In 2017, the world experienced some of the most devastating cyber attacks yet. Most ransomware campaigns were successful due to insider negligence. In some cases, this was achieved with malicious intention by way of an external actor using an insider’s credentials.
While there have been a number of remote storage options to help organizations rapidly recover in the event of a ransomware attack, the problem of the attack happening in the first place needs to be prevented.
Ransomware in review
Ransomware is a type of malware that encrypts all data on your device and holds your data for ransom until you make a payment to the hackers. Much more dangerous variants can lock your hard drives down or can delete your files after encrypting them. Ransomware attacks hit an all-time high in 2017.
Some of the worst ransomware was not just developed but also launched in successful global campaigns. The most well-known were WannaCry which impacted the National Health Service of the UK, NotPetya which impacted FedEx and BadRabbit which took down Kiev’s metro system. The campaign for each of these ransomware attacks impacted hundreds of companies and thousands of computers across the globe. The ransomware attacks have cost companies billions and caused widespread economic and social impacts in the countries affected.
The scale and effectiveness of ransomware in 2017 can be attributed to the theft of cyberweapons from the NSA by the Shadow Brokers in 2016. One of the common types of the stolen exploit that was leaked in the ransomware was called EternalBlue. This allowed for lateral movement across a local network. This means that all it takes is one computer to be infected and soon a whole network can be under siege. Soon these new cyber weapons were integrated into new and improved ransomware variants such as Locky and Black Mamba.
The most dangerous part of all of this? Most attacks are likely to happen to negligent insiders, anyone with privileged access to your network. This includes employees, vendors and even yourself.
How insiders put organizations at risk
So you may be wondering how exactly ransomware breaches your security. Well, it’s simple: it mainly happens through people. More than half of all attacks happen as a result of negligent or malicious insiders in an organization. One of the most common methods to gain access to people in your organization is through phishing emails. These are emails that appear legitimate but are seeking to trick people into divulging information or more importantly download and open a malware-laced file. The latter is how ransomware is transmitted by way of phishing.
In 2016 ransomware was reported to be in roughly 93 percent of phishing emails. It is very reasonable to state that all it takes is for one employee to be tricked for your whole organization to come to a grinding halt. Yes, it is best to have data backed up on another drive but you should also have an idea about business continuity. Prior to business continuity planning, there need to be some processes and programs in place that help to mitigate insider threats.
Additionally, any insider can hire a hacker to work with them to take down the organization they work for. In some cases you may have someone who comes in and actually is working with an expert on the outside to conduct data exfiltration. This is often referred to Malware-as-a-Service (MaaS) or Ransomware-as-a-Service (RaaS). Any insider in your organization is capable of carrying out a professional data breach or ransom operation.
Preventing insider caused ransomware attacks
Given that most attacks are successful as a result of negligent employees (insiders), now would be a good time to start securing your company from the inside out. Security is not simply a technology solution. There must be consideration for about current processes in place and most importantly the human vulnerabilities present. Below are some of the ways you can address insider threats and help to deter your exposure to ransomware:
Ransomware is just like any other malware, and will often make its way into a system by way of email attachments and general web browsing. It is for this reason that you should develop and conduct a cyber security training program. This will mean that you need to provide more than PowerPoint slides, but simulations as well. Ensure that your employees are engaged in the material.
Many organizations usually hire training professionals to help ensure there is a consistent and relevant training program in place. The costs may vary, but simply having employee understand the dangers of downloading attachments from unknown accounts on the company network may prevent the next ransomware attack.
As stated earlier, email is one of the primary methods of ransomware transmission. It is for this reason that email security needs to become priority if you seek to prevent insider threats. More specifically you may need data loss prevention or insider threat mitigation software to develop automated processes that support your internal policies. You would have the ability to for example not allow any email attachment downloads. Another aspect of email security is tracking communications. With the rise of Ransomware-as-a-Service business models, insiders who have no experience with programming could successfully carry out an exfiltration campaign by working with a hacker. You want to track if there are any suspicious communications happening.
Mentioned above, backups are a critical component of mitigating damage done from a data breach. If you manage your own servers then you have more ability to control to frequency of when your system is backed up. This is straightforward, but as stated earlier this is not the end of ransomware security. You want to prevent insiders from causing them in the first place. Backups will at minimum help you continue operations after the attack and should be included in your continuity planning or incident response plan.
Prevent user code execution
Ransomware usually operates within temporary folders, such as the folder created when you “open” a document as opposed to downloading it. Establishing network policies, you can prevent anything from running from those folders. This would be an effective barrier to operation. Given the array of options available for file sharing now, such as cloud storage, emailing attachments is not as necessary as it used to be.
Ransomware relies on gaining access to accounts that have power over the device or system. By implementing strict access controls and terminating all default system admin accounts on employees’ computers you remove the power of attacks to use an insiders account to seize a whole network. You can also use this to control what folders are allowed to be read, written, and copied from. Access controls can also be used to block all email attachments. Ransomware needs free access in order to be successful. It is better for you if one device with limited data is seized rather than your whole network.
If you are the victim of a ransomware attack, not all hope is lost. First off, do not pay the ransom. NotPetya was a demonstration of a ransomware attack that not only encrypted files but also deleted them, so there was no actual way to recover the data.
Second if you see your computer restart and a disk check happens out of nowhere, shut your device down immediately. That disk check is often a mask for the active encryption of your system, by shutting down your device you prevent the encryption and seizure of your data from happening any further.
Third try to figure out what happened to cause the attack. Did you visit an unfamiliar or unauthorized website? Did you download a suspicious attachment? Go over everything, IT forensics software helps here. Try to block network access to any backdoor connection and unfamiliar servers that are connected to yours. Those are often command-and-control servers that can remotely coordinate the attack in real time.
Lastly, contact law enforcement and if possible a cybersecurity team for assistance with the investigation and overcoming the issue.
Ransomware is increasing rapidly as a form of cyber attack because it is so effective as a means of high financial reward. Insiders have a financial incentive to work with a hacker to help make a ransomware attack happen. Business models have appeared on the Darknet that offer to split the profits of ransomware attacks. Often this means hundreds of thousands in income at once. While external hackers will always exist, those closest to us can cause the most severe damage.