Ransomware 101 Part 2: How to Prevent and Detect a Ransomware Attack
Since we published part one of our Ransomware 101 blog series, several high-profile ransomware attacks have made the news. Most notable is Accenture, which was hit with a $50M ransom demand by the LockBit 2.0 ransomware gang. PC company Gigabyte suffered an attack by the RansomEXX gang, which claims to have stolen 112GB of sensitive internal data as well as a code repository.
These are just the high-profile victims – there are likely scores more, some we may never hear about. According to a report just published by Barracuda Networks, ransomware attacks increased by 64% between August 2020 and July 2021, with 30% of ransomware demands exceeding $30M, and 6% exceeding $50M. The average demand is $10M.
Our Ransomware 101 blog series addresses multiple aspects of the ransomware issue, including what you should know and what you should do to protect your firm, your clients, and your finances. In part one, we discussed the evolving and growing threat of ransomware. In this article (part two), we’ll provide a framework for what your organization can do to prevent and detect ransomware attacks.
For a step-by-step framework of the considerations and actions your organization should be taking to prevent and detect ransomware attacks, download the checklist developed by ACA’s cyber experts.
How to prevent a ransomware attack
The three keys to preventing a ransomware attack are Configuration, Access, and Patching (CAP). Employee awareness and education are also critical.
Awareness – Reduce the chances of ransomware entering your system
Phishing and similar tactics are frequently used to introduce ransomware into systems. Close this common entry point for cyber criminals by conducting regular mandatory phishing prevention training and testing, as well as cybersecurity awareness training, for your employees.
Configuration – Reduce the number of entry points an attacker could use to gain access to your system
Ransomware attackers can access your network through misconfigured security controls. Ensuring these controls are configured properly reduces the attack surface and helps prevent this access.
- Review the security settings of remote and cloud access configurations to identify opportunities to strengthen defenses and reduce the number of possible entry points (attack surface).
- Watch for legacy protocols and services left enabled.
- Ensure multi-factor authentication is enabled for all publicly exposed interfaces.
Access – Reduce the number of internal access points for an attacker who has entered your system
Once inside your network, criminals often move laterally and access vulnerable targets. For example, they can gain access to a particular employee’s account and then use their access privileges to move within your network, sometimes escalating their permissions and access as they go.
While local administrative rights on workstations and broad access to network file shares may empower your organization’s employees, it’s critical to restrict access as much as possible.
- Limit network access to read-only permissions as much as possible. Do not leave full access in place everywhere. Attackers cannot use read-only access rights to encrypt files in a ransomware attack.
- Assign local administrator privileges on workstations to a separate account that is used only when needed. Browsing the web and reading email with administrator privileges makes it easy for attackers to gain a foothold in the network (a so-called drive-by attack). Users can still install software or change settings when needed, using the separate account only occasionally.
- Implement multi-factor authentication, role-based authentication policies, and “zero-trust” models for devices and users.
Patching – Reduce the chances of an attack happening via an unpatched entry point
Even with systems secured to reduce the attack surface and user access limited to only what is needed, software vulnerabilities remain. As these vulnerabilities are discovered, patches and software updates are released. However, these updates aren’t effective until they are deployed. In general, exploits are available to attackers the same day that patches are announced. Installing patches as soon as they are released reduces an attacker’s window to take advantage of these vulnerabilities.
- Make sure all software updates are applied as soon as patches become available.
- Ensure patching extends to your third-party service providers as well (e.g., patch management requirements should be written into vendor contracts).
How to detect a ransomware attack
In addition to having attack mitigation steps in place, you also need to be vigilant about monitoring for an attack in progress so you can respond as quickly as possible. In general, you should be following the three “R’s” of detection: Record, Review, Respond.
Record – Keep track of what’s going on across your system
Engineers and astronauts love telemetry – the ability to know from a distance what is going on with a system. Servers, workstations, and network devices provide telemetry when enabled and configured. Logging the events on a device and then reviewing those events allows system administrators and security professionals to know when an attacker has gained access to a network or system. When logs are not enabled, or when they are not configured for retention and review, we are blind to the activities of attackers.
- Enable logging on workstations, servers, applications, and network devices.
- Transfer logs promptly to secure, aggregated storage.
Review – Watch out for suspicious activity
Unread event logs are useless. Security Information and Event Management (SIEM) and similar technologies provide automation to sift through logs for suspicious events. Human system administrators and incident responders should review these events to identify when something unexpected or unauthorized is happening.
Ransomware attacks involve reading large numbers of files in quick succession as well as intensive CPU utilization to encrypt these files. The exfiltration of confidential data to an attacker’s system can be detected by monitoring network flows, identifying unusual volumes, times of day, and destinations.
Even without a SIEM in place, firms may be able to detect these activities with simple rules and heuristics.
- Review event logs to help identify unexpected or unauthorized activity.
- Monitor network flows to identify unusual volumes, times of day, and destinations.
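As an added example (not from the original post or ACA’s checklist), the two heuristics described above run over constructed sample events: a burst of distinct file reads from one workstation, and an outbound flow that is out of hours, to an unseen destination, and far above the host’s baseline. Host names, paths, addresses, and thresholds are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry; hosts, paths and addresses are placeholders
# (198.51.100.0/24 and 203.0.113.0/24 are reserved documentation ranges).
T0 = datetime(2021, 8, 16, 9, 0, 0)
FILE_EVENTS = [  # (timestamp, host, path) read events from a file-server audit log
    (T0 + timedelta(seconds=2 * i), "ws-17", f"\\\\fs01\\finance\\q2-{i}.xlsx")
    for i in range(8)                           # ws-17: 8 files in 14 seconds
] + [
    (T0 + timedelta(minutes=15 * i), "ws-03", "\\\\fs01\\hr\\roster.xlsx")
    for i in range(6)                           # ws-03: one file, reopened slowly
]
FLOWS = [  # (timestamp, host, destination, outbound bytes) from a flow collector
    (T0, "ws-03", "203.0.113.10", 120_000),
    (T0.replace(hour=2), "ws-17", "198.51.100.77", 4_000_000_000),
]
KNOWN_DESTINATIONS = {"203.0.113.10"}
BASELINE_BYTES = {"ws-03": 150_000, "ws-17": 200_000}   # typical bytes per flow

def burst_file_access(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: peak distinct files} for hosts touching >= threshold files in a window."""
    by_host = {}
    for ts, host, path in events:
        by_host.setdefault(host, []).append((ts, path))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window start forward
                start += 1
            distinct = {p for _, p in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[host] = max(flagged.get(host, 0), len(distinct))
    return flagged

def unusual_flows(flows, baseline, known, work_hours=(8, 18), spike=10):
    """Return (host, dst, reasons) for flows out of hours, to unseen hosts, or spike x baseline."""
    alerts = []
    for ts, host, dst, nbytes in flows:
        reasons = []
        if not work_hours[0] <= ts.hour < work_hours[1]:
            reasons.append("out-of-hours")
        if dst not in known:
            reasons.append("unknown-destination")
        if nbytes > spike * baseline.get(host, float("inf")):
            reasons.append("volume-spike")
        if reasons:
            alerts.append((host, dst, reasons))
    return alerts
```

Real deployments tune the window, threshold, and baseline per host and feed the alerts into the review process rather than acting on a single rule.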
Respond – Be prepared and know what to do if an attack happens
First responders such as fire fighters and police officers practice their emergency response plans so they are ready in the event of an actual emergency. Similarly, cyber incident responders must practice their incident response plans so they are prepared and ready. Reacting to a suspicious event with heightened anxiety and adrenaline requires preparation to be successful.
- Prepare and practice incident response plans and activities so the response team understands its responsibilities, steps, and tools, and has the authority it will need to react if a ransomware or other attack is detected.
- Always keep the cyber incident response team at the ready.
Download the ransomware prevention and detection checklist
For a step-by-step framework your organization can take to prevent a ransomware attack, download our checklist.
How we help
ACA Aponix® helps firms to stay on top of their cybersecurity programs. Contact us to discuss how we can help assess and strengthen your current program to prevent ransomware attacks.