Coveware: Ransomware Recovery First Responders

Reduce the Risk of Ransomware by 90%, for Free, in One Day

A common misperception about ransomware is that we are helpless to prevent it. Attackers are always several steps ahead of our defense mechanisms and we are in a constant game of whack-a-mole. This mantra may certainly apply to other types of cybercrime, but it is not true of ransomware. Ransomware is an economics-driven industry, and currently those economics are skewed to favor the attackers. Buckets of low-hanging fruit (cheap targets) make these compelling economics possible and continue to fuel the growth of the ransomware industry.

Successfully defending your data from the ransomware industry requires that you make yourself an expensive target. When you are an expensive target, an attack does not make economic sense. Attackers won’t bother and will move on to cheaper targets. So how does a company make itself an expensive target? Won’t that require a massively expensive overhaul of IT security?

The answer is no!

Most companies can reduce their risk of a ransomware attack for free in one day. We will repeat that. You can achieve a 90% reduction of risk, at no cost, with one day’s worth of work. Here is how.

Secure Any Remote Services to Lower Risk by 50%

As of Q3 2019, 50% of ransomware attacks originated from compromised Remote Desktop Protocol (RDP) services. Remote desktop is a common feature in operating systems, allowing users to log in to and control one system from another. Adversaries use one of two methods to gain access to an organization through Remote Desktop.

  1. Attackers search the internet for systems that accept Remote Desktop logins and use software to guess weak passwords.

  2. Attackers obtain known or leaked credentials for accounts that are permitted Remote Desktop access.

Once inside an organization, attackers will likely gather more credentials to escalate their privileges and move laterally within your network. Once attackers have escalated privileges inside a network, they often seek to destroy backups. If backups are not properly partitioned off from the rest of the network, the company will likely be crippled by the attack.
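The password-guessing path in point 1 leaves a recognizable trail in the Windows Security log: a burst of Event ID 4625 (failed logon) records with LogonType 10 (RemoteInteractive, i.e. RDP) from a single source address. The PowerShell below is an added example, not code from the Coveware post: it defines a detector, runs it over constructed sample events, and includes a helper that pulls the same fields from the live log. The failure threshold and window length are assumptions to tune for your environment.

```powershell
# Added example (not from the Coveware post). Event ID 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP). Threshold/window values are assumptions.

function Find-RdpBruteForce {
    param(
        # Objects with TimeCreated, TargetUserName, LogonType and IpAddress properties.
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 5,    # failures from one source before alerting
        [int] $WindowMinutes = 10    # sliding window length
    )
    $alerts = @()
    $rdpFailures = $Events | Where-Object { $_.LogonType -eq 10 }
    foreach ($group in ($rdpFailures | Group-Object -Property IpAddress)) {
        $sorted = @($group.Group | Sort-Object -Property TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            # Failures from this source that fall inside the window starting at $start.
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $inWindow.Count
                    FirstSeen = $start
                    Accounts  = (($inWindow | Select-Object -ExpandProperty TargetUserName | Sort-Object -Unique) -join ', ')
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# Helper for the live Security log (run as administrator). 4625 property indices:
# [5] TargetUserName, [10] LogonType, [19] IpAddress.
function Get-FailedLogonEvents {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = [string]$_.Properties[5].Value
                LogonType      = [int]$_.Properties[10].Value
                IpAddress      = [string]$_.Properties[19].Value
            }
        }
}

# Constructed sample data: one internet source guessing eight accounts in two
# minutes, plus a single mistyped password from an internal workstation.
$t0 = [datetime]'2019-10-01T02:00:00'
$sample = @(
    foreach ($n in 0..7) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $n); TargetUserName = "user$n";
                           LogonType = 10; IpAddress = '203.0.113.45' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); TargetUserName = 'jsmith';
                       LogonType = 10; IpAddress = '10.0.0.25' }
)

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
# Live log instead of the sample: Find-RdpBruteForce -Events (Get-FailedLogonEvents)
```

On the sample data the detector reports one alert for 203.0.113.45 (eight failures across user0 to user7) and nothing for the internal workstation. Many distinct account names from one address within a few minutes is the signature of guessing rather than a forgotten password, which is why the alert lists the accounts tried.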

Prevention and Mitigation Strategies for RDP

  • Disable or remove remote services whenever possible;

  • Do not allow remote access directly from the internet. Instead, enforce the use of remote access gateways along with a VPN that requires multi-factor authentication; 

  • Require separate credentials for any remote access services;

  • Whitelist the IP addresses that are allowed to connect via RDP so that only trusted machines can connect;

  • Deploy password lockout provisions to prevent brute-forcing attempts.

The above recommendations are configuration settings available on all RDP services. Changing these settings is free. You just need to spend a few hours making the updates and training users on how to connect under the new security paradigm.
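As an added example, not part of the Coveware post, the PowerShell below applies the host-side version of those settings on a Windows machine: Network Level Authentication, a firewall allow-list on the Remote Desktop rule group, and an account lockout policy, followed by a read-back function so the result can be verified and kept as evidence. It must run in an elevated session. The address list and lockout numbers are placeholders to replace with your own management subnet and policy; the gateway/VPN and separate-credential bullets are infrastructure decisions and are not covered by a host script.

```powershell
# Added example (not from the Coveware post). Run in an elevated PowerShell on the
# host that accepts RDP. Addresses and lockout numbers below are placeholders.

$AllowedRdpSources = @('10.10.0.0/24', '192.0.2.10')   # assumption: VPN pool and one jump host

function Disable-RemoteDesktop {
    # First bullet: if the host does not need RDP at all, turn it off and close the port.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Set-RemoteDesktopHardening {
    param([Parameter(Mandatory)] [string[]] $AllowedSources)

    # Network Level Authentication: credentials are checked before a desktop session exists.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1

    # Whitelist bullet: scope every rule in the Remote Desktop group to the allowed sources only.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

    # Lockout bullet: 5 failed attempts lock the account for 30 minutes (counter resets after 30).
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Test-RemoteDesktopHardening {
    # Read the settings back so the change can be verified and kept as evidence.
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $scope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        RdpEnabled      = ($ts.fDenyTSConnections -eq 0)
        NlaRequired     = ($nla.UserAuthentication -eq 1)
        RemoteAddresses = ($scope -join ', ')
        LockoutPolicy   = ((net accounts | Select-String -Pattern 'Lockout') -join '; ')
    }
}

Set-RemoteDesktopHardening -AllowedSources $AllowedRdpSources
Test-RemoteDesktopHardening
```

On a domain-joined host the lockout threshold comes from domain Group Policy, which overrides the local value set by `net accounts`; the command here shows the local equivalent so the script is complete for standalone servers. Scoping the firewall rule group, rather than changing the listening port, is what actually stops internet-wide scanners from reaching the service.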

Congratulations! You have just cut your risk of getting attacked by ransomware in half. The total costs so far are about half a day’s work.

Deploy Multi-Factor Authentication on All Administrative Accounts to Reduce Risk by 40%

Requiring end users to log in with multi-factor authentication (MFA) is a good policy, but IT security professionals get a lot of pushback because of the perceived reduction in worker efficiency. As deeply flawed as this view is, let’s set it aside for now and focus on securing administrative account access with MFA.

Least-privilege principles need to be deployed in parallel to ensure that not every user on a network has administrative access to critical pieces of infrastructure. Why is MFA so important on administrative accounts versus regular user accounts?

It is a safe assumption that attackers will gain SOME foothold in your network. The key to preventing a systemic ransomware attack is to ensure they can’t get ALL the way into the nerve center. The use of credential harvesting tools such as Mimikatz, or credential-stealing malware, is extraordinarily common these days. Even if administrative credentials are harvested, a strong authenticator application or physical key-based MFA will prevent attackers from successfully using those credentials to access domain controllers or backup systems.

MFA is generally a free option on most software and hardware services; it just needs to be turned on! Using it JUST on the administrative accounts used by the IT security team limits the perceived inefficiencies of deploying it across every user. While MFA can’t prevent phishing emails from being clicked on or executed, it CAN prevent a successful phishing attempt from turning into a systemic ransomware incident via escalated privilege.

In addition to deploying MFA on your administrative accounts, it is important to understand how email can allow an attacker to gain a foothold in your network. Limiting the number of bad guys that DO get a foothold inside obviously helps us lower the odds of one of them getting through.

How Email Attachments Allow Ransomware Attackers to Gain Access to Your Network

Spear phishing with an attachment differs from other forms of spear phishing in that the malware is attached to the email itself. All forms of spear phishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, attackers attach a file to the spear-phishing email and usually rely upon employees attempting to open the attachment in order to gain code execution.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the payload exploits a vulnerability or directly executes on the user's system. The text of the spear-phishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. 

The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Attackers frequently manipulate file extensions and icons in order to make attached executables appear to be document files. In other scenarios, files exploiting one application appear to be a file for a different one.
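Each of the tricks in this paragraph (a disguised extension, an executable wearing a document icon, an archive that the gateway cannot open) leaves something a filter can check before a user ever sees the file. The PowerShell below is an added example, not code from the Coveware post: a triage function that inspects an attachment's name and its first bytes, run over constructed sample files written to a temp folder (header bytes padded with zeros, nothing executable). The extension lists are assumptions to adapt to your environment.

```powershell
# Added example (not from the Coveware post): static triage of an e-mail attachment.
# Extension lists are assumptions; the sample files below are constructed headers only.

function Get-AttachmentRisk {
    param([Parameter(Mandatory)] [string] $Path)

    $name  = [System.IO.Path]::GetFileName($Path)
    $ext   = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Executable or double extension ("Invoice.pdf.exe"): Explorer hides the real one by default.
    $execExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.wsf', '.hta', '.lnk')
    if ($execExt -contains $ext) { $findings.Add("executable extension $ext") }
    $inner = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($name))
    if ($inner) { $findings.Add("double extension $inner$ext") }

    # 2. Content vs. claimed type, via magic numbers: 'MZ' = PE executable, '%PDF' = PDF,
    #    'PK\03\04' = zip (also .docx/.xlsx).
    $isPe  = $bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A
    $isPdf = $bytes.Length -ge 4 -and [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes[0..3]) -eq '%PDF'
    $isZip = $bytes.Length -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B -and $bytes[2] -eq 0x03 -and $bytes[3] -eq 0x04
    $docExt = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.rtf', '.txt')
    if ($isPe -and $docExt -contains $ext) { $findings.Add("PE executable disguised as $ext") }
    if ($ext -eq '.pdf' -and -not $isPdf) { $findings.Add('claims PDF but has no %PDF header') }

    # 3. Password-protected zip: bit 0 of the general-purpose flag (offset 6 of the first local
    #    file header) is set, so a mail gateway cannot inspect the contents.
    if ($isZip -and $bytes.Length -ge 8 -and ($bytes[6] -band 1) -ne 0) {
        $findings.Add('encrypted zip, contents not inspectable at the gateway')
    }

    $risk = if ($findings.Count -gt 0) { 'HIGH' } else { 'low' }
    [pscustomobject]@{ File = $name; Risk = $risk; Findings = ($findings -join '; ') }
}

# Write constructed samples (header bytes padded with zeros) to a temp folder.
function New-SampleFile([string] $Path, [byte[]] $Header, [int] $Pad = 60) {
    $body = New-Object byte[] ($Header.Length + $Pad)
    [Array]::Copy($Header, $body, $Header.Length)
    [System.IO.File]::WriteAllBytes($Path, $body)
}
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'attachment-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
New-SampleFile (Join-Path $dir 'Invoice.pdf.exe') ([byte[]](0x4D, 0x5A))                                     # MZ stub, double extension
New-SampleFile (Join-Path $dir 'Statement.pdf')   ([byte[]](0x4D, 0x5A))                                     # MZ stub renamed to .pdf
New-SampleFile (Join-Path $dir 'Docs.zip')        ([byte[]](0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x01, 0x00)) # zip header, encrypted bit set
New-SampleFile (Join-Path $dir 'Report.pdf')      ([System.Text.Encoding]::ASCII.GetBytes('%PDF-1.4'))       # genuine PDF header

Get-ChildItem -Path $dir -File | ForEach-Object { Get-AttachmentRisk -Path $_.FullName } | Format-Table -AutoSize
```

The first three samples come back HIGH (executable plus double extension; executable disguised as PDF; encrypted zip) and Report.pdf comes back low. Checking the bytes rather than the name is the point: the extension and icon are whatever the sender chose, while the magic number is what the operating system will actually act on when the file is opened.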

How Links Within Emails Allow Attackers to Gain a Foothold in Your Network

Threat actors often place a link in an email, and an employee who receives it only has to click the link to become infected. This differs from other forms of spear phishing in that the malware is downloaded through a link contained in the email rather than attached to the email itself, which lets the message bypass defenses that inspect attachments.

All forms of spear phishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click on the link or copy and paste the URL into a browser, leveraging

Preventing and Mitigating Email Risk

  • Force regular password rotation so credentials change for perimeter users.

  • Use security awareness training tools to help employees identify social engineering techniques and spear-phishing emails with malicious links.

  • Restrict external emails and/or attachments to only those necessary for business operations, and consider blocking access altogether if the activity cannot be monitored well or poses a significant risk.

Congrats, you have just dropped your risk of a ransomware attack by an additional 40%. Our total risk reduction now stands at 90%. Not bad for a single day’s work and no additional security budget!