Ransomware, Ransomware, Ransomware
Unless you’ve been on a quiet sabbatical or otherwise offline and not watching the news for the last year or so, it’s been the talk of the town. Ransomware is one of those recent topics that has left cybersecurity circles to hit the public consciousness. It’s been all over the media, the Twitters, and featured weekly in just about every security company’s blog, including our own most recent Q2 report.
I’ve answered more questions about ransomware this year with non-IT friends, casual acquaintances, and even my mom, than I’ve ever even talked about my job. It’s a threat that’s not going anywhere, and based on the amount of articles we’ve written and webinars we’ve attended, it’s still a very hot topic and will likely continue to be until criminals figure out another way to make more money in a less extortion-y way.
It’s a pretty bleak picture, or at least it seems to be. Blue teams are constantly under siege, and much like the movie “300”, attackers are throwing everything they’ve got at the embattled security Spartans holed up in their SOCs. Attackers, like Xerxes’ army, have more time, resources, and initiative than ever. Meanwhile, companies are losing millions in payments to attackers and costs of incident response.
We’ve seen businesses slow to a crawl or get stopped dead in their tracks in the wake of an incident. Not to mention, we’ve all seen the effects of the media fallout and speculation more than a few times, as well as the impact on the public. The good news is: There’s a way forward but it’s going to take the strength of a phalanx to do it.
Outside of a few offhand references to the movie “300”, we’ll spare the in-depth history lessons on tactics and specific groups for another time (plus we already have some great blogs on the topic).
On this go-round, let’s focus on what today’s reality is, some general things to think about in the fight against ransomware, and how to reduce your risk. Some of you may be first-time visitors, so there will be some 101-level things we’ll talk about, but also cover some more advanced topics as well.
The Current Threat of Ransomware
Through the first half of 2021, we’ve seen a number of groups appear on the scene and another group of them disappear, reappear, or rebrand. The tactics have changed over the years, evolving from targeting individuals and small businesses to going after large corporations and other big businesses, as criminals seek larger payouts and more public impact. These days it’s not only a question of encrypting data and holding the decryption key (and your data) for ransom, but also if the public disclosure of your data is worth the price.
A large number of threat actors in the ransomware scene are growing more professionalized and operating with unprecedented levels of technical expertise (and maybe even some business acumen). Some of these groups often perform due diligence and choose victims carefully; on the other hand, you also have your criminal groups who target companies and individuals indiscriminately. Motivations for one actor may not be the same for another actor, but there’s usually always a financial angle. They may find their way in via myriad means, but historically, it’s all of the usual suspects: exploited vulnerabilities and social engineering, with a side of luck and/or preparation.
Shoring Up Defenses Against Ransomware
Look, we get it, it’s hard to defend against the unknown, and sometimes even knowing leads to decision paralysis. Which vulnerabilities do you tackle first, and which ones are the most dangerous, i.e., in this case, what causes you to fall victim to ransomware? And that doesn’t even take into account all of the other possibilities when it comes to vulnerabilities.
There are concerns with compliance, making sure you don’t brick an application when you upgrade or update a server, losing access, or any other second- or third-order effects from patching that can affect uptime, security, and cost. Sometimes it’s even a question of knowing exactly what assets you have and where they are, which can also be a struggle.
Several prominent ransomware actors target specific vulnerabilities, buy compromised accesses, use phishing attacks, or a combination of all of these to be successful. In light of this, it’s going to take a few different approaches to stay safe.
Patching, Updating, and Asset Management
This is a process that never ends. At a minimum, you should identify your most critical systems and assets, understand where those assets and your important data live, identify who has access, and develop processes around patch management. In addition to identifying the assets, having a plan for regular backups and storage should be implemented. If you’re looking for help to get started on the path of discovery, you can access our free asset discovery tool Orca here.
When vulnerabilities are announced publicly, pay attention to the CVSS numbers. Although these scores do not always reflect how widespread the exploitation of the vulnerability is, it does give a good idea of the relative ease to accomplish an exploit and the impact it may have. While you may not be able to patch right away, look at vendor recommendations to mitigate risk until a system is patched; but also remember to circle back to actually finish up with patching.
It’s also a good idea to look at exposed services and ports, either through scanning, penetration testing, or a combination of these. Criminals such as initial access brokers specialize in selling compromised remote access, such as SSH, RDP, and VPN; while botnets and mass scanning techniques are able to hunt for vulnerable infrastructure at scale and in an automated manner.
Phishing Awareness Campaigns
Regardless of the threat, phishing will always be a way in. It’s been a hallmark for several ransomware campaigns, and there are a likely handful of ransomware groups who are actively using the method. We’ve talked phishing before, but just as a refresher, it may take a combination of user training, anti-phishing tools and policy, and some process to fight it; hopefully layered among some other security tools and incident response policies.
Mitigating Insider Threats
An interesting tactic that should be mentioned here is there are criminal groups who are actively seeking insiders to help them gain access or provide other kinds of needed insider information. Whether it’s a result of financial reasons or something more sinister, the threat from insiders is real, and isn’t just the accidental URL click from a phish. Depending on the size of your organization it may mean looking into an actual insider threat capability, or developing processes shared among security teams, to include cyber, fraud, legal, and physical security.
Unintentional insider threats may also mean leaving information exposed on the internet, such as credentials, keys, passwords, and even internal documents on public repositories, such as GitHub, or in other publicly accessible infrastructure, such as an AWS or SharePoint instance. All of these might help outsiders understand internal processes, network layouts, or allow access to different parts of your estate.
How Can Digital Shadows Help You?
Threat intelligence is only a part of the overall defensive strategy, but can add context and other valuable information to the fight against ransomware. We have been tracking dozens of ransomware actors, their leak sites, as well as other criminal locations for years. We understand how they can gain access and may even have insight to vulnerable organizations they might be targeting. We are also constantly updating profiles and other information that could be valuable to your defenders.
If you’re curious about how SearchLight can help shed light on ransomware and other threats, you can take it for a 7-day test drive, or contact us to schedule a demo and discuss your particular intelligence needs.