Best practices for protecting your organization.
by Adam Laub, CMO, Stealthbits
Over the last two years, ransomware outbreaks have held companies, municipalities, hospitals and organizations of all kinds hostage. One recent coordinated attack brought 22 separate communities to a full digital standstill, and the average number of days a ransomware incident disrupts operations is climbing. Experts estimate that the average attack now lasts 16.2 days – up from 12.1 days in the third quarter of 2019.
One of the latest organizations to be hit is Visser Precision, a supplier to aerospace and automotive corporations such as Lockheed, Tesla, SpaceX and Boeing. A spokesperson confirmed that it was “the recent target of a criminal cybersecurity incident, including access to or theft of data” and that it “continues its comprehensive investigation of the attack.”
Experts believe Visser’s ransomware attack was carried out using a new type of malware – DoppelPaymer ransomware – that takes a two-pronged approach. DoppelPaymer exfiltrates a victim’s files and also encrypts them. Then, rather than simply rendering a company’s data useless if ransom demands aren’t met, the threat actor threatens to publish the stolen, often sensitive files.
Fortunately, a company spokesperson confirms that Visser is operating normally. Too many organizations aren’t so fortunate.
Many, if not most, enterprise organizations have worked hard to protect their networks in an attempt to address the ransomware threat and prevent their sensitive data from being stolen or destroyed. These perimeter and similar defenses – which typically include firewalls, data loss prevention and intrusion detection systems – can protect against exfiltration, but cannot address the underlying structural vulnerabilities that ransomware readily exploits. That is because they were built for a different mission: exfiltration prevention rather than file protection. While some ransomware variants may also seek to exfiltrate data, the main thrust of all ransomware attacks is extortion: data is encrypted and the attackers threaten to throw away the key, permanently rendering that data useless, unless a ransom is quickly paid.
There are of course many pathways a ransomware threat actor can take to enter a victim organization’s network, from phishing to exploitation of no-longer-used, forgotten-but-still-online digital assets. Once in, the malware propagates across the environment by leveraging network vulnerabilities and the organization’s own lax practices. In fact, some recent ransomware variants like Trickbot/Ryuk and LockerGoga are sophisticated enough to spread laterally on their own through embedded versions of Metasploit and Mimikatz, allowing them to pull passwords out of memory and escalate privileges to critical systems such as Active Directory Domain Controllers. On the opposite end of the spectrum, variants like DoppelPaymer exploit an organization’s lack of alignment with Least Privilege principles, needing only “Read”-level access to begin copying and exfiltrating files outside a business’s walls.
The important thing to remember is this: how much damage, if any, a ransomware attack causes is something every organization can control. Preventing or minimizing ransomware’s damage takes some consideration and adjustment of rote processes, but the relatively minor investment of time can pay off substantially if your organization is targeted, and especially if the threat actors throw away the encryption key even after the ransom is paid, which has been known to happen.
Today’s ransomware variants have moved beyond the spray-and-pray approaches of early iterations. Modern threat actors choose their targets. They focus on high-value assets and mission-critical data pools, and they conduct reconnaissance to understand exactly where and what everything is in the environments they have compromised. With these specific targets in mind and a lay of the land, they move laterally looking for privileged credentials and security exploits that will allow them to persist within these environments for months or even years undetected.
They leverage this “Dwell Time” both to ensure a broad-scale and devastating blow once the payload is unleashed, and to maliciously alter an organization’s failover and recovery processes, rendering them useless in response to the attack.
Five Approaches for Thwarting Modern Ransomware Attacks
Detection & Response
Detecting modern ransomware requires much more than early insight into data encryption activity. Once that level of activity is detected, an organization is already at sharp risk. Detection and response for modern ransomware should be approached much as many organizations already approach credential theft attack vectors: password spraying, credential stuffing, lateral movement, reconnaissance activities, and modifications to sensitive configurations and access rights. It is critical to detect both behavioral and known threat indicators, and to align those detections with each phase of the attack kill chain.
The ability to respond to detected threats swiftly and effectively is equally crucial. Whether fully or partially automated, the development and documentation of response playbooks is important for shutting down and blocking compromised users and computers. Using a highly prevalent technology like Multi-factor Authentication in response to detected threats is an excellent way to verify suspicious activity that might otherwise pass as legitimate. It’s also worthwhile to aggregate alerts and threat information into a single place such as a SIEM platform for correlation.
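As an added illustration (not part of the original article or any Stealthbits product), the following detection logic runs over a constructed set of logon events and flags two of the behavioral indicators named above: password spraying (one source failing logons against many distinct accounts) and lateral movement (one account succeeding on many distinct hosts in a short window). Field layout, thresholds and sample values are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events, loosely modelled on Windows 4624/4625 fields:
# (timestamp, source_ip, account, target_host, outcome). Not real data.
EVENTS = [
    ("2020-03-10T09:00:01", "10.0.0.5", "alice", "FS01", "FAIL"),
    ("2020-03-10T09:00:03", "10.0.0.5", "bob", "FS01", "FAIL"),
    ("2020-03-10T09:00:05", "10.0.0.5", "carol", "FS01", "FAIL"),
    ("2020-03-10T09:00:07", "10.0.0.5", "dave", "FS01", "FAIL"),
    ("2020-03-10T09:00:09", "10.0.0.5", "erin", "FS01", "FAIL"),
    ("2020-03-10T09:30:00", "10.0.0.9", "alice", "WS07", "FAIL"),  # one user mistyping
    ("2020-03-10T09:30:20", "10.0.0.9", "alice", "WS07", "SUCCESS"),
    ("2020-03-10T10:00:00", "10.0.0.7", "svc_backup", "FS01", "SUCCESS"),
    ("2020-03-10T10:00:30", "10.0.0.7", "svc_backup", "FS02", "SUCCESS"),
    ("2020-03-10T10:01:00", "10.0.0.7", "svc_backup", "DC01", "SUCCESS"),
    ("2020-03-10T10:01:30", "10.0.0.7", "svc_backup", "WS03", "SUCCESS"),
]

def _bursts(events, key_idx, value_idx, outcome, window, threshold):
    """Group events with `outcome` by the field at key_idx; report keys that touch
    at least `threshold` distinct values (field value_idx) within any sliding `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e[4] == outcome:
            by_key[e[key_idx]].append((datetime.fromisoformat(e[0]), e[value_idx]))
    hits = {}
    for key, items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward until it fits
            distinct = {v for _, v in items[start:end + 1]}
            if len(distinct) >= threshold:
                hits[key] = sorted(distinct)
                break  # first qualifying window is enough to raise an alert
    return hits

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Password spraying: one source failing logons for many distinct accounts."""
    return _bursts(events, 1, 2, "FAIL", window, min_accounts)

def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Lateral movement: one account succeeding on many distinct hosts in quick succession."""
    return _bursts(events, 2, 3, "SUCCESS", window, min_hosts)
```

In practice the same two functions would be fed from the SIEM's normalized authentication events rather than an inline list, and the alert would feed the MFA step-up or account-block playbook described above.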
Some of the quickest and biggest reductions in risk and overall exposure come from proactively identifying and remediating the known vulnerabilities and weaknesses that modern ransomware variants exploit, such as outdated SMB protocol versions, an overabundance of system-level administrative access rights, and overprovisioned permissions to data. Attackers tend to leverage tools that rely on a lax state of security to work properly. When their usual avenues are shut down, attackers either seek easier prey or are forced to use riskier tactics, techniques, and procedures that are more likely to get them caught.
In the context of ransomware or otherwise, it’s no secret that privileged accounts are among the most sought-after prizes for an attacker. Luckily for them, many privileged accounts maintain “standing privileges” on the systems and applications attackers have compromised, making the threat surface massive. Removing standing privileges with a just-in-time approach to privileged access management eliminates a large portion of that threat surface, as does monitoring and recording privileged user sessions and forcing multi-factor authentication whenever privileged access is used.
While there’s growing awareness of the damage that easily guessable passwords and password reuse can do, the fact remains that truly unique, tightly managed and frequently updated username and password combinations are the most effective way to defend against the credential stuffing and other password-guessing attacks that allow attackers to so easily compromise troves of user accounts in the first place. Eliminating weak, well-known, shared, or otherwise easily guessed passwords from an environment is one of the easiest solutions to implement from a technical perspective, but it also requires end-user education and buy-in.
Depending upon how far an attacker is able to progress, they may have made a substantial number of changes within a given environment along the way. Once an attacker is identified, rolling back, recovering, or otherwise restoring configuration to its desired state is step one in eliminating any backdoors they may have left behind.
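As an added example (not code from the original article or from Stealthbits), this compares a recorded desired-state baseline against a later snapshot and produces an ordered rollback plan: unauthorized privileged-group additions and unknown groups first, then tampered recovery settings of the kind mentioned under "Dwell Time", then memberships that were removed. Both data structures and all account, group and setting names are constructed for illustration.

```python
# Constructed desired-state baseline and a later snapshot of the same
# security-relevant settings. Hypothetical values, not from any real environment.
BASELINE = {
    "groups": {"Domain Admins": {"adm.jane", "adm.raj"},
               "Backup Operators": {"svc_backup"}},
    "recovery": {"shadow_copies_enabled": True, "backup_job_enabled": True,
                 "backup_retention_days": 30},
}
SNAPSHOT = {
    "groups": {"Domain Admins": {"adm.jane", "adm.raj", "helpdesk7"},  # unexpected member
               "Backup Operators": set(),                              # member removed
               "Recovery Admins": {"helpdesk7"}},                      # group not in baseline
    "recovery": {"shadow_copies_enabled": False, "backup_job_enabled": True,
                 "backup_retention_days": 1},                           # recovery weakened
}

def plan_rollback(baseline, snapshot):
    """Return ordered remediation actions that bring `snapshot` back to `baseline`.
    Order reflects urgency: strip unauthorised privileged access first, then
    restore tampered recovery settings, then re-add memberships that were removed."""
    actions = []
    for group, have in snapshot["groups"].items():
        wanted = baseline["groups"].get(group)
        if wanted is None:
            # A privileged group that the baseline never defined needs human review.
            actions.append(("review_unknown_group", group, sorted(have)))
            continue
        for member in sorted(have - wanted):
            actions.append(("remove_member", group, member))
    for key, wanted in baseline["recovery"].items():
        if snapshot["recovery"].get(key) != wanted:
            actions.append(("restore_setting", key, wanted))
    for group, wanted in baseline["groups"].items():
        for member in sorted(wanted - snapshot["groups"].get(group, set())):
            actions.append(("add_member", group, member))
    return actions
```

The plan is data only; executing it against a directory or backup system is a separate, audited step in the response playbook.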
Each of the above steps is helpful. When used together, they form an effective strategy for organizations to help defend themselves against sophisticated, disruptive, destructive modern ransomware variants. While some steps require a commitment of time and effort, defending and strengthening the organization’s overall security posture makes the ROI well worth it.
About the author:
Adam Laub is CMO of Stealthbits, a cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data.