Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/1/2017
01:30 PM
Jeff Schilling
Jeff Schilling
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Best Practices for Lowering Ransomware Risk

The first step is to avoid falling prey in the first place. That means teaching your entire organization - from IT staff to executive management - how not to be a victim.

In recent months, ransomware campaign activity has increased exponentially. Over 27,000 incidents surged on the scene in early 2017 when a commonly misconfigured setting on open source database called MongoDB made hundreds of thousands of databases vulnerable to ransom. Threat actors logged on to victims' databases, backed up data offsite, deleted it, and offered to return it for .2 Bitcoins, which translates to $200. 

While this might seem like a minuscule amount, there is logic behind it. If too much is asked, the propensity to pay declines. Plus, the volume of the attack yields serious dividends. Regardless, for those afflicted, losing access to important information to operate a business is extremely disconcerting, creating desperation and making them prone to pay up.

The Mechanics
There are two primary vectors into a commercial IT environment. The first is to assume remote access to a user's computer and traverse the network until administrator credentials to databases and data stores are gained. This is accomplished by sending an employee a phishing email that entices them to open an attachment or visit a compromised website that loads malicious code on their computer terminal. Once the computer is compromised, threat actors scan the environment and try to find a computer terminal used to access network data. After a foothold on an administrator’s computer is established, they can remotely encrypt or wipe data and then issue ransom demands. 

The second method is more of a frontal assault on the database servers. Most companies have public-facing websites and, as a result, threat actors will find a server with a vulnerable application, then exploit it to get a foothold in the data center. If an IT staff has not properly separated public-facing websites from database servers and file shares -  a common mistake with small staffs -  a threat actor can use that access to pursue the database. While this vector requires more sophistication, ransomware actors are increasingly pivoting in this direction, implying that more skilled actors are getting into the game.

The Response
With all of these new techniques in play, what can security teams do to mitigate the threat? The good news is that your IT staff is probably already doing many of the things needed to protect your environment. Here are a few best practices to help lower the risk further:

User Vector:

  • Establish a third-party user education program on how to identify a phishing email.
  • Shut down the ability for user terminals to share resources peer-to-peer.
  • Implement a back-up strategy for personal data on external drives or virtual drives.
  • Install a reputable antivirus program that will block a majority of known ransomware attacks.

Website Vector:

  • Never host an external-facing server on the same hardware as a database or data store.
  • Ensure proper segmentation between web servers and database servers. 
  • Track vulnerability patch status of critical data servers and file shares.
  • Make sure IT staff has a data back-up strategy for databases and file shares,
  • Consider using secure third-party cloud or virtualized services for critical data storage and files shares offsite.

Advanced Planning & Outside Resources:

  • Have an incident response plan in place before an incident occurs. Having a plan in place allows for the immediate documentation all of the possible decisions and communication plans that need to be applied under the pressure of a real-life incident. 
  • Visit the NoMoreRansom.org website to seek assistance. This non-profit website is a partnership between antivirus vendors, international law enforcement, and cybersecurity threat researchers. This resource has helped thousands of victims decrypt data, complete with recommendations for what to do in the event of an attack. 
  • Pay or not pay? A final consideration that enters the mind of many is whether or not to pay the ransom. The majority experts’ view is consistent with those of the Federal Bureau of Investigation – do not pay. However, this is an easy decision for third-parties to make because it is someone else’s data being ransomed. 

At the end of the day, the decision will come down to the impact of the attack on your company's business. While ransomware actors in many cases return the data as promised, they may leave backdoors to return for more money, time and time again, or may not return data at all.

These present very unattractive options, so it is best to avoid falling prey in the first place. To be successful, advance preparation and applying proven best practices will be the most effective way to avoid a ransomware scenario completely. Having an entire organization aligned on how to avoid being a victim, from the IT staff to executive management, is essential to maintain the sanctity of data.

Related Content:

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
3/8/2017 | 4:57:17 AM
Re: 192.168.l.l
Great article! It was nice to read this information. Thanks
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-15139
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...