Ransomware has been a hot topic the past couple of years. The software is wreaking havoc on organizations that are not prepared for it. Before understanding how to respond to a ransomware attack, it is extremely important to first understand how the different strains spread in the environment they are unleashed in. Once understood, security controls can be implemented to limit the impact of the attack and reduce recovery times.
Ransomware Spreading: The Strains
New ransomware strains are continuously released. The current top eight have been selected below, detailing whether or not the data could be easily recovered through exposed decryption keys. While decryption keys may be available, the impact to your organization may still be high due to recovery time.
How is Ransomware spreading?
Each strain propagates through the system or network in a predictable manner. The predictability allows for the root causes to be identified to assist in future prevention. The table below was created to help visualize the root causes and how each misconfiguration or missing security patch allows for the specific ransomware strains to propagate.
- Server Message Block (SMB) – Uses the SMB service to compromise hosts remotely over the network without authentication.
- Windows Management Instrumentation Command-line (WMIC) – Used to modify security settings on remote machines after credentials have been obtained.
- Brute force – Uses hardcoded credentials to gain unauthorized access and move laterally.
- PowerShell – Uses PowerShell to issue sensitive system commands.
- Credentials – Uses credentials obtained from the compromised system to move laterally.
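The vectors above each leave a recognisable trace in host telemetry, which is what makes them detectable before the whole network is encrypted. The script below is an added example written for this post, not code from Packetlabs: it runs a few detection rules over constructed, simplified Windows event records (fields lifted from Security log event 4688 process creation, 4625 failed logon, and System log 7045 service installation). It flags WMIC invoked against a remote node, a PsExec-style service installation, PowerShell spawned by the WMI provider host (remote WMI execution), and a burst of failed logons from a single source (credential brute force). Hostnames, addresses, usernames and the thresholds are all placeholders.

```python
"""Flag the ransomware propagation vectors above in Windows security events.

Added example for this post (not Packetlabs code). Event records are
constructed and simplified; thresholds are illustrative.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 10                   # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... within this window

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # WMIC run from WS01 against a remote host
    {"id": 4688, "time": "2024-05-01T10:00:01", "host": "WS01",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"FS02" /user:CORP\\svc_backup os get caption',
     "parent": r"C:\Windows\System32\cmd.exe"},
    # PowerShell started by the WMI provider host on the target
    {"id": 4688, "time": "2024-05-01T10:00:05", "host": "FS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File script.ps1",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # PsExec service installation on the target
    {"id": 7045, "time": "2024-05-01T10:00:09", "host": "FS02",
     "service": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign activity that must not be flagged
    {"id": 4688, "time": "2024-05-01T10:00:12", "host": "WS01",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4688, "time": "2024-05-01T10:00:15", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 4625, "time": "2024-05-01T10:00:20", "host": "WS01",
     "src_ip": "10.0.0.20", "user": "jsmith"},
]
# Twelve failed logons from one source against WS01 within 22 seconds
SAMPLE_EVENTS += [
    {"id": 4625, "time": f"2024-05-01T10:01:{2 * i:02d}", "host": "WS01",
     "src_ip": "10.0.0.55", "user": f"user{i}"}
    for i in range(12)
]


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def detect_lateral_movement(events):
    """Return findings as {"technique", "host", "detail"} dicts."""
    findings = []
    failed_logons = defaultdict(list)   # (target host, source IP) -> timestamps

    for ev in events:
        if ev["id"] == 4688:
            image = _basename(ev["image"])
            parent = _basename(ev.get("parent", ""))
            cmdline = ev.get("cmdline", "").lower()
            if image == "wmic.exe" and "/node:" in cmdline:
                findings.append({"technique": "wmic_remote", "host": ev["host"],
                                 "detail": ev["cmdline"]})
            elif image == "powershell.exe" and parent == "wmiprvse.exe":
                findings.append({"technique": "powershell_via_wmi",
                                 "host": ev["host"], "detail": ev["cmdline"]})
        elif ev["id"] == 7045:
            text = (ev.get("service", "") + ev.get("image_path", "")).lower()
            if "psexesvc" in text:
                findings.append({"technique": "psexec_service", "host": ev["host"],
                                 "detail": ev["service"]})
        elif ev["id"] == 4625:
            failed_logons[(ev["host"], ev["src_ip"])].append(
                datetime.fromisoformat(ev["time"]))

    # Sliding window over failed logons per (target host, source IP)
    for (host, src_ip), times in failed_logons.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BRUTE_FORCE_WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                findings.append({"technique": "brute_force", "host": host,
                                 "detail": f"{end - start + 1} failed logons from {src_ip}"})
                break
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['host']:<5} {f['technique']:<20} {f['detail']}")
```

The rules are deliberately narrow (a parent/child pair, a service name, a command-line switch, a rate) so each finding maps back to one of the vectors in the list; in production the same logic would read events from a SIEM or EDR export rather than an inline list.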
Limit Ransomware Spreading: Preventative Measures
By knowing the strains and how they propagate, preventative measures can be implemented to reduce the likelihood and impact of a successful ransomware attack. Below are the top measures that your organization can implement.
- Provide employees with regular security awareness training which includes phishing exercises. It only takes one employee to impact the entire business. The phishing exercise should also test the anti-spam and anti-virus capabilities of your email system.
- Have backups for all systems that would cause an impact to the business if offline.
- Check firewall rules for loose egress and ingress rules. If traffic is allowed in and out freely, the malware can spread and exfiltrate data more easily.
- Remove the ability to run PowerShell, PsExec and WMIC commands for users who do not need it.
- Remove local administrative privileges for non-IT staff. If users are unable to install software, ransomware will not work.
- Patch your systems according to risks. Patches related to addressing ransomware risks should take first priority.
- Review access control privileges to ensure users only have access to what they need. The principle of least privilege should be implemented.
- Disable macros for Office-related files. Malware can be hidden within those macros.
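Several of the measures above can be checked mechanically once a host's configuration is exported. The script below is an added example written for this post, not Packetlabs code, and the snapshot format is an assumption: a dict of the kind an inventory or endpoint-management export might provide, covering firewall rules, local Administrators membership, the Office VBA macro policy and patch age. The IT administrator allow-list, the 30-day patch threshold and all host names and addresses are constructed. The macro check interprets the Office VBAWarnings policy scale (1 = enable all macros, 2 = disable with notification, 3 = signed macros only, 4 = disable all without notification).

```python
"""Audit a host configuration snapshot against the preventive measures above.

Added example for this post (not Packetlabs code). The snapshot layout,
the IT allow-list and the patch-age limit are assumptions for illustration.
"""
import ipaddress

PATCH_AGE_LIMIT_DAYS = 30
# Principals that legitimately hold local admin (assumption for the example)
IT_ADMIN_PRINCIPALS = {"CORP\\it-admins", "FS02\\Administrator"}

# Constructed snapshot of a poorly configured file server
SNAPSHOT = {
    "host": "FS02",
    "firewall_rules": [
        {"name": "Web out", "direction": "out", "action": "allow",
         "remote": "0.0.0.0/0", "ports": "80,443"},
        {"name": "Allow all out", "direction": "out", "action": "allow",
         "remote": "0.0.0.0/0", "ports": "*"},
        {"name": "SMB from mgmt", "direction": "in", "action": "allow",
         "remote": "10.0.10.0/24", "ports": "445"},
        {"name": "SMB from anywhere", "direction": "in", "action": "allow",
         "remote": "0.0.0.0/0", "ports": "445"},
    ],
    "local_admins": ["CORP\\it-admins", "CORP\\jsmith", "FS02\\Administrator"],
    "macro_policy": {"vba_warnings": 1, "block_internet_macros": False},
    "days_since_security_update": 75,
}

# The same host after the measures above have been applied (constructed)
HARDENED_SNAPSHOT = {
    "host": "FS02",
    "firewall_rules": [SNAPSHOT["firewall_rules"][0], SNAPSHOT["firewall_rules"][2]],
    "local_admins": ["CORP\\it-admins", "FS02\\Administrator"],
    "macro_policy": {"vba_warnings": 4, "block_internet_macros": True},
    "days_since_security_update": 12,
}


def _is_unrestricted(cidr):
    """True when a rule's remote scope is the entire address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_host(snapshot, it_admins=IT_ADMIN_PRINCIPALS):
    """Return findings as {"control", "detail"} dicts; an empty list means compliant."""
    findings = []

    # Firewall: unrestricted allow-all egress, and SMB reachable from anywhere
    for rule in snapshot["firewall_rules"]:
        if rule["action"] != "allow" or not _is_unrestricted(rule["remote"]):
            continue
        ports = {p.strip() for p in rule["ports"].split(",")}
        if rule["direction"] == "out" and "*" in ports:
            findings.append({"control": "firewall_egress",
                             "detail": f"rule '{rule['name']}' allows all outbound traffic"})
        if rule["direction"] == "in" and ports & {"445", "*"}:
            findings.append({"control": "smb_exposure",
                             "detail": f"rule '{rule['name']}' exposes SMB to any source"})

    # Local administrators outside the IT allow-list
    extra_admins = sorted(set(snapshot["local_admins"]) - set(it_admins))
    if extra_admins:
        findings.append({"control": "local_admin",
                         "detail": "non-IT local administrators: " + ", ".join(extra_admins)})

    # Macros: anything weaker than signed-only, or internet-sourced macros not blocked
    macros = snapshot["macro_policy"]
    if macros["vba_warnings"] < 3 or not macros["block_internet_macros"]:
        findings.append({"control": "macros",
                         "detail": f"VBAWarnings={macros['vba_warnings']}, "
                                   f"block_internet_macros={macros['block_internet_macros']}"})

    # Patching: last security update older than the limit
    age = snapshot["days_since_security_update"]
    if age > PATCH_AGE_LIMIT_DAYS:
        findings.append({"control": "patching",
                         "detail": f"last security update {age} days ago"})
    return findings


if __name__ == "__main__":
    for snap in (SNAPSHOT, HARDENED_SNAPSHOT):
        result = audit_host(snap)
        print(f"{snap['host']}: {len(result)} finding(s)")
        for f in result:
            print(f"  [{f['control']}] {f['detail']}")
```

Running the audit against both snapshots shows the point of the list above: the weak configuration produces one finding per control, while the hardened copy produces none, so the same script can be used to track remediation across a fleet.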
How we can help
Packetlabs offers a ransomware simulation service that assesses your risk level against ransomware and identifies incident response capabilities. The service includes:
- Phishing to identify weaknesses in security awareness and perimeter defenses
- Propagating through the network in the same way ransomware would, to identify vulnerable systems
- Identification of affected shares, and potentially impacted data
- A table-top exercise to identify if recovery capabilities are well documented
Contact us if you would like to assess your ransomware security controls.