You have likely seen the news about the growing reality of ransomware and how it is impacting companies and government entities worldwide. Ransomware is not new, but the severity, reach and cost of this threat keep climbing, and it has risen to the level of a national security concern. Ransomware is an existential threat to businesses large and small, so it is crucial that companies start taking steps now to reduce the risk of ransomware and other cyber attacks.
As a network security provider with years of in-the-trenches ransomware defense and enterprise-level recovery experience, we understand the real threat and how long and painful the road to recovery can be. We have seen firsthand companies that had been successful for hundreds of years put out of business by a single ransomware event. Firms ranging from a solo law practice to companies with hundreds of employees have ceased operations. Owners have liquidated 401(k)s and life savings just to keep the company going after an event. Even where insurance is involved, the claims process takes days to months and always carries costs beyond what the policy covers.
The average ransom amount for just one of the hundreds of ransomware variants has risen to $939,063 per victim, and the ransom is only the beginning of the cost of being a victim. Lawyers, incident response (including forensics and remediation), reputational damage, replacement computing devices, potential breach notification, lawsuits, fines and more are all normal recovery expenses. Many companies also lose employees and clients because of these attacks. These expenses are often a multiple of the ransom and cannot be avoided even if you choose not to pay the demand or have a fully viable backup.
Apply the following mitigations to reduce the risk of ransomware and other cyber attacks…
• Require multi-factor authentication for all local and remote network access of any kind, and additionally for every admin, domain and application management function.
• Patch ALL systems and patch frequently. This includes all OS patches AND third-party software. Patches should be deployed within a short period of vendor release; our recommendation is to patch at least once a month. Emergency security patches for actively exploited (zero-day) vulnerabilities should be deployed as soon as is practical for your environment, subject to service availability. See article: Small and midsize businesses can mitigate security risks with patch management.
• Manage or remove deprecated or end-of-life systems so that they cannot be compromised through known security vulnerabilities the vendor is no longer fixing. If the system cannot be retired, place it in a ‘DMZ’ behind a security device that allows only the specific source addresses, destination addresses and port numbers it genuinely needs, to minimize your risk.
• Update Firewalls and other network device firmware.
• Enable strong spam (email) filters to prevent malware-infected and phishing emails from reaching users. Filter out executable attachments and links that lead to infected sites.
• Implement user training and simulated attacks to show users which actions typically cause malware infections and credential capture, such as opening malicious email attachments or visiting infected websites.
• Filter network traffic to stop communications with known malicious IP addresses.
• Implement URL reputation services to block known malicious websites and classes of websites such as pornography, gambling, hacking, etc.
• Limit access to data and other assets to an as-needed basis, internally and externally. Segment your network!
• Restrict remote system access and implement best practices such as a VPN, an RDP gateway and required multi-factor authentication; never expose RDP directly to the Internet.
• Use antivirus/antimalware with real-time (active) scanning, up-to-date signatures and behavioral analytics.
• Remove all local admin rights and restrict non-IT staff to standard user rights. Never use accounts with admin-level rights for non-admin functions.
• If you can, BLOCK (and if not, disable) Office macros, and/or consider using browser isolation or Office Viewer software to open Microsoft Office files that were not created internally or that arrived from outside.
• Implement a backup system that covers all critical data and system states. Do full restore testing on a regular schedule and follow your emergency plans during the test, so you know they will work when you need them.
• Avoid paying a ransom by:
a. isolating backups from the network; and
b. instituting insider protections. Many threat actors gain domain-level access. Remember: if you can delete, corrupt or encrypt your backup, so can the threat actor. This includes every form of backup, including cloud. If they are acting as an admin and have access to your documentation, email, passwords, etc. (which they most often do), even cloud services or so-called “offline” copies that are still reachable from the network will not help you; and
c. storing offline image templates with the appropriate preconfigured operating systems and applications to rebuild more quickly; and
d. storing license keys, source code and copies of executables offline where they cannot be encrypted, deleted, or corrupted.
• Get breach insurance that covers ransomware…this is a significant subject we only touch on here due to the complexity and importance. See Top 5 Reasons to Buy Cyber Breach Insurance and Does Your Firm Qualify for Cyber Breach Insurance? for more info.
• Ensure your exception-based monitoring can immediately trigger alerts on common indicators of a security breach, and that escalation procedures are in place so that an engineer assesses the situation very quickly, regardless of the day of the week or time of day. CRITICAL NOTE: For most large-scale ransomware events, the encryption process is started at night or on weekends, and most often on holiday weekends.
• Create a Business Continuity Plan (BCP) for security events. Run table-top exercises so that all staff know their responsibilities and what to do, as rapidly and error-free as possible. MINUTES matter in ransomware breaches.
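The backup bullets above make one point worth operationalizing: a threat actor with admin rights can silently encrypt, delete or seed your backup set long before you try to restore it, so restore testing should compare what comes back against a record the attacker could not reach. The following is an added example, not code from the original article or any product: it records a SHA-256 manifest of a backup set at backup time (the manifest is small enough to keep on offline media), then checks a restored copy against it. The directory layout, file contents and the tampering simulated in demo() are constructed for illustration.

```python
"""Added example, not code from the original article: build a SHA-256 manifest
of a backup set at backup time, keep the manifest on offline media, and check a
restored copy against it during restore testing. The directory layout and the
tampering simulated in demo() are constructed for illustration."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backup files need no RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root, manifest):
    """Compare a restored tree with the offline manifest. Every list empty means
    the restore matches what was backed up; anything else means the backup was
    altered (encrypted, deleted or seeded) between backup and restore."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo(tamper):
    """Create a constructed backup set, record its manifest, optionally simulate
    an attacker with admin rights altering the set, then run the restore check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "ledger.csv").write_bytes(b"acct,amount\n1001,250.00\n")
        (root / "finance" / "contracts.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (root / "README.txt").write_bytes(b"quarterly backup set, constructed")
        manifest = build_manifest(root)  # in practice, written to offline media here
        if tamper:
            (root / "finance" / "ledger.csv").write_bytes(os.urandom(64))  # "encrypted" in place
            (root / "README.txt").unlink()                                  # deleted
            (root / "HOW_TO_RECOVER.txt").write_bytes(b"constructed ransom note")  # seeded
        return verify_restore(root, manifest)


if __name__ == "__main__":
    print("clean restore:   ", demo(tamper=False))
    print("tampered restore:", demo(tamper=True))
```

The manifest only proves anything if it is generated by a process the domain admin account cannot alter and is stored where that account cannot reach it; a manifest kept on the same share as the backup is just one more file for the attacker to rewrite.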
If you think you may have ransomware, or even its known precursors, do not panic; panic causes mistakes, and a wrong move early in the process can destroy any chance of full recovery. Take it very seriously and act quickly. Disconnect all devices from the Internet (and from all wireless networks), then call us immediately and we will begin to guide you through the response. Hesitation can be a HUGE mistake. Waiting a few hours, or until the next morning, has resulted in infections that could have been stopped.
We have seen cases where swift action on first awareness would have saved hundreds of thousands to millions of dollars in costs, months of negative impact, and even jobs. If you make the wrong move, threat actors will often realize you have discovered them and pull the trigger on their plans early. You may have only minutes to stop them from executing.
a. Do NOT search for help or information on ransomware, or do anything else from a potentially compromised machine or network that may tip off the attackers. They are very often watching what is happening on your computers and network and will trigger their encryption earlier than planned.
b. Do NOT shut down a device that is known to be in the process of encrypting. You may corrupt the OS or other applications and make recovery using the decryption keys impossible.
c. Do NOT communicate over the company network, company email, IP phones, Teams, Slack, etc., as the attackers are VERY OFTEN listening to and reading your communications. Use an out-of-band channel, such as personal mobile phones.
d. Do NOT communicate with the threat actor until you have the support you need. Contact often starts a timer, and having the right negotiator can have a massive impact on the outcome.
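The monitoring bullet in the mitigations list asks for alerts on common breach indicators with escalation regardless of the hour, and the response guidance above stresses that minutes matter once encryption starts. The following is an added example, not code from the original article or any monitoring product, showing the shape of such a rule: it runs over constructed file-activity events, flags a burst of renames to an unrecognized extension by one host/user pair and the creation of a ransom-note-style file, and escalates severity when the activity falls at night, on a weekend or around a holiday, which is exactly when the article says most large-scale encryption starts. The event layout, thresholds, extension list, note-name patterns and holiday calendar are assumptions chosen for illustration.

```python
"""Added example, not code from the original article: a minimal exception-based
rule of the kind the monitoring bullet calls for, run over constructed
file-activity events. Event layout, thresholds, the holiday calendar and the
ransom-note name patterns are assumptions chosen for illustration."""
from collections import deque
from datetime import date, datetime, timedelta

# Assumed tuning: this many renames to an unrecognised extension by one
# (host, user) pair inside the window is treated as encryption starting.
RENAME_THRESHOLD = 20
WINDOW = timedelta(seconds=60)
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "bak", "tmp", "zip"}
RANSOM_NOTE_MARKERS = ("decrypt", "recover_files", "restore_files")  # illustrative substrings
HOLIDAYS = {date(2023, 7, 4)}                                        # assumed holiday calendar


def risk_window(ts):
    """Reasons the timestamp falls in a window attackers prefer (empty in business hours)."""
    reasons = []
    if ts.weekday() >= 5:
        reasons.append("weekend")
    if ts.hour < 7 or ts.hour >= 19:
        reasons.append("night")
    if any(h - timedelta(days=1) <= ts.date() <= h + timedelta(days=1) for h in HOLIDAYS):
        reasons.append("holiday-window")
    return reasons


def _alert(kind, ts, host, user, path, count=None):
    reasons = risk_window(ts)
    return {"kind": kind, "severity": "critical" if reasons else "high",
            "timing": reasons, "host": host, "user": user,
            "when": ts.isoformat(), "path": path, "count": count}


def detect(events):
    """events: time-ordered (iso_timestamp, host, user, action, path) tuples.
    Returns alerts; the mass-rename alert fires once per (host, user) pair."""
    alerts, windows, fired = [], {}, set()
    for ts_str, host, user, action, path in events:
        ts = datetime.fromisoformat(ts_str)
        name = path.rsplit("/", 1)[-1].lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if action == "create" and any(m in name for m in RANSOM_NOTE_MARKERS):
            alerts.append(_alert("ransom-note-dropped", ts, host, user, path))
        elif action == "rename" and ext not in KNOWN_EXTENSIONS:
            key = (host, user)
            recent = windows.setdefault(key, deque())
            recent.append(ts)
            while ts - recent[0] > WINDOW:  # drop renames older than the window
                recent.popleft()
            if len(recent) >= RENAME_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(_alert("mass-rename-burst", ts, host, user, path, len(recent)))
    return alerts


def constructed_events():
    """Constructed sample: a Monday 02:14 rename burst the day before the assumed
    holiday, followed by a ransom note, then benign weekday renames elsewhere."""
    t0 = datetime(2023, 7, 3, 2, 14, 3)
    events = [((t0 + timedelta(seconds=i)).isoformat(), "FS01", "CORP\\jdoe",
               "rename", f"/shares/finance/report_{i}.xlsx.lockd") for i in range(25)]
    events.append(((t0 + timedelta(seconds=26)).isoformat(), "FS01", "CORP\\jdoe",
                   "create", "/shares/finance/HOW_TO_DECRYPT.txt"))
    events += [(datetime(2023, 7, 11, 10, 0, i).isoformat(), "FS02", "CORP\\asmith",
                "rename", f"/shares/hr/policy_v{i}.docx") for i in range(5)]
    return events


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["kind"], a["host"], a["user"], a["when"], a["timing"], a["path"])
```

A rule like this is only useful if the alert reaches a human who will act within minutes; the "critical" severity exists so the off-hours case pages someone rather than waiting in a queue for Monday morning.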
There is much more to this than what is written here. See CRN’s article on the 10 ‘Horrifying’ Ransomware Trends and Best Prevention Methods featuring Alvaka CISO/COO, Kevin McDonald. Reach out to us if you would like to discuss your defensive posture, ransomware readiness, network security or our management solutions.
Please do not hesitate to call if you need help in recovering from any cyber incident. We are available 24/7, 365 days a year. If we cannot help with your specific issues, we will work to assist you in finding the support you require.