10 Lessons Learned From The Biggest Ransomware Attacks

Running Away From Ransomware

The amateurs who thought they could make easy money off ransomware have moved onto things like cryptomining, according to Kevin Haley, director, product management for security response at Mountain View, Calif.-based Symantec. As a result, Haley said the adversaries that continue to use cryptomining tend to be very good at it.

Purveyors of ransomware have set their sights purely on businesses since the best money can be made from infiltrating and crippling an organization, Haley said. Unlike many consumers, businesses have the means to pay the hacker and can't just wipe their systems and start over again, according to Adam Kujawa, director of malware intelligence at Santa Clara, Calif.-based Malwarebytes.

The humans behind the computers executing malware are cunning and creative, Kujawa said, and will attack an organization's security system in ways that might not have been anticipated. As a result, Kujawa said behavioral detection, machine learning and artificial intelligence are very important for keeping companies safe from future threats.

Here's a look at 10 ways that organizations can better protect and defend themselves against ransomware attacks.


Ask Adversary For References And Check Them

Businesses that have a communication channel with the adversaries carrying out a ransomware attack should ask for references, which the more legitimate threat actors are likely to provide, according to Caleb Barlow, vice president of threat intelligence at Armonk, N.Y.-based IBM Security.

If the adversary provides the names of some of the other companies they've attacked, Barlow said the victim organization can call those businesses and get information about the extent of the impact and how the threat actor responds to the payment of ransom. This additional information can help the victim in deciding whether or not to pay the ransom, Barlow said.

Even the way in which the adversary responds – or doesn't respond – to the request for references can provide a better understanding of who's on the other side, Barlow said. For instance, a lack of response might indicate that the victim was hit as part of a broader ransomware attack, raising questions around the likelihood of the data being unlocked even if a ransom payment is made.

Bitcoin Should Be Quickly Accessible In A Pinch

Paying the ransom is far more common than most people realize, Barlow said, with most organizations never disclosing that they've done so unless there's personally identifiable information (PII) involved or it's required under a regulatory framework.

As a result, Barlow said companies should consider how they'd go about getting access to large sums of Bitcoin on very short notice. Not too long ago, virtually no company would have been able to get $250,000 in Bitcoin within a single business day, but now, Barlow said between 10 percent and 20 percent of companies know how to do that.

Businesses can park their Bitcoin at a third-party law firm so that it's ready at a moment's notice, Barlow said. If the bad actor doesn't realize how important the data is that they've locked up, Barlow said companies are sometimes able to get it back for a relatively modest sum.


Data Segmentation Can Protect A Company's Crown Jewels

User credentials and other highly-sensitive information should be held apart from the rest of the organization's data to provide an additional layer of security, according to Malwarebytes's Kujawa. Items such as user social security numbers, medical information, bank account information, usernames, passwords and email addresses should be held in a more secure part of the network, Kujawa said.

Increased segmentation makes it more difficult for ransomware or other forms of malware to traverse through the system laterally and allows for the infected system to be isolated more quickly, Kujawa said. Segmentation is more important for large enterprises than SMBs since the former have more people touching their data and are more likely to be targeted.

From a data management perspective, Kujawa said access to data should be lined up to ensure that employees are only able to access files that are essentials to their job function. Cybercriminals frequently take advantage of lax data security and misconfigurations to move within the victim's network, according to Kujawa.


External Hard Drives Can't Be Used As The Primary Backup Source

Using an external hard drive for backup such as a thumb drive, zip drive or tapes isn't a good idea, according to Malwarebytes's Kujawa, since ransomware is capable of identifying and encrypting those devices. Instead, Kujawa said the backup should be off the network and outside the reach of the malware.

Backups should be off-premise or cloud-based, Kujawa said, and use both multi-factor authentication and encryption for additional protection. If a business doesn't have the means to establish their own internal off-premise or cloud-based backup, Kujawa recommended hiring a third-party service such as Box.

Although most organizations do have some sort of backup mechanism in place, Kujawa said capturing all relevant company data with the backup can be difficult particularly. This is particularly true in larger organizations or businesses where employees have files or documents outside the official corporate domain, according to Kujawa.

Harden And Isolate Systems That Can't Be Modernized

Many businesses are running older, unsupported operating systems (OSes) that would cripple the organization if they failed but can't have security put on or around them due to their age, according to Symantec's Haley. Businesses sometimes wish to keep an older OS in place to support proprietary software or a mission-critical server that can't run on more modern technology.

