
Protect Your Organization from Ransomware with a 4-Step Approach

In putting together this post on defending against the current wave of ransomware attacks, we reviewed research from several surveys, including the Verizon Data Breach Report, the Cybersecurity Insiders survey, Ponemon survey data, and a survey conducted by HelpSystems in conjunction with Cybersecurity Insiders.

Key findings in the benchmark cybersecurity surveys include:

  1. Only 5% of survey respondents did NOT experience a ransomware attack.
  2. 86% of respondents view malware and ransomware as either an extreme threat (49%) or a moderate threat (37%).
  3. 76% consider a malware or ransomware attack in the next 12 months moderately to extremely likely.
  4. The Verizon Data Breach Report suggests that 43% of all breaches affected small businesses.
  5. 54% consider phishing e-mails the most dangerous attack vector, followed by trojans at 13%.
  6. 75% of companies infected with ransomware were running up-to-date endpoint protection.
  7. The World Economic Forum report listed cyber threats as the 4th greatest risk to world economies; the Cybersecurity Insiders survey confirms that the heads of security it surveyed perceive the threat the same way.

Phishing Attacks are the Common Vector for Ransomware

In the 12-month period starting in Q2 of last year, ransomware attacks against businesses increased by over 365%, while attacks against consumers rose only 12%. The shift toward larger extortion payouts has been building for several years.

The malware is most often delivered through phishing e-mails, and increasingly through targeted spear-phishing e-mails. Once executed on a system, the ransomware encrypts hard drives or other parts of the system, making the data difficult or impossible to access without the attacker's key.

While there are countless ransomware strains and families, three families have done a significant share of the damage: Dharma, Ryuk and GandCrab.

Dharma Ransomware

Dharma is one family with three separate systems in circulation, each of which has several variants that go under different names. The oldest member of the family is Crysis, first released in February 2016. Dharma, the second in the series, followed in late 2016, and Phobos, first seen in 2019, is the newest.

The three family members are difficult to distinguish because they share a lot of code; anti-malware products often cannot tell them apart and flag Dharma as Crysis. The large number of variants of each complicates the picture further. What makes Dharma so successful is how it gets in: its operators target internet-facing ports and exposed remote desktop services. Since Remote Desktop Protocol (RDP) is a Microsoft protocol built into Windows, Dharma is in practice aimed at Windows machines.

Unlike most ransomware campaigns, which rely on phishing, Dharma can get into a network without a victim ever clicking a link or opening a malicious attachment. The malware is delivered by hand: attackers find RDP services exposed on TCP port 3389, brute-force or guess the password, log in with the compromised account and deploy the ransomware themselves.
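The RDP password-guessing that Dharma operators rely on leaves a very recognisable trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (event 4624) from the same address. The script below is an added example, not part of the original post or any Hitachi tooling; it runs a sliding-window check over a constructed, pipe-delimited log export (the export format, field order and the five-failures-in-five-minutes threshold are assumptions for the illustration).

```python
"""Spot RDP password guessing in Windows Security log events.

Added example (not from the original post). The events below are
constructed to look like a pipe-delimited export of Security log
entries: 4625 = failed logon, 4624 = successful logon, and logon
type 10 = RemoteInteractive, i.e. an RDP session. The export format,
the field order and the 5-failures-in-5-minutes threshold are
assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp|EventID|LogonType|TargetUserName|IpAddress
SAMPLE_EVENTS = """\
2023-03-01T02:14:05|4625|10|administrator|203.0.113.45
2023-03-01T02:14:07|4625|10|administrator|203.0.113.45
2023-03-01T02:14:09|4625|10|admin|203.0.113.45
2023-03-01T02:14:12|4625|10|admin|203.0.113.45
2023-03-01T02:14:15|4625|10|backup|203.0.113.45
2023-03-01T02:14:18|4625|10|backup|203.0.113.45
2023-03-01T02:14:21|4624|10|backup|203.0.113.45
2023-03-01T02:20:00|4625|10|jsmith|198.51.100.7
2023-03-01T02:20:30|4625|10|jsmith|198.51.100.7
2023-03-01T02:21:00|4624|10|jsmith|198.51.100.7
2023-03-01T09:00:00|4625|2|jdoe|127.0.0.1
"""

FAILURE_THRESHOLD = 5            # failures from one IP ...
WINDOW = timedelta(minutes=5)    # ... inside this sliding window
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Turn the export into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for IPs that look like they are guessing RDP passwords.

    An alert records when the burst started, how many failures were seen,
    which accounts were tried and, most importantly, whether a successful
    RDP logon from the same IP followed the burst (a likely compromise).
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    accounts = defaultdict(set)   # ip -> account names the IP has tried
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue              # console/network logons are out of scope here
        ip = e["ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(e["ts"])
            accounts[ip].add(e["account"])
            while q and e["ts"] - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {
                    "first_seen": q[0],
                    "failures": len(q),
                    "accounts": accounts[ip],
                    "success_after_burst": None,
                }
        elif e["event_id"] == 4624 and ip in alerts:
            # A success right after a guessing burst is the signal that matters
            alerts[ip]["success_after_burst"] = (e["ts"], e["account"])
    return alerts


def analyze_sample():
    """Run the detector over the constructed export."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for ip, alert in analyze_sample().items():
        status = "COMPROMISED" if alert["success_after_burst"] else "guessing"
        print(f"{ip}: {status}, {alert['failures']} failures, "
              f"accounts tried: {sorted(alert['accounts'])}")
```

On a real host the events come from the Security log (for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}`), and the check belongs in a SIEM rule rather than a script. The detection has known blind spots: an attacker spreading guesses across many source addresses stays under a per-IP threshold, which is why the real fix is to keep port 3389 off the internet, require Network Level Authentication and MFA on any remote access path, and enforce account lockout.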

Ryuk Ransomware

A variant of the older Hermes ransomware, Ryuk tops the list of the most damaging ransomware families. In last year's CrowdStrike Global Threat Report, Ryuk accounted for three of the ten largest ransom demands of the year: USD $5.3 million, $9.9 million and $12.5 million. Ryuk has hit companies across industries around the globe; the practice of singling out large organizations for large ransoms is known as "big game hunting" (BGH).

The Russian cybercriminal group tracked as WIZARD SPIDER is believed to operate Ryuk. UNC1878, an Eastern European threat actor, has been behind a series of healthcare-specific attacks. Ryuk is not delivered directly: the attackers first gain a foothold with other malware (commonly a loader such as TrickBot or Emotet), then push Ryuk to the machines they want to encrypt.

When Ryuk runs on a system, it first stops roughly 180 services and kills around 40 processes, either because they could interfere with the encryption (backup agents, databases, security tools) or because stopping them releases files that would otherwise be locked and unencryptable. Ryuk is estimated to have earned its operators more than $3.7 million in its first four months.

The attackers leave ransom notes on the infected system as RyukReadMe.txt and UNIQUE_ID_DO_NOT_REMOVE.txt; the note tells the victim how to contact the operators and pay.


GandCrab Ransomware

Like many ransomware strains, GandCrab was offered as ransomware-as-a-service (RaaS) to interested criminals on the dark web and encrypts the data on a system. GandCrab far eclipsed the success of competing affiliate programs, largely because its authors kept updating the malware so it could evade antivirus and other defenses.

GandCrab is distributed through multiple vectors, including spam e-mail, exploit kits and other affiliated malware campaigns. GrandSoft and RIG are the two exploit kits most commonly used to deliver it, alongside a high volume of malicious spam. The spam tricks users into opening the file inside an attached ZIP archive, which is generally a script that downloads the GandCrab ransomware and executes it.


Like Dharma's authors, the GandCrab developers released new versions whenever free decryption tools appeared. The group claimed to have earned over $2 billion and has since announced that it ceased operations, saying its first-of-its-kind ransomware-as-a-service model had made them comfortable enough to retire.

A decryption tool for the most recent version of GandCrab is available from the excellent No More Ransom project.

The 4 Step Solution to Protecting Against Ransomware Attacks

Because IT security, incident response and cybersecurity teams have investigated so many ransomware attacks over the past several years, the industry has a much better sense of how to defend effectively. The team at Hitachi Systems Security has distilled its philosophy and blueprint for defending against and responding to ransomware, drawing on its understanding of how ransomware infiltrates a system, spreads through a network and locks data and system functions, into the following four steps that organizations should take.

4 Steps Organizations Should Take to Defend and Respond to Ransomware Attacks

In IT security we typically describe such an attack as a "land and expand" strategy: the criminal must first get the malware onto one system ("land"), then move to other systems by escalating privileges, stealing credentials or other means ("expand") until they reach the most lucrative targets.

With that attack strategy in mind, let's walk through how to execute the four steps and how they close the gaps that cyber-criminals use to steal billions from their victims.

Prevention through Social Engineering Training and Effective Patch Management

The prevention strategy is aimed at hardening systems against attack: systems are reinforced against phishing, RDP/remote access attacks and other vectors using a best-practice approach to eliminating vulnerabilities. Prevention means implementing the following:

  1. Improve Patch Management – Attackers are getting more effective at scanning for vulnerable systems. If the Log4j vulnerability taught us anything, it is that from the moment a vulnerability is disclosed and assigned a CVE, criminals are scanning millions of systems to find the ones that have it.
  2. Employee Social Engineering Training – This does not mean formal mandatory training with dozens of employees on a web conference call or in a meeting room every week. It means periodic e-mails and reminders that make sure employees DON'T CLICK ON LINKS AND ATTACHMENTS without verifying the sender and the content first.
  3. Scan E-mails – Content scanning and filtering at the e-mail gateway is fairly effective at stopping "known" malware. Malicious attachments are the most common technique attackers rely on to gain entry to a system and an organization; most arrive as files with .docx and .pdf extensions, or as scripts inside ZIP archives, that carry or download the malware.
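Signature scanning catches "known" malware, but the GandCrab spam described above (a script inside a ZIP, posing as a document) is caught just as well by simple structural rules on the attachment itself. The script below is an added example written for this post, not gateway code from the original page or from any vendor: it builds a small archive in memory from constructed file names and contents, then applies the checks a gateway filter would run before the archive ever reaches a mailbox. The extension lists and the quarantine policy are assumptions for the illustration.

```python
"""Inspect a ZIP e-mail attachment for the lures ransomware droppers use.

Added example (not from the original post). It builds a small archive in
memory, modelled on the GandCrab spam described above (a script inside a
ZIP), and applies the checks a gateway filter would: script or executable
entries, double extensions such as invoice.pdf.js, macro-enabled Office
documents, nested archives, password-protected entries a scanner cannot
look inside, and attachments that claim to be ZIPs but are not. The file
names and contents are constructed.
"""
import io
import zipfile

SCRIPT_OR_EXE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                 ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk", ".iso", ".img"}
MACRO_DOCS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
ARCHIVES = {".zip", ".rar", ".7z", ".gz"}
# Findings that are enough on their own to hold the message for review
BLOCKING = {"script_or_executable", "double_extension", "macro_document",
            "encrypted_entry", "nested_archive", "not_an_archive"}


def build_sample_attachment():
    """Constructed archive: a JS file posing as a PDF, a plain .docx, a macro doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # The script body is a harmless stand-in, not a real downloader.
        z.writestr("Invoice_2023.pdf.js", "WScript.Echo('placeholder');")
        z.writestr("report.docx", b"PK\x03\x04 placeholder docx bytes")
        z.writestr("quote.docm", b"PK\x03\x04 placeholder docm bytes")
    return buf.getvalue()


def inspect_attachment(data):
    """Return a list of (finding, entry_name) pairs for a declared-ZIP attachment.

    An empty list means nothing structurally suspicious was found.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Declared as a ZIP but is not one: a classic way to dodge inspection
        return [("not_an_archive", "<attachment>")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_OR_EXE:
                findings.append(("script_or_executable", info.filename))
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
                findings.append(("double_extension", info.filename))   # invoice.pdf.js
            if ext in MACRO_DOCS:
                findings.append(("macro_document", info.filename))
            if ext in ARCHIVES:
                findings.append(("nested_archive", info.filename))
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted entry;
                # a scanner cannot see inside, so treat it as hostile.
                findings.append(("encrypted_entry", info.filename))
            if info.compress_size and info.file_size / info.compress_size > 100:
                findings.append(("extreme_compression_ratio", info.filename))
    return findings


def should_quarantine(findings):
    """Policy decision: any blocking finding holds the message."""
    return any(kind in BLOCKING for kind, _ in findings)


if __name__ == "__main__":
    result = inspect_attachment(build_sample_attachment())
    for kind, name in result:
        print(f"{kind:28s} {name}")
    print("quarantine:", should_quarantine(result))
```

The double-extension and script checks are what would have stopped the GandCrab lure; the encrypted-entry check matters because "the password is in the e-mail body" archives are a deliberate way around gateway scanning. Extension rules are cheap and miss anything renamed, so in production they sit in front of content-type sniffing and sandbox detonation, not in place of them.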

Isolate Infected Systems Immediately and Minimize Privileges

As noted above, attackers use the "land and expand" strategy: compromise one system, then move through the organization until they find the sensitive data they are after. They use lateral movement to pivot from the first system to the systems that hold the data they are targeting, escalating privileges along the way by exploiting vulnerabilities and misconfigurations to methodically gain more access and compromise higher-value targets.

To stop the attack from escalating, or the malware from moving laterally to other systems, the first thing to do is take the infected system off the network. You do not necessarily need to power it down (doing so can destroy volatile evidence an investigator will want), but it must be isolated.

Administrators should also use separate accounts: one for day-to-day work, including web browsing and e-mail, and a privileged administrator account that is used only from dedicated administration devices. This reduces the risk of an infected device being used for administrative purposes.

Finally, administrator accounts should be blocked from browsing the web and reading e-mail, and used only when a task requires elevated permissions. The principle of least privilege should be applied wherever possible: users should have only the privileges necessary to do their job.

Backup Systems and Verify the Malware has been Eliminated

In a Vanson Bourne survey of 500 cybersecurity decision makers sponsored by SentinelOne last year, 48 percent of organizations said they had experienced at least one ransomware attack in the previous year, with the average organization experiencing six attacks and a recovery time averaging over 33 hours.

So how do you recover quickly from a ransomware attack? Let's discuss two critical ways:

  1. Back-up Solutions – Reliable backups with an effective retention policy let organizations recover from ransomware without paying the ransom. Wiping machines and reloading software and data is time-consuming and arduous, but it is far more cost-effective than losing the data or paying to get it unlocked. Offsite and offline backup technologies also allow an organization to replace the encrypted data with a mirrored copy stored outside the affected network, out of the ransomware's reach.
  2. Digital Forensic Investigation to Improve Protection – As organizations restore data to the systems that were infected, they should re-scan both the systems and the restored data to make sure the malware, and any attacker foothold, is not sitting in the backup. A post-mortem digital forensic investigation will help the organization understand its weaknesses and how, specifically, to bolster its defenses.
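"Re-scan the backup" is easy to say and easy to skip. The script below is an added example, not part of the original post or of any backup product: it shows what a restore check looks like in practice by comparing a restored file set against a SHA-256 manifest taken at backup time and flagging files that are missing or altered, files that were never in the backup, ransom notes under the Ryuk file names the post lists (RyukReadMe.txt and UNIQUE_ID_DO_NOT_REMOVE.txt), and plain-text files whose contents have the near-8-bits-per-byte entropy of ciphertext. All file names and contents are constructed so the example runs offline.

```python
"""Check a restored backup before trusting it.

Added example (not from the original post). It simulates a backup
manifest of SHA-256 hashes taken when the backup was made and then
verifies a "restored" copy against it, flagging files that are missing
or altered, files that were not in the backup at all, ransom notes under
the names the post lists for Ryuk (RyukReadMe.txt and
UNIQUE_ID_DO_NOT_REMOVE.txt), and plain-text files whose contents look
encrypted (near 8 bits of entropy per byte). The file contents are
constructed; the "encrypted" file is deterministic pseudo-random data so
the example runs offline.
"""
import hashlib
import math

RANSOM_NOTE_NAMES = {"ryukreadme.txt", "unique_id_do_not_remove.txt"}
PLAINTEXT_EXTS = (".txt", ".csv", ".log", ".sql", ".json", ".xml", ".ini")
ENTROPY_LIMIT = 7.5   # bits per byte; compressed/encrypted data sits near 8.0

# Constructed "files": name -> bytes, as they were when backed up
ORIGINAL_FILES = {
    "customers.csv": b"id,name,email\n1,Alice,alice@example.com\n2,Bob,bob@example.com\n" * 40,
    "config.json": b'{"db": "pg01", "retention_days": 30}\n',
    "notes.txt": b"Q1 planning notes. Review backup retention with finance.\n" * 20,
}


def fake_ciphertext(n_bytes):
    """Deterministic high-entropy bytes standing in for ransomware output."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n_bytes])


# Constructed "restore": customers.csv came back encrypted, a ransom note
# was swept into the backup set, and notes.txt never made it back.
RESTORED_FILES = {
    "customers.csv": fake_ciphertext(4096),
    "config.json": ORIGINAL_FILES["config.json"],
    "RyukReadMe.txt": b"constructed placeholder ransom note text\n",
}


def shannon_entropy(data):
    """Bits of entropy per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(files):
    """Hash every file at backup time; store this manifest separately from the data."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def verify_restore(manifest, restored):
    """Return (is_clean, findings); findings is a list of (issue, file_name)."""
    findings = []
    for name in manifest:
        if name not in restored:
            findings.append(("missing", name))
        elif hashlib.sha256(restored[name]).hexdigest() != manifest[name]:
            findings.append(("modified", name))
    for name, content in restored.items():
        lower = name.lower()
        if lower in RANSOM_NOTE_NAMES:
            findings.append(("ransom_note", name))
        elif name not in manifest:
            findings.append(("unexpected_file", name))
        if lower.endswith(PLAINTEXT_EXTS) and shannon_entropy(content) > ENTROPY_LIMIT:
            findings.append(("looks_encrypted", name))   # text that is not text any more
    return (not findings, findings)


def check_sample():
    """Verify the constructed restore against the manifest of the originals."""
    return verify_restore(build_manifest(ORIGINAL_FILES), RESTORED_FILES)


if __name__ == "__main__":
    clean, issues = check_sample()
    print("restore is clean" if clean else "DO NOT trust this restore:")
    for issue, name in issues:
        print(f"  {issue:16s} {name}")
```

Two design points carry over to real backup systems: the manifest has to be written somewhere the ransomware cannot reach (an offline or immutable store), or a modified file and a modified manifest will agree with each other; and the entropy test is only meaningful for formats that are normally low-entropy, which is why it is restricted to text-like extensions rather than applied to .docx, .zip or images that are compressed by design.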

Improve Security Controls to Prevent Attacks

Wikipedia defines security controls as "safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets." Good definition. Let's look at one example:

  1. NIST suggests that a quality vulnerability management and patch management program, which should be part of any organization's "prevention" program against malware, includes the following:
    • Create a system inventory – identify which systems are high value
    • Scan for vulnerabilities – identify which vulnerabilities on which systems need to be fixed quickly
    • Automate patch deployment – as organizations mature, they can manage the vulnerability management process through automation
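The three steps only pay off when they are joined: the inventory tells you what a system is worth and whether it is exposed, the scan tells you what is wrong with it, and the patch order should follow from both. The script below is an added example, not NIST's method or code from the original post; it joins a constructed inventory with constructed scan findings, scores each item and assigns a remediation deadline. The weights, SLA windows and hostnames are assumptions for the illustration; CVE-2021-44228 is the real Log4j identifier mentioned earlier, and the EXAMPLE-* identifiers are placeholders, not real CVEs.

```python
"""Turn an asset inventory plus scanner output into a patch order.

Added example (not from NIST or the original post). It joins a
constructed inventory (which systems are high value and exposed) with
constructed scan findings and ranks them so the riskiest items get the
shortest remediation deadline. The weights, SLA windows and all
hostnames are assumptions; CVE-2021-44228 is the real Log4j identifier,
the EXAMPLE-* identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    host: str
    criticality: str          # "high", "medium" or "low" business value
    internet_facing: bool


@dataclass
class Finding:
    host: str
    vuln_id: str
    cvss: float
    exploited_in_wild: bool   # e.g. listed in a known-exploited catalogue


INVENTORY = [
    Asset("web01", "high", True),
    Asset("db01", "high", False),
    Asset("kiosk01", "low", False),
]

FINDINGS = [
    Finding("kiosk01", "EXAMPLE-0003", 5.3, False),
    Finding("db01", "EXAMPLE-0002", 7.8, False),
    Finding("web01", "CVE-2021-44228", 10.0, True),
    Finding("shadow-it-07", "EXAMPLE-0004", 6.4, False),   # host nobody inventoried
]

CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.7}
MAX_SCORE = 30.0


def risk_score(finding, asset):
    """CVSS scaled by what the asset is worth and how reachable it is."""
    score = finding.cvss * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= 1.5
    if finding.exploited_in_wild:
        score *= 1.5
    return round(min(score, MAX_SCORE), 1)


def sla_days(finding, asset):
    """Remediation window; exploited bugs on exposed hosts get days, not months."""
    if finding.exploited_in_wild and asset.internet_facing:
        return 2
    if finding.cvss >= 9.0:
        return 7
    if finding.cvss >= 7.0:
        return 30
    return 90


def prioritize(inventory, findings, today):
    """Return plan entries sorted by descending risk, then earliest due date."""
    assets = {a.host: a for a in inventory}
    plan = []
    for f in findings:
        asset = assets.get(f.host)
        note = ""
        if asset is None:
            # Step 1 failed for this host: assume high value and exposed
            # until someone classifies it, and say so in the plan.
            asset = Asset(f.host, "high", True)
            note = "not in inventory, classify it"
        plan.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "score": risk_score(f, asset),
            "due": today + timedelta(days=sla_days(f, asset)),
            "note": note,
        })
    plan.sort(key=lambda p: (-p["score"], p["due"]))
    return plan


if __name__ == "__main__":
    for item in prioritize(INVENTORY, FINDINGS, date(2023, 3, 1)):
        print(f"{item['score']:5.1f}  due {item['due']}  {item['host']:14s} "
              f"{item['vuln_id']:16s} {item['note']}")
```

The unknown host is the point worth noticing: a scan finding on a machine the inventory does not know about is treated as a high-risk, exposed asset rather than dropped, because the gap in step 1 is itself the problem. Once the ranking is stable, the same plan is what a patch automation tool consumes, which is the "automate" step.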


Ransomware is the most prevalent threat facing organizations of every size and in nearly every industry. Damages from ransomware attacks are estimated to have exceeded $20 billion globally in 2021, a figure expected to reach $265 billion by 2031. According to the World Economic Forum's Global Risks Report, 95% of cybersecurity issues can be traced to human error, and 43% of all breaches are threats from within an organization, whether malicious or accidental. And, as we said, in the vast majority of cases a single device is the starting point of a company-wide attack.

Cybercriminals are constantly creating and testing new vectors and variants of ransomware, including ransomware-as-a-service, and the number and complexity of attacks has risen dramatically as a result. Exposed RDP (Remote Desktop Protocol), phishing and unpatched software vulnerabilities give attackers fairly easy access to systems. We hope this post on the four keys to protecting against and recovering from a ransomware attack helps your organization.