Anatomy of a Ransomware Attack: a Guide to Prevention and Recovery

Jacob Ingerslev via LinkedIn, Mar 31, 2021

NEWSLETTER ON LINKEDIN
Global Cyber Risks Uncovered

Over the past few years ransomware has evolved into the most significant cyber threat to organizations, and so far its upward trend shows no sign of easing. There is simply too much money for cybercriminals to make and too many vulnerable targets available for them to exploit. Automated tools for identifying targets, the shift to cryptocurrency-based extortion demands and greater collaboration among criminal groups have all contributed to making ransomware the most effective way to monetize cybercrime. While there are many effective preventative measures against the ransomware threat, criminals have proven very adept at adjusting their tactics to circumvent even strong cybersecurity and recovery efforts, which is part of why cyber risk is so dynamic in nature. Staying informed about why ransomware attacks typically happen and about the most common delivery mechanisms used by threat actors can help organizations in the race against cybercrime. Since not all ransomware attacks are preventable, it is also important for organizations to understand how such attacks typically play out in order to be prepared for the worst-case scenario.

Lessons Learned From 2020 Ransomware Attacks

While ransomware has traditionally been distributed through spam-based phishing campaigns, attacks are increasingly carried out against specifically selected targets, and the most impactful attacks in particular are targeted ones. Based on hundreds of digital forensic and incident response investigations into ransomware incidents in 2020, as well as monitoring of dark web forums, the following lays out the typical path of a targeted ransomware attack.

1) Reconnaissance

Threat actors often research their targets in advance to estimate the likelihood of ransom payment based on factors such as revenue or profit, presumed impact severity and sometimes the existence of a cyber insurance policy. A publicly visible attack typically puts additional pressure on the victim to give in to the extortion demand, so visibility may also factor into target selection. Exploitable vulnerabilities or access points are often identified using the same scanning and analysis tools that security teams use, as well as public search engines such as Shodan, ZoomEye and Censys that continuously index internet-exposed hosts by open port, protocol and service banner. In 2020 Remote Desktop Protocol (RDP) was the access point most commonly exploited by cybercriminals for ransomware delivery. Publicly disclosed vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database are another useful resource for attackers to research and take advantage of, particularly where a public exploit exists and patching lags.

2) Gaining Access

Once the target and a possible access point are identified, the next step is to compromise user accounts by brute-forcing passwords, using default passwords or obtaining credentials through phishing (some of the world's most costly ransomware attacks started with a single phishing email). In some cases it is simply a matter of exploiting a misconfigured access point without having to crack any password at all. Another option is to purchase access to already compromised accounts or servers on the dark web. This is one of the major reasons for the recent growth in ransomware attacks: compromised RDP access is sold for next to nothing and has become a small criminal sub-industry in itself. The most attractive accounts are those with administrative privileges, since they provide the broadest access to the target network.

3) Maintaining Access

After accounts or servers are compromised, threat actors will typically plant a backdoor (malware that enables remote access and control) on the system in order to establish a foothold. It is not uncommon for a threat actor to use multiple backdoors in a network so that access remains active even if the primary point of compromise is shut down. Threat actors may observe business operations and traverse the network looking for data and resources such as online backups, in some cases for months, before encrypting files. Access may also be maintained until it is sold on to another criminal group.

4) Destroying or Encrypting Backups

The main objective of threat actors in a ransomware attack is to force payment of the ransom demand, that is, to make the victim pay for the decryption key that unlocks the encrypted files. The ability of the victim organization to recover from a recent or real-time backup is one of the most effective defenses against having to pay. Cybercriminals have developed a workaround: they traverse compromised networks to identify and destroy backups, or build ransomware strains that propagate across the network and encrypt any online backups they can reach.

5) Stealing Data

In 2020, particularly in the second half of the year, criminals increasingly exfiltrated sensitive information from compromised networks before deploying the encryption malware. This was another example of criminals adjusting to victims that had strong backups or for any other reason refused to pay. Threat actors use the stolen data as additional leverage, threatening to publish it unless the ransom is paid, a tactic commonly called double extortion (the publication itself is sometimes referred to as doxxing).

6) Encrypting Files or Systems

Whether or not threat actors employ backup destruction and/or data theft as part of their modus operandi, the ultimate goal is to encrypt as many files or systems as possible across the target network to effectively cripple the organization. The extent of encrypted files and servers will often factor into the size of the ransom demand.

7) Ransom Negotiation and Payment

Once the ransomware has been successfully deployed in the target network, a ransom will be demanded in exchange for the decryption key, most often payable in Bitcoin. While Bitcoin has been gaining popularity (and value), it is still relatively uncommon for organizations to have cryptocurrency readily available in the event of a ransomware infection. Therefore, if ransom payment is the only option left, typically because there is no viable backup or recovery solution, organizations often need to call on experienced incident response firms to negotiate the demand and facilitate payment in Bitcoin.

8) Recovery

Whether a ransom is paid or files are recovered from backup, the process laid out in the previous steps typically lasts several days and results in lost business income, network restoration costs and incident response costs. There is no perfect solution or seamless recovery option for a ransomware infection that avoids disruption to operations and financial loss. If a ransom is paid, it usually takes several days to negotiate the payment and receive the decryption key(s) before recovery of encrypted files can even begin; the recovery itself can still take hours or days and may not recover 100% of files. If a ransom is not paid, the victim organization must either recover files and systems from backup or rebuild them from scratch. Neither option is instantaneous; both may take days, weeks or months.

How to Prepare for and Respond to Ransomware Attacks

Understanding the typical causes of ransomware attacks, the process threat actors follow during an attack and the macro-level view of how these attacks can be prevented or how their impact can be reduced is an important step toward society combatting this growing cyber threat. Based on the typical characteristics of targeted ransomware attacks according to hundreds of incidents, we have compiled a list of preventative and response measures to address each phase of the attack. The good news is that there are effective actions that can be taken every step of the way.

Reducing the Attack Surface

Except for large organizations that cannot hide because of their significant public footprint, it is entirely possible to reduce the risk of a ransomware attack by not showing up in the automated scans threat actors use to find eligible targets. Disabling unnecessary network services and blocking internet-facing ports greatly reduces the risk of attacks before they happen. The number one preventative action is to stop exposing RDP directly to the internet (it listens on TCP port 3389 by default, and attackers scan for exactly that) and to place any remote access that is genuinely required behind a VPN or gateway with multi-factor authentication. Remediating CVEs associated with ransomware attacks is another impactful measure toward reducing the attack surface. Finally, creating a high level of awareness of ransomware attacks among employees through frequent cyber risk training helps reduce the human side of the attack surface.
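As an added example (not part of the original article), the following Python script performs the same kind of port check that attackers' scanners do, but against hosts you own, so that an exposed RDP listener is found by you before it is found for you. The host addresses, the port list and the severity labels are assumptions; nothing here should be pointed at systems you are not authorised to test.

```python
"""Check your own internet-facing hosts for services ransomware operators scan for
(RDP on TCP 3389 above all). Added example; the host list and port table are
assumptions. Only scan addresses you are authorised to test."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports attackers commonly hunt for as ransomware entry points (assumed table).
RISKY_PORTS = {
    3389: "RDP",
    445: "SMB",
    22: "SSH",
    21: "FTP",
    23: "Telnet",
    5900: "VNC",
}


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. the service is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def find_exposed(hosts, ports=RISKY_PORTS, timeout=1.0, workers=32):
    """Probe every host x port pair concurrently.
    Returns a sorted list of (host, port, service) for listeners that answered."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: tcp_open(t[0], t[1], timeout), targets))
    return sorted((h, p, ports.get(p, "?")) for (h, p), ok in zip(targets, results) if ok)


def report(exposed):
    """Human-readable findings; RDP is singled out because it was the top entry point in 2020."""
    lines = []
    for host, port, service in exposed:
        severity = "CRITICAL" if port == 3389 else "HIGH"
        lines.append(f"{severity}: {host}:{port} ({service}) is reachable from this vantage point")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python check_exposure.py 203.0.113.10 203.0.113.11   (documentation addresses, assumed)
    for line in report(find_exposed(sys.argv[1:])):
        print(line)
```

Run it from outside your perimeter (a cloud VM or a home connection) against your public address ranges; a result obtained from inside the LAN says nothing about internet exposure. Anything reported on 3389 should be taken off the internet or put behind a VPN or gateway with MFA rather than merely moved to another port, since services such as Shodan fingerprint RDP by its protocol response and not only by port number.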

Access Control, Authentication and Principle of Least Privilege

With ransomware attacks so often involving compromised user accounts, the most effective defenses are multi-factor authentication, strong passwords and an account lockout mechanism. These controls make it far more difficult for threat actors to take over user accounts, which is particularly important when employees access the network remotely. Lockout thresholds should be tuned with care: a threshold that trips too easily lets an attacker lock legitimate users out at will, and attackers sidestep lockout altogether by trying one password across many accounts (password spraying), which only monitoring will catch. Restricting access for authorized users and devices according to the principle of least privilege helps prevent further exploitation or infection, because the same restrictions apply to threat actors once they are inside the network. Additional controls include IP whitelisting (allowlisting), which limits access to trusted users and devices, and the use of VPNs to encrypt all traffic to and from remote users and devices.

Heuristic Malware Detection and Continuous Monitoring

An initial network compromise does not have to become a fully-fledged ransomware infection of critical files and systems, especially when threat actors first install a backdoor to study the environment or attempt privilege escalation. Backdoors are harder to detect than ordinary malware because their purpose is to give threat actors stealthy access to a system. Intrusion detection or prevention systems that incorporate heuristic and behavioral analysis should be deployed at both the host and network level, since purely signature-based detection will miss many backdoors, particularly custom or freshly repacked ones. Continuous monitoring is imperative, with alerts acted on immediately, because threat actors may act on their backdoor access within hours or days.
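The account lockout and continuous monitoring controls above are worth pairing with detection for the RDP credential attacks described in the Gaining Access phase. The following is an added example, not code from the article or from Stroz Friedberg, that runs three simple rules over Windows Security log events: repeated failures from one source (brute force), one source failing against many different accounts (password spraying, which lockout thresholds alone usually miss), and a success that follows a run of failures (the account is probably now in the attacker's hands). The events are constructed, and the thresholds, field names and logon-type handling are assumptions to adjust for your own log pipeline.

```python
"""Rules for RDP credential attacks over Windows Security log events.
Added example with constructed data; thresholds and field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 = failed logon, 4624 = successful logon. LogonType 10 = RemoteInteractive (RDP);
# with Network Level Authentication enabled, failed RDP logons are often logged as type 3.
FAILED, SUCCESS = 4625, 4624
RDP_LOGON_TYPES = {10, 3}


def _ev(ts, event_id, user, src, logon_type=10):
    return {"ts": ts, "id": event_id, "user": user, "src": src, "type": logon_type}


# Constructed sample log (not real telemetry):
EVENTS = (
    # 198.51.100.7 hammers the built-in administrator account, then gets in.
    [_ev(f"2021-03-15T02:00:{s:02d}", FAILED, "administrator", "198.51.100.7") for s in range(0, 60, 10)]
    + [_ev("2021-03-15T02:01:05", SUCCESS, "administrator", "198.51.100.7")]
    # 198.51.100.23 tries one password against twelve different accounts (spray).
    + [_ev(f"2021-03-15T03:00:{i * 4:02d}", FAILED, f"user{i:02d}", "198.51.100.23", 3) for i in range(12)]
    # 10.0.0.5 is a real user who mistyped a password twice; this must not alert.
    + [_ev("2021-03-15T08:00:00", FAILED, "jsmith", "10.0.0.5"),
       _ev("2021-03-15T08:00:20", FAILED, "jsmith", "10.0.0.5"),
       _ev("2021-03-15T08:00:40", SUCCESS, "jsmith", "10.0.0.5")]
)


def detect(events, window=timedelta(minutes=10), fail_threshold=5,
           spray_accounts=8, success_after=3):
    """Return alerts for brute force, password spraying and success-after-failures,
    evaluated per source address over a sliding time window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        if e["type"] in RDP_LOGON_TYPES:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        recent = []    # failures from this source inside the window
        fired = set()  # rules already raised for this source (one alert each)
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            recent = [f for f in recent if t - datetime.fromisoformat(f["ts"]) <= window]
            if e["id"] == FAILED:
                recent.append(e)
                accounts = {f["user"] for f in recent}
                if len(recent) >= fail_threshold and "brute_force" not in fired:
                    fired.add("brute_force")
                    alerts.append({"rule": "brute_force", "src": src, "count": len(recent), "at": e["ts"]})
                if len(accounts) >= spray_accounts and "password_spray" not in fired:
                    fired.add("password_spray")
                    alerts.append({"rule": "password_spray", "src": src,
                                   "accounts": len(accounts), "at": e["ts"]})
            elif e["id"] == SUCCESS and len(recent) >= success_after:
                # A success on the heels of repeated failures is the signal that matters most:
                # the attacker is now inside and the lockout never tripped.
                alerts.append({"rule": "success_after_failures", "src": src, "user": e["user"],
                               "failures": len(recent), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The success-after-failures rule is the one to page on: it is the moment an account such as the built-in administrator becomes an RDP foothold, and it fires even when the failure count stayed below the lockout threshold. The spray rule exists because a single attempt per account never trips lockout at all.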

Frequent and Protected Backups

The ability to successfully recover from a data backup is one of the most effective weapons against ransomware attacks. Organizations should follow the "3-2-1 Data Backup Rule": maintain three copies of critical data (the production data plus two backup copies) on two different media (for example disk and tape), with one copy kept off-line, segregated or immutable so that neither an intruder with stolen credentials nor the ransomware itself can reach it. Organizations should also confirm that all critical data is included in the backup process and run periodic restore tests and failovers to ensure that backups are correctly configured and actually restorable; a backup that has never been restored is an assumption, not a control. Backup consoles and credentials deserve the same protection as domain administrator accounts, since attackers who reach them will delete backups before encrypting. All of these measures significantly reduce the risk of threat actors or the ransomware itself accessing and destroying the available backups. Ransom payment should never be a consideration if files or systems can be restored from backup.
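As an added example of turning the 3-2-1 rule and the restore-test advice above into a check (not the article's own code), the script below reads a constructed backup manifest, reports for each critical dataset which part of 3-2-1 it fails and whether the newest backup is older than the recovery point objective, and verifies a restored object against the hash recorded at backup time. The dataset names, manifest layout, flags and RPO are assumptions.

```python
"""Check a backup inventory against the 3-2-1 rule and verify a test restore.
Added example; the manifest, dataset names and RPO are constructed assumptions."""
import hashlib
from datetime import datetime, timedelta

# Assumed inventory of data the business cannot operate without.
CRITICAL_DATASETS = {"erp-db", "fileshare", "ad-system-state"}

# Constructed manifest: every copy of each dataset, including production.
# offline = not reachable over the network; immutable = object-lock / WORM storage that
# cannot be deleted or rewritten even by whoever holds the backup credentials.
MANIFEST = {
    "erp-db": [
        {"copy": "production", "media": "disk", "offline": False, "immutable": False},
        {"copy": "nas-snapshot", "media": "disk", "offline": False, "immutable": False,
         "taken": "2021-03-30T23:00:00"},
        {"copy": "tape-vault", "media": "tape", "offline": True, "immutable": False,
         "taken": "2021-03-28T23:00:00"},
    ],
    "fileshare": [
        {"copy": "production", "media": "disk", "offline": False, "immutable": False},
        {"copy": "nas-replica", "media": "disk", "offline": False, "immutable": False,
         "taken": "2021-03-31T01:00:00"},
    ],
    # ad-system-state is missing on purpose: "all critical data" is not covered.
}


def check_321(manifest, critical, now, rpo=timedelta(hours=24)):
    """For each critical dataset return its list of 3-2-1 / freshness findings (empty = compliant)."""
    findings = {}
    for ds in sorted(critical):
        copies = manifest.get(ds, [])
        backups = [c for c in copies if c["copy"] != "production"]
        if not backups:
            findings[ds] = ["not backed up at all"]
            continue
        issues = []
        if len(copies) < 3:
            issues.append(f"only {len(copies)} copies (3-2-1 needs three)")
        if len({c["media"] for c in copies}) < 2:
            issues.append("all copies on one media type (3-2-1 needs two)")
        if not any(c["offline"] or c["immutable"] for c in backups):
            issues.append("no off-line or immutable copy: an intruder with backup access can delete every copy")
        newest = max(datetime.fromisoformat(c["taken"]) for c in backups)
        if now - newest > rpo:
            issues.append(f"newest backup is {now - newest} old, exceeds RPO of {rpo}")
        findings[ds] = issues
    return findings


def verify_restore(restored: bytes, expected_sha256: str) -> bool:
    """Restore test: a restored object must hash to the digest recorded when the backup was taken."""
    return hashlib.sha256(restored).hexdigest() == expected_sha256


if __name__ == "__main__":
    now = datetime.fromisoformat("2021-03-31T08:00:00")  # assumed "today"
    for ds, issues in check_321(MANIFEST, CRITICAL_DATASETS, now).items():
        print(ds, "OK" if not issues else "; ".join(issues))
```

Feed the check from the backup system's own catalog rather than a hand-maintained list, and keep the recorded digests somewhere the backup credentials cannot modify; otherwise an intruder who has reached the backup console can make a deleted or encrypted backup look healthy.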

Data Encryption and Segmentation

Preventing criminals or ransomware from stealing sensitive data should be a goal in itself; it also reduces the attackers' leverage in forcing payment. This is best achieved by storing sensitive data encrypted to begin with, segmenting the data repository from the main network and requiring multi-factor authentication to access it. Note that encryption at rest only helps against an intruder who has not obtained the keys or a legitimate session: an attacker operating with a stolen account reads the data exactly as that user would, which is why the segmentation and MFA matter as much as the encryption. Where such controls were not in place or were circumvented, it should be noted that there are typically no legal or regulatory benefits to paying a ransom in order to avoid public disclosure of sensitive data; in most cases a threat actor's promise to delete stolen data if paid makes no difference to the organization's legal or regulatory obligations.

Endpoint Detection and Response

At the stage when ransomware is installed there is still an opportunity to contain it before it spreads across the network. Endpoint detection and response (EDR) works by continuously recording endpoint and network activity and analyzing it centrally with behavioral analytics enriched by threat intelligence. The system baselines the normal behavior of endpoints and can flag an unusual pattern, such as a single process rapidly rewriting and renaming large numbers of files or deleting volume shadow copies, as a probable attack and respond in real time by isolating the host or killing the process.

Incident Response Support

Few organizations have the internal capabilities to respond to a ransomware attack. Being prepared means having an experienced incident response provider readily available, either through a cyber insurance carrier or under a retainer, to help the organization consider every option for avoiding ransom payment. If all such options have been exhausted, the incident response firm can assist with negotiating the ransom and with the checks a payment requires, including that it would not go to a sanctioned entity. Threat actors have only one objective in ransomware: getting paid, which means they are typically willing to negotiate. Initial demands are usually reduced by more than 50% in such negotiations, something few organizations would know without the support of an experienced incident response firm. Regardless of whether a ransom is paid, costs are reduced dramatically when incident response providers are part of the process, especially in attacks that involve data theft.

Disaster Recovery Planning

Since most organizations will likely experience attempted ransomware attacks, if not successful ones, it makes sense to plan for such events. Such plans should include:

1) the key personnel responsible for executing the plan, and the third-party incident response support they will call on;
2) a map of critical data and network resources, including dependencies on third-party service providers, since they could also fall victim to a ransomware attack with impact on the services they provide to the organization;
3) a description of the backup and recovery procedure;
4) the recovery time objective; and
5) communication to any customers or business partners that might be impacted by the attack.

Having a robust disaster recovery plan will reduce the impact and financial loss associated with a ransomware attack.




This material was created in partnership with Stroz Friedberg, a CyberChoice First Responder℠. To learn more about Stroz Friedberg and their incident response and proactive cybersecurity consulting services, please visit https://www.aon.com/cyber-solutions/solutions/digital-forensics/


©2021 The Hartford

The information provided in these materials is intended to be general and advisory in nature. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations contained herein are as of March 2021.
