How to protect your organization from ransomware attacks

One thing that all CIOs have had on their minds for the last couple of years is whether their infrastructure and services are safe from ransomware attacks. So far in 2021 we have seen a surge of ransomware attacks that have targeted even large enterprises such as Colonial Pipeline, which supplies 45% of the East Coast’s diesel, petrol and jet fuel and ended up paying 5 million to regain access to its data. The latest statistics show that there is a ransomware attack every 11 seconds, with attackers using different attack vectors to try to gain access. So how can we protect ourselves, or at least reduce the risk, from these types of attacks?

Attack patterns

First of all, it’s important to understand how most ransomware attacks are carried out. Until recently, most ransomware focused on gaining access, encrypting the data and demanding a ransom. However, at the end of 2020, certain ransomware groups changed their strategy to triple extortion. This means that not only is your data encrypted and exfiltrated, but if you do not respond to the original ransom demand, the attackers may also launch a DDoS attack against your services.

So, what kind of attack patterns do we see most commonly? In most cases only a few attack vectors are used for initial access, but they are often used in combination to gain access as quickly as possible.

Most ransomware is aimed at infecting Windows-based environments running Active Directory. Attackers usually start by gaining access to a compromised endpoint, or directly to the infrastructure through brute force or vulnerable external services. There has, however, also been an increase in attacks aimed at other operating systems and environments.

Usually, once a computer or server is compromised, the attackers disable security and backup services, clear event logs, and use scripts and other tools to perform reconnaissance of the local network. They also attempt to capture the credentials associated with the local computer, using tools such as Mimikatz to dump the local user database and to find other local secrets that give further access to the infrastructure. In one example from one organization, the attackers gained access to an endpoint through a phishing attack, then used the Zerologon vulnerability to obtain full control of the Active Directory environment before deploying their executable to encrypt the data. All of this took under 5 hours from the initial compromise.
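The pre-encryption behaviours described above (security and backup services being stopped, event logs being cleared, a credential-dumping tool being launched) are exactly what a defender should alert on. The following is an added detection example, not code from the original article: it runs over a few constructed JSON-line event records and escalates any host showing two or more of those behaviours. The event IDs are the standard Windows ones (1102 audit log cleared, 7036 service state change, 4688 process creation); the service list and the log lines are assumptions constructed for the example.

```python
"""Flag hosts showing the ransomware pre-encryption pattern:
protected services stopped, audit log cleared, credential-dumping tool run.
The log lines below are constructed samples, not real telemetry."""
import json
from collections import defaultdict

# Assumed list of services a defender expects to stay running; extend per environment.
PROTECTED_SERVICES = {"windefend", "sense", "veeambackupsvc", "vss", "wbengine"}
# Tool named on the page; matched against the process image path.
CRED_DUMP_TOOLS = ("mimikatz",)

SAMPLE_LOG = r"""
{"host": "ws01", "time": "2021-06-01T09:02:11", "id": 7036, "service": "WinDefend", "state": "stopped"}
{"host": "ws01", "time": "2021-06-01T09:02:40", "id": 7036, "service": "VeeamBackupSvc", "state": "stopped"}
{"host": "ws01", "time": "2021-06-01T09:03:05", "id": 4688, "image": "C:\\Users\\bob\\mimikatz.exe", "user": "bob"}
{"host": "ws01", "time": "2021-06-01T09:04:30", "id": 1102, "user": "bob"}
{"host": "ws02", "time": "2021-06-01T09:10:00", "id": 7036, "service": "Spooler", "state": "stopped"}
{"host": "ws02", "time": "2021-06-01T09:11:00", "id": 4688, "image": "C:\\Windows\\System32\\notepad.exe", "user": "alice"}
"""


def classify(event):
    """Return a behaviour tag if the event matches one of the tracked patterns, else None."""
    eid = event.get("id")
    if eid == 1102:
        return "log_cleared"
    if (eid == 7036 and event.get("state") == "stopped"
            and event.get("service", "").lower() in PROTECTED_SERVICES):
        return "protected_service_stopped"
    if eid == 4688:
        image = event.get("image", "").lower()
        if any(tool in image for tool in CRED_DUMP_TOOLS):
            return "credential_dump_tool"
    return None


def score_hosts(log_text, threshold=2):
    """Group distinct behaviours per host; hosts at or above threshold are escalated."""
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        tag = classify(event)
        if tag:
            hits[event["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: escalate, observed {', '.join(tags)}")
```

Correlating several behaviours per host, rather than alerting on each one alone, keeps a single stopped service from paging the on-call engineer while still catching the sequence the article describes.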

Countermeasures

To implement countermeasures, we need to understand and protect the different attack surfaces and ensure that we have guard-rails in place between systems to prevent attackers from performing lateral movement. There should also be mechanisms in place to ensure visibility and an automatic response when an attack occurs. The main principles to reduce the risk of ransomware are:

Assume breach and how to secure yourself for future threats

Many of the techniques attackers use to distribute their ransomware are possible because of the way Active Directory is configured and has historically operated, with end users and devices being part of a large trust-based architecture. This means that once you are on the inside, the architecture itself grants you access and SSO to resources.

The way ahead, and the way to remove this risk, is to start looking into moving your endpoints to Azure Active Directory.

However, nothing guarantees 100% protection from attacks, and one thing that many CIOs and CISOs need to understand is that one day you will be attacked, so plan your security and governance as if you have already been hacked. Also, returning to the point that attackers now use data exfiltration as part of their extortion techniques, it’s important to start looking into DLP options to ensure that information and data are encrypted and therefore not accessible to attackers, even if they manage to get hold of the data.
