It seems that every week, there are alarming headlines announcing yet another ransomware attack - evidence that threat actors are relentless in their pursuit to exploit high-value targets. From the SolarWinds attack in 2020 to the most recent Kaseya VSA compromise in July 2021, ransomware attacks are carefully orchestrated to incite as much chaos and instability as possible.
In addition to the growing sophistication of ransomware, threat actors are also evolving in the techniques they’re leveraging to launch attacks. Within the past year, we have seen increasing instances of adversaries relying on the ransomware-as-a-service model and double extortion to guarantee payment.
Since complex attack tactics require equally complex recovery solutions, the remediation costs have also increased substantially. In fact, the average recovery cost from ransomware in 2021 has risen to $1.85 million USD, more than twice the $761,106 USD reported in 2020.
Even if an organization chooses to pay the ransom, the effects of ransomware are crippling and linger for years to come. Aside from facing the financial burden, the business will face reputational damage, loss of brand trust/loyalty, and depending on the scenario, may even face legal and regulatory repercussions. Therefore, security leaders must do their part to ensure they can prevent ransomware attacks from occurring.
So, what steps can your organization take to prevent a ransomware attack? Here are some of our recommendations:
- Conduct regular security awareness training with your employees so they know how to spot phishing emails and common social engineering tactics. You can also perform consistent security assessment & testing, including phishing simulations and table top exercises to test your team on the effectiveness of your training
- Practice strong cyber hygiene with regular patching, robust policies, strong password etiquette, and disciplined access controls.
- Ensure that the servers for any IT service management software applications that require administrative privileges are not Internet-facing, as was the case for the Kaseya cyber attack. Threat actors can easily use certain search engines to find exposed IP addresses for the exposed servers and use that information to target organizations
- Employ an effective multi-layered defensive posture balancing people, process, and technology, rather than structuring your cyber defenses around only one or two of those elements. For example, phishing emails are commonly used by adversaries to gain access into your network. To balance people, process, and technology, you would:
- Implement a top-down security culture and provide security awareness training (people),
- Establish protocols for steps that that your employees need to take when they spot a phishing email (process), and
- Have full visibility across all your data sources so you can detect and contain any attacks (technology).
- Ensure that your security team has full visibility into your IT environment using EDR agents and centralized logging on domain controllers since they are a key target for ransomware actors
- Leverage 24/7 detection with both automated and expert-level manual response, which will allow your organization to benefit from cybersecurity expertise and resources that are beyond your in-house capabilities.
- Invest in critical defensive tools, including next-generation antivirus, network monitoring, email gateway, VPN security, multi-factor authentication (MFA), and endpoint protection
- Always require MFA to access your organization’s VPN or remote desktop protocol services.
- Keep your operating systems and 3rd-party apps patched and up-to-date so threat actors have fewer vulnerabilities to exploit
- Don't install software applications or give it administrative privileges unless you know exactly what it is and what it does.
- Use the principle of least privilege so only the users that need access to certain data have access to it.
- Establish protocols so that if an employee requires access to data they don’t normally need to complete a specific task, that access is taken away after a certain period of time or it expires as soon as the task is complete.
- Implement network segmentation so that if one system is infected, it can easily be isolated from the rest of the networks to ensure the ransomware doesn’t spread through your environment.
- Backup all your data on a regular basis and store the backups separately to ensure they cannot be accessed from your network.
- Work with your security team and Incident Response (IR) provider to build an IR plan that’s right for your organization so that if a cyber attack does occur, your team is ready with remediation and response efforts.
Ransomware is easily poised to be one of the largest digital threats facing organizations today and this threat is not going anywhere. In fact, the Cybersecurity & Infrastructure Security Agency (CISA) recently released the Ransomware Readiness Assessment module as part of its Cyber Security Evaluation Tool (CSET). This self-assessment module is designed to “enable users to perform a comprehensive evaluation of their cybersecurity posture using many recognized government and industry standards and recommendations”.
Being prepared for a ransomware attack is just one part of the equation. Today’s CISOs must adopt an “assume breach” mentality and be ready to detect and respond to an attack. Learn how Managed Detection & Response can help your organization detect and contain threats before they become business-disrupting events, connect with an eSentire security specialist.
