We see it time and time again. Another ransomware attack has breached the perimeter and maliciously encrypted the critical files of an organization. Finance, operations, HR, medical, customer data, all in the hands of someone else. They’re completely inaccessible without a key that only the cybercrime group holds. The organization doesn’t want to pay, but it has to get back online, and fast. It tries to resist, telling the attackers that it can’t possibly pay their ransom. The hackers show them their own financial documents and say “Yes, you can”. Soon enough, another organization is in the news for paying a ransom, often on the order of millions of dollars. And the vast majority of ransomware victims aren't lucky enough to have the government go and get their ransom back for them.
Of course, the threat posed by ransomware isn’t limited to just your finances and your reputation. If your organization provides critical services to your community, those people are no longer being served if you can’t conduct business. We’ve seen cyberattacks shut down critical infrastructure, close schools, halt oil and gas shipments, delay surgeries and chemotherapy, and in one recent case, a German medical patient died after a ransomware attack forced an hour’s delay in treatment.
With all that said, you’re not powerless. There are concrete, actionable steps you can take to better protect your organization, your resources, and the people who depend on you from a ransomware attack. MFA. SSO. AV. EDR. IR. Much like the health benefits of real alphabet soup, this alphabet soup will keep your organization healthy. It can seem confusing at first, but we’re here to walk you through it.
Reduce your Attack Surface
This first item is perhaps the simplest and, by itself, can even save your organization money. First, you should have a comprehensive inventory of all business-critical apps, equipment, and services. Once you identify the assets critical to your organization, ruthlessly strip out anything that’s running but not strictly required - it’s the equivalent of removing an old back door that nobody uses anymore. Be sure to disable or unplug any unnecessary physical IT equipment. Uninstall or disable any services, programs, or other software that your organization still has but no longer has a business use for. Old or forgotten servers, websites, or software often serve as an entry point for hackers. Additionally, a penetration test can help you discover such unknown assets and validate that they aren’t lingering on your network.
Credential (Password) Hygiene
Almost everyone has done it - they’ve used the same password on multiple sites or devices, they use passwords with predictable patterns, they’ve shared passwords with others in their organization, or they’ve let passwords linger just a little too long after they’ve been compromised. Even so, it’s a dangerous practice. A single compromised password, combined with a lack of multi-factor authentication (MFA, we’ll get to that later), was likely the cause of the recent $4.4 million ransomware attack on the Colonial Pipeline, according to its CEO. All it takes is one compromised account to serve as an entry point for hackers, ransomware cyber criminals, and other unsavory characters. We recommend the use of strong, automatically generated passwords that are stored in a password manager (such as 1Password, or those included with most major web browsers). Password managers work by storing these strong, computer-generated passwords in an encrypted database on your computer or in the cloud and automatically inserting them where they're needed. RipRap can also use open-source intelligence methods to help determine if any of your organization’s passwords have been compromised in previous breaches.
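As an added example (not RipRap's own tooling or method), here is how a compromised-password check can be run without ever sending the password anywhere, using the k-anonymity range scheme of the public Have I Been Pwned "Pwned Passwords" API: only the first five hex characters of the password's SHA-1 hash leave the machine. The corpus, counts and account names are constructed, and `fetch_range` is an injected stand-in for the HTTPS request.

```python
"""Check passwords against a breach corpus without disclosing them, using the
k-anonymity range scheme of the Have I Been Pwned "Pwned Passwords" API: only
the first five hex characters of the password's SHA-1 hash are sent, and the
server returns every known hash suffix for that prefix with a breach count.
Added example; the corpus below is constructed, not real API data."""
from __future__ import annotations
import hashlib
from typing import Callable

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the corpus (0 = not seen).
    `fetch_range(prefix)` returns the response body for a 5-char prefix; in
    production it would perform an HTTPS GET, here it is injected for testing."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def constructed_fetcher(breached: dict[str, int]) -> Callable[[str], str]:
    """Build an offline stand-in for the API from a constructed {password: count}
    corpus, grouping hash suffixes under their prefix like the real service."""
    ranges: dict[str, list[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(ranges.get(prefix, []))

def audit_accounts(accounts: dict[str, str], fetch_range: Callable[[str], str]) -> dict[str, int]:
    """Report only the account names whose password is in the corpus, never the passwords."""
    return {user: n for user, pw in accounts.items() if (n := breach_count(pw, fetch_range))}

if __name__ == "__main__":
    fetch = constructed_fetcher({"Password123": 4242, "Winter2021!": 17})  # constructed counts
    print(audit_accounts({"alice": "Password123", "bob": "kX9#vR2mQ!pL7wNz", "carol": "Winter2021!"}, fetch))
```

The audit report names accounts, not passwords, so it can be handed to the helpdesk for forced resets without itself becoming a credential leak.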
Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
You may already be familiar with Multi-Factor Authentication and Single Sign-On, but perhaps you haven’t thought about them too much. If your bank texts you a one-time PIN to enter when you log in for the first time in a while, that’s one form of MFA. Many services offer MFA these days, and we encourage enabling it within your organization and enforcing it with technical controls wherever possible. SMS (text message) based MFA is a great start, but it’s even better if you can use an authenticator app on your phone or a dedicated hardware token. With MFA, even if a username and password are compromised, there’s usually still one more missing piece that a hacker would need in order to compromise that account.
Have you ever logged into a food delivery service with your Facebook or Google account? That’s SSO. Rather than having countless usernames and passwords distributed across dozens of different services, SSO allows you to use one account with strong, properly configured security to assert your identity across various web services. Google Workspace (formerly G Suite) supports this, as do many other business productivity platforms. We recommend enabling SSO for as many services in your organization as support it, and then treating the account used for SSO as a “crown jewel”, protected with strong identity management, strong passwords, and MFA.
Identify your Critical Data, and Back. It. Up.
Why pay countless sums of money to restore your data from a group of hackers when you already have comprehensive backups that can get you back up and running in a matter of hours? Properly-configured backups can also protect you from user errors, hardware failures, and other issues that can affect your organization’s ability to perform its mission. The first step of taking backups is knowing what to back up. Take a few moments to identify the critical data used by your organization. There may be more than you think, and you may want to consult with your IT team to get their perspective on configuration data that may be keeping things running behind the scenes.
Once you’ve identified the critical data, you should put together a plan to back it up. At least one set of backups should be stored offsite (to protect in the event of a fire or natural disaster), and ideally it should not be integrated too closely with the organization’s IT infrastructure. A backup won’t protect you against ransomware if the attack also maliciously encrypts your backups. So take those backups, ensure at least one copy is securely stored somewhere else (ideally encrypted by you, with a key that your organization controls to protect from loss/prying eyes), and then separate it from the organization's online infrastructure.
Also, one last thing - make sure that the backups you are taking actually work. Too often an organization has believed itself safe, taking regular backups, only to discover that the backups weren’t actually backing anything up at all, or that the data couldn’t be used to restore functionality. RipRap can help you develop a strategy to back up your data and test it to ensure that it can be used to restore operations should the worst happen.
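As an added example (not RipRap's tooling), here is the kind of restore test described above, in Python: it backs up a constructed sample directory with a SHA-256 manifest, performs a real restore into a scratch directory, and reports every file that is missing or altered. The scenario also includes a constructed "bad" archive in which the backup job silently skipped one file, which is exactly the case an untested backup would hide.

```python
"""Back up a directory with a SHA-256 manifest, then prove the backup works by
restoring it into a scratch directory and re-hashing every file. Added example."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def create_backup(source: Path, archive: Path) -> dict:
    """Archive every regular file under `source`; return {relative_path: sha256} as the manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    return manifest

def verify_restore(archive: Path, manifest: dict) -> dict:
    """Really restore into a temp directory and check every promised file is present and byte-identical."""
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter (rejects path traversal) where this Python has it.
            tar.extractall(scratch, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != expected:
                corrupt.append(rel)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}

def demo() -> dict:
    """Constructed scenario: a good backup, then a job that silently skipped a locked file."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")  # constructed
        (src / "hr.db").write_bytes(bytes(range(256)) * 16)  # constructed binary file
        good, bad = Path(work, "backup.tar.gz"), Path(work, "bad.tar.gz")
        manifest = create_backup(src, good)
        with tarfile.open(good) as full, tarfile.open(bad, "w:gz") as partial:
            for m in full.getmembers():
                if m.name != "hr.db":  # simulate a job that skipped a locked database file
                    partial.addfile(m, full.extractfile(m))
        return {"good": verify_restore(good, manifest), "bad": verify_restore(bad, manifest)}
```

In practice the manifest is written alongside the offsite copy, and the restore test is scheduled, so that a backup job that quietly stops covering a file is caught long before the day you need it.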
Antivirus (AV) and Endpoint Detection and Response (EDR)
Antivirus is a concept almost as old as computing itself, with some of the first computer viruses emerging in the 1980s. Computer viruses were originally created for the amusement of their creators, to gain notoriety, or to wreak a bit of havoc on networks and systems, but the motivations of their authors have evolved. Today's ransomware authors still seek to disrupt business and cause havoc, but with the aim of demanding a ransom payment in order to get their victims back online. Ransomware can be considered a type of virus, and as such, many attacks can be proactively detected and stopped in their tracks.
To enable this, detection and prevention mechanisms have also evolved. Advanced versions of what used to be called antivirus software are now called Endpoint Detection and Response (EDR), and go beyond traditional virus definitions to provide advanced protection. Many EDR suites leverage threat intelligence, artificial intelligence, machine learning, and heuristics to identify and block both known and unknown threats. And in the event some advanced, unknown threat does get through, these tools provide Incident Response (IR) capabilities to support event reconstruction, threat isolation, and recovery.
To get started, ensure you have antivirus or anti-malware protection installed with current definitions at the very least. Microsoft Windows Defender is free, and included with most licensed installations of Microsoft Windows. Just ensure that your Windows license is valid, and that endpoints are configured to receive automatic updates. For more advanced EDR capabilities, RipRap can help get you started.
Patching and Updates
We get it. Installing software updates can be a headache, take time out of your workday, and sometimes introduce changes to your workflow that you’re not expecting. With that said, patching your systems is a critical step in closing vulnerabilities that could allow ransomware to be introduced into your systems. The 2017 WannaCry malware used stolen National Security Agency (NSA) computer exploits against vulnerabilities that had already been patched in up-to-date installations of Microsoft Windows. This global cyberattack shut down hospital systems and cost organizations billions of dollars in lost productivity and remediation costs, but had they simply updated Microsoft Windows, WannaCry would have been powerless against them. Patching is free. We highly recommend it.
Luckily, most modern operating systems make this easy. Microsoft Windows, macOS, and most Linux distributions all have automatic update features that can be enabled, and are enabled in most default configurations. Any other software products in use should also be configured for automatic updates wherever possible, and where they’re not, continually reviewed for updates that close security vulnerabilities. This is also where that IT inventory we talked about at the beginning of this article comes in handy - the list of hardware and software products in use should be continually reviewed for emerging security vulnerabilities.
User Awareness and Training
If it’s been said once, it’s been said a million times. Your people are your first and last line of defense, and people are the weakest link in your security posture. These ideas may seem at odds, but they can both be accurate at the same time! It’s true that a user who unknowingly clicks on a suspicious email attachment that releases ransomware can endanger your organization. But a user who sees the same attachment and flags it for your IT team or security partner to inspect can prevent an attack, bolster defenses against the same type of attack in the future, and aid threat intelligence efforts.
The best thing you can do is train and equip your users with the knowledge on what to do in the event they suspect a phishing or ransomware attempt in the organization. By training employees to recognize these threats and empowering them to flag them for further analysis, you enable your employees to do something heroic - save the organization from an active threat trying to do it harm, and protect your mission and the people you serve.
Wrapping it Up
Following the steps in this article can improve your organization’s security posture against ransomware and similar threats considerably. It won’t just protect your finances, but your people and the people you care for as well. We recommend you consider the above to get yourself started, and when you want to take your organization’s security to the next level, reach out to RipRap. We’re always here to help. Just shoot us a note at info@RipRapSecurity.com.
Founded by two former US Government cyber security operators, RipRap Security brings decades of experience to the table in countering advanced cyber threats to government organizations. Our team brings this expertise to your organization at fixed, predictable pricing. Reach out for a free consultation.