CIS Logo
tagline: Confidence in the Connected World

Ransomware Impacts and Defense Controls

ransomwareWhen data is the lifeblood of your organization, ransomware hits like a heart attack. Are you prepared? Ransomware is a type of malware that blocks access to or wipes a system, device, or file until a ransom is paid. Generally, this is done by encrypting the data (scrambling it) and requiring a decryption key to unlock it. This malware has been around for years as a tactic used by malicious actors. But it has exploded in the last few years. The cost of cybercrime, including ransomware, is expected to exceed $6 trillion annually by 2021 according to Cybersecurity Ventures. Not only is it expensive – it can lead to the loss of critical data and records.

A Look at Ransomware

Ransomware holds infected systems or files hostage until the victim pays the ransom demand, typically in the form of cryptocurrency (e.g., bitcoin) or gift cards. If the ransom is not paid, malicious actors may withhold decryption keys, permanently lock access to, or delete the files. Ransomware variants can target victims through suspicious emails, application vulnerabilities, and service exploits.

You’ve probably heard by now that you shouldn’t click links or open attachments from suspicious emails. This is good advice that all employees should follow. The attackers are getting smarter though. They utilize “social engineering,” wherein they claim to be someone or something else to trigger you to take action.

Ransomware takes advantage of vulnerabilities for common programs, such as Microsoft Word or Excel. Open Remote Desktop Protocol (RDP) and Server Message Block (SMB) ports are also exploited by ransomware variants. RDP is used for remote access to systems, while SMB is most commonly used for file sharing. It’s key for organizations to limit port access to authorized machines. One ransomware variant called WannaCry, for example, used the initial infection vector of an exposed vulnerable SMB port to spread through more than 230,000 computers in over 150 countries within a day.

Ransomware leverages these vulnerabilities to infect systems. Once ransomware is on the system, it will look to elevate its ability to access more of the network to spread the infection as far as it can go. This isn’t an instant process. In most cases, it requires three conditions: for the user to take an initial action, for the systems they’re using to have the vulnerability, and for access to the larger network to be available. This series of conditions is unfortunately fairly common as patching and access control across organizations can be challenging. Inadequate security authorization allows the ransomware to spread across workstations.

Arrow Security Primer: Ransomware

After the Infection Spreads

Once infected by ransomware, the choices an organization has are pretty slim: pay the ransom, restore from unencrypted backups, or wipe the network and start over. As many organizations require the data on their systems to operate, the last choice is often not ideal.

Good backups are incredibly important to thwart ransomware, but according to security firm Barkly, only 42% of ransomware infected organizations were able to restore from their back-ups. This is sometimes because the backups were incomplete, or they were left online and the ransomware variant specifically targeted the backups. It is imperative that all organizations have data recovery capabilities. CIS Control 10 provides guidance on this. Specifically, implement:

  • CIS Control 10.1: Ensure Regular Automated Backups
  • CIS Control 10.2: Perform Complete System Backups
  • CIS Control 10.4: Protect Backups
  • CIS Control 10.5: Ensure All Backups Have at Least One Offline Backup Destination

Paying the illegal ransom demand opens up other issues. It may lead to further targeting if cybercriminals learn that you will pay. It may be challenging for SLTT government organizations to procure and spend bitcoin (the preferred method of payment). Your organization also has to manage the legal issues with paying the ransom (such as the inadvertent support for illegal activities this effort funds). In the end, the keys you are provided are never guaranteed to work; and you’ll still have to address the malware on your systems.

Detection is Key

Once a system is infected with ransomware, it will download the encryption keys and begin locking a victim’s files. At this point advanced cybersecurity controls, such as Intrusion Detection Systems (IDS), can identify ransomware in its early stages and alert organizations to an impending disaster. For SLTT governments, Albert Network Monitoring is one cost-effective IDS solution. Albert helps identify ransomware infections in addition to malware, which may lead to ransomware.

In addition to having an IDS in place, it is important to implement several information security best practices. To protect against ransomware, your organization should take a  defense-in-depth approach to building a strategic security program. Rather than a “quick fix,” implement multiple layered defenses to succeed at defending against modern, sophisticated threats. Start with basic cyber hygiene such as the following CIS Sub-Controls from Version V7.1 Implementation Group 1:

  • Keep all systems patched. Effective patching requires:
    • Know what systems are on the network.
    • Implement:
      • CIS Control 1.4: Maintain Detailed Asset Inventory
    • Know what software is running on the network.
    • Implement:
      • CIS Control 2.1: Maintain Inventory of authorized Software.
      • CIS Control 2.2: Ensure software is supported by vendor
      • CIS Control 2.6: Address unapproved software
    • Patch your systems.
    • Implement:
      • CIS Control 3.4: Deploy Automated Operating System Patch Management Tools
      • CIS Control 3.5: Deploy Automated Software Patch Management Tools
  • Use anti-virus and anti-spam solutions.
    • Implement:
      • CIS Control 8.2: Ensure Anti-Malware Software and Signatures are Updated
  • Protect sensitive data.
    • Implement:
      • CIS Control 13.1: Maintain an Inventory of Sensitive Information
      • CIS Control 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization
      • CIS Control 14.6: Protect Information through Access Control Lists
  • Train all employees on how to identify and report suspicious activity and to not click on links or download files within any suspicious emails.
    • Implement:
      • CIS Control 17.3: Implement a Security Awareness Program
      • CIS Control 17.6: Train Workforce on Identifying Social Engineering Attacks
Arrow Download the CIS Controls

Solution Focus: An IDS for SLTT Governments

CIS’s Albert Network Monitoring is a cost-effective IDS that monitors for malicious activity, including ransomware. One organization using Albert noted that a system compromised with ransomware was identified so quickly that the victim organization could remove the ransomware from the network before the encryption process was even completed. This is key to stopping the spread of ransomware and protecting an organization’s data. Albert Network Monitoring uses a unique, SLTT government focused signature set combined with 24x7 in-depth review conducted by expert analysts in our Security Operations Center (SOC). To learn how Albert Network Monitoring works, download our Network Monitoring Guide.