August 29, 2019

Ransomware – It Never Went Away – WST

Unfortunately, ransomware (malware that encrypts an organization's files and demands payment to decrypt them) is still a current and very real threat. Like all attack methods, it has only matured and become more dangerous over time. Automated ransomware is getting better at finding and quickly encrypting as much as possible. Meanwhile, more skilled attackers have found that once they breach a network via phishing and gain admin access to the environment, they can destroy the backups first and then encrypt everything, which makes a victim payout much more likely.

If you haven't already, there is no time like the present to take stock of your readiness against this type of incident. Good anti-malware controls, restricting users' local privileges, restricting the execution of unnecessary scripts, and user security awareness have been, and continue to be, the first line of defense against ransomware attacks. Unfortunately, someone, somewhere is going to have a bad day and run something they shouldn't. At that point, layered security controls are key. Some additional recommendations:

  • If a user runs ransomware, at a minimum it can find and encrypt any files that user can access. Remember least privilege: if a user doesn't need access to a shared folder to do their normal duties, restrict access.
  • Backups will be your only way out if ransomware encrypts a large amount of data, so make sure they are safe. Critical backups should be kept offline, or only accessible in an out-of-band fashion. Remember, ransomware attackers will be looking for them. Keeping backups off the network, or reachable only via separate protocols and separate authentication, can help keep them safe.
  • Make sure your Incident Response (IR) plan has a "playbook" for a ransomware attack. Just as important, this plan should be rehearsed. Ransomware attacks can be devastating and far reaching, making even basic response tasks difficult. Make testing your ransomware response plan part of your next IR tabletop exercise, if you haven't already.
  • As with backups, make sure copies of critical documentation, diagrams, essential tools, and the IR plan itself are also kept offline. You don't want your response plan encrypted and inaccessible when you need it most!
