Businesses are under threat from increasingly aggressive and
brutal ransomware attacks. Loss of access to critical files, followed by a
demand for payment, can cause massive disruption to an organisation’s
productivity. But what does a typical attack look like? And what security
solutions should be in place to give the best possible defence?
“Sophos has compiled information which will help businesses gear
up against ransomware attacks. The company discusses the commonly used
techniques to deliver ransomware, and why these attacks are succeeding. In
addition, it provides ten security recommendations to help you stay secure, and
highlights the critical security technologies that every IT setup should
include,” says Ross Anderson, Sophos Product Development Manager at Duxbury
Networking.
The current wave of ransomware families have roots traced back to
the early days of Fake AV, through ‘Locker’ variants and finally to the
file-encrypting variants that are prevalent today. Each distinct category of
malware has shared a common goal — to extort money from victims through social
engineering and outright intimidation. The demands for money have grown more
forceful and audacious with each iteration with some hackers now demanding
millions.
Despite rumours of the demise of ransomware, it is still very much alive and kicking. A Sophos survey of 3 100 organisations found that 30% of cyberattack victims had been hit by ransomware. Additionally, and of concern, nine in 10 respondents said their organisation was running up to date cybersecurity protection at the time of the attack.
Why are ransomware attacks so successful?
Most organisations have at least some form of IT security in place. So why are ransomware attacks slipping through the net?
1. Hacking is
becoming easier while attackers are becoming more sophisticated in their
approach.
• 'Exploit as a
Service' (EaaS) programs that take advantage of vulnerabilities in existing
software products are increasingly accessible. These kits make it simple for
less tech-savvy criminals to initiate, complete, and benefit from a ransomware
attack.
• Criminals use
skilful social engineering to prompt users to run the ransomware’s installation
routine. They try to trick users into activating the ransomware with emails
that encourage the recipient to click on a link or open a file, for example:
“My organisation’s requirements are in the attached file. Please provide me
with a quote”.
• Producers of
ransomware operate in a highly organised fashion. This includes providing a
working decryption tool after the ransom has been paid, although this is by no
means guaranteed.
2. Security
problems at affected companies.
• Systems are
often unpatched leaving them unnecessarily vulnerable to threats.
• Inadequate
backup strategy and lack of disaster recovery practice/plan (backups not
offline/off-site).
• Updates/patches
for operating system and applications are not implemented swiftly enough or at
all.
• Dangerous user
permissions (users work as administrators and/or have more file rights on
network drives than necessary for their tasks).
• Lack of user
security training (“Which documents may I open and from whom”, “What is the
procedure if a document looks malicious”, “How do I recognise a phishing
email?”).
• Lack of layered
security strategy so attackers often only need to overcome a single hurdle.
• Inconsistent or
incomplete security policies that leave gaps through which attackers can enter.
• Conflicting
priorities (“We know that this method is not secure, but our people have to
work…”).
• Poorly configured IT security (badly regulated external access, for example, Remote Desktop Protocol exposed).
How does a ransomware attack happen?
There are multiple ways that a ransomware attack starts. Common
techniques include:
• Malicious
emails.
• Poisoned
websites redirecting you to exploit kits.
• Remote Desktop Protocol (RDP) and other remote access holes.
How do ransomware attacks unfold?
After initial exposure, attacks typically fall into two different
categories:
1. ‘Fire and
forget’. These types of automated attacks target multiple organisations with
the hope of securing a high quantity of smaller ransoms. Think back to
WannaCry. Thousands and thousands of organisations were hit by WannaCry at the
same time. These hackers use automated, ‘fire and forget’ techniques, where the
attack is launched and spread to as many computers as possible. Due to the
automation and number of attacks, the attacker is oblivious to the stages of
the attack.
2. Targeted ransomware. Targeted ransomware is a very manual attack, typically focuses on one victim at a time, and often demands much higher ransom fees. The attackers gain access to the network and move laterally; identifying high-value systems in the process. Strains of this type of ransomware, overcome challenges as they arise, making them particularly deadly.
