Ransomware attacks are occurring at an all-time high as organizations continue to adapt to the realities of remote work. It’s more clear than ever before that IT admins need to implement robust security policies and procedures to prepare for these attacks.
To help admins prepare for this increasing threat, AvePoint rounded up some of our top security experts to discuss all things ransomware in a new webinar titled “Ransomware: Prevention, Response, and Recovery.” You can access the full presentation here (for free!) or read on for a summary of their discussion.
Our speakers (AvePoint Security Team):
Dana Simberkoff: Chief Risk, Privacy, and Information Security Officer
Henry Feliu: Manager, Information Technology
Alex Varvel: IT Administrator
James Nankervis: Information Security and Privacy Analyst
What is Ransomware?
Ransomware is a type of malware from the crypto virology that threatens to publish the victim’s personal data and continually block access unless a ransom is paid. Unfortunately, it’s becoming more and more prevalent.
Today, ransomware is broken into two main categories:
- Locker ransomware
- Crypto ransomware
These are commonly paired with exfiltration and extortion techniques. An example of this is the Babuk malware that affected the Washington DC Metro Police last year.
The Challenge to Organizations
Ransomware has been on a huge upswing, especially since the start of the pandemic. It has been targeting more and more end users because at home, all it takes is a user to bypass all the hard work you’ve put into your network infrastructure and security mechanisms on their own device while they still have access to everything.
That’s why it’s important to look out for ransomware trends and how they work, because the price of ransomware has been going up.
The Rising Costs of Ransomware
Cybercrime in general has estimated a total cost of about $6 trillion in 2021. And we’re seeing how that increases in ransomware as well, because the average ransom fee has increased from $5,000 in 2018 to over $200,000 just a year ago. This past year, we saw a new ransomware payout record of $40 million.
But whenever we take a look at ransomware, you can’t just measure the ransom as your total expense. You’re going to have to deal with not only the ransom, but also lost productivity, IT costs, legal fees to try to resolve things, updated tools to make sure it doesn’t happen again, and additional reporting and monitoring services. So, it’s really hard to gauge how much is needed to be set aside if an infection actually does occur.
Upswing in Attacks and the Effect on Stocks
Not only are we seeing increases in the cost metrics, but we’re also seeing an increase in attacks. The past quarter has totaled nearly the entirety of 2020—and that’s a huge amount in a span of just a three-month period!
But it isn’t just that more people are being attacked; bigger enterprises and organizations are quickly becoming the victims of increased attacks rather than smaller individual devices.
There was been a recent study done on the New York Stock Exchange where they saw an average of a 22% stock dip immediately after these attacks. This is being seen as another reason why there’s an upswing in attacks—not only to get the ransom, but also to create brand damage by way of manipulating stocks.
So, this is really something that security professionals must look at, address, and put top of mind.
Common Attack Vectors
Here are the three most common attack vectors that we’re seeing:
- Phishing. This is the most common type of attack where we’re seeing bigger organizations being hit. This mostly targets privileged users such as executives.
It’s very important to have a phishing campaign and training in your organization to help mitigate this. Because again, our networks and security mechanisms may be effective at blocking out a large volume of this, but as soon as the user runs something, it will bypass all of those doors and blockades that we’ve put up.
- Remote Desktop Protocol (RDP). Now that we’re seeing more people working from home, we need to make sure that those open services to the internet and everything are locked down with appropriate controls.
- Software vulnerabilities. This is where it’s important to have a good vendor assessment program and enterprise risk management tools to track compliance in your organization. It’s also crucial to make sure that you have a good patch policy to keep things up to date once these vulnerabilities have been discovered.
Prepare Against Ransomware: Technology Best Practices
From a proactive state, one of the fundamental areas that need to be harnessed is policies and procedures. As an organization, you definitely want to make sure that you have the correct footprint available.
In conjunction with your incident management policy, here are some of the policies that you need to create, define, adapt, and constantly enhance:
- Business Continuity Plan (BCP) and disaster recovery plan. It’s good practice to go through your BCP and disaster recovery plan on a frequent basis. At minimum, it should be at least once per year wherein you do some testing—whether it’s tabletop testing or dry runs—to help home in on the actual step-by-step process that should be taken in order to acknowledge, notice, find, and remediate any potential vulnerabilities within the network or any breaches that have taken place.
- Patch management policy. This is to ensure that every device within the network is being patched according to, for example, what the vendors or the OS providers are requiring. There should be constant updates to these security patches to ensure any vulnerabilities are quickly found.
- Device hardening or network hardening policies. You must take into account the ability to disable or stop services that can be used as a vector for any breaches or attacks by any malicious characters.
These should be looked at as yearly (or more frequently) practices. It’s also best to improve, enhance, and have more efficient ways to deploy them.
Prepare Against Ransomware: Business Best Practices
There are many different considerations that you need to be aware of at the executive level. The first is: “We don’t plan to fail, but we fail to plan.”
The number one thing that executive teams, CISOs, and CIOs should be doing with their executive management team is planning that inevitably, every company has one person that will click on anything. Don’t wait until you’re infected to start figuring out what to do.
You want to have these conversations proactively with your management team, decide what your strategy is going to be, and put your incident response team in place so that you know who is going to be doing what, who you need to bring to the table, and how you’re going to be communicating with them, particularly if your systems are compromised.
Make sure that you have multiple ways of communicating and reaching people. Communication is key. It’s extremely important to remember that you need to have a combination of people engagement, process engagement, and technology engagement.
