Ransomware mitigation: Where do we go from here?


Johannesburg, 13 Dec 2021

Following recent headlines surrounding cyber security, it’s reasonable to conclude that ransomware has rapidly become one of the biggest global threats our businesses and institutions face today. These attacks – which infiltrate our networks, lock up critical data and demand a substantial ransom in crypto-currency to restore vital information – have reached crisis proportions, especially in areas like healthcare and government. 

Even as ransomware attacks become ubiquitous, they are evolving into more sophisticated and targeted threats. Ransomware as a service, for example, uses an “affiliate model” built on a network of bad actors and has become a profitable business for organised cyber criminals. Ransomware developed by these criminal gangs (such as DarkSide) is handed to affiliates, who select victims, gain access and deploy the malware. When an affiliate collects a ransom, a percentage goes back to the ransomware developers. The gangs even run criminal “help desks” that, for a fee, walk victims through paying in crypto-currency and recovering their data, and sometimes offer to decrypt a sample file to prove that the decryptor works.

Here’s how it works (diagram not reproduced here; source: Ransomware on the Rise).

Our best strategy for mitigating the devastating impacts of ransomware is to gain a better understanding of the perpetrator’s techniques and to implement ransomware mitigation programs that directly reduce our risks.

Why should preventing and mitigating ransomware be a top priority?

Research just released from ThycoticCentrify confirms that having strategies for mitigating ransomware threats and an incident response plan that is incident-ready must be a top priority for every organisation. ThycoticCentrify’s latest State of Ransomware Survey & Report reveals that roughly two out of three companies surveyed were victims of a ransomware attack in the last 12 months, and of those, more than 80% felt they had no choice but to pay the ransom.

Such numbers are shocking and a warning to the rest of us: ransomware is here to stay until organisations become resilient enough that paying the ransom stops being the default outcome. We must recognise that a ransomware attack is not a matter of if but when. How well we are prepared to respond has far-reaching consequences.

What are the major risks of ransomware attacks?

Initially, ransomware attacks focused on locking up or encrypting data and demanding money in exchange for providing a decryption key to unlock the victim’s information. As more companies than ever have been paying the ransom, usually with crypto-currencies (which are difficult to trace) the amounts demanded have increased as well.

The message to attackers is clear. Restoring a victim’s information is good for business: many companies feel they have no choice but to pay up, they expect to get their information back, and attackers oblige. It is a self-reinforcing cycle that feeds on every successful attack. Recent major incidents have also shown that the decryptors supplied after payment can be slow or unreliable, so even if you do pay the ransom, it can take a long time before your business is back online. It is very likely that the ransomware gangs will improve this in future variants, since a working decryptor is what keeps victims paying.

Exfiltration of critical data

More recently, ransomware attackers use the initial breach to explore and traverse a network undetected, locating and exfiltrating sensitive information before deploying the ransomware payload. The stolen data then becomes a second lever: pay, or it is leaked. This is commonly called double extortion.

I have observed many ransomware cases that specifically target privileged access. Compromising an ordinary user account provides the initial foothold; from there the attackers roam the network and work towards privileged access. Overprivileged users, such as those holding local administrator rights on their workstations, are a favourite target because they give attackers an easy route to harvesting credentials and, eventually, domain administrator accounts.

Once attained, privileged access through service accounts, local admin or domain administrator accounts lets attackers cause as much damage as possible. They can discover where backups and the most sensitive data are located, turn off security tooling, create back door access and elevate themselves to domain administrator status. This is especially dangerous now that many ordinary users should be considered privileged users because of the access they hold, access that an attacker can exploit just as readily.

Compliance and regulatory concerns

Ransomware attacks also have regulatory and compliance consequences, triggering breach reporting obligations under laws such as the CCPA or GDPR once personal data is exposed. So, not only must you deal with unavailable data and systems, but also with the loss or exposure of employee and customer data, which brings liability and legal exposure stemming from compliance violations.

Reputational damage

One thing I’ve seen more frequently is ransomware attackers announcing on Twitter that they have encrypted a victim’s data. In some cases, attackers communicate with your customers directly by tagging your organisation or mentioning it in their own feeds. Organisations therefore have to recognise the potential damage to their reputation and plan their response accordingly.

What techniques do ransomware attackers use to lock up our information?

In the past, ransomware attacks typically targeted a single computer or limited network. When an employee clicked on a link, they unknowingly downloaded malware which would then encrypt the computer or server. A backup restore could usually help fix the problem if one was available.

Today, attackers focus on compromising user credentials and passwords to gain an entry point from which they can exploit our vast connected networks. Once inside the network, undetected, the cyber criminals seek to elevate credential privileges, traverse the network, locate sensitive data and plan how to exfiltrate and encrypt the data.

This dwell time – the period between the attackers’ initial entry and the point at which the intrusion is detected, which is often only when the ransomware is launched – lets them understand the network and find and exfiltrate critical data. They then stage crypto-locking malware on your systems to launch when they are ready. Typically, once an attacker gains domain administrator privileges, it is only a matter of hours before the ransomware is deployed and business comes to a halt.

In many cases, organisations see the only realistic way to get their network back up and running is to pay an exorbitant ransom demand or risk devastating damage to their operations and reputation.

The illustration accompanying this article (not reproduced here) shows the pathway many ransomware attackers follow: breach the organisation’s defences, then exploit and elevate privileges before launching the actual ransomware attack.

A popular ransomware variant called Cryakl (now called CryLock 2.0) has had numerous updates in the past 18 months and now has a much-improved encryption capability that can be especially devastating. CryLock has moved to an affiliate model in which its creators share the cryptor with other ransomware gangs. One group scans your environment, gains initial access and compromises credentials to capture user passwords. It then sells that access to other criminals, who execute the ransomware attack, collect the ransom and share royalties with the ransomware creators.

How to mitigate ransomware

Here are the basic ransomware mitigation strategies you must implement

According to our recent ransomware survey, a majority of organisations report taking the basic cyber security hygiene steps that help prevent ransomware attacks.

This includes:

  • Backing up critical data (57%);
  • Regularly updating systems and software (56%); and
  • Enforcing password best practices (50%).

You should also:

  • Use multi-factor authentication on Internet-facing systems for all users to prevent a relatively easy takeover of their credentials;
  • Develop and deploy a zero-trust strategy that enables you to enforce the principle of least privilege access across applications, cloud platforms, systems and databases. This goes a long way to preventing an attacker from escalating privileges and roaming your network undetected; and
  • Protect and isolate your backup and restore capabilities, keeping at least one copy offline or otherwise out of reach of a domain administrator account, as ransomware attackers routinely seek out backups to encrypt or delete them before deploying the ransomware.
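The last point above implies that you need to be able to tell whether a backup set has been tampered with before you rely on it for recovery. The script below is an added example written for this article (it is not the author’s or any vendor’s code) and makes two assumptions: backups are plain files under one directory, and a SHA-256 manifest was taken at backup time and kept on separate, read-only storage, so an attacker who reaches the backup host cannot rewrite the manifest to match the files they have changed. The sample backup set, the ransom note and the “encrypted” file are constructed inside a temporary directory.

```python
"""Verify a backup set against a manifest stored off the backup host.

Added example, not the article's or any vendor's code. Assumptions:
  * backups are written as plain files under one directory;
  * a SHA-256 manifest was taken at backup time and stored on separate,
    read-only (or WORM) media, so it cannot be rewritten by an attacker
    who has compromised the backup host.
The sample data below is constructed for the demonstration.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Random or encrypted data approaches 8.0 bits/byte; CSV, LDIF and other
# text backups sit well below this. Only meaningful if backups are stored
# uncompressed and unencrypted (compressed archives are also high entropy).
ENTROPY_THRESHOLD = 7.5
MIN_BYTES_FOR_ENTROPY = 256  # too little data gives a noisy estimate


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256, taken at backup time and stored elsewhere."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the on-disk backup set with the trusted manifest."""
    findings = {"missing": [], "modified": [], "unexpected": [], "high_entropy": []}
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        p = present.get(rel)
        if p is None:
            findings["missing"].append(rel)          # deleted by the attacker?
        elif sha256_file(p) != digest:
            findings["modified"].append(rel)         # overwritten, e.g. encrypted
    for rel, p in present.items():
        if rel not in manifest:
            findings["unexpected"].append(rel)       # ransom notes, dropped tools
        data = p.read_bytes()
        if len(data) >= MIN_BYTES_FOR_ENTROPY and shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)     # looks like ciphertext
    for key in findings:
        findings[key].sort()
    return findings


def run_demo() -> tuple:
    """Build a constructed backup set, verify it, then simulate a ransomware run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll").mkdir()
        rows = b"emp_id,amount\n" + b"".join(f"{i},{i * 100}\n".encode() for i in range(300))
        (root / "payroll" / "2021-11.csv").write_bytes(rows)
        (root / "ad-export.ldif").write_text("dn: CN=jsmith,CN=Users,DC=corp,DC=example\n" * 40)

        manifest = build_manifest(root)          # would be copied to read-only media
        clean = verify_backup(root, manifest)    # expect: nothing to report

        # Simulated ransomware on the backup host: one file replaced with
        # ciphertext-like random bytes, one deleted, a ransom note dropped.
        (root / "payroll" / "2021-11.csv").write_bytes(os.urandom(4096))
        (root / "ad-export.ldif").unlink()
        (root / "README_DECRYPT.txt").write_text("Your files have been encrypted.\n")
        after = verify_backup(root, manifest)
    return clean, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

The manifest check is the authoritative one; the entropy check is a cheap second opinion that also catches files the manifest never covered, but it only works when backups are written as plain data rather than compressed or encrypted archives. Run the verification from a separate, hardened host before any restore, never from the backup server itself.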

What’s the best way to prepare for and deal with a ransomware attack?

Have an incident response plan tested and in place. It’s critical for managing any cyber security incident and especially for a ransomware attack when the perpetrators may still be active on your network.

Having an incident response plan is a good start, but the goal is to be incident-ready.

When you’re dealing with ransomware, you tend to have a limited amount of time to respond, making it essential that you act as quickly as possible. Obviously, the more time attackers have at their disposal, the more damage they can cause, the more systems they can encrypt and the bigger effort it will take to recover and get back to an operational state.

Part of your incident response plan must be an incident response checklist. It should identify the types of assets at risk and assign the roles and internal capabilities needed to deal with the attack at each stage. I recommend checklists with designated owners and responsibilities: people responsible for physically gathering evidence from affected systems, staff who prepare and execute the recovery operations, and a team that determines which systems have been affected by working through an asset inventory assessment.

You must act as fast as possible to stop the initial breach from escalating. You can then try to find out how they got in and ultimately secure that access so the organisation can get back to business and recover.

Your incident response must do the forensics and answer key questions in order to fully understand how to remediate.

  • How did the attackers gain initial access, and through which account or system?
  • Did they have domain administrator access?
  • Did they get access to the domain controller?
  • Did they get access to servers, desktops, laptops and applications?
  • Did they impact just the on-premises devices or were they able to move to cloud environments?
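Most of these questions can be answered from the Windows Security event log if logging was enabled before the attack. The script below is an added example (not the author’s or ThycoticCentrify’s code) that works through a constructed SIEM export, one JSON object per line, and pulls out the events that answer the first four questions: remote logons from outside the corporate address space (initial access), additions to privileged groups and privileged logons (domain administrator access), logons to hosts named as domain controllers (DC access), and the set of hosts touched. The event IDs are the standard Windows ones (4624 logon, 4672 special privileges assigned, 4728 member added to a global group, 4698 scheduled task created); the host names, account names, addresses and the choice of which hosts are domain controllers are assumptions for the demonstration.

```python
"""Triage a Windows Security event export against the incident questions.

Added example, not code from the article or any vendor. The events below
are constructed in the shape of a SIEM JSON-lines export; they do not come
from a real incident. Assumed asset knowledge: which hosts are domain
controllers and which address ranges are the corporate network.
"""
import json
from ipaddress import ip_address, ip_network

DOMAIN_CONTROLLERS = {"DC01", "DC02"}                      # from the asset inventory
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]             # corporate address space
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REMOTE_INTERACTIVE = "10"                                   # RDP logon type

SAMPLE_EVENTS = r"""
{"time":"2021-12-01T22:14:03Z","EventID":4624,"Computer":"FS01","TargetUserName":"jsmith","LogonType":"10","IpAddress":"203.0.113.45"}
{"time":"2021-12-01T22:40:11Z","EventID":4624,"Computer":"FS01","TargetUserName":"svc_backup","LogonType":"3","IpAddress":"10.0.0.23"}
{"time":"2021-12-02T01:02:57Z","EventID":4728,"Computer":"DC01","SubjectUserName":"svc_backup","MemberName":"CN=jsmith,CN=Users,DC=corp,DC=example","TargetGroupName":"Domain Admins"}
{"time":"2021-12-02T01:05:30Z","EventID":4624,"Computer":"DC01","TargetUserName":"jsmith","LogonType":"3","IpAddress":"10.0.0.23"}
{"time":"2021-12-02T01:05:30Z","EventID":4672,"Computer":"DC01","TargetUserName":"jsmith"}
{"time":"2021-12-02T01:20:44Z","EventID":4698,"Computer":"WS-ACCT-07","SubjectUserName":"jsmith","TaskName":"\\Microsoft\\Windows\\Update\\svchost"}
"""


def parse_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:            # "-" or empty for local logons
        return True
    return any(addr in net for net in INTERNAL_NETS)


def investigate(events: list, domain_controllers=DOMAIN_CONTROLLERS) -> dict:
    """Collect the evidence behind each incident question."""
    f = {"initial_access": [], "privileged_group_changes": [],
         "privileged_logons": [], "dc_access": set(), "hosts_touched": set(),
         "persistence": []}
    for ev in events:
        eid, host = ev["EventID"], ev.get("Computer", "?")
        f["hosts_touched"].add(host)
        if eid == 4624:
            if ev.get("LogonType") == REMOTE_INTERACTIVE and not is_internal(ev.get("IpAddress", "")):
                f["initial_access"].append((ev["time"], host, ev["TargetUserName"], ev["IpAddress"]))
            if host in domain_controllers:
                f["dc_access"].add(ev["TargetUserName"])
        elif eid == 4728 and ev.get("TargetGroupName") in PRIVILEGED_GROUPS:
            f["privileged_group_changes"].append(
                (ev["time"], ev["SubjectUserName"], ev["MemberName"], ev["TargetGroupName"]))
        elif eid == 4672:
            f["privileged_logons"].append((ev["time"], host, ev["TargetUserName"]))
        elif eid == 4698:
            f["persistence"].append((ev["time"], host, ev["SubjectUserName"], ev["TaskName"]))
    return f


def summarize(f: dict) -> dict:
    """Yes/no answers to the incident questions, derived from the evidence."""
    dc_priv_logon = any(host in DOMAIN_CONTROLLERS for _, host, _ in f["privileged_logons"])
    return {
        "initial_access_seen": bool(f["initial_access"]),
        "domain_admin_access": bool(f["privileged_group_changes"]) or dc_priv_logon,
        "dc_access": bool(f["dc_access"]),
        "hosts_touched": sorted(f["hosts_touched"]),
        "persistence_seen": bool(f["persistence"]),
    }


if __name__ == "__main__":
    findings = investigate(parse_events(SAMPLE_EVENTS))
    for key, val in findings.items():
        print(f"{key}: {sorted(val) if isinstance(val, set) else val}")
    print(summarize(findings))
```

In the constructed data the chain reads off directly: an RDP logon from outside the network as jsmith, a service account adding jsmith to Domain Admins on DC01, a privileged logon to the DC minutes later and a scheduled task planted on a workstation. The fifth question (movement into cloud environments) needs the identity provider’s sign-in and audit logs rather than on-premises Security events, and the same approach applies there: decide which events answer the question before the incident, and make sure they are being collected to a store the attacker cannot clear.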

What can we do to stop ransomware attackers from accessing our critical data and mitigate risk?

How do we make life more difficult for ransomware attackers? In my experience, forcing the attackers to take higher risks helps you detect and prevent ransomware attacks faster. The more risks the attacker has to take, the better chance you have of catching them before they can deploy the ransomware.

Privileged access management (PAM) security controls provide effective tools that can make it much more difficult for attackers to steal passwords and abuse privileges. Password randomisation, rotation and ongoing management are also effective in limiting an attacker’s ability to explore your network and escalate privileges. Using a PAM solution forces attackers to take greater risks, increasing your ability to detect an intruder before they cause more damage.

Ransomware attacks are one of the most urgent threats to organisations today. As more ransoms are paid to restore data, cyber criminals are further incentivised to step up their efforts to compromise your networks. While companies are increasing their spending on cyber security solutions to mitigate ransomware and other attacks, it is essential they also protect all users as if they were privileged users.

By safeguarding privileged access with PAM solutions (to reduce or eliminate attacker dwell time) and implementing a robust incident response plan, organisations can minimise the risk from a threat that will only increase for the foreseeable future.

To learn more about how to mitigate the impacts of a ransomware attack, read our 2021 State of Ransomware Survey & Report.