
Enable access to authorized employees and third-party suppliers exclusively through VPN with encryption and with strong identification procedures with MFA. - When available, impose access through the OWA or similar service for remote access to servers and endpoints – including remote servicing, preferably through a Jump Box and with constant monitoring.
- Consider using geolocation to block traffic, either from specific countries, tagged as a likely source of malicious activity or from all areas not related to your activity.
- Update all servers and connected security equipment as soon as an update is made available. Cyber-attackers take advantage of the time window between the publication of a vulnerability and the patching to launch attacks on users with lax update policies.
Network Configuration
- Unless you own valid addresses to set up the internal network, rely on RFC1918-B to define the corporate network addresses not directly accessible from the Internet.
- Segment the internal network to limit access to servers and sensitive information and hamper the lateral movement of potential intruders.
Note: Configuring VLAN is not segmenting. Communication between VLAN without security-based restrictive access policies configuration enables free information flow between VLAN configured for admin and network maintenance purposes. - Implement Zero Trust network segmentation wherever possible.
- Restrict access to network management (both servers and communication equipment) to a minimal core team working on dedicated computers disconnected from the Internet. Restrict permissions exclusively to network management.
- Monitor access to the network management segment, with access exclusively through Jump Box with MFA, secured identification.
- Avoid direct traffic between workstations and limit communication with servers to licensed services. Enforce firewall settings on all endpoints and limit the number of ports and addresses to a minimum.
- When remote access to endpoints is required for assistance or maintenance, limit such access exclusively to the Helpdesk. Prevent remote access directly between endpoints.
Software, OS, and Hardware
- Maintain exhaustive documentation and inventory of all hardware and software in use, including active and past versions, and active SaaS and other third-party services.
- Monitor security update publications from all manufacturers, publishers, and service providers of the hardware, software, and services listed in the inventory and implement security updates as soon as they’re published.
- For endpoints with access privileges to sensitive data, define and enforce policies limiting access to whitelisted applications.
- Install and configure EDR and AV on all endpoints and servers. Monitor and handle all detected suspicious activity.
- Configure endpoints and servers to prevent connection to and file transfer from external media. Enforce both sandboxing files before transfer or uploads and the use of email filtering for attachments.
- Enable and enforce accessing all Office documents in Protected View and disable the activation of Macros, and also disable JavaScript in PDFs.
Identification
- Enforce MFA identification to all users with high privileged access attempting to access the network or its services.
- Limit granting admin privilege to a strict need-to-know basis.
Logs and SIEM
- Transfer endpoints’ logs to the collecting server in as short a time as possible. That server will host the organization’s SIEM with all configurations defining privilege access and inter and intercommunications parameters and detect suspicious activity at entry points and along attackers’ escalation paths.
Proactive Measures to Limit Ransomware
Backups
- Keep a minimum of 2 comprehensive backups of the organization’s critical systems on two separate supports stored in 2 distinct locations other than the organization’s and at least one of them disconnected from the Internet.
- If storing a backup on the cloud, ensure file encryption before uploading.
- Keep all backups up to date.
- Practice restoring from backup.
Data Loss Prevention
- Define privilege access following Just-In-Time Privileged Access Management (JIT PAM) procedure for all sensitive data to limit access to protected data exclusively for the duration required in addition to limiting it to the authorized users.
- Scan emails sent from systems with access to sensitive data to ensure they do not contain unauthorized content. This can be made easier by tagging sensitive content with markers, like keywords or hashes.
- Monitor the volume and frequency of data transmission by your users over email and other organizational messaging tools. If the average user sends 5 megabytes of data on average per day, a user sending 500 megabytes should trigger an alert.
- Add permissions-aware security and encryption on each file by wrapping them with DRM tools.
- Use a CASB to regulate traffic from cloud access points and enforce encryption policies for all data transmitted to external recipients.
As the risk of being targeted by ransomware attackers is likely to remain alarmingly high for the near future, implementing pre-emptive measures as well as continuous security validation with the extended security posture management methodology is becoming a pivotal necessity.
As shown in Cymulate’s Ransomware survey, preparation makes the difference between an annoying occurrence and a catastrophic breach.