Cyber Risks: Ransomware

Cybercriminals treat ransomware as a business, and they constantly adapt their techniques to maximise their profits. Our team helps you protect your organization against these attackss and connect you with expert partners who can provide you with the right services to reduce your cyber risks.

Stages of a ransomware attack

Initial compromise of your environment

Some cybercriminals specialise in gaining initial access, often through phishing or software vulnerabilities, and then sell that access on the dark web.

These initial access criminals scan for vulnerable assets exposed to the internet and exploit known vulnerabilities to gain access to your system. When they cannot exploit devices, they will exploit trust in others. Once they have access, they may chain together additional vulnerabilities to escalate privileges or move around within your network. They will also use legitimate security tools to evaluate your system. .

Malware is deployed

The cybercriminal establishes a command and control (C2) connection from their system to yours and the C2 link allows them access into your network.

Scouting for valuable information

The cybercriminal explores your system to search for valuable resources, such as employee information, banking details, embarrassing personnel records, customer lists, sensitive IP, and backups for business-critical resources and systems.

Evading detection and response

Typically, the cybercriminal takes steps to evade logging, detection, and response.

What the criminals do

Cybercriminals employ several tactics to maximise the damage they cause.

Target backups

Organizations with backups that are difficult for the cybercriminals to reach are much less likely to have to pay a ransom. Cybercriminals often target backups to limit your options in critical situations. They may delete entire virtual machines that host backups or modify business-critical files and wait to launch their full attack once the desired recovery point is no longer available.

Exfiltrate data

In most ransomware incidents, cybercriminals are now also stealing data.

Launch ransomware

Newer ransomware variants can encrypt systems faster and employ better encryption techniques to make recovery harder.

Ransom demand

The cybercriminal demands a ransom payment in cryptocurrency to provide one or more decryption keys for your data. In some cases, they might also promise to delete stolen data.

Cybercriminals recently have used new techniques to increase the pressure on an organization to pay. One technique is to contact employees directly with their personal information attached. They will try to undermine an organization to control the narrative about the incident response and portray the response as ineffectual to add pressure to their ransom demand.

How to protect against ransomware

Improve your email security

Phishing is one of the main ways that cybercriminals steal credentials or get employees to download malicious software.

Reduce exposure to phishing emails

Implement measures that could change the way suspicious emails are handled (SPF, DKIM, DMARC are email security standards that can help to mitigate spam and phishing attacks). Consider blocking emails from new domains, which may have been set up by cybercriminals for phishing.

Patch on-premise email servers to deprive cybercriminals of any low-hanging fruit.

Intelligent email evaluation

Automatically detonate and evaluate inbound attachments and links in a sandbox environment to determine if they are malicious prior to user delivery.

Employee training

Train employees to recognise phishing emails and resist attempts by cybercriminals to steal their login credentials or click on attachments and links.

Patch critical vulnerabilities

Keeping systems and applications up-to-date is critical in preventing unauthorised access and malware infections.

Manage access

Put in place appropriate measures for general user and system access across the organization: privileged access for critical assets (servers, end-points, applications, databases, etc.) and enforce multi-factor authentication (MFA).

Manage your assets

Your asset management inventory system should include an asset discovery tool that continuously maps devices on your internal network, an up-to-date asset database, and an up-to-date configuration management database.

Implement EDR

When effectively deployed and monitored, end-point detection and response (EDR) tools are one of the best defences against ransomware and other malware attacks.

EDR solutions monitor servers, laptops, desktops and managed mobile devices for signs of malicious or unusual user behavior/activity. These tools also enable quick response by trained security experts. EDR needs to be in enforcement mode rather than audit mode.

Get a configuration assessment or penetration testing

Many organizations benefit from external help to identify weaknesses in firewalls or switches leading to lateral movement in their system, and to understand how a cybercriminal might be able to move around their system.

Secure your backups

Backups should be on a non-virtual device, and immutable if possible. If backups are actively replicated to an off-site facility, the compromise of one copy could render the other useless.

How to respond to a ransomware attack

We encourage policyholders who experience an actual or suspected incident to notify us immediately.

CTA to Notify a Claim or Incident

Keep evidence

Keep firewall logs, which roll over quickly. If you have centralised logs, protect them and keep a copy. If possible, disconnect suspected compromised devices from the network. Try to avoid turning them off if possible.

Change passwords

Resetting users' passwords may not prevent a cybercriminal from using stolen credentials. Change the password for the KRBTGT account twice to prevent a golden ticket attack.

Learn more

Protect backups

Take at least one copy of backups offline. Test backups to ensure they’re valid. Evaluate the restore point for signs of persistence.