The battle against ransomware: Lessons from the front lines
Ransomware is arguably the most significant cybercrime innovation in recent history. The ransomware business model is so effective that it is now the most common and devastating threat to organizations of all sizes. As a provider of cyber insurance, we have the misfortune of responding to ransomware attacks across tens of thousands of organizations, and the trends are worrying.
Ransomware attacks made up the largest source of cyber insurance claims for many insurers in both 2018 and 2019, with reported growth rates in excess of 100% year-over-year. All told, ransomware claims cost insurers hundreds of millions of dollars, and would have totaled into the billions if not for the low adoption of cyber insurance policies. Instead, those costs are often shouldered by individual companies that are the unfortunate victims of ransomware.
Perhaps more worrying is that as ransomware attacks become more frequent, they have also become more severe. At Coalition, we’ve seen extortion demands jump from an average of less than $10,000 across earlier strains of ransomware including SamSam and Dharma, to over $100,000 in 2019 with the introduction of Bitpaymer and Ryuk, and higher still alongside newer variants such as Sodinokobi. The highest demand witnessed year-to-date totaled over $6 million.
Ransomware infections are so disruptive that, even with insurance, the only true cure is to never catch it in the first place. It is for this reason we offer our lessons from the front lines, so that CISOs and security professionals can take steps to avoid a similar fate for their own organizations – and contain loss should the worst come to pass.
Lesson 1: Avoid criminal targeting
In an analysis of our claims data, we discovered that organizations were almost never targeted for who they are — they were targets of opportunity, not targets of choice.
The two most common opportunities to attack organizations are through phishing and remote network access points, among which the most commonly targeted is Microsoft Remote Desktop Protocol (RDP). Any organization that operates RDP on the public Internet, whether on its standard port (3389) or an alternative one, can be assured they are now the target of a criminal hacking group. The easiest way to avoid becoming a target of opportunity is to avoid using RDP entirely. If that’s not possible, we recommend that remote access be limited to only the required IP addresses, and paired with other protective measures (such as a VPN and multi-factor authentication).
By denying attackers visible points of remote entry on the Internet, or by upsetting the progression of a successful phishing campaign, organizations can reduce their risk dramatically. Although the majority of ransomware campaigns were observed to target Windows environments, there were also successful attacks against Linux environments.
Lesson 2: Disrupt the kill chain
Ransomware attacks are “noisy”: once the ransomware runs, files become inaccessible, often with a new appended file extension, and a ransomware note is often found in a text or HTML file alongside the encrypted files. In some cases, the attackers will lock the bootloader itself. To prevent a ransomware attack, you need to be able to spot the precursors quickly, before the ransomware is deployed.
Phishing is one such precursor, and one of the most frequently observed techniques for initiating ransomware attacks. Phishing emails generally included a macro-enabled attachment or link labeled as an invoice, voicemail, or unpaid bill with a .doc, .docx, .xml, or .pdf file extension. When opened, and provided the user enables macros, the malware uses the VBA AutoOpen macro for executions and the file loader uses the WebClient.DownloadFile method to install a banking trojan such as Emotet or Trickbot. While these banking trojans were traditionally used to harvest user credentials, they are now also frequently used as malware loaders for ransomware.
If you spot a phishing attempt, a user enabling macros, or an Emotet or Trickbot infection, ransomware is likely to follow. Fortunately, there is also a window of opportunity to disrupt a ransomware attack. The time between infection and ransomware has been observed to be between 30 minutes and 1 year, with an average hang-time of 30 days.
Lesson 3: Prevent attacks from happening in the first place
The best way to prevent a ransomware attack is to eliminate remote access and administration interfaces that are connected to the primary network environment. If you must use these services, ensure that any such interface is secured with multi-factor authentication, that access to it is limited to specific external IP addresses, and that it’s on a separate network segment to further isolate systems with critical data. We also encourage all organizations to implement anti-phishing solutions and regularly train employees to spot and report phishing attempts.
Basic hygiene remains important as well. Regularly patch systems and software, do not give local administrator access to employees that do not require it, and regularly audit domain users and disable any inactive accounts.
Domain Administrators should consider using Group Policy to prevent users from enabling Excel and Word macros by setting registry keys as follows:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings to “data:2” to disable macros with a notification to the user
It is important to change this setting for both Excel and Word in the GPO Registry Policy.
Incidentally, searching system registries also offers another opportunity for CISOs and network admins to disrupt the kill chain. Any system with the above value set to “1” for Microsoft Word or Excel may already signal an active compromise, and network admins should consider investigating that system.
Lesson 4: Back it up
The best way to recover from a ransomware attack is by having good backups. However, not all backup methods are created equal. We regularly observe attackers navigating to an organization’s backup files and corrupting or deleting them to improve the likelihood of an organization paying the ransom.
We recommend using offline backups, so that critical data is stored separately from the primary network. Cloud backups with a username and password combination not associated with an organization’s domain are another alternative. Our claims data suggests that onsite software backups are, by far, the least effective. Attackers are familiar with many of onsite backups methods and know exactly how to corrupt or delete backups made through them.
Lesson 5: Do everything to avoid needing Lesson 5
If you find yourself the victim of ransomware, with no means to recover data and facing existential loss, you may have no choice other than to negotiate with an attacker. Whatever you decide to do, bring in a dispassionate, expert third-party. If you carry cyber insurance, these resources are generally available as part of your insurance policy.
Involving a team who specializes in ransomware response can be the difference between getting your organization up and running again and forever losing everything. Having familiarity with attackers and their tools, tactics, and procedures is critical. We’ve witnessed organizations take matters into their own hands, then allow anger to shut down negotiations or fail to understand the depth of the attacker’s knowledge (e.g., they pretended to be unable to afford a ransom when the attackers already had access to the organization’s financial statements).
In any interaction with attackers it is important to get straight to the point, use simple language that is more likely to be accurately translated using online translators, be kind (do not beg), use language to minimize your size (I/me and not us/we), and be responsive. Negotiation is possible, but it’s an art.