Preventing Ransomware Attacks

CSGN-2301

Ransomware is a type of malware that encrypts the files on a victim’s computer, making them inaccessible, and demands payment in exchange for the decryption key. It is a rapidly growing threat that can cause significant damage to organizations of all sizes. Ransomware can be launched via phishing emails, exploiting known vulnerabilities, misconfigured cloud storage or Shadow IT. The best way to protect against ransomware attacks is to implement a comprehensive security strategy that includes regular software updates, a robust backup and disaster recovery plan, employee education, using endpoint detection and response (EDR) tools and advanced threat protection. In this advisory, we will discuss in detail the various ways organizations can prevent and mitigate ransomware attacks.

Regularly update and patch all systems and software to address known vulnerabilities.

Many known vulnerabilities are addressed through software updates and patches. If a system or application is not updated, attackers can exploit those vulnerabilities to gain access to a network or system, and once they have access they can deploy ransomware to encrypt files and demand payment for the decryption key. By keeping all systems and software up to date, organizations reduce the chance that a known vulnerability is exploited and so lower the risk of a successful ransomware attack.

Use reputable antivirus and anti-malware software, and keep it updated.

Using reputable antivirus and anti-malware software, and keeping it updated, is important for stopping ransomware attacks because these programs are designed to detect and remove malware, including ransomware. The software uses signature-based detection and behavior-based detection to identify and block known and unknown malware. When the software is updated, it receives the latest malware definitions and detection methods, which improves its ability to detect and block new and emerging threats, including new strains of ransomware.

It’s important to note that no software is completely foolproof and cyber criminals are constantly creating new strains of malware, so keeping the software updated is crucial to ensure that it is able to detect and block the latest threats.

Implement a robust backup and disaster recovery plan, and test it regularly.

A backup and disaster recovery plan in the context of ransomware prevention is a set of procedures and processes that organizations use to protect and recover their data in case of a ransomware attack. The goal of such a plan is to minimize the impact of a ransomware attack and to ensure that the organization can quickly return to normal operations.

The plan typically includes regular backups of important data and systems, which can be used to restore the organization’s operations in case of an attack. The backups should be stored in a secure location, such as an off-site facility or cloud storage, and should be tested regularly to ensure that they are complete and usable.

The plan also includes procedures for responding to a ransomware attack, such as isolating affected systems and networks, identifying the source of the attack, and restoring operations from the backup data. The plan should also include communication protocols to inform the relevant parties of the incident and the steps being taken to restore normal operations.

It’s important to note that a backup and disaster recovery plan is not a one-time process; it needs to be updated and tested regularly to ensure that it can effectively protect and recover data in case of a ransomware attack.

Limit access to sensitive data and systems to only those who need it.

Limiting access to sensitive data and systems to only those who need it is an important security measure that can help to mitigate the risk of ransomware attacks. By implementing access controls and permissions on sensitive data and systems, organizations can ensure that only authorized individuals have access to them. This can help to prevent and limit the scope of unauthorized access, which can be a common vector for deploying ransomware.

It’s important to note that limiting access to sensitive data and systems should be done in conjunction with other security measures, such as regular software updates, a backup and disaster recovery plan, employee education, endpoint detection and response (EDR) tools and advanced threat protection, as part of a comprehensive security strategy.

Educate employees about ransomware and phishing scams, and how to spot and report suspicious activity.

Employee education is important to raise awareness about the risks of ransomware and phishing scams, and to teach employees how to spot and report suspicious activity. This can help to prevent successful ransomware attacks and minimize the impact of an attack if one occurs.

Use a firewall to control access to your network, and segment it to limit the spread of malware.

A firewall is a security device that controls access to a network. Segmenting the network can help to limit the spread of malware, such as ransomware, by isolating infected systems and networks from the rest of the organization.

Consider using endpoint detection and response (EDR) tools to monitor for and respond to suspicious activity on your network.

Endpoint Detection and Response (EDR) tools can help to monitor and respond to ransomware attacks by providing visibility and control over the activity on endpoints, such as computers, servers, and mobile devices. EDR tools can detect and respond to suspicious activity on a network, such as the deployment of malware, and provide real-time visibility into the state of endpoints, including memory and process-level activity.

There are several ways EDR tools can detect and respond to ransomware attacks:

  • Behavioral-based detection: EDR tools can use behavioral-based detection algorithms to identify and alert on suspicious activity on endpoints. For example, if a process begins to encrypt a large number of files, this could be flagged as suspicious activity and may indicate a ransomware attack.
  • Signature-based detection: EDR tools use signature-based detection to identify known malware, including ransomware. The tools are updated with the latest malware definitions, which increases their ability to detect and block new and emerging threats.
  • Network traffic analysis: EDR tools can also analyze network traffic to detect signs of a ransomware attack. For example, if an endpoint begins communicating with a command and control server or other suspicious IP addresses, this could indicate a ransomware attack in progress.
  • Isolation: EDR tools can isolate the endpoint that has been infected by the ransomware, preventing the malware from spreading to other systems and minimizing the impact of the attack.
  • Remediation: EDR tools can help in removing the malware from the endpoint, including the ransomware, to prevent further damage.
  • Rollback: EDR tools can roll back the endpoint to a previous state, before the attack, using snapshots or backups of the endpoint. This can help to restore the endpoint to a known good state and minimize the impact of the attack.
  • Reporting: EDR tools also provide detailed reporting on the attack, including the type of malware, the number of files encrypted, and the systems affected. This information can be used to improve the organization’s security posture and prevent future attacks.

It’s important to note that EDR tools are not a replacement for other security measures, but rather they are complementary tools that can be used to detect, prevent and respond to attacks.

Regularly review logs and audit trails for signs of unauthorized access or suspicious activity.

Reviewing logs and audit trails can help to identify signs of unauthorized access or suspicious activity, such as attempts to deploy malware. This can help to prevent a ransomware attack or minimize its impact. Common indicators of compromise found in event logs during ransomware incidents include (but are not limited to):

Covering Tracks (MITRE T1070.001):

Process command line includes parameter "Clear-EventLog"
Process: "wevtutil" Parameters: "*cl *"
Process: "fsutil" Parameters: "*deletejournal*"

A common defense evasion technique is to disable the Sysmon driver and service:

Process: "fltmc.exe" Parameters: "unload SysmonDrv"
Process: "sysmon.exe" Parameters: "-u"

Inhibiting System Recovery (MITRE T1490):

Tools such as vssadmin, wbadmin, bcdedit and PowerShell are commonly used to delete shadow copies and disable recovery options so that a system infected by ransomware cannot be restored.

Parameters: "delete shadows" | "shadowcopy delete" | "delete catalog" | "recoveryenabled no"

Data Exfiltration (MITRE T1567.002):

Process: "rclone.exe" Parameters: "copy"

Mass File Deletion:

After encryption, many ransomware variants remove the unencrypted originals. Although this has nothing to do with the encryption process itself, it is a reliable sign of ransomware activity, and a detection rule in your organisation's SIEM can be built on this behavior: raise an alert when a large number of files are deleted in a short time. This rule is susceptible to false positives, since a legitimate software uninstall or file restore can also trigger it.

Look out for Windows Security event ID 4663 (an attempt was made to access an object) with access right %%1537 (DELETE) occurring many times in close succession on the same host.
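As an added example (not part of the original advisory), the following Python script turns the indicators above into two detections run over constructed sample events: command-line matching for the process patterns, and a sliding-window count of 4663 DELETE events per host for the mass-deletion case. Event IDs 4688 (process creation) and 4663 (object access) are the real Windows Security log IDs; the event dict layout, the threshold and window values, and the sample records are assumptions made for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Command-line indicators from the advisory above, written as regexes (constructed here).
CMDLINE_RULES = {
    "T1070.001 clear event logs": re.compile(r"Clear-EventLog|\bwevtutil(?:\.exe)?\s+cl\b", re.I),
    "T1070 delete USN journal": re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal", re.I),
    "Sysmon tampering": re.compile(r"\bfltmc(?:\.exe)?\s+unload\s+SysmonDrv|\bsysmon(?:\.exe)?\s+-u\b", re.I),
    "T1490 inhibit recovery": re.compile(r"delete shadows|shadowcopy delete|delete catalog|recoveryenabled no", re.I),
    "T1567.002 rclone exfil": re.compile(r"\brclone(?:\.exe)?\s+copy\b", re.I),
}
DELETE_ACCESS = "%%1537"  # access right DELETE as logged in Security event 4663

def match_cmdline(cmdline):
    """Return the name of every rule whose pattern appears in a process command line."""
    return [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]

def burst_deletes(events, threshold=5, window=timedelta(seconds=10)):
    """Return hosts with >= threshold 4663 DELETE events inside any sliding time window."""
    recent, flagged = {}, set()  # host -> deque of DELETE timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 4663 or ev.get("access") != DELETE_ACCESS:
            continue
        q = recent.setdefault(ev["host"], deque())
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["host"])
    return flagged

# Constructed sample telemetry (assumed dict layout): 4688 = process creation, 4663 = object access.
T0 = datetime(2023, 1, 15, 9, 0, 0)
SAMPLE = [
    {"ts": T0, "host": "WS01", "id": 4688, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": T0 + timedelta(seconds=1), "host": "WS01", "id": 4688, "cmdline": "wevtutil.exe cl Security"},
    {"ts": T0 + timedelta(seconds=2), "host": "WS02", "id": 4688, "cmdline": "notepad.exe report.txt"},
] + [{"ts": T0 + timedelta(seconds=3, milliseconds=200 * i), "host": "WS01", "id": 4663,
      "access": DELETE_ACCESS} for i in range(6)]

if __name__ == "__main__":
    for e in SAMPLE:
        if e["id"] == 4688 and match_cmdline(e["cmdline"]):
            print(f'{e["host"]}: {e["cmdline"]!r} -> {match_cmdline(e["cmdline"])}')
    print("mass-deletion burst on:", sorted(burst_deletes(SAMPLE)))  # expect ['WS01']
```

Tune `threshold` and `window` against a baseline of normal deletion rates on your own hosts, since software uninstalls and restores will otherwise trip the burst rule.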

Keep in mind that ransomware attacks can be launched via the cloud, so ensure that your cloud-based systems are also properly secured.

Ransomware attacks can also target cloud-based systems and services, so it’s important to ensure that they are properly secured to prevent a successful attack. This includes implementing security controls, such as access controls, encryption, and monitoring, to protect data and systems in the cloud.

Misconfigured cloud storage buckets can also be used by attackers to steal sensitive data, which they can then use to launch targeted attacks or to extort the victim. If a storage bucket is not properly configured, it may be left open to the public, allowing anyone to access and download the files stored in it. Ransomware operators can take advantage of misconfigured cloud storage buckets by scanning the internet for open storage buckets, and then downloading and encrypting the files stored within them.

To prevent the misuse of misconfigured cloud storage buckets, organizations should ensure that their cloud storage buckets are configured with proper access controls, such as authentication and authorization, and should regularly audit their cloud storage configurations to identify and fix any misconfigurations.

Shadow IT

Shadow IT refers to the use of technology and services within an organization that are not approved or managed by the IT department. Employees may use shadow IT to access cloud-based services such as file sharing, messaging, and storage, without the knowledge or approval of IT.

Shadow IT can make organizations vulnerable to ransomware attacks in a few ways:

  1. Lack of security controls: Cloud-based services used in shadow IT may not have the same security controls as approved services, making them more vulnerable to attack. For example, a file-sharing service used in shadow IT may not have the same access controls and encryption as an approved service, making it easier for attackers to gain access to sensitive data and deploy ransomware.
  2. Lack of visibility: The IT department may not be aware of all the services and technologies in use within the organization, making it more difficult to identify and respond to security threats. This lack of visibility can make it easier for attackers to launch a ransomware attack and for the attack to go unnoticed.
  3. Lack of backups and recovery: Employees using shadow IT may not be aware of the importance of regularly backing up and recovering data, leaving them vulnerable to data loss in case of a ransomware attack.
  4. Lack of compliance: Shadow IT services might not comply with regulatory requirements and compliance standards, putting the organization at risk of data breaches and regulatory fines.

To address the risk of shadow IT, organizations should have a clear IT policy that outlines the approved services and technologies that can be used within the organization. Additionally, IT departments should implement tools and processes to detect and manage the use of shadow IT, and educate employees on the risks associated with using unapproved services and technologies.