Technology will help you, but only if it’s being used properly and only if your end users and business users understand what they should and should not be doing. It really is our job as technology professionals to make sure that we make it easier for employees to do the right thing than the wrong thing.
The Value of Backups
Another fundamental thing that you need to consider is backup and recovery. It depends on the organization, of course, because every business or entity might have its own business justifications or needs, but a weekly full backup to a daily incremental backup would be very helpful.
Basically, you want to minimize the amount of time between the attack and your most recent backups so you don’t have to worry about data loss and business continuity.
You’re attacked! What should you do?
It’s crucial to have a good incident response policy or incident management policy. You want to have a chain of command or a team that is able to quickly pick up on the scenarios when you’re being attacked.
If there’s a breach incident or any anomalous activity that’s taking place within your organization, you should know who to report to. That’s usually a manager and said manager can take that up a chain of command or to the appropriate team members (e.g., your IT or security team). That way, the best practices can be put into effect.
Now, the appropriate team leaders should reach out to the individual to help with the next steps—which is taking the device off the network, performing a chain of custody, and gathering whatever information they can to best understand and figure out exactly what happened. Is it something malicious? Is it just something benign? Is it just a freak occurrence?
You want to take that approach of, “An ounce of prevention equals a pound of cure.”
The Key to a Good Strategy
First, you definitely want to have something in place to protect the data that you have in your environment. Get a reputable antivirus or malware solution to help protect the data that’s being housed within your organization.
It’s also really important to remember that we protect what we treasure, and we improve what we measure. So, the key to a good strategy is making sure that you understand what information you have, where it is, what it is, who has access to it, and that you have clear containers built for storage methods that are secured for transporting that data, using it internally, sharing it internally, and sharing it externally so you actually know where the data is.
It’s almost like having an x-ray or a map of data inside your organization. So, if a particular user or device is compromised, you can then quickly understand what the impact will be not only for that device, but anything that that user may have had access to.
You can’t protect everything from everyone, but you have to be strategic in the way that you’re building layers inside of your perimeter to make sure that you’re containing events when they do happen.
Building a Security-Minded Organization
I think most folks already understand that your employees and innocent actors may tend to be your weakest links, because employees without proper training and sufficient technology supporting them tend to make choices that make their jobs as easy as possible.
One of the things I like to do is tell everyone at AvePoint that security is part of everybody’s job. Training and awareness are definitely critical when it comes to working efficiently with your employees. Fortunately, I think we’re at a time, culturally, where ransomware has become such a big deal that there’s a lot more consumer awareness of what it is and how it affects people.
It’s also important to have clear processes in place for what happens when. We mentioned that when something bad happens, you need to have that very clear methodology on how these things get reported.
But you also want to make sure that your employees are not trying to be heroes. Sometimes, if an employee thinks they can fix a problem themselves, that can actually create more damage than not. While we want to quickly report the incident, we need to contain it as well. And so, you need to make sure that you have a clear chain of command in place for reporting these incidents and escalating them immediately as they occur. That way, you can mitigate damage as quickly as possible and limit your losses. Those processes need to be defined through procedures that are clear and easy to follow.
And then finally, technology really is where all this comes together by implementing policies like least privileged access and limiting what an outsider could do with an insider’s credentials, what kinds of escalation privileges they may be able to implement, and what kinds of systems they may be able to get access to. We want to have good practices in place for isolating devices and segmenting and billing perimeters inside of the network.
What You Can Do NOW
If we were to talk about what you could do immediately, you should ensure that you have a regular, granular backup solution in place. In particular, make sure that you can restore from backup. Knowing that your data is being backed up is one thing; knowing that that backup data can’t be restored is an entirely different thing. And that’s something that I would recommend that you go out and actually do and test on a regular basis.
We do have some case studies available through AvePoint’s website of some of our customers who have been able to successfully withstand a ransomware attack. They were able to continue their business and work through ransomware attacks by using some of our backup software and methodology.
But, within the next 30 days, one of the things that is really important for you to consider is creating a plan for visibility and classification of information.
Make sure that you understand, again, that you can’t protect everything from everyone, so you need to prioritize what is most important and which elements of your business are going to be critical for you to remain up and running. Make sure that’s where you put your efforts first.
In the longer term—within the next three months—you should really work on those perimeter controls and how you can layer in defenses across your network. This is particularly important as many companies are in either remote, cloud-based, or fully hybrid environments now. Data is everywhere and accessible from many different end points, so we want to make sure we have those controls really thought through for that type of working environment.
Getting a granular view of your content—who has access to it, how they’re using it, and even adding tags to the information—would be really helpful, and you can do that by leveraging tools like Policies and Insights. This level of visibility would also help ensure that you know what to restore or isolate in case a breach happens.
A data-centric audit and protection approach to things is also recommended in terms of automating surveying what you have, classifying it, and making sure it’s in the right location and with the right controls for that group.
Another layer is governance, which is ensuring that you have an automated way that people can get what they need, and that that information is shared and collaborated on in the appropriate locations. This is key so things don’t spread and information isn’t leaked to different departments.
We can all agree that time is of the essence. The sooner you can react to a vulnerability or attack, the better off you’re going to be.
Webinar: Ransomware: Prevention, Response, and Recovery
Product Page: Policies & Insights for Microsoft 365
Product Page: Cloud Backup Solution For Microsoft 365, Dynamics 365 And Salesforce
Ransomware Case Study: Walls Construction
eBook: Mitigating Collaboration Risk Workbook