Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/1/2017
01:30 PM
Jeff Schilling
Jeff Schilling
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Best Practices for Lowering Ransomware Risk

The first step is to avoid falling prey in the first place. That means teaching your entire organization - from IT staff to executive management - how not to be a victim.

In recent months, ransomware campaign activity has increased exponentially. Over 27,000 incidents surged on the scene in early 2017 when a commonly misconfigured setting on open source database called MongoDB made hundreds of thousands of databases vulnerable to ransom. Threat actors logged on to victims' databases, backed up data offsite, deleted it, and offered to return it for .2 Bitcoins, which translates to $200. 

While this might seem like a minuscule amount, there is logic behind it. If too much is asked, the propensity to pay declines. Plus, the volume of the attack yields serious dividends. Regardless, for those afflicted, losing access to important information to operate a business is extremely disconcerting, creating desperation and making them prone to pay up.

The Mechanics
There are two primary vectors into a commercial IT environment. The first is to assume remote access to a user's computer and traverse the network until administrator credentials to databases and data stores are gained. This is accomplished by sending an employee a phishing email that entices them to open an attachment or visit a compromised website that loads malicious code on their computer terminal. Once the computer is compromised, threat actors scan the environment and try to find a computer terminal used to access network data. After a foothold on an administrator’s computer is established, they can remotely encrypt or wipe data and then issue ransom demands. 

The second method is more of a frontal assault on the database servers. Most companies have public-facing websites and, as a result, threat actors will find a server with a vulnerable application, then exploit it to get a foothold in the data center. If an IT staff has not properly separated public-facing websites from database servers and file shares -  a common mistake with small staffs -  a threat actor can use that access to pursue the database. While this vector requires more sophistication, ransomware actors are increasingly pivoting in this direction, implying that more skilled actors are getting into the game.

The Response
With all of these new techniques in play, what can security teams do to mitigate the threat? The good news is that your IT staff is probably already doing many of the things needed to protect your environment. Here are a few best practices to help lower the risk further:

User Vector:

  • Establish a third-party user education program on how to identify a phishing email.
  • Shut down the ability for user terminals to share resources peer-to-peer.
  • Implement a back-up strategy for personal data on external drives or virtual drives.
  • Install a reputable antivirus program that will block a majority of known ransomware attacks.

Website Vector:

  • Never host an external-facing server on the same hardware as a database or data store.
  • Ensure proper segmentation between web servers and database servers. 
  • Track vulnerability patch status of critical data servers and file shares.
  • Make sure IT staff has a data back-up strategy for databases and file shares,
  • Consider using secure third-party cloud or virtualized services for critical data storage and files shares offsite.

Advanced Planning & Outside Resources:

  • Have an incident response plan in place before an incident occurs. Having a plan in place allows for the immediate documentation all of the possible decisions and communication plans that need to be applied under the pressure of a real-life incident. 
  • Visit the NoMoreRansom.org website to seek assistance. This non-profit website is a partnership between antivirus vendors, international law enforcement, and cybersecurity threat researchers. This resource has helped thousands of victims decrypt data, complete with recommendations for what to do in the event of an attack. 
  • Pay or not pay? A final consideration that enters the mind of many is whether or not to pay the ransom. The majority experts’ view is consistent with those of the Federal Bureau of Investigation – do not pay. However, this is an easy decision for third-parties to make because it is someone else’s data being ransomed. 

At the end of the day, the decision will come down to the impact of the attack on your company's business. While ransomware actors in many cases return the data as promised, they may leave backdoors to return for more money, time and time again, or may not return data at all.

These present very unattractive options, so it is best to avoid falling prey in the first place. To be successful, advance preparation and applying proven best practices will be the most effective way to avoid a ransomware scenario completely. Having an entire organization aligned on how to avoid being a victim, from the IT staff to executive management, is essential to maintain the sanctity of data.

Related Content:

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
3/8/2017 | 4:57:17 AM
Re: 192.168.l.l
Great article! It was nice to read this information. Thanks
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.