Thwarting an increasing number of hacks involves planning, education, and a multi-pronged defense
It’s time to build your defense.
Last year, ransomware attacks grew by 150%, according to cyber-intelligence firm Group-IB, and in 2021, damages from cybercrime may hit $6 trillion, up from $3 trillion in 2015, according to the State of Ransomware report by security firm BlackFog.
"These bad actors have gotten very professional, hiring people with doctorates and PhDs in computer science and engineering," says Tony Ocampo, C1's senior solutions architect and an expert on ransomware. "When they ship their ransomware, it's very difficult to find, and that's why we're seeing these big numbers."
Those numbers, Ocampo says, should prompt every organization to plan ahead now, by educating employees on the threats, using sophisticated tools to defend their networks and data, and writing incident plans to ensure swift recovery of vital data and a smooth return to operations.
Ransomware isn’t new; it has been around since the late 1980s. But the 2009 arrival of bitcoin fueled its growth, because thieves could suddenly get paid through a cryptocurrency that is hard to trace back to a real identity.
Hackers trick victims into visiting an infected website or opening a malicious attachment, which installs software that encrypts an organization’s data. Sometimes they even get into an organization’s systems by walking into an office and gaining access through social engineering, that is, pretending to be someone they are not. They then demand that the company pay hundreds of thousands of dollars, and sometimes millions, to decrypt the data or to keep stolen copies of it from being published.
The damage goes beyond time and money. It hurts an organization’s reputation, eroding trust among vendors and customers, who may now be wary of doing business with it.
Yet all too often, organizations assume that a single control, such as a perimeter firewall or an endpoint protection product, is enough. Hackers use multiple vectors to attack a network, so it’s important to use a multi-pronged defense, says Ocampo.
Education is paramount
At least once a year, leaders should hold training sessions to ensure all internal users understand the threat and the various ways that hackers may attack. Encourage people to be skeptical: If a phone call or an email appears fishy, practice caution. “Just as you wouldn’t give your bank or credit card information to a person who calls you at home, don’t validate any request for important company information,” says Ocampo.
Most people know about the threat of phishing: email that imitates legitimate communication. A number of technologies can flag whether a message that appears to come from, say, HR inside the company is really a spoof sent from an external source.
A newer ploy is “smishing,” or fraudulent text messages requesting sensitive details that should never be provided. Employees should also be educated about physical attacks, in which intruders come on site and pose as employees. And an employee may open the door to a hacker simply by stumbling onto a malicious website that infects a machine.
People are not always aware, and they think they're in a safe zone just because they're in the office.
– Eric Jansta, Cyber Security Expert and Senior Solutions Architect, C1
Keeping hackers out
Ransomware thieves first seek access to your organization’s data. Once they have it, they corrupt or destroy backup copies and then encrypt your data, rendering your organization helpless, before demanding money. This is typically done over a command-and-control (C2) channel, which gives the hacker full remote control of the compromised systems and the data on them.
Every organization should install firewalls inside the data center and employ what’s known as “east-west traffic monitoring”: watching the server-to-server and application-to-application communication inside the network for unwanted activity. Large volumes of data pass freely between servers this way, which is exactly the traffic an intruder uses to move laterally and stage data.
It’s important to integrate services that look for and monitor data exfiltration, the unauthorized transfer of data out of a computer or network. Such a service monitors traffic inside your environment and looks for new flows of data leaving it that don’t match the usual pattern, says Jansta.
A private cloud sits inside your own data center, where you control the hardware your employees use. Public cloud and SaaS services, by contrast, extend beyond your environment, and if they are not properly protected they leave you at risk. A ransomware-infected client, for instance, can pull a malicious payload down from an Internet-based command-and-control server.
Data protection should cover that entire cloud footprint. Multiple cloud security services can protect cloud and SaaS workloads that extend beyond a customer’s environment. They detect when a client tries to reach a known command-and-control server and block the connection. They also monitor traffic flows, comparing them against historical patterns and looking for anomalies. This can protect you when a ransomware payload tries to copy out and encrypt data.
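The two checks described above, flagging new or unusually large outbound flows and blocking contact with known command-and-control addresses, can be prototyped against flow records. The following is an added example written for this article, not C1’s tooling or any vendor product; the internal ranges, the baseline, the blocklist and the flow records are all constructed, and the field layout (source, destination, port, bytes out) is assumed.

```python
"""Detect new outbound flows, volume spikes and C2 contact in flow records.

Added example for illustration; not C1's tooling. All data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space that counts as "inside" the environment (assumed).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed stand-in for a command-and-control threat feed.
C2_BLOCKLIST = {"203.0.113.7"}

# Constructed baseline: external destinations each host normally talks to,
# with the typical number of bytes sent per day.
BASELINE = {
    "10.0.1.20": {"198.51.100.10": 2_000_000},  # file server syncing to a SaaS backup
    "10.0.2.31": {"198.51.100.10": 50_000},     # workstation using the same service
}

# Constructed flow records: (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.0.1.20", "198.51.100.10", 443, 1_900_000),   # normal daily sync
    ("10.0.2.31", "203.0.113.7", 443, 12_000),        # beacon to a C2 address
    ("10.0.2.31", "192.168.5.9", 445, 80_000),        # internal SMB, not outbound
    ("10.0.1.20", "198.51.100.44", 22, 40_000_000),   # never-seen destination, large upload
    ("10.0.2.31", "198.51.100.10", 443, 600_000),     # known destination, 12x usual volume
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def analyze(flows, baseline, blocklist, volume_factor=5):
    """Return a list of alerts for outbound traffic that breaks the baseline.

    Alert tuples are (kind, src, dst, detail). Kinds:
      c2_contact       - destination is on the blocklist (raised per flow)
      new_destination  - host has never sent to this external address
      volume_spike     - host sent more than volume_factor x its usual bytes
    """
    alerts = []
    out_bytes = defaultdict(lambda: defaultdict(int))  # src -> dst -> bytes

    for src, dst, port, nbytes in flows:
        if is_internal(dst):
            continue  # east-west traffic is handled by segmentation, not here
        out_bytes[src][dst] += nbytes
        if dst in blocklist:
            alerts.append(("c2_contact", src, dst, port))

    for src, dests in out_bytes.items():
        known = baseline.get(src, {})
        for dst, total in dests.items():
            if dst in blocklist:
                continue  # already reported above
            if dst not in known:
                alerts.append(("new_destination", src, dst, total))
            elif total > volume_factor * known[dst]:
                alerts.append(("volume_spike", src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in analyze(FLOWS, BASELINE, C2_BLOCKLIST):
        print(alert)
```

The baseline is deliberately per host rather than global: a 40 MB upload from a file server to its backup provider is routine, while the same volume to a host nobody has seen before is exactly the staging step that precedes a ransom note. In production the baseline would be built from weeks of NetFlow or proxy logs and the blocklist from a threat-intelligence feed.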
Leaders can reduce risk within their private cloud, the organization’s internal data center, by assigning role-based access control, or RBAC. This means giving employees only the level of access and permissions their role requires, whether that’s the ability to install software or to reach certain parts of the network, so that a compromised account can do limited damage. “Microsegmentation” is also vital. It puts a firewall policy in front of each individual device, enforced outside the operating system that might itself be compromised, and denies traffic between devices unless a rule explicitly allows it. That lets you isolate systems that may be compromised and limits how far an intruder can spread.
On individual devices, anti-malware and antivirus software is an obvious must, because end users tend to be the main attack vector, the path a hacker uses to gain access to a network. Some of these products now rely on machine learning, identifying threats from the unusual behavior of an application within the operating system rather than from known signatures. It’s also important to harden endpoint security to watch for traffic irregularities and surface potential risks to the environment. Patching known holes should be routine, too, to shrink the set of exploits available to an attacker.
Protecting your data
As you can imagine, ransomware can be crippling. These attacks shut down an organization’s entire system and inhibit its ability to do absolutely anything—including generating revenue and performing work.
Some companies may assume the easiest way to get back to operations is simply to pay the ransom. That’s not the best idea. First, paying doesn’t guarantee you’ll recover the data. Second, the federal government has warned that organizations can face penalties for paying: the U.S. Treasury has said payments that reach sanctioned parties may violate sanctions law, and every payment funds the thieves’ next operation.
The best approach is to rebuild your environment. That’s why protecting your data ahead of time is vital.
Backups are a primary target in a ransomware attack. The first thing a hacker will do once inside your environment is locate your primary file servers and find out where your data, applications and backups reside. Just before they encrypt your data, they’ll start corrupting your backups, overwriting or deleting the backup files so there is nothing to restore from.
To protect those backups, smart leaders employ immutable backups: storage or backup software that prevents anyone, including an administrator account, from modifying data once it has been written. Organizations should keep daily, weekly and monthly backup copies, and they should set retention rules that prohibit a backup from being modified or remotely deleted until its retention period has expired.
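The retention rules described above can be checked against a model of what an attacker with stolen credentials can and cannot do. The following is an added example, not a real backup product; the `ImmutableBackupStore` class, its retention periods and the sample backup schedule are constructed. It models write-once storage: a copy can be read and restored but not overwritten, and not deleted until its lock expires, regardless of who asks.

```python
"""Immutable backup store with retention locks and a daily/weekly/monthly schedule.

Added example; not a real product. The store, the schedule and the attack
scenario below are constructed for illustration.
"""
import hashlib
from datetime import date, timedelta


class ImmutabilityError(PermissionError):
    """Raised when an operation would modify or remove a locked backup."""


class ImmutableBackupStore:
    def __init__(self):
        self._objects = {}  # name -> (data, sha256 hex digest, locked_until)

    def write(self, name, data, taken_on, retention_days):
        """Store a new backup. Overwriting an existing name is always refused."""
        if name in self._objects:
            raise ImmutabilityError(f"{name} already exists; overwrite refused")
        digest = hashlib.sha256(data).hexdigest()
        locked_until = taken_on + timedelta(days=retention_days)
        self._objects[name] = (bytes(data), digest, locked_until)
        return digest

    def delete(self, name, today):
        """Remove a backup only once its retention lock has expired."""
        _, _, locked_until = self._objects[name]
        if today < locked_until:
            raise ImmutabilityError(f"{name} is locked until {locked_until}")
        del self._objects[name]

    def verify(self, name):
        """Recompute the hash to confirm the stored copy is intact."""
        data, digest, _ = self._objects[name]
        return hashlib.sha256(data).hexdigest() == digest

    def restore(self, name):
        return self._objects[name][0]

    def names(self):
        return list(self._objects)


def retention_days(taken_on):
    """Constructed schedule: monthly copies kept a year, weekly 90 days, daily 14."""
    if taken_on.day == 1:
        return 365
    if taken_on.weekday() == 6:  # Sunday
        return 90
    return 14


def simulate_attack(days_later):
    """Ten nightly backups, then an attacker with full credentials attacks them.

    Returns (refused_overwrites, refused_deletes, remaining_intact).
    """
    store = ImmutableBackupStore()
    start = date(2021, 3, 1)  # a Monday, and the first of the month
    for i in range(10):
        day = start + timedelta(days=i)
        store.write(f"fileserver-{day.isoformat()}", b"backup contents", day, retention_days(day))

    today = start + timedelta(days=days_later)
    refused_overwrites = refused_deletes = 0
    for name in store.names():
        try:  # ransomware tries to replace the backup with garbage
            store.write(name, b"\x00" * 16, today, 1)
        except ImmutabilityError:
            refused_overwrites += 1
        try:  # then tries to delete it
            store.delete(name, today)
        except ImmutabilityError:
            refused_deletes += 1
    intact = all(store.verify(n) for n in store.names())
    return refused_overwrites, refused_deletes, intact


if __name__ == "__main__":
    print("attack 10 days in:", simulate_attack(10))
    print("attack 30 days in:", simulate_attack(30))
```

Ten days in, every copy is still locked and the attacker gets nothing. Thirty days in, the eight daily copies have aged out and can be deleted, but the monthly copy from the 1st and the weekly copy from the Sunday survive, which is the point of layering retention periods: the attacker cannot choose a moment at which no restorable copy exists.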
Creating a plan
Many companies have a disaster recovery plan for keeping operations running when part of their infrastructure fails, usually with a natural disaster or hardware failure in mind. Recovery in those cases might take minutes or hours. Ransomware is different, because it can take out the production environment and the disaster recovery environment at the same time. Resuming operations would then likely take days or weeks.
It’s important to plan ahead by installing data recovery tools designed specifically for a ransomware attack. These tools exist to restore data from the protected, immutable backups, so you can recover quickly rather than rebuilding from nothing.
Leaders should put an incident response plan in place now, so they can respond quickly to a future attack and minimize the damage. The plan should spell out the steps for recovering from a ransomware attack, including when to call law enforcement, when to contact the insurance company, and who does what next, so that none of it is being decided for the first time during the attack.
The faster you move, the faster you can cut an attack off in the middle and recover your files without having to go back and rebuild your entire environment, says Jansta.
Without such a plan, an organization may spend hours trying to respond to an attack, first alerting management, organizing a meeting, and then making a plan—all while the ransomware continues its attack.
Leaders should realize, too, that an insurance company may actually delay the return to normal operations. Why? To limit its own exposure, an insurer may not allow an organization to come back online until the insurer has completed its own forensics. Unfortunately, the insurer’s procedures may not take your goals or your recovery-time objective into consideration.
Jansta recommends that a company create its incident response plan and share it with the insurer ahead of time, stating that it has already deployed a backup solution that protects against ransomware and that its goal is to be back online within four hours. “Everybody will then be on the same page about coming back online within hours instead of keeping everything offline until they feel satisfied,” he says.
A ransomware attack is a matter of when, not if. Attackers often sit inside a network for days or weeks before they launch, so there is a real chance ransomware is already in your environment waiting for its moment. Every organization must prepare now. That means awareness and education, layered cloud and endpoint protection, data backup protection designed specifically for ransomware, a tested recovery plan, and a cyber-recovery capability to go with it. Together these put you a step ahead of the hackers and keep your organization from being brought to its knees.
C1 has developed an engagement model to provide fully integrated backup to disaster recovery and cyber recovery environments, protecting critical applications and data in your environment. Contact C1 to schedule a complimentary Ransomware Readiness Workshop to identify gaps in the policies, procedures and solutions you have in place as they relate to ransomware protection. This workshop is the first step in the C1 WAVES methodology that leads to a fully integrated and vetted cyber recovery architecture.