Ransomware attacks have changed significantly recently, in a number of crucial ways. These changes include the methods used by the attackers, as well as the scope and severity of such attacks. We’ll look at how these attackers operate, and what ransomware mitigation options are available.
Techniques ransomware attackers are using today
Ransomware in its simplest form is malicious software deployed on a victim’s system, that encrypts data until a ransom is paid.
Today, attackers are using advanced ransomware means to perpetuate their attacks. Lockbit, for example, is a “self-piloted” attack that automatically scans and vets targets, and spreads an infection throughout the network, and is one of the most deployed ransomware variants in the world. The latest versions of Lockbit even render administrative permission checkpoints ineffective, and disable user safety prompts.
This ransomware type is part of a larger trend of RaaS, or “Ransomware-as-a-Service,” a distribution model where cybercriminals provide ransomware tools and infrastructure to other individuals or groups, allowing them to carry out ransomware attacks without needing advanced technical expertise. There are even “affiliates” who earn a cut of the ransom for a successful attack.
In terms of techniques for deploying ransomware, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) outlines several attack types that organizations today can expect. These are grouped by initial access vector and include:
Internet-Facing Vulnerabilities and Misconfigurations: Ransomware attackers exploit weaknesses in software or system configurations exposed to the internet to gain unauthorized access and initiate their attacks.
Compromised Credentials: Attackers utilize stolen or weak login credentials to gain unauthorized access to systems and networks, providing them with the ability to launch ransomware attacks.
Phishing: Attackers send deceptive emails or messages to trick users into downloading malicious attachments or clicking on malicious links, which leads to the installation of ransomware on their devices.
Precursor Malware Infection: Attackers first infect systems with a precursor malware, such as a botnet or downloader, which then facilitates the delivery and execution of the ransomware payload.
Advanced Forms of Social Engineering: Attackers employ sophisticated psychological manipulation techniques to deceive and manipulate individuals or employees into taking actions that result in ransomware infections, bypassing traditional security measures.
Third Parties and Managed Service Providers: Attackers target vulnerabilities or weaknesses in the security practices of third-party vendors or managed service providers, aiming to gain access to their networks or systems, which can serve as a stepping stone for launching ransomware attacks.
85% of organizations are likely to experience a ransomware attack this year, and a new target is hit every 14 seconds. What should be done to mitigate the effects of such an attack?
What are the mitigation measures for ransomware?
There are several ransomware mitigation measures that can be put into place to address the fallout from a ransomware attack. CISA offers excellent advice in its “Preparing for Ransomware and Data Extortion Incidents” document. Advice includes:
Maintain offline, encrypted backups of critical data: storing backups offline and encrypting them ensures that even if the primary systems are compromised, the data can be recovered from secure backups.
Maintain and regularly update “golden images” of critical systems: having up-to-date system images allows for faster restoration in case of an attack, reducing downtime and minimizing the impact.
Consider replacing out-of-date hardware that inhibits restoration: outdated hardware or restoration solutions can hinder the recovery process and frustrate effective restoration efforts.
Consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted: utilizing multiple cloud providers for backups reduces reliance on a single vendor and safeguards against a widespread account compromise.
Implement a zero trust architecture to prevent unauthorized access to data and services: adopting a zero trust approach ensures that all access requests are verified and authenticated, minimizing the risk of unauthorized access and limiting the spread of ransomware within the network.
Other ransomware mitigation steps include:
Regularly educate and train employees: provide cybersecurity awareness training to employees, educating them about phishing techniques, safe browsing habits, and the importance of not clicking on suspicious links or downloading unknown attachments.
Enable strong access controls and privilege management: implement the principle of least privilege (PoLP) to limit user access rights and permissions. Regularly review and revoke unnecessary privileges, ensuring that only authorized individuals have access to critical systems and sensitive data.
Develop an incident response plan: establish a detailed incident response plan that outlines the steps to be taken in the event of a ransomware attack. This plan should include procedures for isolating affected systems, notifying appropriate personnel, and engaging with cybersecurity professionals to contain and mitigate the attack effectively.
Are ransomware attacks avoidable?
With effective ransomware mitigation and prevention strategies in place, organizations can ensure that they are protected from the impact of an attack. When it comes to how to prevent a ransomware attack, a combination of methods is generally advised: from educating employees, to adding ransomware protection solutions, and having advanced and effective data protection and backup in place.
While attacks will continue to evolve, and attackers will think up new methods to perpetrate ransomware deployments, by implementing these measures organizations can ensure that their business will not be brought to a standstill.
How should companies handle ransomware attacks?
One of the major questions asked when it comes to ransomware attacks, is if the ransom should be paid.
Etay Maor, adjunct professor at Boston College in cybersecurity, says that “It’s an enormous mistake to think that paying ransomware demands will solve anything. The initial payment is only for the start of things.”
