Ransomware is a type of malware attack that blocks access to important files or your device until a ransom is paid. A ransomware attack is usually conducted through social engineering, such as a phishing attack, that convinces the victim to click on a malicious attachment in an email. The malicious attachment then downloads the ransomware on the device and encrypts the victim’s files.
CrowdStrike has written about a number of very effective security controls and practices that you can put in place to drastically reduce your risk of a ransomware infection.
Ransomware Protection – Tips to Prevent Ransomware Attacks
The following tips are supported by what the CrowdStrike has found to successfully prevent and combat ransomware:
- Practice Good IT Hygiene
- Improve Resiliency of Internet Facing Applications
- Implement and Enhance Email Security
- Harden Endpoints
- Ransomware-Proof Data with Offline Backups
- Restrict Access to Virtualization Management Infrastructure
- Implement an Identity and Access Management (IAM) Program
- Develop and Pressure-Test an Incident Response Plan
- Know When to Ask for Help
Tip #1. Practice Good IT Hygiene
Minimizing the attack surface is critical for every organization — it’s crucial that you gain visibility into every endpoint and workload running in your environment and then keep any vulnerable attack surfaces updated and protected.
IT hygiene’s primary benefit is to give you complete network transparency. This perspective provides a bird’s eye view, as well as the power to drill down and proactively clean out your environment. Once you achieve this level of transparency, the understanding of “who, what and where” that IT hygiene provides has tremendous benefits for your organization.
Tip #2. Improve Resiliency of Internet-facing Applications
CrowdStrike has observed eCrime threat actors exploiting single-factor authentication and unpatched internet-facing applications. BOSS SPIDER, one of the initial big game hunting (BGH) ransomware threat actors, routinely targeted systems with Remote Desktop Protocol (RDP) accessible from the internet. Less sophisticated threat actors operating ransomware variants such as Dharma, Phobos and GlobeImposter frequently gain access through RDP brute-force attacks.
Tip #3. Implement and Enhance Email Security
Gaining an initial foothold into a victim organization through a phishing email is the most common tactic for BGH ransomware groups. Typically, these suspicious emails contain a malicious link or URL that delivers the ransomware payload to the recipient’s workstation.
Tip #4. Harden Endpoints
Throughout an attack lifecycle that ultimately culminates in a ransomware deployment, threat actors will often leverage a number of endpoint exploitation techniques. These exploitation techniques vary from exploiting poor AD configurations to leveraging publicly available exploits against unpatched systems or applications.
The list below includes some key system-hardening actions for defenders to implement. It is important to note this is not an exhaustive list, and system hardening should be an iterative process.
- Ensure full coverage across all endpoints on your network for endpoint security products, and for the endpoint detection and protection (EDR) platform. Each endpoint security platform should have strict anti-tampering protections and alerting in place if and when a sensor goes offline or gets uninstalled.
- Develop a vulnerability and patch management program. Doing so will ensure that all endpoint applications and operating systems are kept up-to-date. Ransomware actors leverage endpoint vulnerabilities for many purposes, including but not limited to privilege escalation and lateral movement. Existing Falcon customers can leverage CrowdStrike Falcon Spotlight™ vulnerability management for a near real-time way to understand exposure to a particular vulnerability across the environment, without the need to deploy additional agents and security tools.
- Follow Active Directory security best practices. Based on some of the most common AD downfalls observed by CrowdStrike Services during ransomware engagements, we recommend these steps:
- Avoid easy-to-guess passwords with weak authentication methods.
- Avoid having regular domain users with local administrator privileges, and local administrator accounts with the same passwords across the entire enterprise or large portions of the enterprise.
- Limit workstation-to-workstation communication. While this can be achieved using group policy objects (GPOs), it can be also achieved through a number of micro-segmentation software options.
- Avoid sharing privileged credentials. Poor security practices include shared administrative accounts and using administrator accounts for personal or day-to-day business activity that does not require administrator privileges.
- Note that the first two points above can be accomplished using AD with little to no additional costs. At an additional cost, a privileged access management (PAM) solution can provide a much more scalable and robust solution to the same problem and is discussed more later in this blog post.
Tip #5. Ransomware-proof Data with Offline Backups
In recent years, and since the emergence of ransomware as a top method of monetizing attacks, the developers behind malicious code have become very effective at ensuring victims and security researchers cannot decrypt affected data without paying the ransom for the decryption key. Further, when developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment.
For these reasons, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies. The following points should be considered when developing a ransomware-proof offline backup infrastructure:
- Offline backups, as well as the indexes (describing which volumes contain which data) should be completely separate from the rest of the infrastructure.
- Access to such networks should be controlled via strict access control lists (ACLs), and all authentications should be performed using multifactor authentication (MFA).
- Administrators with access to both offline and online infrastructures should avoid reusing account passwords and use a jump box when accessing the offline backup infrastructure.
- Cloud storage services, with strict ACLs and rules, can also serve as offline backup infrastructure.
- Emergency situations such as a ransomware attack should be the only time the offline infrastructure is allowed a connection to the live network.
Tip #6. Restrict Access to Virtualization Management Infrastructure
As mentioned earlier, threat actors engaged in big game hunting ransomware campaigns are continuously innovating to increase the effectiveness of their attacks. The most recent such development includes the ability to attack virtualized infrastructure directly. This approach allows for targeting of hypervisors that deploy and store virtual machines (VMDK). As a result, the endpoint security products installed on the virtualized machines are blind to malicious actions taken on the hypervisor.
Tip #7. Implement a Robust Identity Protection Program
Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Azure AD). Ascertain gaps, and analyze behavior and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement, and implement risk-based conditional access to detect and stop ransomware threats.
Tip #8. Develop and Pressure-test an Incident Response Plan
Organizations sometimes become aware of threat actor activity within their environment, but they lack the visibility to address the problem or the right intelligence to understand the nature of the threat. Recognizing the threat and responding quickly and effectively can be the difference between a major incident and a near miss.
Incident response plans and playbooks help facilitate that speedy decision making. Plans should cover all parts of the response effort, across the organization. For the security team, they should provide aids to decision-making so that front-line responders don’t overlook important details while triaging alerts. They should also outline the extent of the security team’s authority to take decisive actions — such as shutting down business-essential services — if a ransomware attack appears imminent.
Tip #9. Know When to Ask for Help
In the event that you believe your organization may be impacted by ransomware, calling in experts to help investigate, understand and improve the situation can make the difference between a minor incident and a major breach. In some instances, organizations become aware of threat actor activity within their environment but may lack the visibility to address the problem or the right intelligence to understand the nature of the threat. Getting educated about the latest threats and seeking help by activating an incident response team or retainer, such as those offered by CrowdStrike Services, may allow for detection and remediation before the threat actor is able to deploy ransomware or exfiltrate data from the environment.
It’s better yet to seek out expert assistance before you truly need it. A technical assessment can help you to proactively identify and understand factors about your organization’s network that could make future ransomware incidents more or less likely. It may take different forms, depending on your current needs and security maturity. For instance, if you experience an intrusion that was confined to a specific network segment or specific business unit, an enterprise-wide compromise assessment can give confidence that the attacker did not move into parts of the environment that were beyond the scope of the initial investigation. Alternatively, an IT hygiene assessment can identify weak passwords, Active Directory configurations or missed patches that could open the door to the next attacker.