The US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) has cited ransomware as "the most visible cybersecurity risk" attacking American IT systems.1 I think that's a valid statement, since "most visible" doesn't necessarily mean largest or most devastating, but it does still qualify ransomware as a significant threat.
Indeed, it seems that recent news has been full of public sector organizations being taken offline by ransomware, including some high-profile cases involving schools, municipalities, and government agencies. Ransomware is highly visible, in part because a single, one-time infection originating from a user with high-level privileges can disable thousands of servers, causing millions of customers to be disrupted for weeks. This is what happened in Baltimore in May of 2019, and in Texas in August of 2019.2,3
A little over a year ago, the F5 2018 Application Protection survey found that public sector organizations did not prioritize impacts from denial of service to their applications or information leakages—both of which occur in a successful ransomware attack. Survey responses from public sector security leaders for estimated security incident impacts were the lowest of all reported sectors for both denial of service (extrapolated average $7.19M while Public Sector estimates were $5.07M) and leakage of personal information (extrapolated average impact was $6.57M while Public Sector estimates were $4.05M). Perhaps the survey respondents did not associate ransomware with these likely potential impacts? Or perhaps this was not seen as a likely threat until the recent campaigns? It does seem that the public sector has been singled out for special attention lately, so I’m sure they’d answer differently in a newer poll.
Across the industry, our 2019 Application Protection Research series found that ransomware was responsible for only 3.4% of reported breaches in 2018. Within the public sector, this number rises to 9.09%, with access control and payment form injection attacks more prevalent. In fact, in the public sector, web breaches were the most common at 36.36% (mostly because of the third party Click2Gov). One reason we do not see ransomware more prominently in the breach records is that, for some states, a ransomware infection is not considered a data breach requiring notification.4
Whether a number one threat or not, we know that ransomware is a significant enough problem to warrant consideration in most organizations’ risk analyses. In fact, considering the direct financial costs associated with operational downtime, the costs of ransomware defensive controls should be easier to justify than protections against more nebulous attack impacts, such as reputation loss from data breach.
Ransomware can tear through a network using a single opening in your defenses; therefore, you need to use a defense-in-depth approach. This means putting several dissimilar but overlapping barriers in place to slow down or stop the known ransomware attack vectors. Your first line of defense is to stop an attack from even landing on any of your systems. Let’s see what that entails.
First Layer of Defense: Stopping Ransomware Entry
A common security hole—and one that is easy to close—is weak authentication on Internet-linked logins. Locking down Internet-linked logins with better authentication is the first step organizations should take to protect against ransomware, ideally using multi-factor authentication. If you can’t manage that, then at least make sure default passwords and known leaked credentials are changed.
Phishing is the go-to tactic for many kinds of cyberattack, including ransomware, so phishing defense should be a high priority. In the F5 2018 Phishing and Fraud report, we reported that a majority of links in phishing emails lead to TLS/SSL encrypted sites with legitimate certificates. This means that the malware your users are clicking on remains hidden from traditional traffic inspection devices, so in order to find malware you will need to decrypt and inspect. Attackers are now cloning legitimate emails from well-known companies, making phishing attempts harder to spot. In the Phishing and Fraud report, we also noted that training employees to recognize phishing attempts will reduce their click-through rate on malicious emails, links, and attachments from 33% to 13%. Lastly, it is wise to scrape out executable email attachments.
Another common entry point for ransomware is a drive-by download, where attackers will booby trap websites with browser exploits that inject their ransomware. This means a user surfing to a site and viewing a weaponized banner ad can unwittingly land ransomware on your network. These attacks typically leverage one of the many vulnerabilities in web browsers, web scripting languages, and web animation tools. Defenders need to ensure that all browsers in use at a company are patched. Firewall filtering should also be used, but don’t forget that attackers often hide their traffic using encryption with legitimate TLS certificates. Again, the filtering system should have decryption capabilities to look for hidden ransomware.
Second Layer of Defense: Ransomware Got In, but We Contained It
All those things you’ve done to ensure ransomware won’t get into your systems won’t be enough—something will slip through. We’ve talked about assume breach before, and it means you should expect ransomware to land in your network. The first, most obvious thing to do is run good anti-virus software—not only on the workstations, but on the servers as well. The software should update its signatures automatically, and those updates should take effect in hours, not days.
Once ransomware gets into your network, it will automatically pivot laterally and look for other systems to infect and encrypt. This means you should segment your network as much as is feasible. That way, an infected system must pass through some kind of filter or additional access control before moving out of its local resource group. Open internal file shares, such as SMB, are especially vulnerable to ransomware attacks. Internal systems should be patched for vulnerabilities with published weaponized exploits, as ransomware may try to exploit these vulnerabilities as it moves around inside a network.
You locked down authentication for your first line of defense; don’t forget to harden authorization. This means ensuring that if a user account gets taken over, it doesn’t provide the ransomware with full access to all the applications and data stores everywhere. In some organizations, users are given overly permissive access to far too many systems. In a ransomware situation, every single file share to which a user has read/write access can become corrupted with ransomware.
System administrators, with their godlike access to everything, risk having their accounts turned into devastating weapons in a ransomware compromise. The number of administrators should be extremely limited, and, if possible, administrative usage should be partitioned to just the systems a given administrator is responsible for managing. The same goes for service accounts which run in the background, which can also function as deadly vectors in ransomware infections. Consider giving administrators separate accounts without administrative privileges for mundane activities like reading email and browsing websites. Reducing the footprint of administrative access to only those systems and activities where those privileges are truly necessary reduces the risk of systemic infection via phishing and drive-by malware attacks.
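To make the authorization point above concrete, here is an added audit script (not from the article) that works out each account's effective read/write access over constructed directory data: nested group membership plus per-share ACLs. The share names, group names and accounts are all made up; the result is the set of shares a single compromised account could let ransomware encrypt, which is the number you want to shrink before an incident.

```python
"""Blast-radius audit of file-share write access. Added example (not from the
article) over constructed directory data: nested group membership plus share
ACLs. It resolves each account's effective read/write shares, i.e. everything a
compromised account could let ransomware encrypt, so over-broad access can be cut."""
from collections import deque

# Constructed group membership; members may be users or other groups.
GROUP_MEMBERS = {
    "Domain Admins": ["alice.admin"],
    "Finance": ["bob", "Finance-Leads"],
    "Finance-Leads": ["carol"],
    "Everyone": ["alice.admin", "bob", "carol", "dave", "svc-backup"],
}
# Constructed share ACLs: principal -> "rw" (read/write) or "r" (read only).
SHARE_ACLS = {
    r"\\fs01\finance": {"Finance": "rw", "Domain Admins": "rw"},
    r"\\fs01\public": {"Everyone": "rw"},
    r"\\fs02\hr": {"Domain Admins": "rw", "carol": "r"},
    r"\\fs02\backups": {"svc-backup": "rw", "Domain Admins": "rw"},
}


def groups_of(user):
    """All groups the user belongs to, following nested group membership."""
    found = {g for g, members in GROUP_MEMBERS.items() if user in members}
    queue = deque(found)
    while queue:  # breadth-first walk up the group nesting
        child = queue.popleft()
        for parent, members in GROUP_MEMBERS.items():
            if child in members and parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


def writable_shares(user):
    """Shares where the user, directly or via a group, holds read/write."""
    principals = groups_of(user) | {user}
    return sorted(share for share, acl in SHARE_ACLS.items()
                  if any(acl.get(p) == "rw" for p in principals))


def blast_radius(users, threshold):
    """Accounts whose compromise would expose at least `threshold` shares."""
    report = {u: writable_shares(u) for u in users}
    return {u: s for u, s in report.items() if len(s) >= threshold}
```

Run `blast_radius(list_of_accounts, 3)` to list the accounts, human or service, whose single compromise reaches three or more shares; those are the first candidates for splitting into separate everyday and administrative accounts.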
Third Layer: Ransomware Went Wild, but We’re Bouncing Back
Let’s assume your first two layers failed and your critical applications and data are seized up with ransomware—what do you do? Your immediate response should focus on containment. This may mean putting backup servers offline so they don’t become corrupted, shutting down workstations, and initiating a mandatory password change for all users. Hopefully you’ve got a good inventory of systems and decent logging in place so you can readily identify which systems were hit, and how the infected systems were impacted. If you know which ransomware variant infected your system, there are some online resources available that may help you find a decryption key (for example, No More Ransom).5
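The "decent logging" that lets you identify which systems were hit can be triaged automatically. The following is an added example, not from the article, that parses a constructed file-server audit log format (not any vendor's) and flags client hosts that rename many files to a new extension within a short window, the typical footprint of active encryption; the hostnames, accounts, paths and the `.locked` extension are all made up.

```python
"""Triage of file-server audit logs to find hosts actively encrypting files.
Added example with a constructed log format (not any vendor's): one event per
line, "<ISO ts> host=<client> user=<account> op=<RENAME|WRITE> path=<old> [-> <new>]"."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"op=(?P<op>\S+) path=(?P<old>\S+)(?: -> (?P<new>\S+))?$")
# Constructed sample: WS-007 works normally, WS-042 mass-renames files to .locked.
SAMPLE_LOG = r"""
2019-08-16T09:12:02Z host=WS-007 user=carol op=RENAME path=\\fs01\finance\q2.xlsx -> \\fs01\finance\q2-final.xlsx
2019-08-16T09:12:03Z host=WS-042 user=bob op=RENAME path=\\fs01\finance\a.docx -> \\fs01\finance\a.docx.locked
2019-08-16T09:12:03Z host=WS-042 user=bob op=RENAME path=\\fs01\finance\b.pdf -> \\fs01\finance\b.pdf.locked
garbage line that the parser must skip rather than abort the triage
2019-08-16T09:12:05Z host=WS-042 user=bob op=RENAME path=\\fs01\public\c.txt -> \\fs01\public\c.txt.locked
"""


def parse(log_text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()  # "new" is None for non-rename operations
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def ext(path):
    """File extension of a UNC path, lower-cased; '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def suspicious_hosts(events, threshold=3, window=60):
    """Hosts with >= threshold extension-changing renames inside `window` seconds."""
    by_host = defaultdict(list)
    for e in events:
        if e["op"] == "RENAME" and e["new"] and ext(e["new"]) != ext(e["old"]):
            by_host[e["host"]].append(e["ts"])
    hits = {}
    for host, times in by_host.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window):
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = max(hits.get(host, 0), end - start + 1)
    return hits
```

The hosts returned are the ones to pull off the network first; tune `threshold` and `window` against a quiet day of your own logs so that bulk but legitimate renames do not trip it.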
Before you attempt to recover from backup, be very sure that all traces of ransomware have either been eradicated or disconnected from your network—you may need to literally unplug infected machines from the network. The best way to ensure that the ransomware is gone is to rebuild the machines from bare metal using automation. This is not the kind of thing that will go smoothly if you’re attempting it for the first time during a ransomware incident. However, it is the kind of thing that you can plan for—ideally, your security team will already have practiced and documented this process in an incident response playbook. If not, note that this type of automated rebuild can provide a lot of operational efficiency and flexibility in circumstances that go beyond security incident response. If you aren’t already looking into automated system rebuild, consider ransomware a good excuse to begin.
Once you have contained the infection and rebuilt your system to be infection-free, you will need to recover your data from backup. Wise administrators recommend a 3-2-1 approach to backups. This means maintaining at least 3 copies of your data, in 2 different formats, with at least 1 located offsite and air-gapped away. Make sure your backup restoration capability matches the organization’s expectations regarding downtime and acceptable data loss, etc. I’ve been in IT long enough to endure a 30+ hour day babysitting data restores to servers. Test your backups to ensure you’re successfully restoring the data you need in a reasonable time frame.
When all is said and done, ransomware is likely to remain a significant threat for quite a while. We now primarily see ransomware hitting traditional, general purpose, physical computers, but it’s only a matter of time before it becomes a big problem for IoT devices, mobiles, and cloud systems.6,7 As long as ransomware keeps making money for criminals, they will keep using it. It pays to be ready.