Ransomware: Do you have a tried and tested strategy in place?

With the recent Garmin outage still ongoing, and allegedly caused by a Ransomware attack, a large number of Executives are going to be asking tough questions about how Ransomware could impact their own organisations, as there is a good chance that this outage has had a direct effect on their daily lives.

TL;DR – Ransomware attacks are preventable; however, organisations need to have a tried and tested strategy in place to prevent them. Breach and Attack Simulation provides the visibility needed to develop and test a Ransomware prevention strategy.

While my intention with this article is not to speculate on the Garmin outage specifically, the points below are factors that YOUR business should consider as important attributes of your Cyber Incident Response Protocol.

  • Due to a lack of transparent communication with their clients regarding the outage, Garmin as a brand has lost a certain amount of respect and trust.
  • An effective disaster recovery plan does not appear to have been implemented by Garmin, which has affected their business continuity.

Let’s start by looking at the different types of Ransomware. There are two main types: crypto ransomware and locker ransomware [source: Kaspersky].

  • Crypto ransomware encrypts valuable files on a computer so that the user cannot access them. Cyberthieves that conduct crypto ransomware attacks make money by demanding that victims pay a ransom to get their files back.
  • Locker ransomware does not encrypt files. Rather, it locks the victim out of their device, preventing them from using it. Once they are locked out, cybercriminals carrying out locker ransomware attacks will demand a ransom to unlock the device.

According to Kaspersky, Ransomware examples including Locky, WannaCry, Bad Rabbit and Petya, to name but a few, all propagate via email. Many organisations targeted in ransomware attacks become victims because employees click on links in emails or open infected attachments. In fact, CSO Online states that 94% of malware is delivered via email and, according to independent testing, even after adding a Secure Email Gateway or making use of Microsoft and Google, one in ten malicious emails will still get to their intended target.

Once Ransomware has infiltrated an organisation it may move laterally, either via internal email or as a Worm (WannaCry) or Trojan. Ransomware doesn’t just target End User Workstations: it is also able to encrypt application, end user data and system files on Servers, as well as the Master Boot Record.

Usual response scenarios from organisations include shutting down all workstations and all devices hosted in data centres in an attempt to stop the propagation of the Ransomware, which in many cases leads to a global outage of services.

So how can an organisation Protect, Detect and Respond to a Ransomware attack?

The first step would be to make use of the NIST Cybersecurity Framework and identify key assets or Crown Jewels. These could be classified as follows:

  • Workstations: call centres, finance departments, HR, etc.
  • Public infrastructure supplying services
  • Internal infrastructure, business applications and domain controllers

With the use of Breach and Attack Simulation, various types of Ransomware attacks can be simulated, providing the following results:

  • Gaps and weaknesses in security controls
  • Ability for Ransomware to propagate throughout an organisation
  • Co-ordinated response plans to ensure optimal results

As an example of the above, here are some simple steps that can be tested and deployed:

  • Endpoint Detection and Response solutions that work on the principle of known good and make use of technology that traps malware inside a micro-VM, hence negating all known and unknown Ransomware attacks.
  • Network Segmentation with Security Controls that offer Protection and Detection, not just access control lists. These include Firewalls and IPS devices. High Risk Workstations in the areas of Finance, Call Centre and HR are not able to communicate with Public Infrastructure Services, even by moving laterally via other systems.
  • Formulating response plans that match the threat. While turning everything off to prevent the spread of Ransomware might appear to be a wise approach, it shouldn’t be necessary if the correct controls are in place to ensure that any outbreak is contained locally.
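
The segmentation requirement above is transitive: a high-risk workstation must not reach public infrastructure through any chain of permitted flows, not only directly. The following is an added example, not part of the original article, that audits a zone-to-zone allow-list for such chains; the zone names and the policy itself are constructed for illustration.

```python
from collections import deque

# Constructed policy: zone -> zones it is allowed to open connections to.
ALLOWED_FLOWS = {
    "finance_ws":    {"file_server", "mail_relay"},
    "callcentre_ws": {"crm_app", "mail_relay"},
    "hr_ws":         {"hr_app", "file_server"},
    "file_server":   {"backup"},
    "crm_app":       {"crm_db", "public_web"},  # weak rule: app tier reaches public tier
    "hr_app":        {"hr_db"},
}
HIGH_RISK = {"finance_ws", "callcentre_ws", "hr_ws"}
PUBLIC = {"public_web", "public_api"}


def lateral_paths(flows, sources, targets):
    """Breadth-first search from each source zone; return the shortest
    chain of allowed flows that ends in a target zone, keyed by source."""
    findings = {}
    for src in sorted(sources):
        parent = {src: None}
        queue = deque([src])
        while queue:
            zone = queue.popleft()
            if zone in targets:
                path = []
                while zone is not None:
                    path.append(zone)
                    zone = parent[zone]
                findings[src] = path[::-1]
                break
            for nxt in sorted(flows.get(zone, ())):
                if nxt not in parent:
                    parent[nxt] = zone
                    queue.append(nxt)
    return findings


def without_flow(flows, src, dst):
    """Return a copy of the policy with one allowed flow removed."""
    fixed = {zone: set(dsts) for zone, dsts in flows.items()}
    fixed[src].discard(dst)
    return fixed


if __name__ == "__main__":
    for src, path in lateral_paths(ALLOWED_FLOWS, HIGH_RISK, PUBLIC).items():
        print(f"{src}: segmentation gap via {' -> '.join(path)}")
    corrected = without_flow(ALLOWED_FLOWS, "crm_app", "public_web")
    print("gaps after fix:", lateral_paths(corrected, HIGH_RISK, PUBLIC))
```

In the constructed policy no workstation zone has a direct rule to the public tier, yet the call centre reaches it in two hops through the CRM application; removing that single flow closes the gap.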

Breach and Attack Simulation enables an organisation to perform all of the above and more. Therefore, when the Executives ask on Monday morning, “Is our organisation susceptible to a Ransomware Attack?”, it is possible to provide evidence demonstrating which areas might be responsible, how the attack can be locally contained, what response will happen and what plan and infrastructure is in place to ensure business continuity, all based on fact and real life simulation.

Using a Search Engine to list the names of well-known Brands that have recently become victims of Ransomware attacks returns Cognizant, Garmin, Orange Business Systems, Blackbaud and many more.

For more information on Breach and Attack Simulation for your organisation contact the Elasticito Team. We will be glad to create a tailored solution to suit your business’ needs.