The business of ransomware is flourishing, boosted by the anonymity of the attackers, the small number of criminal cases that are prosecuted, the automation of attack methods and huge profits for low risk. The groups behind ransomware are more and more powerful and operate like professional enterprises. They are pooling their forces, sharing knowledge and techniques, with the direct effect of extending the number of their targets and victims. All companies should consider this threat one of the most immediate and serious their organizations are facing.
Understanding the ransomware threat
Common patterns can be recognized in ransomware attacks. In many cases the only visible part of the attack is its last stage, when an encrypting program is executed, making the file systems of workstations and servers unreadable. By then the network has often been compromised for days, weeks or months.
Standard antivirus software is not effective against customized malware, and it lets networks and computers be compromised through phishing or the exploitation of unpatched software vulnerabilities, or both.
A ransomware attack usually has 3 stages:
Once the attackers have entered the company network, they begin by discreetly exploring it using stolen identities, jumping from workstations to servers and collecting information about the organization, its users, its databases, etc. Detecting this first stage of the attack demands high expertise and state-of-the-art technology.
Once they have mapped the system, they exfiltrate data to their own servers in order to resell it and/or blackmail their victims.
Once the attackers have stolen the data they wanted, sometimes over entire months, they launch the malware that encrypts the file systems of every computer on the attacked network.
Protecting against ransomware
Traditional antivirus defences are no longer enough. Ransomware and malware come with the capability to change their code to bypass traditional defences, and attackers also know how to stay ahead by customising them to each organisation's system profile. In this context, technological solutions such as EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response) help you detect intrusion attempts. Because an effective EDR or MDR solution will not be sufficient to address all the security challenges, we would like to share a few other security practices that have been implemented at Atos and have proven to be valuable protections against cyber threats and ransomware attacks. We do not intend to cover all security practices exhaustively, and we still have room to improve our own security framework.
Before upgrading security systems, start with governance and company culture: password management, patch management and all other recognized practices, along with continuous information and training of people. Apply and maintain good cyber security practices across your whole organization, covering the IT, Development IT and Production IT perimeters, in a Defence-in-Depth approach.
Make your Active Directory (AD) a fortress by following Microsoft's recommendations. Active Directory is the most attacked infrastructure (as are Microsoft deployment tools such as GPO and SCCM). Once compromised, it virtually grants access to everything. It is paramount to protect your Active Directory strongly: identification and enforced control of all privileged accounts and groups, lockdown of domain admin accounts, two-factor authentication, use of dedicated privileged access workstations (PAW), monitoring of your AD, etc. The operations needed to secure an AD are complex, but they are critical.
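The "identification and enforced control of all privileged accounts and groups" above is only possible if you know, at any time, who actually holds those rights, nested group memberships included. The following PowerShell script is an added example, not code from the original post or from Atos: it enumerates the members of the built-in AD groups that grant domain-wide control, compares them with an allow-list, and exports the accounts that need attention. It assumes the ActiveDirectory RSAT module is installed, that it runs with read access to the domain, and that $ApprovedAdmins is a hypothetical allow-list maintained by the security team (the names in it are placeholders).

```powershell
# Added example (not from the original post): audit membership of highly privileged
# AD groups and flag accounts that are not on an approved list or have stale passwords.
# Assumptions: ActiveDirectory RSAT module installed, read access to the domain,
# and $ApprovedAdmins is a hypothetical allow-list kept by the security team.
Import-Module ActiveDirectory

# Built-in groups whose membership effectively grants control of the domain.
$PrivilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Administrators',
    'Account Operators',
    'Backup Operators'
)

# Hypothetical allow-list of sAMAccountNames expected to hold these rights (placeholders).
$ApprovedAdmins = @('adm.placeholder-one', 'adm.placeholder-two')

$StaleAfterDays = 180

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so an indirect member is not missed.
    try {
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read group '$Group': $_"
        continue
    }
    foreach ($Member in $Members) {
        if ($Member.objectClass -ne 'user') { continue }
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties PasswordLastSet, LastLogonDate, Enabled
        $NeverSet = -not $User.PasswordLastSet
        [pscustomobject]@{
            Group           = $Group
            Account         = $User.SamAccountName
            Enabled         = $User.Enabled
            PasswordLastSet = $User.PasswordLastSet
            LastLogonDate   = $User.LastLogonDate
            Approved        = $ApprovedAdmins -contains $User.SamAccountName
            # A password never set or older than the threshold is treated as stale.
            StalePassword   = $NeverSet -or ($User.PasswordLastSet -lt (Get-Date).AddDays(-$StaleAfterDays))
        }
    }
}

# Full inventory on screen, then only the accounts that need action in the CSV.
$Findings | Sort-Object Group, Account | Format-Table -AutoSize
$Findings | Where-Object { -not $_.Approved -or $_.StalePassword } |
    Export-Csv -Path .\privileged-account-findings.csv -NoTypeInformation
```

Run it from a privileged access workstation on a schedule and diff the CSV against the previous run: a new, unapproved member of Domain Admins or Backup Operators is exactly the kind of change that precedes the encryption stage and deserves an alert rather than a monthly review.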
Build an advanced anti-phishing strategy. It combines policies, human practices and tools so that everyone in the organisation is aware of being a potential target and reacts properly when targeted (for example by identifying rogue mails that have escaped automatic filtering), while most phishing attempts are identified automatically. It will significantly reduce the threat surface and allow security measures to be more effective. It is usually considered that the right strategy divides by 5 the risk of a phishing attempt going unnoticed.
Continuously review the protected perimeter, verifying that no infrastructure is missing. The attackers have the time and resources to map your infrastructure, so it is important not to give them a competitive advantage. An IT organization is a living system, exposed to constant change: new software, new devices, new apps, with a growing part escaping the IT organization and left to the end user. Real-time monitoring of the Internet-facing interfaces of your network is particularly important, as they are the most exposed part of the network.
The shadow IT in your organization represents another significant threat. You need discovery and control capabilities, Network Access Control (NAC) and Zero Trust solutions to master your own ground.
The fight against malicious groups is a never-ending technology and innovation race. Your backups are your best ally when an issue arises. You should verify that you have backups in place, as well as the associated processes: security incident response, disaster recovery procedures, crisis management plan … and regular tests. Doing backups on a regular basis is no longer enough, as attackers know how to hit them as well. Backups need their own protection.
Replace password authentication with two-factor authentication, using PKI cards or an authenticator app on mobile devices. Deployed in the user environment and for remote access, then extended to internal central applications and the production environment, it significantly reduces the risk of password and access violations.
Remove administrator privileges from user accounts. Legitimate users rarely need them; attackers very often do. Given the risk of initial compromise of user workstations, such a measure should be systematic.
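Removing local administrator rights is a one-off cleanup only if something keeps them removed afterwards: help-desk exceptions, software installers and attackers who have already landed on a workstation all tend to add accounts back. The following PowerShell script is an added example, not code from the original post or from Atos: it enforces a baseline for the local Administrators group, reports any deviation to a CSV and to the Windows event log, and removes unexpected members only when explicitly asked. It assumes PowerShell 5.1 or later (for the LocalAccounts cmdlets), that it runs elevated (for example as a scheduled task deployed by GPO), and that $ExpectedAdmins is a hypothetical baseline defined by the IT team; the domain and group names in it are placeholders.

```powershell
# Added example (not from the original post): enforce the workstation baseline for
# the local Administrators group. Unexpected members are reported and, only when
# -Remediate is given, removed. Assumes PowerShell 5.1+ (Get-LocalGroupMember),
# an elevated context (e.g. a GPO-deployed scheduled task), and that
# $ExpectedAdmins is a hypothetical baseline maintained by the IT team.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,
    [string]$ReportPath = "$env:ProgramData\LocalAdminAudit\$env:COMPUTERNAME.csv"
)

$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",       # built-in account (its password managed by LAPS in practice)
    'CONTOSO-PLACEHOLDER\Workstation Admins'  # hypothetical domain group allowed to administer workstations
)

$Report = foreach ($Member in Get-LocalGroupMember -Group 'Administrators') {
    $Expected = $ExpectedAdmins -contains $Member.Name
    if (-not $Expected -and $Remediate -and
        $PSCmdlet.ShouldProcess($Member.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Member
        $Action = 'Removed'
    } elseif (-not $Expected) {
        $Action = 'Flagged'
    } else {
        $Action = 'Kept'
    }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Member          = $Member.Name
        PrincipalSource = $Member.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
        ObjectClass     = $Member.ObjectClass       # User or Group
        Action          = $Action
        CheckedAt       = (Get-Date).ToString('s')
    }
}

# Persist the report where a collector (SIEM agent, EDR, file share) can pick it up.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$Report | Export-Csv -Path $ReportPath -NoTypeInformation

# Also raise deviations in the event log so detection does not depend on the CSV.
$Deviations = $Report | Where-Object { $_.Action -ne 'Kept' }
if ($Deviations) {
    if (-not [System.Diagnostics.EventLog]::SourceExists('LocalAdminAudit')) {
        New-EventLog -LogName Application -Source 'LocalAdminAudit'
    }
    Write-EventLog -LogName Application -Source 'LocalAdminAudit' -EventId 4100 -EntryType Warning `
        -Message ("Unexpected local administrators:`n" + ($Deviations | Format-Table -AutoSize | Out-String))
}
```

Run it first without -Remediate to see what would be flagged across the fleet, then with -Remediate -WhatIf to preview removals; only switch to -Remediate once the baseline covers every legitimate exception, otherwise the script itself becomes a source of help-desk tickets.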
Implement network segregation, isolating the corporate environment from the production environment with separate domains. Network isolation (firewalls) will slow down an attack and reduce the likelihood of an impact across your whole organization.
None of the above can be successfully implemented without management sponsorship. The risk is so high and so widespread that the answer requires board sponsorship.
Finally, constantly challenge your defences. No security can be 100% bulletproof against malicious threat actors. Challenging your existing defences with red teaming and bug bounties is more and more important. This will show the strengths and weaknesses of your security measures and feed the improvement loop of your security management system.