Ransomware Risks and How to Mitigate Them
Posted by Andrew Ogilvie in Security

A ransomware attack involves criminals gaining unauthorised remote access to a company's data and holding that data hostage by encrypting it. The data becomes inaccessible without a decryption key held by the criminals. A ransom payment is demanded in return for the decryption key. Often, the ransom is to be paid using cryptocurrency such as Bitcoin, giving the criminals some degree of anonymity. In addition, threats may be made to leak all or part of the data publicly, with the objective of causing reputational damage and/or impacting the business's clients. Tactics include setting a short response timescale in order to exert additional pressure.
Even if a ransom is paid there is no guarantee that the criminals will be honourable; they rarely are. Indeed, paying up may mean you are marked as a soft target and result in an increased likelihood of being targeted similarly in the future.
So what makes a business vulnerable to a ransomware attack and how do attackers gain access to data in the first place?
Typical methods used to gain access to data are:
- Phishing. Sending fake emails to employees to trick them into clicking through to links that will infect their laptop with malware. That malware then might spread across the company's internal network, jumping from one computer to another.
- Tricking employees into divulging their passwords, for example by sending a bogus "password reset" link via email.
- Exploiting system vulnerabilities in operating systems or software that haven't been patched regularly.
- "Brute force" attacks, whereby commonly used, easy-to-guess passwords are tried repeatedly.
New attack vectors in 2022
Gone are the days where PCs are exclusively sat on desks, maintained by the IT department and cabled to the network. Employees are increasingly mobile, often working from home or out and about connected to wi-fi. These workers are prime targets and often soft targets for attack. Areas of concern are:
- Home wi-fi and public wi-fi in cafes or public areas may be insecure. Connections might be made to unknown and insecure computers on these networks.
- Mobile phones. If remote access is permitted to company email or files, another "attack vector" is opened.
- And make no mistake, SMEs are a target. There is some evidence that ransomware gangs are moving away from "big game" such as PLCs and on to small and mid-size victims.
What preventative measures can you take to reduce the risks of a ransomware attack?
All normal good IT practices and "hygiene" apply:
- Restrict your public attack surface. The world (in the form of the public Internet) should ideally only see a firewall or VPN concentrator device and your public websites. Keep what is publicly exposed to an absolute minimum. It is preferable to have websites on separate externally hosted infrastructure.
- Firewalling. Close off ports that are not needed. Restrict access to specific lists of IPs where possible. Connect remote offices via private leased lines that are not part of the Internet.
- Remote access via secure VPN only.
- Centralised authentication. Use a centralised authentication system such as Active Directory, so employees are not juggling multiple passwords for different systems. Limit employee access to only the specific systems and data that they need access to.
- 2FA (two-factor authentication). 2FA is currently a focus of attention because banks are starting to make it a requirement for card and banking app payments. This means that in addition to a password an additional one-off form of authentication is required. This could be a one-off passcode being sent by text to a registered mobile phone number; generating a one-time code from an app on your smartphone; or using a card and card reader to generate a one-off passcode. This extra layer of authentication means a stolen password alone is not sufficient to gain entry to your systems.
- Applications that are not needed should be uninstalled.
- Enforce minimum password standards. Reject repeated password attempts from the same source.
- Regular patching. For some systems such as employee laptops enforcing automatic updates might be desirable. For production systems such as database servers, the testing of patches, with ability to "roll-back" updates will be necessary.
- Maintain a register of all hardware and software in use across the business (including systems in "the cloud"), and subscribe to alerts (at a minimum by email) for new patches and vulnerabilities affecting everything on that register.
- Staff training for everyone to understand the risks from "phishing".
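The "reject repeated password attempts from the same source" control above, as an added example that is not part of the original article: a per-source throttle that counts failures in a sliding window, locks the source out once the threshold is hit, releases it when the lockout expires, and resets the counter on a successful login. The thresholds and the sample attempt sequence are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the article); tune to your environment.
MAX_FAILURES = 5   # failures allowed within WINDOW before the source is blocked
WINDOW = 300       # seconds over which failures are counted
LOCKOUT = 900      # seconds a source stays blocked once it trips the threshold

class LoginThrottle:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.blocked_until = {}             # source -> time at which the block expires

    def is_blocked(self, source, now):
        until = self.blocked_until.get(source)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[source]      # lockout has expired; forget it
        return False

    def record_failure(self, source, now):
        """Register a failed attempt; returns True if it trips the lockout."""
        q = self.failures[source]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.blocked_until[source] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, source):
        self.failures[source].clear()       # a good login resets the counter

def check_attempt(throttle, source, password_ok, now):
    """Outcome of one attempt: blocked, allowed, failed or locked_out."""
    if throttle.is_blocked(source, now):
        return "blocked"                    # refused even if the password is right
    if password_ok:
        throttle.record_success(source)
        return "allowed"
    return "locked_out" if throttle.record_failure(source, now) else "failed"

def replay(attempts, throttle=None):
    """Replay (source, password_ok, timestamp) tuples and return each outcome."""
    throttle = throttle or LoginThrottle()
    return [check_attempt(throttle, s, ok, t) for s, ok, t in attempts]

# Constructed sample: one source hammers the login, another logs in normally.
SAMPLE = [("203.0.113.7", False, t) for t in range(0, 50, 10)] + [
    ("203.0.113.7", True, 60),               # right password, but now locked out
    ("198.51.100.2", False, 61), ("198.51.100.2", True, 62),  # one slip, then success
    ("203.0.113.7", True, 60 + LOCKOUT + 1)]  # lockout has expired
```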
Monitoring for Breaches
- Anti-virus everywhere with automated updates and alerts managed from a centralised IT management system, so you know what is patched and what is vulnerable.
- An Intrusion Detection System (IDS) can monitor your network for malicious or unusual activity.
- Vulnerability scanning involves running a regular scan (at least daily) looking for known vulnerabilities and exploits in your systems.
- Centralised security management system. All the data from the above needs to be pulled into a central system that gives you an overview of all alerts and activity.
How should you report an attack?
UK companies should report incidents to the National Cyber Security Centre (NCSC-UK) via report.ncsc.gov.uk and/or Action Fraud, the UK fraud and cyber reporting centre, via actionfraud.police.uk.
However, in reality such reporting is unlikely to bring much assistance with resolution. Reporting the incident to the authorities is nonetheless likely to be a requirement for any insurance claim.
Backup Strategies - your first and final line of defence
But if the worst does happen then undoubtedly the quickest way to restore your data is from a trusted backup.
Backups are automated and typically these days stored in a third party "cloud" or datacentre.
Continuous Data Protection (CDP) is a modern backup system that backs up data on a computer system every time a change is made. CDP maintains a continuous journal of data changes and makes it possible to restore a system quickly and relatively easily to a fully operational normal state.
An incremental backup can be used to speed up the backup process and reduce the amount of data that needs to be transferred. This method means only data that has changed since the last full backup is copied.
Immutable backups. An immutable backup is a backup with a lock to make it permanent. This can be suitable for a secondary backup as an archive which cannot be tampered with. It is a permanent "write only" backup.
Extraordinary can help
We have been backing up customer data for over two decades now. Our experience and expertise allow us to design solutions that work reliably. We are pragmatic and have a strong customer-focused ethos based on long-term customer relationships and trust. We are agile and able to respond to your needs in a crisis. Services we can provide include:
- Managed regular backups of your data with backups held in our London and/or Edinburgh UK datacentres to ISO27001 security standards.
- Hold your core data and software systems in a centralised secure datacentre with secure access via VPN gateways or leased lines.
- Continuous Data Protection for servers, virtual machines, network attached storage and desktops.
- Managed security and vulnerability scanning for hosted services.
- Immutable backup options.
- Independent backup of Microsoft 365 data including Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams.