*This bulletin is based on a November 2019 article written by Craig Hoffman, David Kitchen, Ted Kobus and Anthony Valach of BakerHostetler, with updates from Steve Robinson, National Cyber Practice Leader at Risk Placement Services, Inc.*
Organizations across all industries, including government agencies, are facing a surge of ransomware attacks launched by cybercriminals. New types of ransomware have the potential to cause significantly more disruption to computer data and networks. Some attackers have also recently claimed to have exfiltrated data from the victim’s environment as a means to extort a payment. Where an organization cannot restore its systems from backups, the amounts attackers demand for the tools to unlock encrypted files are increasing. Further, attackers are targeting organizations of all sizes, not just the larger organizations that often make headlines. The attackers’ motivation is financial, and small and medium-sized organizations are easier targets to infiltrate and to leverage for extorting a ransom payment. Resources exist, however, to help organizations identify steps they can take to avoid becoming a victim and to be better prepared to respond effectively.
Today’s Ransomware Threat and Organizational Costs
Organizations affected by ransomware attacks have limited choices: (1) restore systems from available backups, (2) pay the ransom to obtain a decryption tool, or (3) pursue business without the encrypted data. Organizations are currently facing highly variable, but increasing, ransom demands, and even extortion, that often exceed the amounts paid in prior years. The financial impact is not limited to the cost of the ransom but includes operational, business interruption, reputational and other costs. Even if a decryption tool is obtained by paying the ransom, there are instances in which not all files can be restored, and it can take several weeks and a substantial commitment of internal resources to restore infected systems. Additionally, if an attacker has exfiltrated data from a company’s environment, the company may face a costly process of providing notification to individuals and regulators, and face the risk of fines and litigation.
Ransomware claims have risen more than 50% in the last 12 months according to claims data from Risk Placement Services. Seven-figure demands have become more commonplace, and the combination of higher frequency and higher severity will have an impact on cyber insurance pricing, limits offered and underwriting practices.
Steps to Protect Against This Threat:
While cyber liability insurance provides financial assistance and connects organizations with law and forensic firms to guide them through the response, the following are steps to take now to avoid becoming a ransomware victim.
Avoid being phished: Most attacks start with an employee falling victim to a phishing email; attackers use it to gain access to an organization’s systems or to steal employee credentials before deploying the ransomware. Train employees to spot suspicious emails and to recognize common social engineering tactics. Also consider deploying an email threat filter.
Use strong passwords: Require the use of strong passwords that must be changed periodically, prohibit reuse of passwords and implement a password management tool for employees.
Enable MFA: The use of multifactor authentication (MFA), particularly for remote employees, can lessen the risk of an attacker accessing your system or email accounts. MFA creates an additional layer of authentication by requiring the employee to input a unique code before access is granted.
Secure remote access to company systems: Attackers frequently seek to connect to systems using Remote Desktop Protocol (RDP) before deploying ransomware. Adopt controls that restrict which source IP addresses may connect over RDP. This can be done by requiring remote connections to go through a third-party remote access service or a virtual private network (VPN).
Limit use of domain administrator accounts: Administrator accounts should be limited to select employees and, even for such employees, should not be used for normal work functions. Administrators should have separate accounts to use for their non-administrative functions.
Maintain strong employee access controls: The greater the access a compromised employee’s account has to different parts of an organization’s computer system, the more easily ransomware can spread. Limit an employee’s access to the minimum systems and files necessary to do their job.
Segment the network: Attackers often move laterally to deploy ransomware. By identifying and segmenting critical data stores from systems accessible from the internet, an organization can limit the impact of an attack.
Ensure patch management: Attackers often exploit software vulnerabilities that regular and timely deployment of software updates and patches would have remedied.
Configure firewalls properly: Many types of ransomware move laterally using standard Windows operating system protocols, including Server Message Block (SMB), to communicate between systems. Ensure that your firewall policy is configured to restrict the communications permitted between common endpoints, so that ordinary workstations cannot freely reach one another over these protocols.
Deploy endpoint monitoring: Endpoint monitoring solutions can detect system anomalies and malware, such as credential harvesting tools that often precede a ransomware attack. Evaluate your current endpoint monitoring solution and upgrade, if needed, to properly protect against malware and ransomware threats.
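As an added example that is not part of the bulletin, the following PowerShell applies the RDP source-restriction and SMB-restriction steps above to a Windows workstation using the built-in Windows Defender Firewall cmdlets; the management subnet is a constructed placeholder, and the script assumes an elevated session.

```powershell
# Added example (not from the bulletin): host firewall rules on a workstation that
# (a) allow RDP only from a management/VPN subnet and (b) block inbound SMB.
# Run in an elevated PowerShell session. Values below are constructed placeholders.
$MgmtSubnet = '10.10.50.0/24'   # placeholder: VPN / jump-host range permitted to RDP

# 1. Default-deny inbound on every profile, so that only explicit allow rules
#    define what may reach the host.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. RDP: the built-in "Remote Desktop" rule group accepts connections from any
#    source. Disable it and replace it with a single allow rule scoped to the
#    management subnet (RemoteAddress is the source-IP restriction).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RDP - allow from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain,Private

# 3. SMB: a workstation has no business serving file shares to other endpoints,
#    so block inbound SMB (TCP 445) and NetBIOS session (TCP 139) from anywhere.
#    In Windows Firewall, block rules take precedence over allow rules, so the
#    built-in "File and Printer Sharing" allows cannot override this.
New-NetFirewallRule -DisplayName 'SMB - block inbound on workstations' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 `
    -RemoteAddress Any -Action Block -Profile Any

# 4. Verify the resulting rule state.
Get-NetFirewallRule -DisplayName 'RDP - *','SMB - *' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

File servers and domain controllers need a different policy, since they must accept SMB; apply this workstation policy through Group Policy to the workstation OU only, and confirm that remote administration tools which depend on inbound SMB (such as admin shares) are not in use before rolling it out.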