Last month, we reported that Vectra, a leader in network threat detection and response (NDR), disclosed that cybercriminals’ most effective weapon in a ransomware attack is the network itself, which enables the malicious encryption of shared files on network servers, especially files stored in Infrastructure-as-a-Service (IaaS) cloud providers.
According to the Vectra 2019 Spotlight Report on Ransomware, recent ransomware attacks cast a wider net to ensnare cloud, data centre and enterprise infrastructures.
Chris Morales, Head of Security Analytics at Vectra, said today’s targeted ransomware attacks are an efficient, premeditated criminal threat with a rapid close and no middleman.
For our Editor’s Question, we asked industry experts what best practice approach organisations should take to prevent ransomware attacks.
Here’s what they had to say:
Phil Richards, CSO at Ivanti
Ransomware is an ongoing threat to businesses in all industries with new variants appearing all the time. Sodinokibi is a new variant of ransomware that has the significant capability to cripple a business. If businesses want to avoid a WannaCry-like disaster, then ransomware prevention must be at the forefront of their minds.
The main thing businesses must remember when dealing with ransomware prevention is the techniques used by cybercriminals are often the same as they have always been, but are now more sophisticated versions of old attacks. Therefore, the same principles apply to prevention. Companies must start from the bottom when it comes to cybersecurity, beginning with the basics.
There are four key areas companies should focus on when striving towards ransomware prevention: patching, employee training, backup and privileged access management. Patching software vulnerabilities should always be the first line of defence, with critical patches prioritised and updates for key programmes and apps, such as Adobe Flash, Java, Microsoft and web browsers, kept current.
One of the most common ways businesses become infected with ransomware is by taking advantage of employee error, specifically when employees fall for phishing emails or infected links. Obviously, education is the place to start but it is often not enough. Training also needs to be implemented to ensure that employees are always on their toes and don’t have a hand in the downfall of an organisation.
Backing up your files is always a strong defence against ransomware but businesses also need to be comfortable about the file restoration process. It may seem like an easy thing, but when several systems are down, restoring files can take time and businesses need to set and manage expectations.
Finally, privilege management must also be addressed. Businesses need to strike the delicate balance between minimising the number of accounts with certain access and privileges, and not affecting employee productivity. This form of defence is especially prominent in today’s workplace, where employees are becoming increasingly mobile, often connecting their devices, and by default a business’s drives, to unsecured or unprotected WiFi hotspots.
With Sodinokibi and other new strains of ransomware, another defence capability needs to be added to a business’s security arsenal: an assessment of the security of its vendors. This new strain of ransomware extends criminal capability to lock corporate files by infecting vendors that have access to those files, like Managed Service Providers. This means that even if companies do everything right, their files can still be locked if their vendors are missing key patches. A business will need to assess the patching program of its vendors as well as assessing its own patching.
Focusing on effective ransomware prevention can save businesses from lost data and high costs in the future. Prevention doesn’t need to be over-complicated; patch vulnerabilities, train staff, reduce privileges, back up data and assess vendors. These are simple but critical approaches to security that can go a long way towards protecting the business.
Kate Mollett, Regional Manager for Africa at Veeam
With the average number of breached data records topping 25,000 per country, it is not a matter of ‘if’ but ‘when’ a business will get compromised. Stealing sensitive data has become big business and this is where the importance of an effective data management strategy is critical.
From backing up to the availability of data following a crisis, decision-makers need to continually evaluate their strategies to ensure they mitigate any potential risks when it comes to data breaches.
Considering that the average cost in time to resolve a malicious insider attack is 51 days, can a business really afford not to take protecting its data seriously? On the positive side, the introduction of legislation such as the General Data Protection Regulation (GDPR) in Europe and the Protection of Personal Information Act (POPIA) in South Africa, has meant local organisations are more aware of the implications and taking data breaches more seriously.
This is not only in terms of the business impact but also the reputational damage and loss of consumer confidence as a result. Depending on the nature of the breach, fines associated with compliance and regulatory standards can be significant. Companies are very focused on securing their business, becoming more open with how they approach technology solutions and partnering with other organisations. But as they expand their digital horizons, so too does the potential threat landscape.
If ransomware is introduced, the only choices are conscious loss of data or restoring from a backup. An offsite copy of customer data at a local cloud provider, using different user credentials, adds another layer to the Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) solution. This also complements the offsite copy strategy, delivering many benefits. Some cloud providers have enabled Veeam’s Insider Protection Recycle Bin, which assists with internal and external threats.
We introduced the concept of a recycle bin for customers sending offsite cloud backups to cloud providers using Veeam Cloud Connect. This deleted backup protection or insider protection allows the cloud provider to enable the deleted backups protection option for specific tenants and looks to add another level of data security for cloud-based backups in the case of a malicious user gaining access to the backup and replication console or in the case of accidental deletion by an administrator.
