Combatting ransomware means starting at the end…

Published: Tuesday, 22 February 2022 09:05

It’s not just the initial ransomware attack that organizations need to be concerned with, it’s also the aftermath. The questions of: Is it over? How do we recover? What is stopping threat actors from doing it again? Ed Williams looks at ransomware incident management.

Ransomware is one of the most feared threats in the cyber security landscape. Its ability to not only cause financial loss but also obliterate a business’ ability to function in a single attack makes it a force to be reckoned with. In addition, it’s getting harder to assess whether the attack is over or if there’s more to come.

The devastating impact of ransomware should be enough to trigger mass preparation within all organizations, but that isn’t always the case. Unfortunately, the nature of cyber security means you don’t necessarily see the true extent of your ROI until an attack actually takes place, and by that time, it’s already too late. Selling the need for additional security measures to the board without being able to back it up with strong numbers and guarantees is extremely challenging. And with it being so easy to believe that these attacks will never happen to us, businesses often end up short-changing their security measures.

So, to truly understand the value of cyber security and simultaneously lessen the ransomware aftermath, we need to start at the end and work backwards. And that means beginning with the situation that no organization wants to end up in – picking up the pieces after a cyber attack.

Phase 3: what is the impact on the business?

Understanding where the true value of cyber security lies when it comes to ransomware means taking a sneaky look at the final page in the book. Rather than working through the story in chronological order, it’s time to spoil the ending and work backwards.

So, in the scenario when ransomware is successful in breaching the network perimeter and reaches its target, what is the impact?

Ransomware usually has the same three purposes: encrypting critical information, exfiltrating data, and identifying and destroying company backups. If the attacker is successful in achieving at least one of these targets, the organization could be looking at serious financial and reputational damage. And unfortunately, the threats do not end there. One of the most dangerous aspects of ransomware is that it could sit in your network undetected for any length of time, monitoring activity, recording patterns, and feeding critical information back to the attacker before the encryption routine is ever triggered. Plus, once the initial attack has taken place, there is no guarantee that the adversary won’t return at a later date to repeat their previous campaign.

It can take months, and even years in some circumstances, to recover from a full-blown ransomware breach. If the attack targets the company’s backups, it greatly lengthens the time it takes to restore the business to its former standing.

So, now that we’ve addressed how devastating a ransomware attack can be, let’s explore the different ways ransomware is deployed.

Phase 2: how does ransomware operate?

Ransomware has been developing over the past decade, but the typical entry points haven’t changed. The popular methods for attackers are phishing/email compromise, password guessing, and exploitation of vulnerabilities. Even in a landscape of rapidly advancing technologies with mind-blowing capabilities, it’s still the small mistakes that can have the biggest fallout. Once the initial entry point has been identified, attackers can scale up their campaigns to target all manner of organizations, with a particular focus falling on supply chains. The countless connections and unlimited collaboration that take place within the chain make it a hot target for criminals and ransomware.

We’ve all witnessed the acceleration in ransomware attacks, and are familiar with the usual culprits, including low-hanging fruit vulnerabilities and rapid adoption of the cloud. As an industry, we’re simply unable to patch quickly enough to stay ahead of attackers, and there are still far too many weak passwords left unchecked and vulnerable to exploitation.

The silver lining is that we are seeing a convergence in the ways that threats and vulnerabilities are being reported. However, while there is more emphasis on ransomware readiness, businesses will remain on the back foot if simple errors like unpatched networks and weak passwords are overlooked.

Phase 1: what measures should be taken pre and post attack?

So, we’ve ended up in the spot where most organizations are currently standing: the blissful time before the chaos descends. Knowing what is awaiting us further down the line, it should hopefully become clear what preparations need to take place to avoid it. The first step towards a stronger security posture is to assess and identify your most valuable data. Now, what would happen if that data fell into the wrong hands? We already know the answer to that question. And fortunately, the solution can be summed up in two words: simplicity and proactivity.

Ransomware is often seen as being solely an IT security problem, but in reality, it isn’t. Again, the top three ways that ransomware enters the network are phishing/email compromise, password guessing, and exploitation of vulnerabilities, all of which stem from human error. Network infrastructure is dependent on people, processes, and technology – if just one element is neglected, the whole system falls apart.

There are hundreds of anti-ransomware products on the market with varying degrees of success, but before these solutions even come into play, the fundamentals must first be addressed. It’s essential that organizations maintain up-to-date patching, regularly assess the strength of passwords, and apply the principle of least privilege to stay ahead of criminals. Cyber security works best when it’s kept simple: there is far less room for error, and it is much easier to manage.

But as we know, it is impossible to prevent every single attack, so part of the preparation must include a business continuity plan for when the inevitable happens. The 30-day period after exploitation is critical and should prioritise the hunt for malware lurking in the network that could grant access for ransomware further down the line.

Skip to the end to find the start

Mitigating the aftermath of a ransomware attack is a company-wide responsibility. Gaining full support from the board is therefore critical throughout the cyber security journey, but it can be hard to demonstrate the ROI. The budgets available for security increase very quickly after an attack, so the key is to acknowledge the value before it comes to such drastic circumstances. In this situation, we don’t want a surprise ending – we want to know exactly what’s waiting for us down the line, so that we can prepare ahead of time. It’s time to sneak a peek at the last page of the book, so we know where we need to begin our journey.

The author

Ed Williams is EMEA Director of SpiderLabs, Trustwave