Managing Ransomware Threats

Ransomware attacks have been growing in popularity with hackers and there seem to be a lot of misconceptions about these threats and how to manage them. In many discussions, with even security practitioners, the primary response to a question on ransomware seems to be to ensure there are sufficient backups and to restore the data to defeat this type of attack.

This is a huge underestimation of the problem and the requirements for handling this situation. Below, I shall cover some ground and lay out a strategy to prevent and handle ransomware threats. Please note that this is an attempt to address the problem from a corporate standpoint and not from an individual’s. This is also not an attempt to define how you should implement the controls, but an attempt to point you to the things you should be doing. There are a lot of details that need to be addressed before you can determine that many of these controls are in place.

A ransomware attack typically installs malware on a computer (PCs, server, DB, etc) and encrypts the data, demanding a ransom payment for the ability to decrypt the data.

If you are trying to find out how to handle a ransom attack after you have been attacked, you are already way too late. Your options are very limited. Either pay or pray that the attackers were really stupid and try to recover the data by engaging a specialized consulting company. What you need to do is plan for this before you are attacked. The NIST cybersecurity framework provides categories or areas of controls that you could use to ensure that you are covered all around. These areas of Identify, Protect, Detect, Respond, Recover. You will need to have controls in each of these areas to manage a ransomware threat.

An important point to remember is that, even though the focus of this article is Ransomware, a lot of the controls mentioned here will lay the foundation for a secure environment and help you mitigate other cyber threats as well.

Identify
The first thing you need to do is find and identify your critical assets. This would include infrastructure components and data within your network. You may be able live without the latest copies of some data or even survive completely losing some data. For example, a company that primarily sells products online may be able to shrug off an internal office room reservation system database being taken out, but they most probably cannot shrug off their customer database or payments database being taken out in a ransomware attack.

To understand what you can live with and what you cannot, you have to know what assets are critical for your business to be able to continue to run when you are under attack . This does not mean that you ignore the non-critical parts of your environment, but that you have to prioritize the critical parts and then move outwards to the non-critical parts.

You will need to have an inventory of infrastructure components and databases and the data stored within them. You should also have an inventory of all the software (versions, signatures, etc) that you have within your environment. Malware can piggyback on or masquerade as legitimate software and it will be critical for you to be able to tell the difference. Critical assets also include key personnel and they should be identified. These are the people you will turn to in case of an attack. You may want to invest in automated tools that identify and map hardware components and software on the network.

This will require a combination of automated tools and manual effort.You are probably going to use the automated tools to identify assets and then manually verify their criticality. You should also use knowledge within existing human resources to identify potential assets hiding in the background.

Protect
Before an attack happens, you need to ensure that you critical assets are able to withstand various attacks. This would include hardening your servers and other devices within the environment, segmenting your network, ensuring that wireless access points are appropriately fire-walled, your firewalls are configured properly, devices and software are updated and patched to the most secure versions. User devices (desktops/laptops) need to be locked down (disallow arbitrary software installations, turn off USB/Bluetooth as appropriate, etc.). Ensure that you have suitable anti-malware scanners on email and web gateways. These gateways are a common entry point for malware and you must ensure that they are effective by keeping them updated.

This would be a good time to audit all your user and system accounts, remove inactive accounts and ensure that the “principle of least privilege” is enforced for all active accounts. You will also need to educate users about malware and their entry points to the organization. Particular emphasis should be placed on safe internet usage and email security (phishing and malicious attachments).

This will require a lot of planning, identification of protection tools, creation of standards and procedures. Implementing the controls will require people that can configure firewalls and other infrastructure components properly and tools to lock them down.

Detect
Once you know what your critical assets are, you need to be able to detect attacks on them. You need to know how the attack is happening and where it it happening. When an attack happens, you should also be able to detect it immediately (we shall talk about finding out about attacks before they happen in the Cyber Threat Intelligence section below). You will also have to continuously monitor if the controls that you have put in place to protect your environment are working as they should.

Detection is going to be done predominantly using automated tools. Typically you will require a central log analysis tool to correlate the data coming in from multiple sources.The alerts generated by the tools will need to be sent to a SOC (Security Operations Center) for action. The SOC in turn will have to have clearly laid out procedures to escalate to and involve the right people in the response.

Respond
In the event of an attack, you need to be able to identify which components have been attacked and try to contain the damage. This will require you to take the affected components offline or out of your network. This is where the other areas mentioned above come into play, You should know your critical services and performance requirements, be able to identify components that you can take out on the fly and still retain (as much as possible) the primary service that you run.

To achieve this, you must have an incident response plan ready and should have rehearsed the plan multiple times with different scenarios. You should have Quick Reference Cards (QRC) for staff on immediate steps to take including who to contact and their information. You should have canned messages that you may need to provide your customers, regulators and any other stakeholders. You may also need to have a group of decision makers ready and they should have rehearsed their roles as well. You may need to make the decision to completely take all of your services offline, run a reduced set of core services, or pay the ransom, which means you may need to have cryptocurrency (the most preferred option by attackers) ready.

Recover
As you are responding to the attack, you also want to start thinking about restoring your services by switching to backup site/servers. You need to be prepared to bring online new servers with applications and data from loaded from backups. You should work with either an internal team of experts or external consultants to conduct forensics to determine ingress points, identify the extent of the damage and ensure that any weaknesses that we exploited are closed.

Checklist

The below is a quick checklist to prepare for attacks:

  1. Prepare Incident Response Plans and rehearse the response to different scenarios
  2. Prepare QRCs for staff on what to do and who to contact. Ensure that everyone knows their role
  3. Have a plan to notify regulators, customers, suppliers, 3rd parties and other stakeholders
  4. Prepare to take components offline to contain damage and to prevent malware from spreading
  5. Prepare to restore services from backups