What is Ransomware?
Before we delve into 2.0, let’s refresh on what we mean when we’re referring to ransomware.
Ransomware, as defined by the NCSC, is: a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption.
As the NCSC definition notes, the established practice of ransomware deployment is to encrypt data and then demand a payment, typically in Bitcoin, in exchange for the decryption key that restores access to the affected information.
Why Ransomware 2.0?
So, why 2.0? Increasingly, we’re seeing a trend within the criminal fraternity that is moving away from the established practice of encrypting your data to demand Bitcoin, and more towards simply stealing the data and extorting a fee (usually still in a cryptocurrency of their choosing).
From an attacker's perspective, this makes sense. The end result is the same: they hold your data, or your customers' data. From an execution standpoint, though, far less work is involved because no encryption is required. To encrypt successfully, attackers must gain access to and encrypt every copy of the data, including backups, while remaining undetected throughout. The newer and far more efficient approach needs only access to a single account: steal the data and demand a fee.
How does this impact victims?
For the victim, little changes, except for the marginal advantage of avoiding the mass downtime and lost productivity that follow when every file has been encrypted. The victim still faces the same conundrum: pay the ransom to avoid the reputational nightmare of a data breach, or refuse to pay and potentially face large data-protection and privacy fines on top of the cost of reputational damage.
We anticipate that, along with data corruption, this will become the new norm in ransomware as criminal entities strive for more 'bang per buck'. It makes sense from an attacker's perspective, but sadly it makes the risk of a ransomware attack much higher for businesses of all sizes.
What does this mean for the detection of Ransomware?
We've talked about the post-breach nightmare, but what about before a theft takes place? Does this mean a change in defensive practice? Do we need to re-evaluate our response options? Is there now a requirement to do more? The answer is not a straightforward yes or no but a mix of both, which we'll attempt to unpick here.
In terms of defence, you should have already ticked off the fundamentals:
- 2FA/MFA implemented on all accounts.
- A solid patching regime.
- Tested backups following the 3-2-1 principle (three copies of your data, two different media formats and at least one preferably Cloud but definitely off-site copy).
- An interactive EDR solution.
- A well-rehearsed Incident Response Plan (IRP).
- Regular user awareness training for anyone who touches a connected device.
We cannot stress the importance of the final point enough, from the C-Suite to the Cleaner’s cupboard. One of the main vectors for a ransomware attack to succeed is by delivering malware embedded in or linked from a phishing email. Train your users to spot these and give them the confidence to report them without fear of ridicule or castigation (we’ll cover this in a later article) and you’ve won half the battle.
Up to date patching
The other main vector is exploitation of legacy or unpatched Internet-facing assets, which is why an up-to-date network map and asset register are also critical, make-or-break factors: you cannot protect what you cannot see. Ensure that devices such as routers, firewalls and Internet-facing switches are patched immediately, and sign up to vendor security alerts, or those from providers such as e2e-assure, so that you receive timely notification before exploits are weaponised.
If it's a critical security alert, it's better to plan out-of-band patching than to wait for the next scheduled run. Overall, some downtime that's under your control beats a whole load that's not. If a system is truly legacy and end-of-life, then it's time for an upgrade; the cost may take a chunk of your annual IT budget, but it is insignificant compared with the costs arising from data loss.
Don't forget what you may have forgotten. As companies grow, gaining and losing staff along the way, systems get forgotten and overlooked: that once-busy SFTP server used to exchange files with a customer who has since ceased trading is still poking a hole through your DMZ and looks very inviting to an attacker, only now it's three firmware versions behind, vulnerable to publicly disclosed exploits and invisible to your monitoring.
Arrange weekly scanning of your public IP space with a proper configuration that covers all ports and protocols, and ensure the results are reviewed and actioned. Talk to your accounts or finance teams: if there's a legacy analogue line that happens to have a domain-joined fax server hanging off it, they'll be paying the bill for it.
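One way to make that weekly review mechanical, as an added example that is not part of the original article: parse the grepable output of an external port scan and compare every open port against the asset register, so that a forgotten host (the SFTP server above) or an unexpected service on a known host is flagged for action. The scan output, the addresses and the register below are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output from a weekly external scan.
# Addresses are from the RFC 5737 documentation range, not a real network.
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 22/closed/tcp//ssh///
Host: 203.0.113.22 ()\tPorts: 22/open/tcp//ssh///, 115/open/tcp//sftp///
Host: 203.0.113.40 ()\tPorts: 3389/open/tcp//ms-wbt-server///
"""

# Constructed asset register: what we believe is exposed, keyed by public IP.
ASSET_REGISTER = {
    "203.0.113.10": {"owner": "web-team", "expected_ports": {443}},
    "203.0.113.22": {"owner": "ops", "expected_ports": {22}},
}

# Grepable port field layout is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Return {ip: {(port, proto, service), ...}} containing open ports only."""
    exposed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports = {(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(line)}
        if ports:
            exposed[ip] = ports
    return exposed


def review_scan(scan_text, register):
    """Flag exposed hosts and ports that the asset register does not account for."""
    findings = []
    for ip, ports in parse_grepable(scan_text).items():
        asset = register.get(ip)
        if asset is None:  # nobody owns this host: the forgotten-server case
            findings.append((ip, "unregistered host", sorted(p for p, _, _ in ports)))
            continue
        unexpected = sorted(p for p, _, _ in ports if p not in asset["expected_ports"])
        if unexpected:
            findings.append((ip, f"unexpected ports (owner: {asset['owner']})", unexpected))
    return findings


if __name__ == "__main__":
    for ip, reason, ports in review_scan(SCAN_OUTPUT, ASSET_REGISTER):
        print(f"{ip}: {reason}: {ports}")
```

Each finding names an owner where one exists, so the review can be assigned rather than merely noted; an unregistered host is the signal to update the register or close the hole.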
What to do when you’re doing it all
You’re already doing all of the above; you have a mature and dynamic cyber-security posture with tried & tested policies. Great, you don’t need to do anything differently, but could you do more?
As cyber-criminal and other threat actor activity increases exponentially and unabated, it is no longer sufficient to rely solely on passive defence. That is not to say we'd recommend hacking back, but with the proper application of cyber threat intelligence (CTI) you can develop active defences: discover 'chatter' in dark web forums that references your organisation, identify threat actors by their infrastructure and TTPs, and 'shift left' across the ATT&CK™ chain to foil attacks before they fully execute.
Threat Detection & Response
e2e-assure’s Threat Detection and Response services offer seamless integration into your existing defensive strategy (through a Hybrid model) or as part of our monitoring service. You gain access to our extensive intelligence databases which benefit from real-time updates of breaking threat intelligence coupled with intelligent automation that identifies, correlates and blocks a threat at source with minimal human interaction required.
We say minimal because our bespoke technologies are backed by a team of some of the brightest and best-trained analysts in the business, and they love nothing more than keeping the bad guys out! Sat alongside our SOC is the dedicated CTI team, who are experts in open-source intelligence (OSINT) techniques and will emulate an attacker at the reconnaissance phase to discover your electronic and real-world footprints, feeding this back for awareness and action. We are passionate about turning information into actionable intelligence to make your portion of the Internet an assured place to do business.
We hope you’ve enjoyed this article and found it informative, please get in touch with any questions or requirements –