We are writing this blog following the recent ransomware attack by the Darkside gang on the Colonial Pipeline, and after AXA, the insurance provider, was recently hit with ransomware for refusing to pay out for ransomware attacks. Both remind us that ransomware is still a significant threat to all sectors.
So, for those that don’t know, let’s break down what ransomware is. For starters, ransomware is simply a method by which a program or application exploits a weakness in your IT or Critical Infrastructure with the aim of rendering your data and/or systems unusable. This might take the form of encrypting all of your data, including backups, or taking control of your Operating Systems so that you can no longer use them. The outcome is that your service is no longer operational and, as you might have guessed, users or employees at your company can no longer carry out their day-to-day duties. This can lead to long periods of downtime, meaning your business effectively loses money. This is felt further when Cyber gangs like Darkside or other state actors undertake these activities with the intention of holding your data for ransom: pay up or risk losing your data or having it exposed, the latter resulting in a data breach with further consequences.
So, we’ve examined what ransomware is, but why do people carry it out? Simply, because it’s a form of new Gold! Gold, you say? I say Gold, not because it’s shiny and has been a valuable commodity to humans for many centuries, but because it’s easy to access, causes disruption, and has become an established form of Cyber criminal financing. Ransomware has excelled over recent years, largely helped by three things, in order:
Cryptocurrency - This helps with requesting payment with some degree of secrecy, given you’re not asking a targeted organization to pay into a bank account, which can be blocked or frozen under the financial governance in place, unlike the cryptocurrency market
Wider Attack Surface - These days we are increasing our attack surface by exposing systems and services to the internet. This warrants further attention and increases the likelihood that we fail to patch or protect an exposed asset
Security Maturity - Many companies, both corporate and small, still believe they won’t be attacked, or that the chances are so small that they can neglect implementing some form of internal security measures against ransomware. Companies with good Cyber hygiene are often subject to such attacks too, as they have such an extensive inventory of systems that are not tracked and monitored
The above are of course our opinions and do not reflect the good that many businesses are doing to recognize the risk that Cyber imposes on their business. However, our view is that these are key pillars found lacking when investigating the findings from analysis of successful ransomware attacks, ones that achieve their objective of preventing companies from being operational and often result in large remediation costs, in some cases bankrupting large businesses.
Whilst the most common attack methods rely on the pillars we have highlighted above, they often come down to a number of entry methods, these being:
Phishing emails that lead to compromised accounts
Password Spraying attacks resulting in account access
Exposed services with highly exploitable vulnerabilities
The first two points above rely on the Human Security element, whereby we need to promote Cyber hygiene to all members of our organization. Remember, the philosophy that security is 'everyone's responsibility' often paints the real picture of what all companies need to do. Steps to improve this can be to promote Cyber training, either through workshops or through the use of eLearning. Whilst these methods don't appeal to most, in some cases you can take this a step further and have a good penetration test supplier undertake red/purple team testing to demonstrate the impact of such an attack. Phishing simulation provides a good method of training users to identify and report potential attacks via phishing emails, and can be a low-investment way to help prevent high-impact attack outcomes such as ransomware.
When exposing additional services to the public or internet, there are many approaches a business can take to prevent their services from being exploited, these being:
Evaluate your Asset Inventory. It's a boring job, but a must. Once you have this information, ask yourself which of your systems are critical and which are non-critical. Evaluate the critical systems and ask yourself how these systems are being protected
Subscribe to or procure a vulnerability scanning system to scan your endpoints or services, and set this to run periodically on a week-to-month basis. This will prevent vulnerable systems from being easily exploited by random attackers. This kind of service can be managed in-house or outsourced at relatively low to medium cost and can provide valuable insights into where your weaknesses lie at the edge of your infrastructure
Outsource a penetration test to a CREST or Tiger CHECK certified penetration test company to undertake a footprint or Open-Source Intelligence (OSINT) analysis against your organization, allowing ethical hackers to identify where you are likely to be targeted. This option bears somewhat more cost, but is likely to provide you with factual, upfront information on how ransomware gangs might leverage your weaknesses for their gain
Finally, and somewhat more of a logistical burden on your internal IT or Information Security department, or whoever looks after your IT systems, implement endpoint detection and response (EDR). This can ensure that your systems, such as endpoints (laptops and mobile systems) and/or Server Infrastructure, can potentially defend against most types of ransomware
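As an added example (not part of the original post), the checklist above can be turned into a simple audit over an asset inventory that reports which systems are missing a recent vulnerability scan or EDR, listing critical and internet-exposed assets first. The field names, the 31-day scan threshold and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Asset:
    name: str
    critical: bool            # business-critical system?
    internet_exposed: bool    # reachable from the internet?
    edr_installed: bool
    last_scan: Optional[date] # None means never scanned

# Assumption: "week-to-month" scanning means a scan older than 31 days is stale.
MAX_SCAN_AGE = timedelta(days=31)

def audit(assets, today):
    """Return {asset name: [gaps]}, critical and exposed assets first."""
    ordered = sorted(
        assets, key=lambda a: (not a.critical, not a.internet_exposed, a.name)
    )
    findings = {}
    for a in ordered:
        gaps = []
        if a.last_scan is None:
            gaps.append("never scanned")
        elif today - a.last_scan > MAX_SCAN_AGE:
            gaps.append(f"scan {(today - a.last_scan).days} days old")
        if not a.edr_installed:
            gaps.append("no EDR")
        if gaps:
            findings[a.name] = gaps
    return findings

# Constructed sample inventory; hostnames and dates are illustrative only.
INVENTORY = [
    Asset("vpn-gw", True, True, False, date(2021, 3, 1)),
    Asset("hr-laptop-17", False, False, True, date(2021, 5, 10)),
    Asset("file-srv", True, False, True, None),
    Asset("web-shop", True, True, True, date(2021, 5, 12)),
    Asset("test-box", False, True, False, date(2021, 5, 1)),
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY, date(2021, 5, 20)).items():
        print(f"{name}: {', '.join(gaps)}")
```

Assets with no gaps are omitted from the result, so the output is the remediation list in priority order.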
The above is a short checklist that we advise many companies to adopt. However, to fully ensure your defenses are capable of preventing a ransomware attack and a potential data breach, we recommend a full review of your systems with a security consultant and/or architect to confirm that sufficient protection is in place.
To learn more about phishing simulation awareness and vulnerability scanning and management, why not read further on our services pages to find out how we can help you better protect your organization from ransomware? If you're still unsure about how we can help, why not schedule a free discussion with us to identify your concerns and how we can assist you in protecting your IT Systems and Data?