Five steps to preventing a ransomware attack

For years, ransomware has been a scourge for Australian businesses, causing extensive disruption and financial losses.

The problem first gained attention in the 1990s when it appeared as so-called ‘scareware.’ Attackers would cause a pop-up to appear on a user’s screen telling them their system was infected. Thankfully, these attacks did little actual damage and were easy to remove.

The next generation, dubbed Locker Ransomware, then appeared on the scene. It involved malware locking users out of their systems but doing no damage. Users with sufficient technical skills could remove the lock and resume normal operations.

A third wave subsequently appeared that involved data encryption. In these attacks, the attacker compromised a system and encrypted data, demanding payment for the key.

The latest wave, known as Multifaceted Extortion Ransomware, involves attackers encrypting data but also stealing a copy, then threatening to make this data public if the victim does not pay the ransom.

Defending against attacks

Businesses faced with this ongoing threat of attack need to undertake five essential steps to improve their IT security level. These steps are:

  1. Implement MFA:
    Multi-factor authentication (MFA) adds a layer of difficulty for an attacker aiming to compromise a user’s account. If attackers gain access to a system and extract usernames and passwords, they could gain widespread access to an organisation’s broader IT infrastructure. However, if the organisation has implemented MFA, compromised accounts are not accessible without the chosen second form of authentication.
  2. Protect identity systems:
    While MFA helps protect user accounts, it is ineffective if the attacker takes a different route into an organisation’s IT infrastructure. MFA only covers the initial interactive login. If a user clicks a malicious link in a phishing email, opens a malware attachment that targets an unpatched system, or is hit by exploit code for an unknown vulnerability, then MFA becomes useless. Attackers also have many other MFA-bypass techniques they can use.

    Using any of these tactics, the attackers have effectively bypassed the need to obtain a password to gain access. Once inside, they can check memory and applications for stored credentials, target Active Directory, elevate privileges, and move laterally to find new targets.

    By protecting identity systems with Identity Threat Detection and Response solutions, organisations can detect an attack in progress, derail an attacker before they can steal critical data, and gather valuable threat intelligence.

  3. Undertake network segmentation:
    If an IT team separates their organisation’s network into different segments, it significantly increases protection against ransomware. The team can then place traps, decoys, baits, and other tripwires to help detect attackers and keep them away from critical systems. Having a simple, flat network makes life much easier for the attacker since they don’t have to evade detection tools or navigate very far to find the data. Segmenting the network overcomes this situation.
  4. Implement a Zero-Trust strategy:
    Zero-Trust follows a ‘never trust, always verify’ philosophy: users must be authenticated, authorised, and validated for security configuration and posture before gaining or keeping access to applications and data. Before any user or device can connect to IT resources, they must first prove their identity and permission to complete the interaction, making it very difficult for an attacker to reach resources, even if they have managed to enter the network.

  5. Deploy Active Defence:
    IT security teams need to be on alert for attacks at all times. Many are achieving this by following a strategy of Active Defence. MITRE, a not-for-profit corporation that operates research and development centres that strive to solve cybersecurity challenges, has developed a helpful program in this area called Engage, which focuses on deception and engagement to take the attacker’s advantage away.

    The strategy involves placing baits within an infrastructure designed to lure attackers away from assets and towards decoy systems, triggering alerts for the IT team to follow up and precisely determine what has occurred. They can then take steps to neutralise the attack and repair any damage the attackers have caused.
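
The bait-and-alert approach described in step 5, sketched as an added example that is not part of the original article: it flags any authentication event that touches a decoy account or decoy host, then lists the real systems the alerting source reached so the team can follow up. The decoy names, the log format, and the sample events are all constructed assumptions.

```python
from datetime import datetime

# Hypothetical bait inventory: names are constructed for this example.
DECOY_ACCOUNTS = {"svc-backup-adm", "da-legacy"}
DECOY_HOSTS = {"fin-archive-02", "dc-old-01"}

# Constructed authentication events: time, source host, account, target host, result.
SAMPLE_LOG = """\
2024-05-01T09:00:12 ws-114 jsmith fs-01 success
2024-05-01T09:07:03 ws-114 svc-backup-adm fs-01 failure
2024-05-01T09:07:55 ws-114 jsmith fin-archive-02 success
2024-05-01T09:10:31 ws-220 akhan fs-01 success
2024-05-01T09:11:02 ws-114 jsmith hr-db-01 success
"""

def parse(log):
    """Turn each log line into a dict; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, account, target, result = parts
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "account": account, "target": target, "result": result})
    return events

def bait_alerts(events):
    """Any touch of a bait is an alert, success or failure: no legitimate user needs it."""
    alerts = []
    for e in events:
        reasons = []
        if e["account"] in DECOY_ACCOUNTS:
            reasons.append("decoy account")
        if e["target"] in DECOY_HOSTS:
            reasons.append("decoy host")
        if reasons:
            alerts.append({**e, "reasons": reasons})
    return alerts

def triage(events, alerts):
    """For each alerting source, list the real systems it reached, for follow-up."""
    suspects = {a["src"] for a in alerts}
    reached = {src: [] for src in sorted(suspects)}
    for e in sorted(events, key=lambda e: e["time"]):
        hit = e["src"] in suspects and e["result"] == "success"
        if hit and e["target"] not in DECOY_HOSTS and e["target"] not in reached[e["src"]]:
            reached[e["src"]].append(e["target"])
    return reached
```

Because no legitimate workflow uses a bait, a failed attempt with a decoy credential is as meaningful as a successful one, which is why `bait_alerts` ignores the result field.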

By following these steps, organisations can prevent a ransomware attack or quickly recover should one occur. The ransomware threat will not disappear anytime soon, so taking these steps now is the best approach for an IT security team.

 

Jim Cook is ANZ Regional Director at Attivo Networks, an award-winning leader in cyber deception and attacker lateral movement threat detection. Cook has more than 20 years’ experience in the IT industry in both Australia and the UK and was previously ANZ Regional Director at Malwarebytes. Prior, he was Country Manager at Fortinet and also worked at Check Point Software Technologies for nine years in several sales positions.