It broke my heart the other day to hear that Dolly.com, a company that provides a platform for freelancers who help customers move heavy objects in around 45 US states, became the victim of a ransomware attack. To make things worse, the company paid a partial amount of the ransom in hopes of getting its data back, and the ransomware gang did not like the amount because it was not "generous enough" and opted to post the data on a Russian criminal forum instead! There are no ethics among criminals anymore these days; they even target hospitals, schools, etc. Like the saying goes, "There is no honor among thieves."

That's why organizations must do whatever it takes to prevent it in the first place. Prevention will almost certainly prove more cost effective than sending thousands or even millions in ransom payments, and, as the Dolly.com case shows, paying does not even guarantee you get your data back.

What can we do to prevent ransomware attacks?

Attacks on your network are inevitable, but what happens next depends on your security team. No business should be forced to choose between paying a ransom and losing its sensitive data, and fortunately those aren't the only options. The best approach is to put preventative measures in place first. How?! You may ask. Well I am glad you asked :D. The first step is to get your organization completely on board if it isn't yet. Plenty of organizations give little thought to their IT department, let alone IT security. Do whatever it takes to get leadership on board, even if you are a small team or, good lord, a one-person team! Once you explain it in layman's terms and they understand that IT security is a big deal, you can build a layered security model for the organization: network, endpoint, edge, application, and data-center controls, driven by actionable threat intelligence. Now that everybody is on board, we can proceed with a simple step-by-step process for mitigating ransomware attacks.

Preparing for Ransomware and Data Extortion Incidents

  1. First, implement data encryption and backups of all sensitive data. If your organization decides to prioritize only critical data, that's okay depending on your situation, but it's recommended to safeguard all of it. It's also crucial to test your backups and their integrity periodically in disaster recovery simulations: a backup you have never restored from is not one you can count on, and a restore drill is also what tells you whether the backup set itself has been corrupted or encrypted. Keep at least one copy offline or otherwise immutable, since attackers routinely look for reachable backups and delete or encrypt them before they trigger the ransomware. The time-tested 3-2-1 strategy (three copies of the data, on two different kinds of media, with one copy off site) is a good baseline, or whichever strategy your organization sees fit; the important thing is diversity in how and where you store your backups. Cloud storage is great for increasing redundancy, especially multi-cloud solutions, but it's up to your organization as a whole to decide what's best.
  2. Create an incident response plan and maintain it on a regular basis. Your organization needs to know exactly how to respond when a ransomware or data extortion incident occurs, including who makes the decision about engaging law enforcement, insurers and outside responders. NIST's incident handling guide (SP 800-61) is a great starting point, with plenty of recommendations for you and your organization to implement.
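The restore drill in step 1 is the part people skip, so here is a worked version of it as an added example (not code from the original post). It assumes, as the example's own convention, that each backup is a .tar.gz archive with a JSON manifest of SHA-256 digests stored beside it (in practice on a separate, offline medium); the sample data files, paths and the "encrypted in place" scenario are constructed for the demo.

```python
"""Backup integrity check and restore drill.

Added example, not from the original post. Assumptions (the example's own):
backups are .tar.gz archives with a JSON manifest of SHA-256 digests stored
next to them, and the sample files below are constructed for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, archive_path):
    """Archive src_dir and write a manifest of per-file SHA-256 digests.

    The manifest is what lets a later restore drill detect silent corruption
    or an attacker who encrypted or overwrote the backup set."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    manifest_path = archive_path + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest_path


def restore_drill(archive_path, manifest_path):
    """Restore into a scratch directory and verify every file in the manifest.

    Returns (ok, problems) so the outcome can be checked, not just printed."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # Refuse traversal entries such as "../etc/passwd" before extracting.
                for member in tar.getmembers():
                    if member.name.startswith("/") or ".." in member.name.split("/"):
                        return False, ["unsafe path in archive: " + member.name]
                tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, ["archive unreadable: %s" % exc]
        for rel, expected in manifest.items():
            path = os.path.join(scratch, rel)
            if not os.path.exists(path):
                problems.append("missing: " + rel)
            elif sha256_file(path) != expected:
                problems.append("checksum mismatch: " + rel)
    return (not problems), problems


def demo():
    """Back up a constructed data set, run the drill, then overwrite the
    archive the way ransomware would and show the drill catching it."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2024-01-01,100\n")  # constructed sample
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample\n")
        archive = os.path.join(work, "backup.tar.gz")
        manifest = create_backup(src, archive)
        clean_ok, _ = restore_drill(archive, manifest)
        with open(archive, "wb") as f:  # simulate the archive being encrypted in place
            f.write(b"ENCRYPTED" * 64)
        tampered_ok, problems = restore_drill(archive, manifest)
        return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

The point of keeping the manifest separate from the archive is that an attacker who can rewrite the backup usually cannot also rewrite a digest list held on another medium, so the drill fails loudly instead of restoring garbage on the day you need it.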

We want to be prepared for the worst case because it can happen to anyone, and we DO NOT want to panic in these situations. An employee might fall for a phishing attempt or let an attacker in by visiting a malicious site at work when they weren't supposed to. That leads into what we must do to prevent these incidents.

Preventative Measures to stop Ransomware and Data Extortion

  1. First things first: set up an employee cybersecurity awareness program. According to the 2023 Verizon Data Breach Investigations Report, 74% of breaches involved the human element. It's hyper critical to create user awareness across the company as a whole, so that employees take proper precautions, based on the training they receive, when performing simple tasks like checking email or logging in over public Wi-Fi via VPN. A good education program should leave them able to spot and report suspicious activity, and reporting should be easy and never punished, because the first person to report a phish is often what gives your team the head start.
  2. Good IT cyber hygiene is key! Employees should take extra steps to make sure their personal devices and home networks are secure, especially remote employees, who are the most exposed. It's equally important to make sure all systems are properly patched and updated.

Network Hardening Steps

  1. Improve the resiliency of internet-facing services such as RDP that are reachable from the public internet. Multiple ransomware gangs gain their initial access through exposed remote-access services, usually by brute forcing or reusing stolen credentials rather than through an exotic exploit. Inventory your open ports and listening services, from inside the network and from the outside looking in, and if a service is not essential, close it. If employees genuinely need RDP, don't expose it directly: put it behind a VPN or a remote desktop gateway, require MFA, enforce account lockout, and make sure the credentials are properly secured and stored.
  2. Next, check on your external security hardware or software, for example web application firewalls (WAF). A WAF protects web apps by filtering and monitoring traffic to and from a service, and it acts as the first line of defense for attacks against those apps. As organizations expand their initiatives they also expand their attack surface: new web apps and APIs (Application Programming Interfaces) can be exposed to malicious traffic through web server vulnerabilities, server plugins, etc. A well configured WAF does not prevent ransomware on its own, but it reduces the chance that an exposed web app or API becomes the initial foothold an intrusion starts from.
  3. Traditional antivirus can't keep up with an environment where malware strains constantly evolve and improve, so some malware will slip through the cracks. Organizations need to continuously monitor and protect their endpoints with EDR (Endpoint Detection and Response) solutions. Advanced attacks can compromise an endpoint in minutes or even seconds, and attackers routinely try to disable or blind the EDR agent, all of which leaves already overstretched security teams with a volume of alerts they can never get to. Next-generation EDR solutions deliver real-time telemetry, threat intelligence, visibility, analysis, management and protection for endpoints before and after a ransomware infection, and can detect and respond to threats in real time. It's highly recommended to upgrade if your budget allows, but whichever product you run, enable its tamper protection and make sure someone is actually triaging the alerts.
  4. Network segmentation is increasingly important as well, especially as cloud adoption grows and environments become multi-cloud or hybrid. Segmentation splits the network into zones (for example user workstations, servers, backups, and management) and only allows the traffic between zones that the business actually needs, enforced with firewalls, VLANs, or microsegmentation policies in the cloud. Pair it with an identity and access management (IAM) program and role-based access control (RBAC) so that access to each zone is granted by role and monitored. This is extraordinarily beneficial because it stops an attacker who lands on one workstation from moving laterally to gain complete access to your network. Segment your most sensitive areas first, above all backup infrastructure and domain controllers. Identity platforms like Active Directory or Entra ID are where the roles and policies that drive this access live, alongside your firewall rules.
  5. This leads us to zero trust. It assumes that anyone or anything attempting to connect to the network is a potential threat, so nothing is trusted by default: every user and device must prove who they are, whether they sit inside or outside the perimeter, because zero trust treats internal and external threats as equally present. A core verification method is MFA (Multi-factor Authentication), which requires two or more independent factors before access is granted; prefer phishing-resistant methods such as hardware security keys or passkeys over SMS codes where you can. Zero trust goes hand in hand with NAC (Network Access Control) tools that keep unauthorized users and devices off the corporate network, so that only authenticated users on devices that meet your security policies are allowed in. In turn this helps prevent ransomware and data extortion.
  6. Email is an excruciatingly important part of hardening our networks; it's a popular attack vector for a reason. A secure email gateway provides multilayered protection against a variety of attack types and sandboxes suspicious content for an extra layer of security. A sandbox detonates unknown attachments and links in an isolated test environment before the message reaches the mailbox: if the file drops a payload or the link lands on a credential-harvesting page, the message is quarantined instead of delivered. Such a tool alongside user education leaves your organization far better protected!
  7. Threat intelligence about what is occurring in your organization is crucial for mitigating threats. Share intelligence across your organization's security layers and products to ensure a proper defense against the threat. Beyond your own organization, you can seek the help of outside groups such as CERTs (Computer Emergency Response Teams), Information Sharing and Analysis Centers (ISACs), and industry coalitions like the CTA (Cyber Threat Alliance). Sharing this information is the best way to respond quickly and break the cyber kill chain before an attack takes over your organization, or potentially others. It's okay to ask for help. If you see suspicious activity your team can't handle, it's best to seek expert advice before things get completely out of hand. Better safe than sorry, and it can prove cost effective in the long run by saving your business from a ransomware attack or data extortion attempt.
  8. Learning how your adversaries work is also a good way to protect your network. Build an environment mimicking your actual servers, apps, and data so that bad actors are fooled into thinking they have infiltrated and gained access, while every action they take is logged. Since no legitimate user should ever touch it, any connection to it is a high-fidelity signal. You can then document how it was done and patch and test those weaknesses to keep hardening your network. This method is called a honeypot. Soon on this blog we will demonstrate how this is done 🙂
  9. Last but not least, if your organization can afford it, have vulnerability assessment tools and pen testers take a crack at your network regularly to find out first hand what holes actually exist in your environment. You then use that information to harden your network even further! Open source tools like OpenVAS, Nmap, and CloudSploit can help a small business. For enterprises, paid tools like Rapid7, Nessus, and Qualys may be better options, to name a few. Check out my introductory blog post on Vulnerability Management to get started!
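Steps 1 and 9 both come down to knowing what is listening and whether it should be reachable. As an added example (not code from the original post), here is a small audit that parses `ss -tlnp` output and flags remote-access, file-sharing and database ports bound to non-loopback addresses that are not on an explicit allowlist. The `ss` sample, the RISKY_PORTS table and the allowlist are the example's own assumptions, not a list from the post.

```python
"""Audit listening sockets for exposed remote-access and admin services.

Added example, not from the original post. The `ss -tlnp` sample is
constructed and the RISKY_PORTS table is the example's own assumption.
"""
import re
from ipaddress import ip_address

RISKY_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 135: "MSRPC", 139: "NetBIOS", 445: "SMB",
    1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 5900: "VNC",
    5985: "WinRM", 6379: "Redis", 27017: "MongoDB",
}
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed `ss -tlnp` output for the demo.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1401,fd=11))
LISTEN 0      50     127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      128    [::]:445            [::]:*            users:(("smbd",pid=1120,fd=34))
LISTEN 0      128    10.0.0.5:8443       0.0.0.0:*         users:(("nginx",pid=700,fd=6))
"""


def is_loopback(addr):
    try:
        return ip_address(addr.strip("[]")).is_loopback
    except ValueError:  # "*" and similar wildcards are not loopback
        return False


def parse_ss(output):
    """Yield (address, port, process) for each LISTEN line."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        m = PROC_RE.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def audit_listeners(output, allowed_ports=frozenset()):
    """Return findings for risky services reachable from beyond the host."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if port not in RISKY_PORTS or port in allowed_ports or is_loopback(addr):
            continue
        findings.append({
            "port": port,
            "service": RISKY_PORTS[port],
            "process": proc,
            "bound": "all interfaces" if addr in WILDCARDS else addr,
        })
    return sorted(findings, key=lambda f: f["port"])


def demo():
    # SSH is allowlisted here (assumption: key-only auth behind a bastion);
    # RDP and SMB listening on all interfaces should not be reachable at all.
    return audit_listeners(SAMPLE_SS, allowed_ports={22})


if __name__ == "__main__":
    for f in demo():
        print("EXPOSED %(service)s (%(port)d) via %(process)s on %(bound)s" % f)
```

Run it against real `ss -tlnp` output on each host, then confirm the findings from outside with an Nmap scan of your public ranges; a port that is open on the host but filtered at the edge is a smaller problem, but the host audit is what catches the service before the next firewall change exposes it.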
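Step 6 describes what a gateway sandbox does; the triage that decides what reaches the sandbox is worth seeing in code. This added example (not code from the original post) classifies attachments by content before trusting the file name: executables are blocked regardless of extension, macro-enabled documents and zip containers hiding a VBA project are blocked, documents and archives go to detonation, and everything else is delivered. The extension lists, magic-byte table and verdicts are the example's own policy assumptions, and the sample attachments are constructed in memory.

```python
"""Pre-delivery attachment triage in the spirit of a secure email gateway.

Added example, not from the original post. Extension lists, magic-byte table
and verdicts are the example's own policy; sample attachments are constructed.
"""
import io
import zipfile

BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1", ".js",
               ".jse", ".vbs", ".vbe", ".hta", ".lnk", ".msi", ".iso", ".img", ".vhd"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
SANDBOX_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf",
               ".zip", ".rar", ".7z", ".one"}
MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
         (b"%PDF", "pdf"), (b"PK\x03\x04", "zip-container"),
         (b"Rar!", "rar"), (b"7z\xbc\xaf", "7z")]
# What the content should look like when the name claims one of these types.
EXPECTED = {".pdf": "pdf", ".zip": "zip-container", ".docx": "zip-container",
            ".xlsx": "zip-container", ".pptx": "zip-container"}


def sniff(data):
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def zip_has_macros(data):
    """True if an OOXML/zip payload carries a VBA project, i.e. macros hidden
    behind a .docx name instead of the honest .docm."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename, data):
    """Return (verdict, reason). Content is judged before the name is trusted."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    kind = sniff(data)
    if kind in ("pe-executable", "elf-executable"):
        return "block", "executable content (%s) despite name %s" % (kind, filename)
    if ext in BLOCKED_EXT:
        return "block", "dangerous extension " + ext
    if ext in MACRO_EXT:
        return "block", "macro-enabled document"
    if kind == "zip-container" and zip_has_macros(data):
        return "block", "VBA project inside container"
    if ext in EXPECTED and kind != "unknown" and kind != EXPECTED[ext]:
        return "sandbox", "content %s does not match extension %s" % (kind, ext)
    if ext in SANDBOX_EXT or kind in ("zip-container", "rar", "7z"):
        return "sandbox", "document or archive: detonate before delivery"
    return "deliver", "no policy hit"


def make_zip(entries):
    """Build a small zip in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments: (name, bytes).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%constructed\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("salary.docm", make_zip({"word/document.xml": "<w:document/>"})),
    ("Q3-results.docx", make_zip({"word/document.xml": "<w:document/>",
                                  "word/vbaProject.bin": b"\x00"})),
    ("update.pdf", make_zip({"readme.txt": "not a pdf"})),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]


def triage(samples=SAMPLES):
    return {name: classify(name, data)[0] for name, data in samples}


if __name__ == "__main__":
    for name, data in SAMPLES:
        print("%-18s %s (%s)" % ((name,) + classify(name, data)))
```

A real gateway adds sender reputation, URL rewriting and the detonation itself on top of this, but the ordering is the lesson: the byte-level checks come first because file names are attacker-controlled, and "sandbox" is the verdict for anything that is plausibly legitimate but could still carry a payload.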
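Step 7 talks about sharing intelligence; the concrete thing you do with a shared feed is sweep your logs for its indicators. This added example (not code from the original post) matches a small indicator set against proxy, DNS and EDR log lines, including parent-domain matching so that a subdomain of a known-bad domain still hits. The indicator feed, the log formats and the log lines are all constructed for the demo (documentation IP ranges and the reserved .example TLD), and are the example's own assumptions.

```python
"""Match a threat-intelligence indicator set against log lines.

Added example, not from the original post. Indicators, log formats and log
lines are constructed (documentation IP ranges, reserved .example TLD).
"""
import re

# Constructed indicator set, the kind an ISAC feed or CTA partner would share.
IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"updates-cdn-check.example", "login-portal.example"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log lines: proxy, DNS and EDR events.
SAMPLE_LOGS = """\
2024-03-02T10:14:05Z proxy src=10.0.0.23 dst=203.0.113.45:443 host=updates-cdn-check.example action=allow
2024-03-02T10:14:09Z dns client=10.0.0.23 query=mail.login-portal.example type=A
2024-03-02T10:15:31Z edr host=WS-0231 event=process_create path=C:\\Temp\\svc.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-03-02T10:16:00Z proxy src=10.0.0.44 dst=192.0.2.10:443 host=www.example.org action=allow
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def domain_hits(domain, feed):
    """Match the domain and each parent (mail.x.example -> x.example),
    never the bare TLD."""
    labels = domain.split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)} & feed


def match_line(line, iocs=IOCS):
    """Return a sorted list of (type, indicator) hits for one log line."""
    text = line.lower()
    hits = set()
    for ip in IPV4_RE.findall(text):
        if ip in iocs["ipv4"]:
            hits.add(("ipv4", ip))
    for digest in SHA256_RE.findall(text):
        if digest in iocs["sha256"]:
            hits.add(("sha256", digest))
    for dom in DOMAIN_RE.findall(text):
        for hit in domain_hits(dom, iocs["domain"]):
            hits.add(("domain", hit))
    return sorted(hits)


def scan(logs=SAMPLE_LOGS, iocs=IOCS):
    """Return [(line_number, type, indicator), ...] across all lines."""
    results = []
    for n, line in enumerate(logs.splitlines(), 1):
        for kind, value in match_line(line, iocs):
            results.append((n, kind, value))
    return results


if __name__ == "__main__":
    for n, kind, value in scan():
        print("line %d: %s indicator %s" % (n, kind, value))
```

In the sample, the first proxy line hits on both the destination IP and the host name, the DNS query hits through its parent domain, and the EDR event hits on the file hash; the last line is clean. Sweeping historical logs like this the moment a partner shares new indicators is what turns "someone else got hit" into "we checked, and here is when it touched us".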

This is how I would go about securing my organization. There is much more depth to each step, but your job as an organization is to dive deep into what your business needs and make a wise decision on what that may be. This guide is meant to give you a good starting point. Another guide that may be of great help is the ransomware guide from CISA, which goes into great depth on what your organization needs to implement to secure its network as well as possible. Please feel free to leave any questions or comments down below if you feel this guide can be improved or you need any help 🙂 I will be happy to get back to y'all as soon as possible, but this is it folks!

Remember, to always be legendary! Cheers! ~EAR
