Disrupting ransomware with security best practices

Ransomware attacks are a favorite tactic among cybercriminals, and it’s easy to see why. The payouts can be big and fast. Two cities in Florida, for instance, paid almost $1 million this past summer after their computer systems were paralyzed for several days, according to a New York Times report.

Cybercriminals have achieved massive success by locking access to important systems and/or data and demanding payment in return for access. A successful ransomware attack can lead to data exfiltration, extortion and sometimes the permanent loss of data. Attacks like this are on the rise, increasing over 350% since 2018, according to Trend Micro.

Ransomware presents major risks for organizations responsible for public data — especially state and local government and education (SLED) or state, local, tribal, and territorial (SLTT) entities.

Here’s what you should know to defend your organization from ransomware attacks.

How ransomware works

Ransomware typically starts with social engineering, exploiting the weaknesses in humans. It then takes advantage of vulnerabilities for common programs, such as Microsoft Word or Excel. Open Remote Desktop Protocol (RDP) and Server Message Block (SMB) ports are also exploited by ransomware variants. RDP is used for remote access to systems, while SMB is most commonly used for file sharing. Limiting access to authorized machines is key to stopping the spread of ransomware infections.

Cyber defense tip: Ensure all network devices, mail servers, and applications are securely configured. Implement consensus-developed guidelines like the CIS Benchmarks for defensive configurations that can help prevent the spread of ransomware.

WannaCry, a common ransomware variant used the initial infection vector of an exposed vulnerable SMB service to spread through more than 230,000 computers in over 150 countries within a day, according to a BBC report. Once ransomware is on the system, it will look to elevate its ability to access more of the network to spread the infection as far as it can go.

Key steps to defending against ransomware

While the effects of ransomware can be devastating, there are steps organizations can take to defend their systems and data. Four key security steps include:

1. Implement secure configurations, such as the CIS Benchmarks, before an attack in order to limit vulnerabilities that lead to open ports and privilege escalation
2. Implement a user awareness training program to help educate users about common attack methods such as phishing emails
3. Implementing an Intrusion Detection System (IDS) for early detection
4. Maintaining effective data backups in case of a successful ransomware attack

Following these best practices can limit the impact of a ransomware infection. An IDS can provide early detection and help you stop an infection in its tracks. Early detection provides major benefits to organizations targeted by ransomware; typically saving on downtime, replacement/upgrade costs, and ultimately, ransom payments. Secure, regularly-maintained data backups will be essential to helping your organization recover if ransomware strikes.

Hopefully, you’ll never need those backups – but what if you don’t have them?

“You’re really looking at rebuilding from scratch,” explains Brian Calkin, Chief Technology Officer at CIS (Center for Internet Security, Inc.) in the New York Times. Effective data backup management includes regularly updating and maintaining backup files and sequestering backups from other networks which may be impacted by ransomware. Sometimes, cybercriminals go after backup files intentionally, so the early detection provided by your organization’s IDS is key to preventing a successful attack.

Solution focus: Albert

CIS has developed a custom-designed IDS focused on monitoring SLTT government networks. Called Albert, this IDS leverages NetFlow traffic analysis combined with robust signature detection for identifying malicious intrusions. There are currently more than 400 Albert sensors deployed nationwide protecting networks and systems from ransomware and other cyber threats.

On average, organizations using Albert network monitoring receive ransomware attack notifications within six minutes of malicious activity. What’s happening in that time? Typically, it’s a three-step process:

1. Network traffic sent between computers and network devices, like routers/firewalls – is analyzed by the Albert sensor. The analyzed traffic is compared to thousands of known malicious signatures affecting SLTT government organizations. This happens fast by leveraging automation and cloud computing to analyze large volumes of data.
2. When a signature match is found and malicious activity is identified, CIS’ 24-hour Security Operations Center (SOC) reviews the alert. The activity is analyzed by experts with deep knowledge of government and public organization cybersecurity.
3. An analyst from the SOC eliminates false positives and confirms valid malicious activity. The analyst gathers any relevant cybersecurity resources to aid the affected organization, such as security primers and remediation steps. The organization is then notified of any confirmed threats.

Because all of this happens in just minutes, most organizations with an Albert sensor are able to mitigate a ransomware attack before it begins the encryption process on endpoints.

Security that goes beyond

Cybercriminals never let up; the CIS SOC processes approximately 10,000 security events per month. There’s a lot you can do to bolster your cyber defenses, however. Organizations should implement secure configurations before an attack in order to limit vulnerabilities that lead to open ports and privilege escalation. An IDS can help provide early detection of malicious activity, allowing your team to respond before escalation. And, if the ransomware succeeds, you’ll be thankful for up-to-date, secure backups.

There are other best practices your organization should consider that can help avoid an infection altogether. One example that’s often overlooked is security training for employees. By teaching employees how to spot and avoid suspicious email content, you can diminish an attacker’s ability to enter your network via phishing.

Configuration management, IDS implementation and phishing training are all connected – so it’s important for your organization to develop a holistic security program that can face multiple threats.

Download the Public Sector Cyber Defense Guide to learn how you can build a defense-in-depth cybersecurity program for your government organization.