Organisations must be more involved in the solutions that bring cloud data management into the business and further ensure that ransomware strategies include an educational aspect.
One key piece of advice that we have been sharing with the industry for years is the Veeam 3-2-1 rule. It states that you need to have three copies of your data, stored on two different media types, with one being offsite. This can address multiple failure scenarios and does not require any specific technology.
Haider Pasha, Regional Chief Security Officer (CSO), Emerging Markets, Palo Alto Networks
To tackle this question, we first need to keep in mind that ransomware is malware and there are different types of malware and various ways in which it can propagate and enter the customer’s environment. The most common point of entry is on the endpoint but there are other weak points. For example, malware can infect web servers residing in data centres that are not properly patched and protected. We often see that machines facing the Internet are vulnerable.
We also need to focus on the fact that malware is more lethal when combined with other forms of attack such as social engineering. This has been the case with some of the larger cybersecurity heists. It works like this: the attacker sends an attachment such as a fake invoice to an unsuspecting admin worker who also receives a follow-up call from the attacker asking them to open the attachment. The link contains hidden malware that will infect the organisation’s systems and run in the background. Organisations must be aware of the nature of the threat so that they can equip themselves to better prevent ransomware and other malware attacks.
In terms of preventing malware – and by extension ransomware – attacks, there are various aspects of system security that organisations can take control of. Firstly, as an organisation you should ensure that your systems are properly updated and patched. Unnecessary software and plugins should be disabled to limit potential vulnerabilities and avoid the spread of malvertising. As an organisation you also need to keep an eagle eye on email and ideally your cybersecurity systems should warn you when receiving email from an external source.
To counter the human engineering method, we recommend that you avoid taking cold calls from people: be aware of who’s calling and be especially suspicious if a person who you don’t know asks you to open a link – that should be an immediate red flag – and the email should be sent to your IT or security department.
Let’s not forget that ransomware, along with other malware, can spread through simple web browsing. Most antivirus software and endpoint systems know when you attempt to visit a malicious website and will report it as compromised, but it is still something to be aware of at the organisational level.
On the networking side, your organisation should have good quality firewalls and anti-malware and anti-ransomware systems that can detect any threats rapidly and prevent them from spreading. Your staff should also have a basic knowledge of security and the way the main threats operate to avoid simple mistakes such as clicking on malicious links.
Another important point to consider is authentication. Your organisation should have robust authentication methods in place such as strong passwords and verification questions. In fact, a zero-trust approach is best. Moreover, the right level of authentication solutions should be in place in the network, the cloud and at the endpoint to prevent the installation and spread of ransomware and other malware.
Rob Kelsall, Global VP – Sales Engineering at Resolve
Very little has changed over the past 10 years when it comes to ransomware prevention – the fact is that the latest threats are still using the same old tricks. For example, MegaCortex, a new ransomware strain identified in May, is a self-executing menace that is packaged up in a new signature but causes havoc using old techniques to exploit vulnerabilities and infiltrate networks.
As the basis of ransomware has remained the same, so has the advice given on ransomware prevention. Even with a brand new malware strain, the bottom line is that we are dealing with a piece of unauthorised software that companies don’t want to infiltrate their systems.
When it comes to ransomware, prevention is always better than cure. Once a system becomes infected, there is typically no public decryption available. This is why it is so crucial to be on top form when it comes to security in order to control the spread of the problem – something that can be achieved with automation.
Many aspects of security can be automated, allowing protective and preventative steps to be taken before an employee is even aware of an issue. For example, patch management can be automated to keep systems and software updated and free of vulnerabilities.
Patching is a never-ending cycle with many steps that go well beyond simply deploying the patch. Automating this entire process, from pre-patching checks to post-patching validation and updates to governance systems, can free up IT and security professionals to spend more time on bigger and more complex issues, improving the efficiency and effectiveness of security and wider IT processes.
Of course, it is unlikely that ransomware prevention efforts will ever be 100% effective and therefore it is crucial to have an effective incident response plan in place should the worst happen. Automating incident response can allow employees to work smarter, faster and more efficiently, even with limited resources.
Automated incident response can take many of the false alarms or easily resolved incidents off the hands of employees, so only real and serious security alerts are passed on to be assessed by a skilled employee, allowing them to focus on the most critical issues immediately.
The key to saving your business from ransomware is of course prevention, but you must also have systems in place should your methods of prevention fail. While ransomware prevention can seem like a daunting prospect, many aspects, such as patch management and incident response, can be automated to allow employees to spend their time on more knowledge-based or serious tasks.