10 best security practices to apply now
Staying secure against ransomware isn’t just about having the
latest security solutions. Good IT security practices, including regular
training for employees, are essential components of every single security
setup. Make sure you’re following these 10 best practices:
1. Patch early,
patch often. Malware that doesn’t come in via a document often relies on
security bugs in popular applications, including Microsoft Office, your
browser, Flash, and more. The sooner you patch, the fewer holes there are to be
exploited.
2. Backup
regularly and keep a recent backup copy off-line and off-site. There are dozens
of ways other than ransomware that files can suddenly vanish, such as fire,
flood, theft, a dropped laptop, or even an accidental delete. Encrypt your
backup and you won’t have to worry about the backup device falling into the
wrong hands. Furthermore, a disaster recovery plan that covers the restoration
of data and whole systems.
3. Enable file
extensions. The default Windows setting is to have file extensions disabled,
meaning you must rely on the file thumbnail to identify it. Enabling extensions
makes it much easier to spot file types that wouldn’t commonly be sent to you
and your users, such as JavaScript.
4. Open JavaScript
(.JS) files in Notepad. Opening a JavaScript file in Notepad blocks it from
running any malicious scripts and allows you to examine the file contents.
5. Don’t enable
macros in document attachments received via email. Microsoft deliberately
turned off auto-execution of macros by default many years ago as a security
measure. A lot of infections rely on persuading you to turn macros back on, so
don’t do it!
6. Be cautious
about unsolicited attachments. The crooks are relying on the dilemma you face
knowing that you shouldn’t open a document until you are sure it’s one you
want, but you can’t tell if it’s one you want until you open it. If in doubt
leave it out.
7. Monitor
administrator rights. Constantly review admin and domain admin rights. Know who
has them and remove those who do not need them. Don’t stay logged in as an
administrator any longer than is strictly necessary and avoid browsing, opening
documents, or other regular work activities while you have administrator
rights.
8. Stay up to date
with new security features in your business applications. For example, Office
2016 now includes a control called “Block macros from running in Office files
from the internet,” which helps protect against external malicious content
without stopping you from using macros internally.
9. Regulate
external network access. Don’t leave ports exposed to the world. Lock down your
organisation’s RDP access and other management protocols. Furthermore, use
two-factor authentication and ensure remote users authenticate against a VPN.
10. Use strong passwords. It sounds trivial, but it really isn’t. A weak and predictable password can give hackers access to your entire network in a matter of seconds. We recommend making them impersonal, at least 12 characters long, using a mix of upper and lower case and adding a sprinkle of random punctuation Ju5t.LiKETh1s!
To stop ransomware, you need to have effective and advanced
protection in place at every stage of an attack. Sophos XG Firewall is packed
with technology to help protect your organisation from ever-evolving ransomware
attacks. In particular, XG Firewall includes one of the best performing and
most effective IPS engines on the market, and provides a simple and elegant
solution to lockdown your RDP servers.
XG Firewall offers flexible and easy segmentation tools like zones
and VLANs to secure your LAN and reduce the risk of lateral movement, reducing
surface area of attack and minimising the risk and potential scope of
propagation.
Should hackers somehow access your network, Intercept X uses
multiple layers of defence to stop ransomware in its tracks. Anti-exploit
technology stops the delivery of ransomware, deep learning blocks ransomware
before it can run, and CryptoGuard prevents the malicious encryption of files,
rolling them back to their safe state. The endpoint detection and response
(EDR) functionality within Intercept X additionally detects advanced ransomware
attacks that may have gone unnoticed and search for indicators of compromise
across your network.
Furthermore, Sophos Managed Threat Response (MTR) enables 24/7
threat response actions to be identified and executed utilising a fusion of
machine and machine intelligence.
Sophos Phish Threat sends simulated phishing attacks to your
organisation, testing preparedness against real world attacks. Emails can be
customised to your organisation and industry and have been carefully localised
for multiple languages. Detailed feedback lets you see how many users failed,
overall susceptibility to attacks, and more.