If the OS absolutely cannot be changed or modernized, Haley recommended hardening or isolating it so that access is restricted to as few people as possible. Haley gets why some businesses stick with an older OS from a business perspective, but cautions that there's some risk inherent in the decision.

The server or entry point for a ransomware infection is usually either a critical system that's running an old OS or a forgotten, unknown, or unmanaged system that isn't being patched or kept up to date, according to Haley. As a result, Haley said hardening and isolation are critical.

Having Legal Counsel Direct Response Will Shield Some Communications

Having an outside legal counsel that specializes in cybersecurity direct the incident response process will help keep much of the communication out of the public eye or courtroom, according to IBM's Barlow. A large-scale cybersecurity incident often triggers action from regulators or investors, Barlow said, which in turns opens the victim organization up to lawsuits.

As a result, litigants usually attempt to get their hands on all communications related to the cybersecurity incident during the discovery process and cross-examine company executive should the case make its way to trial. But if the work products are attorney-directed, Barlow said businesses aren't forced to expose as much in terms of how they responded to the incident.

Organizations should be very cautious about what's said in emails or other messages about a cybersecurity incident, Barlow said, since the potential exists for those communications to be hauled into court. Businesses that don't have outside legal counsel directing their incident responses will quickly learn that they need it, according to Barlow.

Patches And Updates Must Be Deployed Quickly

Updating systems isn't typically as easy as people in the security community make it sound due to the presence of proprietary software that runs in a specific version of Java or Flash, according to Malwarebytes's Kujawa. As a result, Kujawa said businesses might need to spend time testing how their proprietary software works under the new conditions before formally pushing the update through.

Businesses would be wise to examine ways in which they could deploy patches and updates across the entire organization without hindering day-to-day operations, Kujawa said. Bright IT employees should be able to ensure that nothing is killed or destroyed when a new patch is deployed, according to Kujawa.

Ransomware such as WannaCry has targeted exploits where a patch was already available, but organization hadn't yet gotten around to deploying it for their outward-facing systems, Kujawa said. This often happens because organizations assume they're not important enough for anything bad to happen to them, according to Kujawa.

Prevention-Based Approaches Are More Important Than Ever

Prior to the rise of ransomware, the damage associated with malware or other security exploits was assumed to be relatively small and capable of being removed at any time, according to Malwarebytes's Kujawa. But now, Kujawa said businesses must have technology in place that keeps an eye out for new or emerging forms of ransomware.

Companies should leverage technology that looks for behaviors that match up with known ransomware activity by examining what each of the processes or threads in the system is doing. Kujawa said. If enough operations similar to ransomware activity are identified, a flag will be generated indicating the possibility of ransomware.

If the past, Kujawa said organizations that believed they had been infected with a virus might have run a free version of the security vendor's tool and assumed they're safe. But ever since the functionality of CryptoLocker became evident a half-decade ago, Kujawa said businesses are taking the security of their data much more seriously.

Responding Rapidly Can Help Stem The Bleeding

Corporate America is used to acting in a slow and methodical manner, waiting for data to come in before making any decision and hiring outside consultants to provide their perspective if it's a tough call, according to IBM's Barlow. But when companies are hit with ransomware activity, Barlow said they must be able to make decisions quickly, with limited room, and relying only on the people in the room.

Businesses under siege from a sophisticated cyber adversary do not have to wait for the next staff meeting or for senior executives to return from vacation, according to Barlow. Instead, he said companies must adopt an incident command structure that processes through decisions quickly and is capable of constantly re-evaluating a situation.

Companies that have plans in place to bring in an outside incident response firm are saving more than $1 million if they're able to remediate in 30 days or less, Barlow said. That's because the longer the remediation process takes, Barlow said, the more likely it is that a business will lose additional data and suffer from regulatory or reputational issues.

Security Awareness Training Can Reduce A Company's Risk

Security awareness training is never going to eliminate risk or make users perfect, but it can reduce risk by teaching users to behave in a more responsive manner, according to Symantec's Haley. The goal is to make users less likely to click on suspicious links or attachments in emails by helping them spot potential irregularities, Haley said.

As part of a phishing simulation, Haley said businesses can send emails out to users with telltale signs of phishing and provide them with education and advice should they click on the suspicious item. It's vital, though, that these simulations never be seen as punishment or an attempt to make fun of people who fail the test.

Phishing simulation programs are quite common today, Haley said, but those that are implemented improperly tend not to last for long because people get mad at the programs. For this reason, Haley said it's essential that the IT department let management know that a phishing simulation is taking place and get them to buy into the program beforehand.