Ransomware Protection: Safeguarding Your Data
by JD Sherry, on Dec 18, 2020
Ransomware keeps us up at night. It’s the worst-case scenario that hits companies where it hurts—their data. Ransomware locks us out of our data as the attackers threaten to destroy it, or worse, publish it if they don’t get paid their ransom for the decryption key. In 2021, we envision more destructive attacks that can cripple even well-resourced organizations.
A lot of things go through your mind when ransomware hits:
- Do you pay the ransom?
- Who are these people who have hijacked your data?
- How badly have you been hit?
But not one of those questions is the one you should be asking right now. You should be asking: how do we protect ourselves from ransomware before it ever hits?
Ransomware’s coming of age
Cyber attacks, ransomware included, are the newest disaster to rise to prominence in DRP/BCP (Disaster Recovery/Business Continuity Planning) spheres. We’ve still got to focus on hurricanes, earthquakes, and fires, but—just as important, and growing in frequency—are cyber attacks.
Cyber attacks have the potential to make a greater impact on your organization than a natural disaster. Companies have spent so much time and so many resources over the years preparing for physical disasters that many are now unprepared for cyber attacks, which arrive through wires and bytes and not by land, air, and sea. That doesn’t mean you shouldn’t prepare for them, however.
Don’t just insure away the risk
Cyber insurance sounds great, but it’s just a crutch. Cyber insurance can help us sleep at night, but it’s designed to react after you’ve been hit, not prevent you from getting hit in the first place. When you start filing a cyber insurance claim, you’re already trying to get your data back and gauge the damage that’s been done. It also creates the wrong incentive. Having cyber insurance does not mean you are exempt from having a core set of preventive security controls to protect your organization.
And cyber insurance is not always a foolproof firestop. In 2017, Merck learned that its cyber insurers didn’t want to pay out on its $1.3 billion ransomware claims, arguing that acts of war were excluded. That didn’t make the ransomware attack any less real. It just made it much more expensive.
Many victims of ransomware attacks not only lose money in cyber attacks, they also sustain reputational damage as well as ongoing legal battles to recover their losses. And as attacks continue to surge in numbers and size, insurers may tighten coverage restrictions even more, not just on what they cover, but also on what you can do to recover your data after it’s gone.
It’s the pebbles that lead to a landslide
Major breaches often start with minor incidents, like a phishing attack. Someone phishes login credentials. Then, they sell those credentials to big-time cybercriminals who can come in and do real damage. These individuals may lurk on your network for a while, watching you, learning your architecture, and figuring out which servers are the most important.
Admin users have a lot of power—and there are a lot of them. A recent Remediant study found that 480 admin users had 24x7 admin access to the average employee laptop. That kind of stat generates a lot more angst when you don’t know who’s on the other side of the screen logged in as any one of those admin users. Compromised admin credentials form a core part of the strategy that allows lateral movement in any type of advanced persistent threat (APT), not just ransomware. The perfect example is the recent SolarWinds attack. Even as the extent and impact of the data stolen in that attack are still being assessed, it’s rapidly becoming clear that the effects will be far-reaching, potentially including the Pentagon and other US intelligence agencies as well as some of the nation’s top educational institutions and largest corporations.
When the login credentials of your trusted users have been hacked, even solutions like EDR (Endpoint Detection and Response) start to offer a lot less confidence in protecting your data and stopping the spread of lateral movement in your networks. Indeed, lateral movement through the use of compromised admin credentials has emerged as a key strategy in cybercriminals’ tool chests and not just in this recent SolarWinds attack.
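The lateral-movement pattern described above (one privileged credential authenticating to many hosts in a short span) is something a defender can look for in logon telemetry. The following is an added example, not code from the original post or from Remediant: it runs a simple fan-out rule over constructed Windows-style logon records (Event ID 4624, logon type 3 for network and 10 for RDP). The field layout, account names, host names and the 3-hosts-in-10-minutes threshold are all assumptions for illustration; map them to your own SIEM schema and baseline.

```python
"""Flag privileged accounts that fan out across many hosts in a short window.

Added example (not from the original post). The log format, account and host
names, and the detection threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of successful logons (Event ID 4624), one per line.
# Fields: timestamp | account | logon_type | target_host
# Logon type 3 = network (SMB/WMI style), 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-12-17T02:01:10 | CORP\\svc_backup | 3  | FS01
2020-12-17T02:01:40 | CORP\\svc_backup | 3  | FS02
2020-12-17T02:02:05 | CORP\\svc_backup | 3  | DC01
2020-12-17T02:02:30 | CORP\\svc_backup | 3  | DC02
2020-12-17T02:03:00 | CORP\\svc_backup | 10 | FS03
2020-12-17T08:30:00 | CORP\\jdoe       | 10 | WS-JDOE
2020-12-17T09:15:00 | CORP\\jdoe       | 3  | FS01
2020-12-17T14:00:00 | CORP\\jdoe       | 3  | FS01
2020-12-17T02:05:00 | CORP\\helpdesk01 | 10 | WS-0042
2020-12-17T02:20:00 | CORP\\helpdesk01 | 10 | WS-0077
"""

# Constructed set of accounts that hold admin rights somewhere in the fleet.
PRIVILEGED = {"CORP\\svc_backup", "CORP\\helpdesk01"}


def parse_log(text):
    """Parse the pipe-separated sample format into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, logon_type, host = [f.strip() for f in line.split("|")]
        events.append((datetime.fromisoformat(ts), account, int(logon_type), host))
    events.sort()
    return events


def detect_fan_out(events, privileged, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for each privileged account that reached
    at least `min_hosts` distinct hosts within any span of length `window`."""
    by_account = defaultdict(list)
    for ts, account, logon_type, host in events:
        if account in privileged and logon_type in (3, 10):
            by_account[account].append((ts, host))

    alerts = {}
    for account, logons in by_account.items():
        # Sliding window: anchor on each logon, collect hosts reached within `window`.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_fan_out(parse_log(SAMPLE_LOG), PRIVILEGED).items():
        print(f"ALERT: {account} reached {len(hosts)} hosts in 10 min: {hosts}")
```

In the constructed sample the backup service account reaches five hosts, including both domain controllers, within two minutes, which is the kind of burst a human operator rarely produces; the helpdesk account touches two workstations fifteen minutes apart and stays under the threshold. Tuning the window and host count against your own baseline of legitimate admin activity is what keeps this rule useful rather than noisy.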
When cyber criminals hit with ransomware, they encrypt all the files on your servers and desktops and then wipe out your backups so you can’t recover your data without their help. They don’t have to hit all of your servers. They might just hit your domain controllers and file servers. By the time you learn you’ve been hit and you’re reading their ransom notes, you’re waking up to the reality that you’ve lost days or weeks of email, files, and the ability to run your business in the 21st century.
Even if you pay the ransom, there’s no guarantee you’ll get the decryption keys, that they’ll work, or that the criminals won’t label you an easy target and attack again.
Prevention - the best protection
The best protection against data theft and ransomware is basic blocking and tackling. It comes down to:
- Patching – Keep your security software up to date
- Back-ups – Perform regular, secure backups
- Access control – Limit access to what’s needed and nothing more
Ransomware and many other types of malware often enter systems when unauthorized users break into approved accounts. By implementing methodologies like Zero Trust access, you limit the damage cyber criminals can do with hijacked accounts because you limit where they can go with the access they have compromised. Zero Trust comes down to sound access control, which is one of the most efficient ways to protect against attacks.
Ransomware is today’s new disaster in the evolving DRP/BCP frameworks. It’s not going anywhere and as more companies resign themselves to paying ransoms to recover their data, this criminal industry grows, encouraged by quick profits. With emerging technologies like Ransomware as a Service (RaaS), attackers no longer need vast technical skills to set up their toolboxes. Many just buy the technology from rogue developers for a small fee and a promise to share the profits.
Savvy cyber attackers know where most organizations are vulnerable. They know how to target vulnerable users or software vulnerabilities to break in and use admin credentials to expand their reach. Many companies don’t adequately monitor or secure admin access to their laptops and are therefore easy targets. In the long run, our best offense against these attacks is a strong defense. That comes down to a control environment that embraces Zero Trust access and administration that delivers just-in-time access, not one that’s built on just-in-case administration. The best defense, as the fallout from the SolarWinds attack unfolds, is to understand the strategy that the attackers employed, why the attack worked, and controls that could have helped, as our CEO Tim Keeler detailed in his blog post yesterday.
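The difference between just-in-case and just-in-time administration is easiest to see as blast radius: how many hosts an attacker holding one stolen admin credential can reach at a given moment. The following is an added example, not code from the original post or from Remediant's product: a small access-policy model in which a grant is either standing (never expires) or just-in-time (scoped to one host, tied to a recorded reason, and expiring after a TTL). The host names, the account name, the ticket reference and the one-hour TTL are constructed assumptions.

```python
"""Blast radius of a compromised admin credential: standing vs. just-in-time.

Added example, not code from the original post or from Remediant's product.
Host names, the account name, the ticket reference and the TTL are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

HOSTS = ["DC01", "DC02", "FS01", "FS02", "WS-0042"]   # constructed fleet
ACCOUNT = "CORP\\ops_admin"                           # constructed admin account
NOW = datetime(2020, 12, 17, 2, 0)                    # fixed clock for the demo


@dataclass
class Grant:
    account: str
    host: str
    expires: Optional[datetime] = None   # None = standing right, never expires
    reason: str = ""

    def active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


@dataclass
class AccessPolicy:
    grants: List[Grant] = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, action, account, host, reason)

    def grant_standing(self, account: str, host: str) -> None:
        # Just-in-case administration: a right that is always on.
        self.grants.append(Grant(account, host))

    def grant_jit(self, account, host, reason, now, ttl=timedelta(hours=1)):
        # Just-in-time: one host, a recorded reason, and an expiry.
        self.grants.append(Grant(account, host, now + ttl, reason))
        self.audit.append((now, "grant", account, host, reason))

    def can_admin(self, account: str, host: str, now: datetime) -> bool:
        return any(g.account == account and g.host == host and g.active(now)
                   for g in self.grants)

    def blast_radius(self, account: str, now: datetime) -> List[str]:
        """Hosts that a holder of this credential could administer at `now`."""
        return sorted({g.host for g in self.grants
                       if g.account == account and g.active(now)})

    def standing_admin_counts(self) -> dict:
        """Accounts with never-expiring admin rights -> number of hosts held."""
        counts = {}
        for g in self.grants:
            if g.expires is None:
                counts[g.account] = counts.get(g.account, 0) + 1
        return counts


def build_standing_policy(account: str = ACCOUNT) -> AccessPolicy:
    """The just-in-case model: the admin account is on every host, all the time."""
    policy = AccessPolicy()
    for host in HOSTS:
        policy.grant_standing(account, host)
    return policy


def build_jit_policy(now: datetime = NOW, account: str = ACCOUNT) -> AccessPolicy:
    """The just-in-time model: one scoped, justified, expiring grant."""
    policy = AccessPolicy()
    policy.grant_jit(account, "FS01", "ticket INC-0001 (placeholder): disk cleanup", now)
    return policy


def compare(now: datetime = NOW, account: str = ACCOUNT) -> dict:
    """Blast radius of the same stolen credential under each model."""
    jit = build_jit_policy(now, account)
    return {
        "standing": build_standing_policy(account).blast_radius(account, now),
        "jit_now": jit.blast_radius(account, now),
        "jit_later": jit.blast_radius(account, now + timedelta(hours=2)),
    }


if __name__ == "__main__":
    for model, hosts in compare().items():
        print(f"{model:>9}: {len(hosts)} host(s) reachable -> {hosts}")
```

Under the standing model the stolen credential reaches all five hosts, domain controllers included, at any hour of the day; under the just-in-time model it reaches one file server during the approved hour and nothing two hours later, and the grant leaves an audit record naming the reason. The `standing_admin_counts` helper is the inventory view: run over a real fleet's local administrator group memberships, it surfaces the accounts that hold always-on rights on many machines, which are the ones to move to just-in-time grants first.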
Convenience may save time in the short-term, but the price of good intentions and wishful it-won’t-happen-to-us thinking costs much more over time. If your company may have been hit by the SolarWinds attack, Remediant can help. Contact us today and our rapid-response teams can help you quickly assess or restrict a lateral movement vector.