Ransomware: Practical Tips to Tackle a Looming Menace

July 12, 2021

Ransomware attacks have increased by 50%, according to the 2021 NTT Global Threat Intelligence Report. Beyond increasing in frequency, ransomware events are becoming more sophisticated and highly targeted — not just encrypting an organization's data but exfiltrating it as well. We see this at all levels: from attacks on companies of all sizes up to nation-state actions. The Biden administration recently warned business leaders to increase the protection of their companies against ransomware attacks.

In this environment, organizations need to ensure that they are equipped with an end-to-end malware protection architecture. While attacks are ever-more varied, email is still by far the most common attack vector. Hence, reinforcing your email security is critical. Security is only as strong as its weakest element, and all an attacker requires is for one distracted user to click on an infected link. While user training is critical to reducing the number of attacks, it alone will never prevent all email attacks. Therefore, capabilities such as DMARC and email filtering have become a necessity.

Defense against ransomware

Ransomware, like most malware, frequently spreads by using the privileges of the end-user and exploiting vulnerabilities in the endpoint. Here are a few basic best practices to stop the spread of malicious ransomware:

Reduce user privileges (eliminate any end-user admins) and use multi-factor authentication (MFA) as this significantly limits the opportunities for an attack to move laterally.
Decrease the blast radius of any potential attack with network segmentation.
Implement user endpoint detection and response (EDR) solutions for policy-based isolation, as modern malware often moves far faster than manual intervention. The WannaCry ransomware cryptoworm covered 150 countries in just 24 hours.

The Cybersecurity and Infrastructure Security Agency (CISA) has released an MS-ISAC Ransomware Guide, which provides a checklist for companies in their ransomware preparation. The White House identifies five key security controls to prevent ransomware attacks from being successful:

Back up your data, system images and configurations, regularly test them and keep the backups offline
Update and patch all systems
Test your incident response plan
Check your security team's work with qualified third-party penetration testing
Segment your networks

Ransomware related FAQs answered

Let's run through some common questions we field about ransomware.

Should we pay the ransom?

Paying ransomware groups opens a can of worms that can be difficult to close. There is a chance that you pay the ransom, but the criminals keep a copy of your data anyway. There's also the chance they didn't encrypt the data properly in the first place (or didn't bother to do so), and your data is already destroyed.

It is also worth bearing in mind that in some circumstances, paying the ransom may run afoul of some U.S. laws. The Office of Foreign Assets Control (OFAC), a financial intelligence and enforcement agency of the U.S. Treasury Department, issued an advisory alerting companies about the potential sanction risks they would encounter while giving in to ransom payments.

If you are infected with ransomware and decide to pay, should you negotiate?

If your organization thinks that there's no alternative but to pay, you should negotiate the price. Intel471 observed that negotiation between an earlier victim and Darkside resulted in a price drop of more than 50% — from $30 to $14 million. Additionally, negotiating is in your best interest to avoid wasting money: there is a possibility that the attackers may have failed to encrypt the data and instead destroyed it. Establishing a dialog with the attackers allows you to ask for a subset of the data to validate that it still exists. This is analogous to a kidnapping; as part of the negotiations, the kidnappers will be asked to prove that the victim is still alive. It's worthwhile to establish a dialog to get a better idea about what you're dealing with.

Should organizations go it alone or hire help?

Companies should always have a retainer in place with an incident response company. Look around the history of ransomware, and you'll see the landscape dotted with companies that struggled to deal with the situation because they didn't have someone in place to help them through. Look at the City of Atlanta when they were hit with SamSam; a significant part of the delay in their response was because they didn't have the proper contracts in place to recover from the incident. Without trusted partners, you not only don't have someone to rely on when an incident occurs but also likely haven't tabletopped your response, put run books together or done any of the prep work needed for effective remediation. As a rule, unless you offer incident response as your core business practice, you should engage professionals who value your data.

Should companies look for decryption keys online before doing anything?

Companies shouldn't take any ad hoc steps to respond to ransomware. Looking for a decryption key is a little like investigating a crime scene on your own. You might solve it, sure, but you are more likely to trample on evidence, waste valuable time or even aggravate the situation. An amateur response to a professional attack rarely ends well for the victim.

Should a company wait to call its cyber insurer?

First and foremost, organizations need to have an incident response plan in place. If you have a cyber insurance policy, you are likely to have an incident response plan as part of its requirement. With cyber insurance, it is imperative to understand the exclusion clauses of any given policy. There is often a disconnect between the business expectations and insurer's coverage regarding what types of incidents are covered and which ones are excluded. There may also be specific requirements, such as written consent from the insurer and failure to follow any stipulations, resulting in the company not being reimbursed.

Where do organizations go wrong in responding to these types of attacks, and what should they avoid in the future?

The most common failure is a simple lack of preparation and prioritization. Ransomware is exploding in volume, sophistication and cost. Read any threat report from the past couple of years, and you'll get tired of the word quickly — companies can't afford to ignore it anymore. And as COVID-19 has forced organizations to pivot to remote, dispersed workforces rapidly, you are introducing new high magnitude risks any time you make changes to your infrastructure. Cyber adversaries are searching for — and often finding — gaps in remote work infrastructure and attacking them ruthlessly.

Do not assume your two-year-old incident response plan will be sufficient. Update and test it. Likewise, don't assume that a cyber insurance policy is adequate — it should be one of the many security controls to have in place. And work diligently to find and close the gaps in your security environment following any move to a remote-work paradigm.

Don't let ransomware defeat you

The only effective way to deal with ransomware is to close the security gaps in your organization and avoid dealing with them in the first place. Run penetration tests because that's precisely what your attackers are doing to find out where you're vulnerable. Assess your security regularly and thoroughly. If possible, go above and beyond the bare minimum of what is required for compliance or insurance reasons: this is an area where an ounce of prevention is better than a pound of cure — and it's less costly, too.

Back up your critical systems as often and as comprehensively as possible because if you do fall victim to an attack despite your best efforts, good backups are the best way to deal with them. Also, engage an incident response partner, develop a runbook for ransomware (and other likely attacks in your industry) and practice running through those run books. Having walked through the steps once or twice goes a long way toward reducing anxiety when you're dealing with a crisis.

And above all else, engage with a trusted advisor who will help you prepare and be ready to come to your aid when you need them.

Understand how NTT DATA Security Services can help you navigate rising cyber threats and protect your organization today while preparing for tomorrow.