Jul 20, 2021
Ransomware 101: What Is It and How Do I Prevent an Attack?
After high-profile breaches at major US organizations, ransomware should be on the mind of every CEO. But what can you do to mitigate the risk of attack?
By Boyd White, Director of Technical Solutions Engineering, Tanium
Ransomware incidents are on the rise, and as we’ve seen in the headlines — no industry is exempt.
The U.S. federal government has urged agency and business leaders to protect themselves by implementing foundational cyber hygiene best practices.
Getting back to the basics of IT operations and security is the first step in helping your organization avoid the worst-case scenario.
What is ransomware?
Ransomware is a type of malware designed in most cases to encrypt data and files on victim networks. Organizations hit by ransomware are effectively given an ultimatum by their attackers: pay up and receive the decryption key or lose your business-critical data forever.
As many organizations respond to best-practice advice by backing up data offline, their extorters have recently taken to stealing sensitive information before they encrypt it. This puts extra pressure on victims to pay up or have customers’ and employees’ personal data or trade secrets published online. Some groups have even extended their extortion tactics to include DDoS attacks and contacting customers, shareholders and others to turn up the pressure even further.
The challenge facing organizations today is that the ransomware-as-a-service (RaaS) model has lowered the barriers to entry significantly for “affiliate” threat groups. As long as victims continue to pay, often reimbursed by cyber-insurance policies, the number of cybercriminals joining the fray will only increase.
How do attacks happen?
Although different threat groups have different preferences, there are several key stages to a typical ransomware attack. These are:
1. Ransomware enters the corporate environment.
This often happens via a phishing email that makes it past your gateway provider. Another popular tactic is to scan for open Remote Desktop Protocol (RDP) ports and then hijack remote servers with previously breached logins or by brute-forcing the passwords.
2. Ransomware is executed.
This often involves a user clicking a malicious Microsoft Office document with macros.
3. Ransomware exploits the endpoint and/or network with some level of permissions.
If the targeted user/machine does not have enough permissions to support broad lateral movement, it will greatly limit the potential impact of the attack. That’s why the threat actor will typically try to elevate privileges, usually by exploiting a system vulnerability. Lateral movement is often achieved using legitimate tools and “living off the land” binaries to stay hidden.
4. Time for IT security to respond.
If an attack has successfully breached corporate security, the onus is on incident response teams to quickly limit its impact. A well-designed and frequently tested incident response plan can make a huge difference here.
How can I prevent ransomware?
If your organization has prepared well for the above steps, it will be in a good position to mitigate the cyber risks stemming from ransomware. The earlier in the execution phase you can stop the attack, the better.
Here’s a brief checklist covering the administrative, process and technical measures that can improve your organization’s resilience.
- Maintain offline backups
- Maintain gold images of critical systems so they can be rebuilt
- Maintain and test an incident response plan
- Regularly update and run security awareness programs for staff
- Conduct regular vulnerability scans
- Ensure your endpoints are always patched and up-to-date
- Block SMBv1, and use only SMBv3+
- Block external connections to SMB ports
- Safeguard internet-facing RDP endpoints
- Deploy up-to-date AV everywhere
- Consider application whitelisting
- Manage third-party vendors through a supplier risk management program
- Use multi-factor authentication (MFA) wherever possible
- Use strong, unique passwords
- Know what assets you have and where they are, with updated network diagrams
- Restrict use of PowerShell; use the latest version (5.0)
- Secure and patch domain controllers
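The Windows-specific items in this checklist (SMBv1, inbound SMB, RDP, PowerShell version, application whitelisting) can be audited from the endpoint itself. The script below is an added example written for this article, not Tanium code; it assumes an elevated Windows PowerShell session with the SmbShare, NetSecurity, Dism and AppLocker modules available, and treats the Private and Public firewall profiles as untrusted.

```powershell
# Added example (not from the original article): audit an endpoint against the
# Windows items in the ransomware checklist and report findings.
$findings = [System.Collections.Generic.List[string]]::new()

# Block SMBv1: the server-side SMB1 dialect must be disabled; SMBv3 encryption is a plus.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings.Add('SMBv1 is enabled on the SMB server') }
if (-not $smb.EncryptData)   { $findings.Add('SMB encryption (SMBv3 feature) is not required') }

# Block external SMB: flag enabled inbound allow rules for TCP 445/139 that apply
# to a profile other than Domain (assumption: Private/Public are untrusted networks).
$smbRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -ne 'Domain' } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and (($pf.LocalPort -contains '445') -or ($pf.LocalPort -contains '139'))
    }
foreach ($r in $smbRules) {
    $findings.Add("Inbound SMB allowed by rule '$($r.DisplayName)' on profile $($r.Profile)")
}

# Safeguard RDP: if RDP is enabled, Network Level Authentication should be required.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdpTcp.UserAuthentication -ne 1) { $findings.Add('RDP is enabled without Network Level Authentication') }
}

# Restrict PowerShell: run a 5.x+ engine and remove the legacy 2.0 engine, which lacks modern logging.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    $findings.Add("PowerShell engine is $($PSVersionTable.PSVersion); 5.x or later expected")
}
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') { $findings.Add('Legacy PowerShell 2.0 engine is still installed') }

# Application whitelisting: at least one AppLocker rule collection should be in enforce mode.
$policy   = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$enforced = @($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
if ($enforced.Count -eq 0) { $findings.Add('No AppLocker rule collection is in enforce mode') }

# Report: an empty list means the audited items pass on this endpoint.
if ($findings.Count -eq 0) { 'No findings: endpoint meets the checklist items audited here.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```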
How Tanium can help
According to Verizon data from 2021, 10% of data breaches involved ransomware, double last year’s figure. Fortunately, Tanium offers a range of capabilities to improve your organization’s resilience to attacks, enhance visibility and control, and accelerate incident response. Here’s how:
You cannot manage what you can’t see. Even one vulnerable host can provide ransomware attackers with an entry point into the network. Tanium helps you find those systems.
Tanium helps your organization ensure its endpoints are patched, reducing the corporate attack surface. If threat actors exploit new vulnerabilities, as was the case with the infamous WannaCry “ransomware,” Tanium can patch at speed and scale to restrict their opportunities.
Ransomware often takes advantage of open shares or misconfigurations. Tanium can proactively help you identify and remediate these issues, while Tanium Enforce can limit exposure by helping to ensure endpoints are hardened against attack and in line with corporate policy.
Limiting lateral movement
Tanium Impact helps organizations limit lateral movement in an environment. Impacted systems, including off-premises devices, can be quarantined from the endpoint layer without the need for specific firewall technology. We also integrate with network devices to block via Cisco ISE or Palo Alto. Tanium Enforce can help limit network access by configuring host firewalls.
Limiting/uncovering sensitive data
Tanium Reveal helps you identify where sensitive data lives in your environment—enabling additional actions to reduce exposure to ransomware.
Tanium Signals can identify potential ransomware activity and alert administrators to begin action.
Tanium Enforce can perform allowlisting using AppLocker to prevent unauthorized executables from running on endpoints.
If ransomware has already infected your organization, Tanium can identify how many files have been encrypted and limit any further damage via Tanium Live Response and Tanium Index.