NetworkTigers on how to stop a ransomware attack in its tracks.
Over the last few years, organizations in all sectors have been on guard as ransomware attacks have dramatically increased in frequency and severity. Cybercriminals wage constant war against private companies and government agencies, aided by ransomware purveyors that operate like legitimate software companies, leasing their malware and support to affiliates who carry out the actual intrusions.
Keeping a low profile and assuming you are not on the radar is not a sound security position. Criminals probe for weaknesses through scanning and social engineering and are indiscriminate regarding their victims, simply pursuing whoever happens to leave the door ajar.
In our connected world, it’s not a matter of “if” you will be hacked but “when.” The old maxim that “the price of liberty is eternal vigilance,” often attributed to Jefferson, holds for network security as well. It is important to maintain robust security measures that provide consistent defenses to stop a ransomware attack before it strangles your network and your business.
Best plan: prevent the ransomware attack
The best way to manage a ransomware attack is not to allow one to happen in the first place. Basic preventative measures create a firm foundation; on top of them, policies and employee training help people recognize the phishing and social engineering scams designed to trick them into granting unauthorized network access.
1. Start with endpoint security and manage by Zero Trust
Once a hacker controls an endpoint that can reach your network, the next step is to deploy ransomware, so the endpoint is where the defense has to start.
In a world of cloud computing and remote work, it can be impossible to tell whether the person requesting access is authorized without several layers of verification. Multi-factor authentication (MFA) must be required for every account and device that connects to your network, and access should be governed by a Zero Trust policy.
A network built on Zero Trust architecture grants no implicit trust to any user or device, even one already inside the network perimeter: every request is authenticated and authorized against policy. Zero Trust tooling also monitors activity on your network, and any action that falls outside the expected pattern is flagged as a possible threat.
If a hacker breaks through your first line of defense, a robust and properly configured Zero Trust environment limits how far they can move within your network, reducing the damage they can inflict and making it much easier to contain them.
2. Patch and update. Then, patch and update again.
Hackers scan for and exploit vulnerabilities with incredible speed because they know vendors are hot on their tracks, releasing patches in response to exploitation or preempting it. Their window is the gap between a patch being available and you installing it.
Network managers are, by training and experience, hesitant to install the latest firmware upgrade or patch. A patch is a software change that may affect how everything on the network works together, and a patch installed on a Friday afternoon is the one most likely to cause a glitch that takes systems down over the weekend with nobody watching. To avoid this, build a test environment that mirrors production, run every patch there first, and then roll it out in a scheduled maintenance window.
A neglected network is vulnerable, and even one missed update can open the floodgates to a system-wide attack. Regular updates are one of the most basic, foundational ways to maintain security. Automation that routinely pushes updates to your OS, applications, and firmware as they are released, once they have cleared your test environment, should be part of the network design and implementation.
3. Segment your network
Network segmentation is critical for breach mitigation. Divide your network into partitions according to business needs and see that each one has its own credential requirements for access. A partitioned network, combined with Zero Trust architecture, builds an environment that makes moving laterally within the system extremely challenging and simplifies isolating threats.
Placing firewalls, hardware or software, between network segments creates a chokepoint that all traffic must pass through to move between partitions. Configure them to deny by default, permit only the flows the business actually needs, and log what they drop; the denied traffic is often the first sign of an intruder probing for a path onward.
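The point of segmentation is that a compromised workstation should have no chain of permitted flows that ends at your backups or your crown jewels. The following is an added example, not NetworkTigers' code or tooling: it models a segmentation policy as a list of allowed flows between segments (the segment names, ports and flows are constructed for illustration) and searches for lateral-movement paths the way an attacker would, treating every allowed flow as a potential pivot. The "hardened" policy swaps the push-to-backup flow for a pull model so that nothing reachable from workstations can talk to the backup segment.

```python
"""Check a network segmentation policy for lateral-movement paths.

Added example, not NetworkTigers' code. Segment names, ports and flows are
assumptions constructed for illustration.
"""
from collections import deque

SEGMENTS = {"workstations", "app", "db", "admin", "backup"}

# Constructed policy: (source segment, destination segment, port).
# Everything not listed is dropped by the firewall between segments.
ALLOWED_FLOWS = [
    ("workstations", "app", 443),
    ("app", "db", 5432),
    ("admin", "app", 22),
    ("admin", "db", 22),
    ("admin", "backup", 22),
    ("app", "backup", 873),     # app servers push backups to the backup segment
]

# Same policy, but the backup server pulls from app instead of app pushing.
HARDENED_FLOWS = [f for f in ALLOWED_FLOWS if f != ("app", "backup", 873)]
HARDENED_FLOWS.append(("backup", "app", 873))


def adjacency(flows):
    """Directed graph: segment -> segments it may initiate connections to."""
    graph = {s: set() for s in SEGMENTS}
    for src, dst, _port in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def lateral_path(start, target, flows):
    """Shortest chain of allowed flows from start to target, or None.

    Assumes (pessimistically) that any allowed flow can be abused to
    compromise its destination, which is how a pentester would treat it.
    """
    graph = adjacency(flows)
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in graph[cur]:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def reachable_from(start, flows):
    """Every segment an attacker starting in `start` could pivot into."""
    return {s for s in adjacency(flows) if s != start and lateral_path(start, s, flows)}


def check_policy(flows, untrusted=("workstations",), protected=("backup",)):
    """Findings as (untrusted segment, protected segment, path); empty = pass."""
    findings = []
    for u in untrusted:
        for p in protected:
            path = lateral_path(u, p, flows)
            if path:
                findings.append((u, p, path))
    return findings


if __name__ == "__main__":
    for label, flows in (("original", ALLOWED_FLOWS), ("hardened", HARDENED_FLOWS)):
        print(label, "reachable from workstations:", sorted(reachable_from("workstations", flows)))
        for u, p, path in check_policy(flows):
            print(f"  FINDING: {u} can reach {p} via {' -> '.join(path)}")
```

Run it against your real rule base (export the inter-segment allow rules into the same tuple form) and add every segment that holds backups, domain controllers or hypervisor management to `protected`; a non-empty finding list is a path the firewall in between is not actually blocking.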
4. Develop a ransomware attack response plan
Create a well-defined plan that can be implemented swiftly in the event of a ransomware attack. Ensure that administrators and other employees know their role in a cybercrime situation. Run drills to ensure your process works efficiently and can be executed comfortably. A cyberattack that throws an organization into panic and chaos plays into the hands of the hackers.
5. Back up everything: data, code, scripts, config files, firmware, etc.
If a ransomware attacker sneaks through your defenses, you can minimize the disruption to your operations by maintaining backups of your data, network management scripts, config files, latest firmware versions, etc. Having everything backed up changes the power dynamic. You won’t need to pay up if you can wipe and restore your system on your own.
Security experts have long recommended the “3-2-1 backup strategy.” Simply put, this technique requires you to keep three copies of your data on two different kinds of storage media, with one copy held offsite.
Hackers, however, are familiar with this strategy and routinely hunt for backup data as part of their attack, deleting or encrypting it before they trigger the ransomware. As a result, 3-2-1 on its own is no longer enough, and administrators have moved to deeper backup structures with more redundancy: copies in multiple offsite locations and with cloud providers, plus at least one copy that is offline or immutable so that no credential stolen from the production network can reach it (sometimes written as 3-2-1-1-0, the extra 1 being the offline copy and the 0 being zero errors on a verified test restore).
No matter which plan you choose, the core tenets of 3-2-1 remain the same: back up your data in multiple ways, keep at least one copy disconnected from your primary network, and prove regularly that you can restore from it.
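A backup set is only as good as the last time someone checked it. The following is an added example, not NetworkTigers' code or a product of theirs: it takes an inventory of backup copies (the media labels, locations and sample files are constructed assumptions) and checks the 3-2-1 rules plus the offline-copy requirement, then verifies every copy file-by-file against a SHA-256 manifest of the source so that a copy ransomware has silently encrypted shows up as a content mismatch rather than being discovered during the restore.

```python
"""Verify a backup set against 3-2-1 (plus an offline copy) and check integrity.

Added example, not NetworkTigers' code. The copy layout, media labels and
sample files are assumptions constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    path: str       # directory holding this copy
    media: str      # e.g. "disk", "tape", "object-storage"
    offsite: bool
    offline: bool   # detached or immutable: not writable from the production network


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(directory):
    """Map relative file path -> SHA-256 for every file under directory."""
    out = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            out[os.path.relpath(full, directory)] = sha256_of(full)
    return out


def check_backup_set(source_dir, copies):
    """Return a list of problems; an empty list means the set passes."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies are on the same media type")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    if not any(c.offline for c in copies):
        problems.append("no offline/immutable copy (ransomware can reach every copy)")
    expected = manifest(source_dir)
    for c in copies:
        actual = manifest(c.path)
        missing = sorted(set(expected) - set(actual))
        changed = sorted(f for f in expected if f in actual and actual[f] != expected[f])
        if missing:
            problems.append(f"{c.name}: missing {missing}")
        if changed:
            problems.append(f"{c.name}: content differs for {changed}")
    return problems


def build_demo():
    """Constructed scenario: three copies, the online NAS copy tampered with."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "source")
    os.makedirs(src)
    with open(os.path.join(src, "config.yaml"), "w") as f:
        f.write("listen: 0.0.0.0:443\n")
    with open(os.path.join(src, "switch01.cfg"), "w") as f:
        f.write("hostname switch01\n")
    copies = []
    for name, media, offsite, offline in [
        ("nas", "disk", False, False),
        ("tape", "tape", True, True),
        ("cloud", "object-storage", True, False),
    ]:
        dst = os.path.join(base, name)
        shutil.copytree(src, dst)
        copies.append(BackupCopy(name, dst, media, offsite, offline))
    # Simulate ransomware reaching the always-mounted NAS copy: overwrite a file.
    with open(os.path.join(base, "nas", "config.yaml"), "wb") as f:
        f.write(os.urandom(64))
    return check_backup_set(src, copies)


if __name__ == "__main__":
    for problem in build_demo() or ["backup set passes"]:
        print(problem)
```

In production the manifest of the source should be computed at backup time and stored with the offline copy (not beside the live data, where an attacker can regenerate it), and the check should run from a host that is not joined to the production domain.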
How to respond to a ransomware attack
If a hacker breaches your network and deploys ransomware, there is still the possibility that the attack can be stymied before it becomes catastrophic. If nefarious activity is detected, the following measures should be enacted immediately to prevent further damage.
1. Isolate affected systems or segments
Once a ransomware attack has been detected, the affected systems must be isolated from the network immediately. If the attack has spread to multiple systems, take the entire network offline. If that drastic step is impossible, unplug every affected device from the network or disable its Wi-Fi, and detach the virtual network adapter of any affected VM.
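Detecting the attack early enough to isolate anything depends on noticing the behaviour ransomware cannot avoid: one process rewriting large numbers of files with a new extension in a short time. This is the kind of "out of the ordinary" activity the Zero Trust monitoring described earlier should flag. The following is an added example, not NetworkTigers' code or a product of theirs: it runs that check over file-activity events (the log format, hostnames, process names, extensions and thresholds are constructed assumptions; a real EDR or file-audit feed would need its own parser) and turns the alerts into the list of hosts to pull off the network.

```python
"""Flag hosts showing mass-encryption behaviour in file-activity events.

Added example, not NetworkTigers' code. The log format, hostnames, process
names, extensions and thresholds are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(seconds=60)   # renames are counted inside a one-minute window
THRESHOLD = 20                   # this many extension changes by one process -> alert


def parse(line):
    """One event as a dict, or None for lines that do not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
    return ev


def extension_changed(src, dst):
    """True when a rename yields a new extension (q1.xlsx -> q1.xlsx.locked)."""
    if dst is None:
        return False
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {host: {(pid, proc): total extension changes}} for offenders."""
    per_proc = defaultdict(list)   # (host, pid, proc) -> timestamps of changes
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] != "rename":
            continue
        if extension_changed(ev["src"], ev["dst"]):
            per_proc[(ev["host"], ev["pid"], ev["proc"])].append(ev["ts"])
    alerts = defaultdict(dict)
    for (host, pid, proc), times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):       # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host][(pid, proc)] = len(times)
                break
    return dict(alerts)


def isolation_plan(alerts):
    """Hosts to disconnect first, in a stable order."""
    return sorted(alerts)


def _constructed_sample():
    """Constructed events: one encrypting process, one ordinary editor."""
    base = datetime(2024, 5, 3, 10, 15, 0)
    lines = []
    for i in range(25):   # 25 extension changes in 48 seconds on ws-17
        t = (base + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        lines.append(f"{t} host=ws-17 pid=4412 proc=updater.exe op=rename "
                     f"src=C:/Users/a/Documents/f{i}.xlsx dst=C:/Users/a/Documents/f{i}.xlsx.locked")
    for i in range(5):    # editor saves on fs-02: .tmp -> .docx, far below threshold
        t = (base + timedelta(seconds=10 * i)).strftime(TS_FORMAT)
        lines.append(f"{t} host=fs-02 pid=880 proc=WINWORD.EXE op=rename "
                     f"src=D:/shares/draft{i}.tmp dst=D:/shares/draft{i}.docx")
    lines.append(f"{base.strftime(TS_FORMAT)} host=fs-02 pid=880 proc=WINWORD.EXE "
                 f"op=create src=D:/shares/notes.txt")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    found = detect(SAMPLE_LINES)
    for host, procs in found.items():
        for (pid, proc), n in procs.items():
            print(f"ALERT {host}: {proc} (pid {pid}) changed {n} file extensions")
    print("isolate:", isolation_plan(found))
```

Tune the threshold against a week of your own file-server telemetry before wiring the output to anything that disconnects a host automatically; backup agents and bulk document converters legitimately rename many files, and they should be allow-listed by process and path rather than by raising the threshold for everyone.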
2. Discretion: loose lips sink ships
During this period, it is common for attackers who still have access to your email or chat systems to read them and gauge whether, or to what degree, they have been noticed. Because of this, all communications regarding the attack should take place through out-of-band channels such as personal phones or a separate messaging service that never touches the compromised network.
If the attackers are privy to the mitigations you are deploying, they can act strategically to stay ahead of you and maintain their presence within your system by moving laterally, wiping evidence, or deploying more instances of malware.
If an impacted device cannot be disconnected from the network by any means, power it down as a last resort. Prefer disconnecting to powering off: a shutdown destroys volatile memory, which forensic analysts need and which occasionally still holds the encryption key.
3. Involve authorities: make the call
Reporting the event to the authorities (in the US, the FBI through IC3, or CISA) is advised, and is required by law for some sectors and incident types. Law enforcement may be able to identify the party responsible for the attack, and details collected about the breach are shared between federal agencies to further assist in the public’s battle against cybercrime.
4. Do not pay the ransomware attackers
Paying to make the problem go away is an enticing prospect for those who assume it will be a simple matter, but this is rarely the case.
Paying an attacker carries no guarantee that they will deliver on their end of the bargain. Even if they do restore your access, the decryptor may be slow or buggy and some data may come back corrupted, and the data has very likely already been exfiltrated for a follow-up extortion demand or sale on the dark web.
Additionally, there is an ongoing debate about the legality of paying off criminals. In the US, paying a ransom is not itself a crime, but the Treasury’s Office of Foreign Assets Control (OFAC) has warned that payments to sanctioned individuals or groups can violate sanctions law whether or not the payer knew who was on the other end, and funds sent to groups operating from countries antagonistic towards the US may finance further cybercrime.
5. Recover with backups. Preserve infected systems for forensics
Restore your network in priority order, with critical devices and systems first. If you have maintained robust backups, wiping affected systems completely and restoring from a backup taken before the intrusion returns them to their pre-attack state. Check the date of the backup against the earliest sign of compromise: a backup taken after the attackers got in may carry their tooling and persistence back with it.
Conduct a thorough forensic analysis of the attack with the assistance of a third-party security firm. Capture disk images and, for systems still running, memory before you wipe or rebuild anything. Identify how the attack took place and what new measures need to be put into service to prevent any further intrusions.