Over the last couple of years, we have seen the emergence and rapid rise of ransomware as an extremely potent cyber attack. We have observed, and written about attacks like Bad Rabbit, NotPetya, and WannaCry. As businesses increasingly rely on digital systems, networks, and data for operations, the value of maintaining the integrity of these resources becomes equally critical. Ransomware is one of the most common and destructive cybersecurity attack threatening these digital resources.
A ransomware infection is particularly worrisome to SOC analysts because unlike APTs, data exfiltration and low-and-slow attacks, there is usually no advance warning of a ransomware infection. The attack is also very fast acting, often capable of encrypting or otherwise locking down thousands of target files in a matter of minutes. When organizations are attacked (as opposed to individual/personal computers) the ransomware often infects shared data and drives, rendering the resource useless for entire departments or the whole company. The attack could have life-threatening effects when organizations like a hospital, critical infrastructure or transport system is the victim. Most organizations quickly resign themselves and pay the ransom because the ongoing losses – both potential and real, are too great compared to the ransom demands.
There are many methods hackers use to infect an organization’s IT systems with ransomware. By far the most common method is through phishing email campaigns. This technique introduces a compelling message that convinces the victim to open an infected document, e.g. an Adobe PDF, Microsoft Excel or Word file or even an infected image file. Other attack vectors include exploiting software vulnerabilities, social engineering, and even removable media.
So how can organizations protect themselves from falling prey to a ransomware outbreak? For effective resilience in the face of ransomware outbreaks a complete people, process, and product approach is necessary.
The first component of this approach – people involves effective training across the organization. Educating users to build awareness reduces the chance that phishing campaigns will be effective. Encouraging users to rely on good “cyber hygiene” practices is also key – ensuring that they keep their devices up to date, identifying and avoiding suspicious public WiFi access points and keeping regular backups of their important files are all practices that reduce the risk of infection, and minimize the impact of a successful attack.
The second component – process ensures that in case of a successful ransomware attack, the number of users, devices and amount of data compromised is minimal. The incident response triage actions, when well defined and quickly executed, can go a long way in realizing this goal. This component is particularly important given the speed with which ransomware attacks occur. If a user is tricked by a phishing email, instantly informing the IT security team, quickly shutting down the network connection(s) and powering off the device if possible are all steps that will prevent a massive impact. Additional IR processes executed quickly by the security analysts can ensure the ransomware does not spread across the organization or access data on shared resources.
The third component is leveraging the technologies that prevent and the execution of a ransomware attack, minimize the impact and speed recovery in case one does get through. We have seen a rash of successful ransomware attacks over the last year, and this trend is likely not going to change in the upcoming year(s). Organizations have relied on perimeter, network and endpoint security products in the hopes of preventing such attacks. But in deploying these point products, are faced too many products to manage with too many alerts that do are not correlated together. SOC teams therefore still are struggling with the overall visibility and intelligence across these point products.
They must consider technologies that are able to collect the relevant data from across their enterprise, make sense of the point alerts in context of other events and then intelligently cut through the noise to identify the imminent, sophisticated attacks that lead to ransomware infections. And the technologies must be able to do this at scale. Organizations that deploy such machine learning and AI-based security monitoring solutions, train their users appropriately and implement effective triage and recovery processes will be much better prepared to defend against ransomware attacks.