In view of two major ransomware attacks, on Colonial Pipeline and JBS, it is time to refocus on proactive cyber security: time and again, reactive security controls have failed to prevent large-scale and targeted ransomware attacks.
Here is a glimpse of the state of things when it comes to ransomware attacks:
(Courtesy: Combating Ransomware – Ransomware Task Force (RTF))
Only 8% of the businesses that paid a ransom got all of their data back, which indicates that a paid ransom guarantees little.
Ransomware as a service (RaaS) is a business model that provides ransomware capabilities to would-be criminals who do not have the skills or resources to develop their own malware.
Two-thirds of the ransomware attacks in 2020 were using a RaaS model.
Given this shift, what actions can businesses take to prevent a ransomware attack or limit its impact? Chris Krebs provides some guidance in his tweet. We will build on it to provide an initial plan of action for organizations as well, but let us start with the guidance from Chris:
- Implement multi-factor authentication (MFA) – This one goes without saying, since it addresses the problem of stolen or compromised login credentials. It certainly also helps against password phishing attacks.
- Make sure your devices are being patched regularly – Tracking vulnerabilities in your external facing devices such as VPNs and firewalls is key. Take the example of CVE-2021-20016, a SQL injection vulnerability in the SonicWall SSLVPN SMA product that allows a remote unauthenticated attacker to run SQL queries and access usernames, passwords and other session-related information. This vulnerability was actively used for “initial compromise” by the DARKSIDE ransomware group earlier this year. The ThreatWatch Attenu8 platform had flagged this vulnerability as highly exploitable back in February 2021, while the FireEye analysis of the DARKSIDE ransomware group exploiting it surfaced in May 2021, almost 3 months later.
- Ensure regular backups and check your backups – It is critical to ensure that you have working backups of data for business continuity. Ensure that the backups actually include what you need and test that these can be restored successfully.
- Update and test your incident response plan – Prepare a realistic response plan which includes what to do if you get infected by ransomware and a detailed plan of action.
Additionally we recommend that you look at the guidance provided below:
- Take a proactive approach to cybersecurity
- Keep focus on “Identify” and “Protect” rather than just “Detect” and “Respond”.
- Do away with scheduled scans wherein your team is always playing catch-up.
- This might seem like a flip to the above points, but ensure that you have tools (like SIEM, SOAR) for “Detect” and “Respond” pieces in your arsenal.
- Enforce strong passwords – Poor passwords simply make the attacker's life easy. Enforce a strong password policy that requires complex passwords, rotates them regularly (expiry) and prevents recently used passwords from being chosen again (history).
- Block uncommon attachment types in emails – Non-standard attachments like .exe, .ps1, .vbs, etc. should simply be blocked at your email gateway.
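As an added illustration of the attachment-blocking control above (example code written for this post, not a ThreatWatch tool), the script below parses a raw e-mail message and flags attachments by their final file extension and by their declared MIME type. The page names only .exe, .ps1 and .vbs; the remaining entries in the block list, and the sample message itself, are constructed assumptions for the example.

```python
"""Flag e-mail attachments whose file type should be blocked at the gateway.

Added example. The sample message and the extensions beyond .exe/.ps1/.vbs
are constructed for illustration, not taken from any real gateway policy.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
import posixpath

# Extensions to block. The post names .exe, .ps1 and .vbs; the rest are
# commonly blocked script/installer types added here as an assumed policy.
BLOCKED_EXTENSIONS = {
    ".exe", ".ps1", ".vbs", ".bat", ".cmd", ".scr", ".js", ".jse",
    ".wsf", ".hta", ".msi", ".dll", ".com", ".pif",
}

# Declared MIME types that identify Windows executables regardless of name.
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def final_extension(filename):
    """Return the lower-cased final extension of an attachment name.

    Strips directory components and trailing dots/spaces so that names such
    as 'invoice.pdf.exe' or 'SETUP.EXE. ' still resolve to '.exe'.
    """
    base = posixpath.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1]


def find_blocked_attachments(raw_message, blocked_exts=BLOCKED_EXTENSIONS):
    """Parse a raw RFC 5322 message and return [(filename, reason), ...]
    for every attachment that violates the block policy."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = final_extension(name)
        ctype = part.get_content_type()
        if ext in blocked_exts:
            findings.append((name, "extension " + ext))
        elif ctype in BLOCKED_CONTENT_TYPES:
            findings.append((name, "content type " + ctype))
    return findings


def build_sample_message():
    """Construct a test message with one benign and three blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Double extension: the name tries to pass as a PDF but ends in .exe.
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment("Write-Host 'constructed sample'", subtype="plain",
                       filename="update.ps1")
    # Benign-looking name, but the sender declared an executable MIME type.
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="x-msdownload", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in find_blocked_attachments(build_sample_message()):
        print(f"BLOCK {name!r}: {reason}")
```

Checking both the final extension and the declared content type matters: a double extension such as invoice.pdf.exe is caught by the former, while a renamed executable with an honest MIME type is caught by the latter. A real gateway would additionally inspect the file's magic bytes and look inside archives, which this example leaves out.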
- Patch your internal devices and systems – Attackers typically exploit vulnerabilities on internal systems for privilege elevation and lateral movement. Simply patching your external facing devices is not enough, since all it takes is one slip for an attacker to get a foothold inside.
- Run vulnerability scans on your image backups (not data backups) – Many organizations keep a backup image of their critical systems (portals, servers, etc.). If you need to restore such a backup, it is quite possible that new vulnerabilities have been discovered in the software present in the image between when the backup was taken and when it is restored. If you simply restore from the backup, you may be restoring software to a prior state that is affected by exploits or malware weaponizing those vulnerabilities.
Stay ahead of the curve with a proactive approach to cybersecurity.
Contact us at info@threatwatch.io to know more about how ThreatWatch can help with proactive cybersecurity.