Cybersecurity News - August 2021

Ransomware: understanding and managing the imminent threat

A primary threat to any and all businesses and agencies is ransomware.

How it works

Typically, ransomware infects a system through phishing emails, attachments, and/or links. Prior to each attack, the cybercriminal analyzes the network and assets to identify weaknesses, assess traps, and determine whether the organization is worth attacking.

The ransomware malware attack encrypts data in the system or blocks access to it. Then, the criminal demands a ransom to decrypt the files.

Ransomware Categories

There are two types of ransomware and two tactics related to ransomware.

Crypto ransomware: Encrypts the most valuable files and prevents access until demands are met and the cybercriminals provide the data key. Without the key, the data cannot be recovered.

Locker ransomware: Locks an organization out of all systems until demands are met.

Scareware: Manipulates users into unfavorable actions like downloading and buying malicious software. It can be used to distribute ransomware and also fake law enforcement agency notifications.

Leakware (a.k.a., Doxware): Steals data and threatens to make it public until demands are met.

An ever-changing threat

Ransomware attacks are evolving continuously, which is part of what makes ransomware a powerful threat. For example, now that organizations often choose to recover data from backups rather than pay ransoms, many attackers employ a double-extortion strategy. They both encrypt files and prevent access, and also steal and threaten to make information public.

New variants surface routinely, but they typically rely on similar tactics.

Ransomware-as-a-Service (RaaS)

Developers employ the RaaS subscription business model that enables affiliates to deploy already developed ransomware attacks.

This drops the barrier to entry because the extensive coding knowledge previously required is no longer needed—anyone who meets the affiliate membership requirements can pursue victims. Affiliates receive high dividends for successful ransom payments with an elevated chance of success, and a low chance of discovery. RaaS adoption is on the rise, resulting in more targets.

Ransomware alerts, resources, and response guidance

The U.S. Government launched StopRansomware.gov to help public and private organizations defend against the rise in ransomware cases. The site provides threat information and guidance in order to mitigate the risks. It also provides a Ransomware Response checklist.

DarkSide ransomware

DarkSide is ransomware-as-a-service (RaaS) that enables the ransomware developers to receive a share of the proceeds from the cybercriminal actors who deploy it (i.e., affiliates). Since August 2020, DarkSide actors have targeted large, high-revenue organizations, resulting in the encryption and theft of sensitive data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Federal Bureau of Investigation (FBI) provide DarkSide technical details and risk mitigations in their joint Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.

Defending against attacks

Develop a layered security posture to defend against ransomware.

• Maintain security awareness. Develop campaigns to remind employees of best practices (e.g., avoid clicking on unknown sender links and attachments).
• Set Group Policy Objects (GPOs) rules. GPOs control the execution of files on endpoints. Examples: block file execution from specific directories, disable attachment- based file executions, restrict control panel access.
• Provide multi-layered protection on endpoints. Layer protection that can include antivirus software, firewalls, endpoint detection and response (EDR), and an endpoint protection platform (EPP).
• Back up data. Separate backups from the system so that they are not affected as part of a ransomware attack. Consider all options because each comes with a degree of risk.
• Restrict administration rights on endpoints. Reduce user privileges to decrease the attack surface. As ransomware and security technologies advance, revisit the strong defense with maintenance and improvements.

Customized, measurable security awareness programs support a cybersecure culture

Enterprise security awareness programs typically train all employees the same way using phishing simulation exercises and online learning modules. They are not provided frequently enough to remain top of mind for employees and do not target the needs of at-risk users.

Take steps to implement a behavior-based, individual approach to effectively teach the correct conducts and establish a trackable, cyber-risk savvy culture:

• Take advantage of data, including each employee’s role, risk profile, and awareness level to personalize content.
• Include guidance on phishing, peer-to-peer software, personal cloud storage, public Wi-Fi, risky apps, and visiting compromised websites.
• Track and measure metrics (e.g., phishing and malware rates, two-factor authentication and password manager usage) to monitor employee behavior changes.

Embedding security in operations

As operations move from analog to digital, organizations need to productize security. This means that security is not driven by just the CISO and CIO, but engrained in the operational roadmap and planning and lifecycle management. Security convergence needs to occur for IT, operational technology, and physical security.

For suppliers, risk management goes beyond securing data and IT infrastructure to also include product security. Vendor risk policies need to be updated as supplier products and services become digital.

Instead of taking a static security approach, prioritize incorporating new security solutions to meet the demands of evolving threats.