In medicine, there is a saying that goes like this: “an ounce of prevention is worth a pound of cure.” When you are an enterprise or a small to medium sized business dealing with ransomware, prevention is really the best cure. According to a survey of over 250 managed service providers, the aftermath of a ransomware attack is so crippling for businesses that more than half of all affected clients experienced business-threatening downtime.
The Problem with Ransomware
The use of ransomware is an extremely lucrative venture for cybercriminals. Attackers are continually perfecting their exploits, techniques, and their marketing. In many ways, the evolution of this threat has led us to constantly re-think the traditional responses towards dealing with ransomware as a threat. Below are some questions and discussion points for us to consider to prepare against a ransomware attacks:
Reducing Risk with Backups
- How effective are your backup strategies? Have you established a recovery test to assess the effectiveness of your backup strategies?
- Who has access to your backups? Do your backups exist on the same network as your critical business data?
- What are the estimated costs involved while you restore from your backups versus paying the ransom?
- If every system accessible from your network was purged, how long would it take you to recover to regular business operations?
- How prepared is your organization in carrying out a disaster recovery plan?
It is estimated that the cost of business downtime is 7.5 times greater than the cost of the ransom requested. Ironically, in 2016, FireEye announced plans to lay off between 300 to 400 employees as a cost-saving measure. One of the reasons for this measure is because “ransomware infections have gone up, but they cost less to fix. For some context, this statement summarized two concerns.
The first one is that paying the ransom to get your data back is lower than purchasing a security vendor’s product. Secondly, those who have had products from FireEye still were affected by ransomware infections. While security professionals are keen to advise not to pay the ransom, sometimes this becomes the least expensive alternative. By paying the ransom, enterprises and businesses continue to fuel this multi-billion dollar that is ransomware.
Therefore, it becomes apparent that good security will prevent ransomware infections from happening in the first place. From this perspective, prevention is the best cure, so how do we secure ourselves from ransomware?
The Solution Starts with Security Controls
One of the most important things is to implement and test your security controls. One of the most referenced lists is the Top 20 CIS Controls and Resources. Often during engagement scoping, we find that few organizations have a robust asset inventory process. This is alarming because in order to protect what you have, you need to know what you have. This is summed up within the first two controls.
To build some context for ransomware in regards to the CIS controls (specifically Controls 3-16), please reference the table below.
- WannaCry: Externally exposed SMB that are not patched can MS17-010 and its variants affect them. Is also found to be delivered through email.
- Not Petya/Petya Family: The initial infection vector varies, but is commonly delivered through email.
- Bad Rabbit: Initial vector hosts malware on a malicious domain disguised as an Adobe Flash Player Update.
- Cerber: Delivered through Magnitude exploit kit and/or email phishing. Magnitude leverages the following vulnerabilities (CVE-2018-8174). This can be used to exploit IE and used in malicious RTFs. Additional CVE: CVE-2016-0189
- Dharma: Delivered through spam emails with malicious attachments that abuses double file extensions. May also mask malicious attachments as install updates. Most often than not, Dharma is delivered by brute-forcing external RDP.
- GandCrab: Infection vector is through phishing email with malicious word macros. Uses RIG exploit kit for delivery. This abuses adobe flash (CVE-2018-4878). Also used with Gandsoft exploit kit with abuses vbscript.dll in old IE (CVE-2016-0189). Remote code execution on public facing insecure software (e.g. Confluence) is also used to deliver GandCrab.
- Katyusha: Primary vector through malicious download on malicious website.
- Ryuk: Initial infection vector is through email spam with the Emotet malware. Emotet also spreads through a trojan called TrickBot which takes advantage of MS17-010 and the DoublePulsar impant.
In short review of the provided table detailing how ransomware gets into an organization, a pattern should become obvious. Unsurprisingly, the primary infection vector is email and browser exploits (Control 7). If the delivery method for attackers is most commonly exercised through phishing, it is critical for organizations to secure their email and web browser clients as well as configuring domain-based message authentication, DMARC, SPF, and DKIM standards. Furthermore, this table should serve as a complement to how does ransomware spread.
Another pattern to notice is that most ransomware propagates through SMB protocol and credential abuse. The CIS controls address these issues through Controls 4, 9, and 14. A third pattern is the amount of CVE identifiers within the table, which an organization can tackle through by implementing a continuous vulnerability management program (Control 3).
Security is not an easy task, and skilled IT professionals are few and far between. All small to medium sized businesses require a security minded perspective on their projects. Prevention is key, and while this post isn’t meant to be an exhaustive analysis of the Top 20 CIS Security Controls, it should serve as a step in the right direction for those responsible in building up a robust security program for their organization. If your organization already has security controls in place, remember it is also imperative to test the effectiveness of these controls.
Where We Come In
Packetlabs specializes in security testing services such as penetration testing, red team exercises, and purple team exercises to assess your organization’s risk level against ransomware and identify gaps in your incident response capabilities. To translate this into CIS Control terms, we specialize in Controls 17 through 20. For information on testing your security controls, or anything else you’ve read here, please contact us for more information on what we can do for your organization!