William J. Roberts co-chair of Day Pitney LLP’s Cybersecurity and Data Protection Practice Group, adds that there has to be nuance and it can depend on the circumstances. Specifically, it will depend on such elements as if the target has effective backups: “Organizations that have fully or nearly-complete backup copies of the data affected by the ransomware generally don’t need to pay a ransomware demand.”
In any event, organizations should have a ransomware mitigation strategy in place before an attack takes place, to have decisions and priorities down in writing.
What is the first action to take when exposed to ransomware?
When disaster strikes, it can be difficult to stay focused on the order in which responses should be carried out. To make things clearer, CISA, together with the FBI, NSA, and Multi-State Information Sharing and Analysis Center (MS-ISAC), put together a sequential incident response plan.
The first steps?
- Determine which systems were impacted, and immediately isolate them.
- Power down devices if you are unable to disconnect them from the network to avoid further spread of the ransomware infection (only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means).
- Triage impacted systems for restoration and recovery.
- Examine existing organizational detection or prevention systems and logs.
- Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis.
- Initiate threat hunting activities.
Ransomware prevention checklist
The Center for Internet Security suggests seven initial ransomware mitigation steps to take to prevent or limit the impact of an attack. The ransomware prevention checklist includes:
1. Maintain backups – thoughtfully
2. Develop plans and policies
3. Review port settings
4. Harden your endpoints
5. Keep systems up-to-date
6. Train the team
7. Implement an Intrusion Detection System (IDS)
Critically, CISA recommends having a cyber incident response plan (IRP) in place as part of your ransomware prevention checklist, including an associated communications plan, that deals with possible scenarios and responses, as well as notification procedures.
Which is the best solution to protect your important files from ransomware?
The best ransomware mitigation solution to protect important files from ransomware is one that provides a solution in line with the best practices as developed by the experts.
Specifically, such a solution should include:
- A real-time intrusion detection system
- An incident management dashboard
- Effective backup to air-gapped immutable object storage
- Caching that allows near-instant disaster recovery
- Immutable snapshots
- Zero-trust architecture
With these elements in place, both the initial attack and subsequent ransomware mitigation, are effectively addressed.
Specifically today, with a remote, geographically distributed workforce, providing secure file systems and data access while preventing the intrusion of ransomware into the network, is critical.
Download the CTERA Ransomware Protection Solution Sheet
Ransomware mitigation & protection with a Global File System
With CTERA’s Global File System, you get access to state-of-the-art ransomware mitigation and protection.
This includes the groundbreaking Ransom Protect, an AI-driven ransomware defense mechanism that identifies and shuts down ransomware attempts in real-time.
CTERA’s Ransomware Protection also includes all the critical elements of an effective ransomware mitigation solution:
A real-time intrusion detection system: Ransomware Protect uses advanced machine learning to identify and block suspicious file activity in real-time.
An incident management dashboard: Ransomware Protect includes a comprehensive incident management dashboard, providing visibility, evidence, and logs for post-attack forensic use.
Effective backup to air-gapped immutable object storage: CTERA’s continuous real-time protection provides an RPO (recovery point objective) measured in minutes or seconds, not hours or days.
Caching that allows near-instant disaster recovery: replicating data continuously to the cloud, CTERA’s caching technology allows organization to easily and quickly roll back even dozens of terabytes.
Immutable snapshots: with these snapshots, CTERA ensures that there is an effective safe haven for data, as snapshots cannot be deleted or modified over the retention period.
Zero-trust architecture: CTERA edge filers do not handle credentials for the object storage, ensuring architecture that is unique among global file systems.
“If it weren’t for CTERA, ransomware would have been a devastating and potentially business-closing catastrophe.”
– Rob Svendsen, S.J. Louis Construction
Learn more about CTERA’s solution here.
Conclusion: ransomware mitigation can ensure ongoing protection
Ransomware has evolved, and will continue to change as attackers constantly seek new victims. Understanding their techniques is important, but when it comes to staying protected a comprehensive ransomware mitigation strategy is required.
CTERA offers the best practices of ransomware wrapped up in one superior solution. From initial detection and response, to ongoing protection, and mitigation to limit any potential damage caused.
To get set up, schedule a call with a CTERA expert today.
FAQs
How to stop ransomware using a risk mitigation plan?
A risk mitigation plan for stopping ransomware involves identifying potential vulnerabilities, implementing security measures, such as regular backups and updates, training employees, and having an incident response plan in place to minimize the impact of an attack.
What is the primary method for mitigating ransomware attacks?
The primary method for mitigating ransomware attacks is a combination of preventive measures, including intrusion detection systems and effective backup.
What technology stops ransomware?
Several technologies help in stopping ransomware, including advanced behavior-based detection systems and intrusion prevention systems (IPS).
What are the FBI checklist recommendations to mitigate ransomware attacks?
The FBI has put together a document called “Ransomware Prevention and Response for CISOs” that contains important information. It can be accessed here. Elements of its checklist include user awareness and training, and ensuring all software patching is up-to-date.
To ensure you’re aligned with ransomware mitigation best practices, explore CTERA’s Ransomware Protection solution now
Related resources: