Information security leaders face an enormous threat affecting organizations of every size and in every industry as ransomware is being used to extort capital from companies worldwide.
The bottom line
According to recent research, the average payment following a ransomware attack in 2020 is trending up with triple digit increases year over year. That same research shows that the size of the largest ransomware attacks is growing at a staggering pace. Prior to 2020, the largest known ransom demand was $15 million. In 2020, it was $30 million, and this year there has already reportedly been a $40 million ransom paid.
How a ransomware attack begins
The anatomy of a ransomware attack starts when the attacker gains access to install their payload. Three modes of attack are most common:
- Use stolen credentials to access systems where ransomware can be installed. Credentials could be phished, obtained through social engineering, or even bought from dark web sources. These could be considered Identity and Access Management (IAM)-based attacks.
- Trick a user into installing ransomware on their device. An example of this attack vector is emailing a link or attachment that the user opens, which installs the payload.
- Attack unpatched systems that have a security flaw. For example, Microsoft Exchange servers recently had a vulnerability patched, and Microsoft urged Exchange customers to apply the patches immediately. Unfortunately, some organizations fail to apply patches promptly, leaving them exposed to known vulnerabilities that adversaries can readily exploit to launch ransomware attacks.
Land and expand
While some ransomware attacks are limited to one system, the value of an attack increases when it can reach many systems, including those with sensitive data or those critical to the operations of the targeted organization. Attackers who gain control of one system typically seek to move laterally, using credentials obtained from earlier successes in penetrating cyber defenses or leveraging known vulnerabilities and techniques such as “pass the hash.”
A common pattern ransomware gangs follow is to encrypt an organization’s data and concurrently exfiltrate it to their own servers. From there, they contact the organization with their demand for money (often in the form of Bitcoin), some proof that they hold the organization’s data, and finally a threat to leave the organization’s data encrypted — and, in addition, to publish the organization’s data on servers managed by the ransomware organization.
Interestingly, the demanded ransom often doubles if payment is not made by a deadline. However, final payment is often negotiated for an amount below what was originally demanded. To add insult to injury, some payments to ransomware gangs carry a sanctions violation risk.
Top 6 IAM defenses
- Require MFA everywhere – the best way to prevent credential attacks is to require multi-factor authentication (MFA) everywhere. If the organization is not there yet, start with network access points and anything connected to the single sign-on (SSO) system. Then ensure each system requires a second factor and/or device trust. Note: Not all MFA is created equal – seek a non-phishable form of MFA wherever possible.
- Deploy a robust IGA system – One method hackers use is creating backdoor accounts on systems they’ve infiltrated. Modern-day Identity Governance and Administration (IGA) systems should pick these up as accounts that were created out of band. Access reviews can also serve as a detective process to identify over-privileged accounts.
- Deploy a robust PAM system – A privileged account management (PAM) system can be configured to check out and check in access to accounts, or to apply even more advanced defenses for critical admin-level accounts. PAM systems should always require MFA.
- Apply monitoring and alerting – the use of a Security Information and Event Management (SIEM) system in IAM is a great way to identify potentially nefarious activity. Especially when combined with user behavior analytics (UBA), centralized alerting can help spot an attack in progress and enable the team to take containment action such as disconnecting affected systems from the network.
- Manage account hygiene – Using basic controls such as strong passwords (a 15-character minimum length is the best practice) can make a meaningful impact on security. In addition, and where possible, enforcing the use of trusted devices can make a large impact.
- Institute controls to avoid being socially engineered – a common vector for stealing credentials is social engineering. Using self-service password management that requires a second factor will reduce calls to the support desk. It is also important for support to have a strict, well-defined policy whenever resetting a password for someone over the phone.
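As an added illustration of the IGA and monitoring points above (detecting accounts created out of band and raising SIEM-style alerts), the script below reconciles directory audit events against the IGA system's approved provisioning records. It is example code written for this page, not Protiviti's or any IGA/SIEM vendor's product; the audit lines, account names, group names and the provisioning service account name `iga-provisioner` are all constructed assumptions.

```python
"""
Reconcile directory account-creation events against IGA approvals and flag
anything created or privileged out of band.

Constructed example: all records, log lines and names below are invented.
"""
import json
from dataclasses import dataclass

# Constructed: the IGA system's record of approved provisioning requests,
# keyed by account name, with the groups each request authorised.
IGA_APPROVED = {
    "jsmith": {"requested_by": "hr-feed", "groups": ["staff"]},
    "mlee": {"requested_by": "hr-feed", "groups": ["staff", "finance"]},
    "svc-backup": {"requested_by": "it-change-1234", "groups": ["backup-operators"]},
}

# Constructed: JSON audit events emitted by the directory, one per line.
DIRECTORY_EVENTS = """
{"ts": "2021-06-01T08:02:11Z", "event": "account_created", "account": "jsmith", "actor": "iga-provisioner", "groups": ["staff"]}
{"ts": "2021-06-01T08:05:40Z", "event": "account_created", "account": "mlee", "actor": "iga-provisioner", "groups": ["staff", "finance"]}
{"ts": "2021-06-02T02:13:09Z", "event": "account_created", "account": "svc-backup", "actor": "iga-provisioner", "groups": ["backup-operators"]}
{"ts": "2021-06-02T02:14:22Z", "event": "account_created", "account": "sysadm2", "actor": "admin-kbrown", "groups": ["domain-admins"]}
{"ts": "2021-06-02T02:15:03Z", "event": "group_added", "account": "mlee", "actor": "admin-kbrown", "group": "domain-admins"}
{"ts": "2021-06-02T09:00:00Z", "event": "account_created", "account": "tmp-helpdesk", "actor": "iga-provisioner", "groups": ["staff"]}
"""

# Assumed: groups whose membership counts as privileged in this directory.
PRIVILEGED_GROUPS = {"domain-admins", "enterprise-admins", "backup-operators"}
# Assumed: the service account the IGA pipeline uses to create accounts.
PROVISIONING_ACTOR = "iga-provisioner"


@dataclass
class Finding:
    ts: str
    account: str
    reason: str
    severity: str


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def reconcile(events, approved, provisioning_actor=PROVISIONING_ACTOR):
    """Return findings for accounts or privileges that bypassed IGA approval."""
    findings = []
    for ev in events:
        acct = ev["account"]
        if ev["event"] == "account_created":
            record = approved.get(acct)
            granted = set(ev.get("groups", []))
            if record is None:
                # The directory has an account IGA never approved: out of band,
                # regardless of which actor created it.
                sev = "high" if granted & PRIVILEGED_GROUPS else "medium"
                findings.append(Finding(ev["ts"], acct, "created_without_iga_record", sev))
            elif ev["actor"] != provisioning_actor:
                # Approved, but created by hand rather than by the pipeline.
                findings.append(Finding(ev["ts"], acct, "created_by_unexpected_actor", "medium"))
            elif granted - set(record["groups"]):
                # Created with more group memberships than the request authorised.
                findings.append(Finding(ev["ts"], acct, "groups_exceed_approval", "high"))
        elif ev["event"] == "group_added" and ev["group"] in PRIVILEGED_GROUPS:
            if ev["actor"] != provisioning_actor:
                # Privilege escalation that did not go through IGA.
                findings.append(Finding(ev["ts"], acct, "privileged_group_added_out_of_band", "high"))
    return findings


def to_alerts(findings):
    """Render findings as key=value lines a SIEM can ingest and correlate."""
    return [
        f"ts={f.ts} account={f.account} reason={f.reason} severity={f.severity}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in to_alerts(reconcile(parse_events(DIRECTORY_EVENTS), IGA_APPROVED)):
        print(line)
```

Run against the constructed events, the script flags `sysadm2` (a domain-admin account with no IGA record), the out-of-band addition of `mlee` to `domain-admins`, and `tmp-helpdesk` (created by the provisioner itself but never approved); the last case is why reconciliation is keyed on the IGA record rather than on the creating actor alone. The severity field is what lets a SIEM or UBA rule prioritise the alert for the containment steps the monitoring point describes.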
Top 6 non-IAM defenses
- Discovery and advanced planning – Having an inventory of assets and entry points is foundational. This will form the basis of efforts to map and mitigate vulnerabilities commonly exploited in ransomware attacks and help incident response teams define the scope of an attack to address legal concerns.
- User education and cyber security awareness – The weakest link in information security is often the uneducated user, as they’re often the target of ransomware hackers. Organizations should make year-round efforts to educate users on how to spot phishing messages, to avoid opening attachments that can let ransomware onto the organization’s network, and to observe IAM leading practices, including not re-using passwords across sites.
- Network segmentation – The flat network is a ransomware gang’s dream. Assets should be segmented with security in mind. Technology that can provide micro-segmentation and identity-based segmentation is worth investigating. Zero Trust Network Access (ZTNA) is supplanting traditional VPN because of its focus on limiting lateral movement. Ultimately, limiting lateral movement makes spreading ransomware throughout the network less likely.
- Strengthen anti-spamming posture for email – Since attachments, links and phishing attempts in the form of “spam” are a common attack vector for ransomware gangs, stopping those emails before they arrive in users’ inboxes is an important investment.
- Patch and keep system software up to date – Unpatched systems can create a giant opportunity for ransomware attacks. A robust and continuous vulnerability monitoring solution can highlight unpatched systems and detect accidental exposure of such systems to the Internet.
- Endpoint Detection and Response or Extended Detection and Response (EDR/XDR) – Provide a final line of protection at the device itself. Integrating these tools with monitoring and alerting (e.g., SIEM, SOAR, etc.) can provide a powerful method to detect and prevent the use of the attacker’s favorite tools—possibly disrupting the entire attack.
Preparing for the worst
Even if an organization follows all of these recommendations, the risk of a ransomware attack doesn’t disappear; it is only reduced. As information security leaders, we must plan how we would handle a ransomware attack (i.e., have an incident response plan). As a baseline, a good backup and restore strategy must be in place, and it should be tested periodically. Define who must be informed – both internally and externally. Determine who will decide whether to pay the ransom and, if so, to what degree. Know who will communicate with these stakeholders as well as with law enforcement. Planning ahead is better than answering these questions in the midst of a crisis.
Of the three most common initial attacks used with ransomware: credential exploitation, phishing and exploitation of vulnerabilities, securing identity and access management provides the greatest impact. Securing identity and access also helps prevent the attacker’s most common tactic, moving laterally within an organization. Properly establishing an identity and access strategy can be a complex undertaking calling for an experienced architect with business process knowledge. Protiviti’s IAM practice serves clients across industries and of all sizes and experience levels to actively defend against ransomware threats and many other threats.