Cyber Risks: Ransomware
Protecting against a ransomware attack requires the right approach to IT security and risk management, including a defence-in-depth approach to securing your environment.
Cybercriminals treat ransomware as a business, and they constantly adapt their techniques to maximise their profits. Our team helps you protect your organization against these attacks and connects you with expert partners who can provide you with the right services to reduce your cyber risks.
Stages of a ransomware attack
Initial compromise of your environment
Some cybercriminals specialise in gaining initial access, often through phishing or software vulnerabilities, and then sell that access on the dark web.
These initial access criminals scan for vulnerable assets exposed to the internet and exploit known vulnerabilities to gain access to your system. When they cannot exploit devices, they will exploit trust in others. Once they have access, they may chain together additional vulnerabilities to escalate privileges or move around within your network. They will also use legitimate security tools to evaluate your system.
Malware is deployed
The cybercriminal establishes a command and control (C2) connection from their system to yours, and this C2 link gives them access to your network.
Scouting for valuable information
The cybercriminal explores your system to search for valuable resources, such as employee information, banking details, embarrassing personnel records, customer lists, sensitive IP, and backups for business-critical resources and systems.
Evading detection and response
Typically, the cybercriminal takes steps to evade logging, detection, and response.
What the criminals do
Cybercriminals employ several tactics to maximise the damage they cause.
Target backups
Organizations with backups that are difficult for the cybercriminals to reach are much less likely to have to pay a ransom. Cybercriminals often target backups to limit your options in critical situations. They may delete entire virtual machines that host backups or modify business-critical files and wait to launch their full attack once the desired recovery point is no longer available.
Exfiltrate data
In most ransomware incidents, cybercriminals are now also stealing data.
Launch ransomware
Newer ransomware variants can encrypt systems faster and employ better encryption techniques to make recovery harder.
Ransom demand
The cybercriminal demands a ransom payment in cryptocurrency to provide one or more decryption keys for your data. In some cases, they might also promise to delete stolen data.
Cybercriminals have recently used new techniques to increase the pressure on an organization to pay. One technique is to contact employees directly with their personal information attached. They will also try to undermine an organization by controlling the narrative about the incident response and portraying the response as ineffectual, adding pressure to their ransom demand.
How to protect against ransomware
Improve your email security
Phishing is one of the main ways that cybercriminals steal credentials or get employees to download malicious software.
Reduce exposure to phishing emails
Implement measures that change the way suspicious emails are handled: SPF, DKIM and DMARC are email security standards that can help to mitigate spam and phishing attacks. Consider blocking emails from new domains, which may have been set up by cybercriminals for phishing.
Patch on-premise email servers to deprive cybercriminals of any low-hanging fruit.
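As an added illustration of the SPF and DMARC point above (not part of the original page), the following Python sketch audits the TXT records a domain publishes and flags settings that leave spoofed mail deliverable. The function names, domains and records are constructed for the example, and the records are passed in as strings so it runs offline.

```python
# Added example (not from the original page): offline audit of SPF/DMARC TXT records.
# All domains and records below are constructed samples.

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record):
    """Findings for a domain's DMARC TXT record (None means nothing published)."""
    if not record or not record.replace(" ", "").lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers have no policy for mail that fails checks"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: monitoring only, failing mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    return findings

def audit_spf(record):
    """Findings for a domain's SPF TXT record (None means nothing published)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot check which hosts may send for this domain"]
    terms = record.lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated; audit the redirect target instead
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_terms[0] in ("all", "+all"):
        return ["+all: every host on the internet passes SPF"]
    if all_terms[0] == "?all":
        return ["?all: unlisted senders get a neutral result"]
    return []  # ~all (softfail) or -all (fail)

SAMPLES = {  # constructed records for illustration
    "example.com": ("v=spf1 include:_spf.example.net -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "example.org": ("v=spf1 mx +all", "v=DMARC1; p=none"),
    "example.net": (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        issues = audit_spf(spf) + audit_dmarc(dmarc)
        print(domain, "OK" if not issues else issues)
```

In practice the record strings would come from TXT lookups on the domain itself (SPF) and on its `_dmarc` subdomain (DMARC).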
Intelligent email evaluation
Automatically detonate and evaluate inbound attachments and links in a sandbox environment to determine if they are malicious prior to user delivery.
Employee training
Train employees to recognise phishing emails and resist attempts by cybercriminals to steal their login credentials or click on attachments and links.
Patch critical vulnerabilities
Keeping systems and applications up-to-date is critical in preventing unauthorised access and malware infections.
Manage access
Put in place appropriate measures for general user and system access across the organization and for privileged access to critical assets (servers, end-points, applications, databases, etc.), and enforce multi-factor authentication (MFA).
Manage your assets
Your asset management inventory system should include an asset discovery tool that continuously maps devices on your internal network, an up-to-date asset database, and an up-to-date configuration management database.
Implement EDR
When effectively deployed and monitored, end-point detection and response (EDR) tools are one of the best defences against ransomware and other malware attacks.
EDR solutions monitor servers, laptops, desktops and managed mobile devices for signs of malicious or unusual user behavior/activity. These tools also enable quick response by trained security experts. EDR needs to be in enforcement mode rather than audit mode.
Get a configuration assessment or penetration test
Many organizations benefit from external help to identify weaknesses in firewalls or switches leading to lateral movement in their system, and to understand how a cybercriminal might be able to move around their system.
Secure your backups
Backups should be on a non-virtual device, and immutable if possible. If backups are actively replicated to an off-site facility, the compromise of one copy could render the other useless.
How to respond to a ransomware attack
We encourage policyholders who experience an actual or suspected incident to notify us immediately.
Keep evidence
Keep firewall logs, which roll over quickly. If you have centralised logs, protect them and keep a copy. If possible, disconnect suspected compromised devices from the network, and try to avoid turning them off.
Change passwords
Resetting users' passwords may not prevent a cybercriminal from using stolen credentials. Change the password for the KRBTGT account twice to prevent a golden ticket attack.
Protect backups
Take at least one copy of backups offline. Test backups to ensure they’re valid. Evaluate the restore point for signs of persistence.
Alarming statistics: US$4.5 million is the average cost of a ransomware attack, excluding the ransom.
Combatting ransomware demands a comprehensive strategy. From fortifying email security to training employees and securing backups, our team empowers organizations to navigate the evolving landscape of cyber threats effectively.