By: Kelly White, Founder, RiskRecon, a Mastercard Company
Yes, I am stating the obvious; the threat of ransomware is here to stay. According to the stats from the U.S. Treasury Department, U.S. victims of ransomware paid $590 million in ransom to ransomware criminals in the first half of 2021 (https://home.treasury.gov/news/press-releases/jy0471). That big money has attracted a lot of ransomware gangs. Reporters covering the ransomware beat identified 59 different criminal groups behind the attacks over the last three years.
So, what does it mean to settle in for the long haul in the battle against ransomware? Update the foundations of your program to account for the threat of ransomware. Those foundations are your risk models, your information security standards, your policies and procedures, and your security assessment criteria and related questionnaires. Most of the capabilities for managing ransomware in the supply chain are likely already in your program, as they are the basics of managing IT and cybersecurity well. It is just that it is now more important to ensure your suppliers are doing the basics well.
Coveware’s 2021 ransomware study reinforces the importance of doing the basics well. Among other gems, they found that 42% of ransomware events started with a phishing attack, 42% exploited the environment through an internet-exposed RDP or another remote management service, and 14% exploited a software vulnerability present in an internet-facing system. Those three vectors accounted for 98% of ransomware attacks – the basics! (https://www.zdnet.com/article/ransomware-these-are-the-two-most-common-ways-hackers-get-inside-your-network/).
Update your supplier assessment criteria and related procedures to place added emphasis on controls that are critically important for reliability and resilience in the face of ransomware. In this section, I call out a few key controls that are commonly cited in reputable sources and standards that you should consider adding to your supplier assessment criteria. For a complete set of recommendations, I suggest reading the sources provided at the end of this section.
1) Operate an effective backup and restoration program.
- Make regular backups of all data files necessary to restore business operations in the face of loss of systems, applications, and data.
- Periodically restore systems from backup to ensure that backups are sufficient to restore operations quickly.
- Keep offline backup copies that are separate from, and not reachable from, the online backup systems and the production network, so that ransomware or an attacker holding stolen administrator credentials cannot encrypt or delete them along with everything else.
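The three bullets above amount to one procedure: take a backup, record what was in it, and prove later that it restores cleanly. The script below is an added example, not code from the paper or from RiskRecon. It writes a hash manifest at backup time (the manifest is the thing to keep offline alongside the archive), restores the archive into a scratch directory and checks every file against that manifest. The archive names, directory layout and file contents are constructed for the demonstration; the second archive simulates a backup taken after ransomware reached the file share, which is exactly the case the restore test must catch.

```python
"""Restore-test a tar backup against a SHA-256 manifest recorded at backup time."""
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_archive(src: Path, archive: Path) -> None:
    """Archive each file under src with a relative member name (no leading '.' or '/')."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Take the backup and return the manifest that should be stored offline with it."""
    manifest = build_manifest(src)
    write_archive(src, archive)
    return manifest


def restore_test(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory; return the list of problems (empty list == pass)."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):      # Python 3.12+ (and patched 3.8-3.11):
                tar.extractall(dest, filter="data")  # refuse absolute paths and '..' traversal
            else:
                tar.extractall(dest)
        restored = build_manifest(dest)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored.keys() - manifest.keys():
        problems.append(f"unexpected file: {rel}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a clean backup, then a backup taken after ransomware hit the share."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        share = root / "fileshare"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")  # constructed
        (share / "readme.txt").write_text("quarterly close procedures\n")            # constructed

        good = root / "backup-2021-10-01.tgz"
        manifest = make_backup(share, good)          # manifest goes offline with the archive
        good_result = restore_test(good, manifest)

        # Ransomware reaches the share: contents overwritten, extension changed, ransom note dropped.
        (share / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (share / "finance" / "ledger.csv").rename(share / "finance" / "ledger.csv.locked")
        (share / "README_TO_RESTORE.txt").write_text("pay us\n")
        bad = root / "backup-2021-10-02.tgz"          # the online backup job still ran
        write_archive(share, bad)
        bad_result = restore_test(bad, manifest)
    return good_result, bad_result


if __name__ == "__main__":
    ok, broken = demo()
    print("clean backup:", ok or "PASS")
    print("post-infection backup:", *broken, sep="\n  ")
```

A scheduled job that runs `restore_test` against the most recent archive and pages on a non-empty result is what "periodically restore from backup" looks like in practice; the manifest must live somewhere the production credentials cannot reach, otherwise the attacker simply regenerates it.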
2) Prepare for an incident.
Verify that suppliers have a documented and practiced incident response plan and that they have a ransomware-specific response playbook.
3) Educate employees on how to identify and respond to phishing emails.
As cited earlier, 42% of ransomware attacks start with phishing. Ensure that suppliers are educating their personnel about the risk of phishing attacks and how to avoid becoming a victim. Security awareness vendors such as KnowBe4, PhishMe (now Cofense), and Proofpoint, among others, engage employees in ongoing training and simulated phishing campaigns.
4) Only expose authorized and hardened network services to the Internet.
Sharing the lead with phishing, 42% of ransomware attacks start by exploiting an internet-accessible Remote Desktop Protocol (RDP) service or another remote management service. Exposed RDP services became far more common during the pandemic as companies hastily migrated employees to remote work.
Regardless of whether it is an employee's computer operating from home or a server deployed in a data center or the cloud, ensure that suppliers restrict all internet-exposed network services to only those that are explicitly authorized and operated in a defensible manner. RDP, a very common and commonly exploited remote access service, should not be exposed to the Internet at all. Rather, remote access should go through a VPN service that requires multi-factor authentication. Note that the VPN gateway is itself an internet-facing system, so it belongs at the front of the patching queue discussed in the next item.
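One way to turn "only authorized and hardened services are exposed" into an assessable check is to compare an external port scan of the supplier's documented ranges against its firewall change records. The script below is an added example, not code from the paper or from RiskRecon. It parses nmap's grepable (`-oG`) output, flags any open port not on the supplier's authorization list, and flags remote-management services (RDP, SMB, VNC, Telnet, WinRM, database listeners) as high severity even when someone did authorize them. The scan text, addresses (TEST-NET-3 documentation range) and authorization list are constructed for the example.

```python
"""Audit externally exposed services against a supplier's authorized-exposure list."""
from __future__ import annotations

# Services that guidance such as CISA's and NCSC's says should never face the Internet directly.
NEVER_EXPOSE = {
    3389: "rdp", 445: "smb", 5900: "vnc", 23: "telnet",
    5985: "winrm", 5986: "winrm-tls", 1433: "mssql", 3306: "mysql",
}

# Constructed `nmap -oG -` output for a supplier's documented external range. Not real hosts.
SCAN = """\
# Nmap 7.92 scan initiated as: nmap -oG - -p- 203.0.113.0/28
Host: 203.0.113.10 (www.supplier.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
Host: 203.0.113.11 (vpn.supplier.example)\tPorts: 443/open/tcp//https///, 1194/open/udp//openvpn///\tIgnored State: filtered (65533)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65533)
Host: 203.0.113.13 (jump.supplier.example)\tPorts: 22/open/tcp//ssh///, 8443/open/tcp//https-alt///\tIgnored State: filtered (65533)
# Nmap done
"""

# What the supplier says it exposes on purpose: host -> {(port, proto)}. Assumed data for the example.
AUTHORIZED = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},
    "203.0.113.11": {(443, "tcp"), (1194, "udp")},
    "203.0.113.13": {(22, "tcp")},
}


def parse_grepable(text: str):
    """Yield (ip, port, proto, service) for each open port in nmap -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Fields are tab-separated "Key: value" pairs, e.g. "Host: 1.2.3.4 (name)", "Ports: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            # port/state/protocol/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, *_ = entry.split("/")
            if state == "open":
                yield ip, int(port), proto, service


def audit(scan_text: str, authorized: dict) -> list[dict]:
    """Return one finding per exposure that is either never-expose or not on the authorized list."""
    findings = []
    for ip, port, proto, service in parse_grepable(scan_text):
        if port in NEVER_EXPOSE:
            findings.append({"host": ip, "port": port, "proto": proto, "severity": "high",
                             "note": f"{NEVER_EXPOSE[port]} reachable from the Internet; "
                                     f"move behind an MFA-protected VPN"})
        elif (port, proto) not in authorized.get(ip, set()):
            findings.append({"host": ip, "port": port, "proto": proto, "severity": "medium",
                             "note": f"service '{service or '?'}' not in the authorized exposure list"})
    return findings


if __name__ == "__main__":
    for f in audit(SCAN, AUTHORIZED):
        print(f"{f['severity']:6} {f['host']}:{f['port']}/{f['proto']}  {f['note']}")
```

Run against a real scan, the "medium" findings are the conversation to have with the supplier ("why is 8443 open on the jump host?"), while any "high" finding is a failed control regardless of the paperwork behind it.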
5) Keep software patches current.
According to Coveware, 14% of ransomware attacks started with exploiting vulnerable software in an internet-facing system. Demand that your suppliers operate a robust program for keeping software patches current, particularly the software of internet-facing systems.
6) Prevent malware from being delivered and spreading to devices.
- Filter email before it reaches mailboxes, screening attachments and links for malicious software, phishing content, and disreputable sources.
- Route all end-user Internet traffic through a web proxy that blocks access to known-malicious sites and dynamically detects and blocks malicious code and content. A stronger approach to protecting against web-native threats is to allow access only to an approved list of sites.
7) Prevent malware from running on devices.
An ideal position to be in is one in which malware simply can’t operate on endpoints. Suppliers can get part of the way there with endpoint protection platforms on every system. These stop identified threats before they install on the host system. However, they don’t provide 100% protection.
Two additional controls will greatly enhance the defensibility of systems.
- Remove administrator privileges from users and applications. On a patched system this single step prevents most ransomware from disabling security tools, deleting backups and shadow copies, or spreading to other hosts. It is not a complete answer, since ransomware running as a standard user can still encrypt every file that user can write, so it belongs alongside the backup and detection controls rather than in place of them.
- Centrally administer systems and control what software can be installed and operated on systems. Application allow-list solutions can help manage this at scale.
8) Detect malicious network and endpoint activity.
Of course, it is unreasonable to expect that preventive controls will block every threat. As such, it is essential to have robust monitoring and blocking of network and endpoint activity. This includes monitoring for intrusion attempts originating both outside and inside the network, data exfiltration attempts, known-malicious communications, and abnormal communications.
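Two detections a supplier's monitoring should be able to demonstrate follow directly from the attack vectors cited above: a burst of failed RDP logons from one external address (the 42% remote-access vector), and one process renaming many files to a new extension in a short window (the encryption itself, the moment preventive controls have already failed). The script below is an added example, not code from the paper or from RiskRecon, and does not depend on any particular product. The event stream is constructed in an assumed normalized schema, the sort a SIEM would produce from Windows Security events 4625/4624 (logon type 10 is RemoteInteractive, i.e. RDP) and file-system audit or EDR telemetry; field names, hosts, addresses and paths are all made up for the example.

```python
"""Two ransomware detections over a constructed, normalized event stream."""
from __future__ import annotations

import os
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events() -> list[dict]:
    """Made-up telemetry: an RDP brute force that succeeds, then an encryption burst, plus noise."""
    t0 = datetime(2021, 10, 4, 2, 10, 0)
    ev: list[dict] = []
    # Twelve failed RDP logons from one external address in 33 seconds, then a success.
    for i in range(12):
        ev.append({"ts": t0 + timedelta(seconds=3 * i), "type": "logon_failed", "host": "FS01",
                   "src_ip": "198.51.100.77", "user": ("administrator", "admin", "backup")[i % 3],
                   "logon_type": 10})
    ev.append({"ts": t0 + timedelta(seconds=40), "type": "logon_success", "host": "FS01",
               "src_ip": "198.51.100.77", "user": "backup", "logon_type": 10})
    # Noise: an employee mistyping a password twice from the internal network.
    for i in range(2):
        ev.append({"ts": t0 + timedelta(minutes=1, seconds=5 * i), "type": "logon_failed",
                   "host": "FS01", "src_ip": "10.20.30.40", "user": "jsmith", "logon_type": 10})
    # Five minutes later one binary renames thirty documents to a new extension in 18 seconds.
    for i in range(30):
        ev.append({"ts": t0 + timedelta(minutes=5, seconds=0.6 * i), "type": "file_rename",
                   "host": "FS01", "process": r"C:\Users\Public\svchosts.exe", "pid": 4412,
                   "old": rf"D:\shares\finance\q3\report{i}.xlsx",
                   "new": rf"D:\shares\finance\q3\report{i}.xlsx.locked"})
    # Noise: Word finalizing three autosave files, which also changes the extension.
    for i in range(3):
        ev.append({"ts": t0 + timedelta(minutes=5, seconds=i), "type": "file_rename", "host": "FS01",
                   "process": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "pid": 2200,
                   "old": rf"D:\shares\finance\~WRL000{i}.tmp", "new": rf"D:\shares\finance\memo{i}.docx"})
    return ev


def burst(times: list[datetime], threshold: int, window: timedelta):
    """Sliding window: the first run of >= threshold timestamps that fits inside `window`, else None."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return {"count": hi - lo + 1, "first": times[lo], "last": t}
    return None


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(seconds=60)) -> list[dict]:
    """Many failed RemoteInteractive (type 10) logons from one source against one host."""
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "logon_failed" and e.get("logon_type") == 10:
            failures[(e["host"], e["src_ip"])].append(e["ts"])
    alerts = []
    for (host, src), times in failures.items():
        hit = burst(times, threshold, window)
        if hit:
            # A later success from the same source means the password guessing probably worked.
            followed = any(e["type"] == "logon_success" and (e["host"], e["src_ip"]) == (host, src)
                           and e["ts"] > hit["last"] for e in events)
            alerts.append({"rule": "rdp_bruteforce", "host": host, "src_ip": src,
                           "followed_by_success": followed, **hit})
    return alerts


def detect_encryption_burst(events, threshold=20, window=timedelta(seconds=60)) -> list[dict]:
    """One process renaming many files to the same new extension: the signature of bulk encryption."""
    renames = defaultdict(list)
    for e in events:
        if e["type"] != "file_rename":
            continue
        old_ext = os.path.splitext(e["old"])[1].lower()
        new_ext = os.path.splitext(e["new"])[1].lower()
        if new_ext and new_ext != old_ext:
            renames[(e["host"], e["pid"], e["process"], new_ext)].append(e["ts"])
    alerts = []
    for (host, pid, proc, ext), times in renames.items():
        hit = burst(times, threshold, window)
        if hit:
            alerts.append({"rule": "encryption_burst", "host": host, "pid": pid,
                           "process": proc, "extension": ext, **hit})
    return alerts


def run_detections(events) -> list[dict]:
    return detect_rdp_bruteforce(events) + detect_encryption_burst(events)


if __name__ == "__main__":
    for alert in run_detections(constructed_events()):
        print(alert)
```

The thresholds are deliberately conservative so that ordinary noise (a user fat-fingering a password, an office application rewriting temp files) stays below them; in a real deployment the encryption rule should page immediately and trigger host isolation, because by the time it fires the question is how many files, not whether.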
A few resources from which these recommendations were drawn, and which treat ransomware defense in more depth, are:
- The UK National Cyber Security Centre - https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
- From Google - https://cloud.google.com/blog/products/identity-security/5-pillars-of-protection-to-prevent-ransomware-attacks
- Carnegie Mellon University’s Software Engineering Institute - https://insights.sei.cmu.edu/blog/ransomware-best-practices-for-prevention-and-response/
- The Cybersecurity and Infrastructure Security Agency - https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
This section is excerpted from the complete paper, which gives the full details on lessons learned from ransomware attacks.