Ransomware prevention & response guide for businesses

Dan Carpenter
October 30, 2020
Ransomware Cyber Security

The 2020 cyber attacks on the healthcare industry are a stark reminder that ransomware can happen to anyone at any time.

Ransomware attacks are on the rise. Attackers are adapting their tactics and demanding increased payments while continuing their focus on small businesses and expanding to more lucrative prizes such as government and healthcare organizations. 

All industries should be on alert.

Organizations that are underfunded and unprepared when it comes to cybersecurity should take proactive measures immediately. 

Hopefully, you are here reading this guide as a proactive defense. We’ve included commonly needed items to start improving your security posture and your IT hygiene.

If you haven’t already, be sure to read our ultimate guide to cybersecurity.


What is ransomware?

Ransomware is a form of malware that locks critical business data with strong encryption and demands a ransom payment in exchange for restoring it. In recent cases, the attacker may also threaten to destroy your data, or release it to the public, if you do not pay by a set deadline.

How does ransomware infect a network?

The #1 reason: unaware user actions.

Most commonly, a well-meaning user unintentionally gives system access to an attacker, who then deploys ransomware. This happens when an employee falls victim to one of several common threats that can lead to a ransomware infection.

Phase 1: Attacker Gains Initial Access

During the first phase, an attacker attempts to pierce your corporate defenses and gain any level of access to your network. We commonly refer to this as an “initial foothold”.

There are two primary ways in which this occurs. 

  • A user unknowingly runs a malicious program
  • An attacker gains access to your username and password

Phase 2: Attacker Elevates Privileges and Spreads

Now that they are in, attackers have many ways to increase their access to your environment. The attacker wants to reach the highest level of permissions possible so the ransomware can be spread to your most critical systems.

Usually, a ransomware attack will not just target your production systems; it will also attempt to breach your backup system so that you have limited options for recovery.

Phase 3: Ransomware Deployment

Once ready, the attacker quickly spreads the ransomware throughout the environment while also executing other actions; for example, deleting any discovered backups.

The attack will be coordinated, swift, and disruptive.

Common threats to look out for

These are the common methods attackers use to gain that initial foothold:

Email Phishing

Email can be used to distribute a malicious program or attempt to trick you into providing your credentials. If the sender’s name or email address seems “off,” it probably is, so trust your instinct! 

Additionally, beware of emails from known addresses that seem suspicious; your coworker, vendor, or customer’s email may be compromised. If you are unsure, give them a call. At the very least, they’ll appreciate your vigilance.  

Links / URLs

Malicious links are deceiving, and they’re not just in your emails. 

They’re in social posts, articles, and ads. 

Anywhere you can add a link, there’s a possibility that an attacker could plant a malicious link for you to click.

Malvertising

Cybercriminals do their best to blend in. Malvertising is a method in which cybercriminals use the same online advertising tools that legitimate marketers use, but to serve malicious ads.

Typically the ad encourages the user to download free software that is actually malicious.

Internet Exposed Services & RDP

Remote desktop protocol (RDP) is a popular method used for connecting to a computer over a network connection. Unfortunately, it’s also a popular entryway for cybercriminals to gain access to your network.

IT Hygiene Checklist – Are you safe?

Are you proactive against ransomware? Compare how your IT environment stands up to this checklist and start making immediate improvements to your security posture.

IT Environment Hygiene Checklist

  • Multi-Factor Authentication (MFA)
    Are you using multi-factor authentication for all user accounts? Check all externally facing systems and ensure MFA is set up. Common systems include email, VPN, cloud services, or other critical applications. 

  • Strong Credentials
    Ensure your users are setting strong passwords, making it much more difficult to fall victim to password spraying attacks. In most systems, password policies can be used to require strong credentials.

  • Backups – Isolated/Offline
    Identify critical assets and data. You will want to create and store backups of these systems offline and separated from the network. This will ensure you always have an unaffected fallback.

    Remember to set scheduled backups of these assets to prevent the loss of any newer, unsaved business data.

  • Patching 
    Keep your operating systems, software, and firmware up to date. Make it a standard to apply new patches as soon as the manufacturer releases an update.

  • Least Privileged Access
    Ensure user accounts are appropriately configured and are given only the necessary access privileges.

  • Endpoint Defense
    Defense starts at the endpoint since networks no longer have traditional boundaries. The use of a modern antivirus solution is essential in protecting your environment.

    Laptops, desktops, phones, servers, and virtual environments are all considered endpoints. How well are your endpoints secured?

  • Vulnerability Scanning
    Knowing where your security is lacking is the first step to improvement. Vulnerability scanning will help identify holes in your defenses, allowing you to take action before an attacker does.

  • Review Admin Accounts
    Avoid granting authority to accounts that do not need it. Audit all your user accounts, especially those with administrative privileges, to ensure they are legitimate and do not have any unwarranted access. Keep admin accounts separate from the accounts used for day-to-day work.

  • Network Segmentation
    Isolate network segments so that appropriate security controls can be placed on communication between devices. This can be done with network firewalls or host-based firewalls; the latter are a great way to keep segmentation in effect even when a device is outside the corporate network.
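To turn the checklist above into something you can run, here is an added example (not code from the original guide) that evaluates a constructed asset inventory against several of the checklist items: MFA on externally facing systems, internet-exposed RDP, patch age, admin accounts used for day-to-day work, and isolated backups. The data structures, field names and the 30-day patch and 7-day backup thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Service:
    name: str
    internet_facing: bool
    mfa_enabled: bool
    port: int = 0               # 3389 is RDP
    last_patched: date = date(2020, 1, 1)

@dataclass
class Account:
    user: str
    is_admin: bool
    daily_use: bool             # also used for email, browsing, etc.

@dataclass
class Backup:
    target: str
    offline: bool               # isolated/disconnected from the network
    last_run: date

def audit(services, accounts, backups, today=date(2020, 10, 30), max_patch_age=30):
    """Return checklist findings; an empty list means no gaps were detected."""
    findings = []
    for s in services:
        age = (today - s.last_patched).days
        if s.internet_facing and not s.mfa_enabled:
            findings.append(f"MFA: {s.name} is externally facing without MFA")
        if s.internet_facing and s.port == 3389:
            findings.append(f"RDP: {s.name} exposes RDP to the internet")
        if age > max_patch_age:
            findings.append(f"Patching: {s.name} not patched in {age} days")
    for a in accounts:
        if a.is_admin and a.daily_use:
            findings.append(f"Admin accounts: {a.user} has admin rights on a day-to-day account")
    if not any(b.offline for b in backups):
        findings.append("Backups: no offline/isolated backup copy exists")
    for b in backups:
        if (today - b.last_run).days > 7:
            findings.append(f"Backups: {b.target} last ran {(today - b.last_run).days} days ago")
    return findings

# Constructed sample inventory (hypothetical hosts and users) for demonstration.
SAMPLE = audit(
    [Service("mail", True, False, 443, date(2020, 10, 20)),
     Service("jumphost", True, True, 3389, date(2020, 8, 1))],
    [Account("alice", True, True), Account("svc-admin", True, False)],
    [Backup("nas", False, date(2020, 10, 29))],
)
```

Run against the sample inventory, `SAMPLE` holds five findings: missing MFA on mail, exposed RDP and stale patching on the jump host, a daily-use admin account, and no offline backup.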

A ransomware attack happened. Now what?

Most likely, you’ll be dealing with career criminals looking for an easy score. These large groups are professional, well organized, well funded, and well versed in cyber operational security (OpSec). 

Ransomware attackers research how much your business can reasonably afford to pay and whether you have cybersecurity insurance coverage to defray the ransom cost.

If you decide to pay, you’ll receive a decryption key to rescue your files. Instead, you might choose to restore your information systems from backups. Depending on the size of your IT infrastructure, that could take days, weeks, or even months of lost productivity.

When ransom attacks go wrong

Ransomware as a Service (RaaS) and the abundance of exploit kits available on the dark web have introduced a new layer of disarray into an already chaotic situation. 2021’s cyber attack landscape is like the wild west, and the standard “rules” no longer apply.

Even if your organization agrees to pay the ransom, newbie hackers with eyes on a big payoff can complicate the process in many ways. Some, fearing law enforcement, get cold feet and break contact completely. 

These types often renegotiate the ransom amount or demand payment in an obscure cryptocurrency rather than the usual Bitcoin. This back-and-forth can significantly increase lost productivity.

Paying the ransom doesn’t guarantee that your files will decrypt correctly. New for 2021, many criminal syndicates offer “helpful customer service” to help with decryption efforts.

Double-extortion ransomware

Some companies choose not to pay for a decryption key if they know they can restore systems from backups quickly. Attackers employ double-extortion to increase the likelihood of getting paid. 

They download sensitive information from the victim’s systems in advance of encrypting their files—intellectual property, customer information, financials, and the like.

The threat actor can now make an additional ransom demand to prevent broadcasting sensitive data to the public. More and more often, attackers are seeking payment before agreeing to show what data they exfiltrated.

How to respond when a breach occurs

Preparation and response are key!

If you believe you are experiencing a breach, here are the six steps you need to take.

6 Stages of Incident Response

  1. Preparation
    Preparation is about not being caught unprepared by a security emergency. The more time lost to a cyber attack, the greater the loss that accrues.

    Start by establishing baseline traffic patterns for all of your technology assets. Then create an emergency communication plan to follow when an attack is suspected, and define which events must trigger an investigation.

    Build a solid blueprint for what to do when an event takes place, and make sure all employees know what part they play in the response plan.

  2. Identification
    Identification requires your designated team to gather all available data on this particular situation and then analyze it.

    Your security team then determines the entry point of the breach and how it spread, and works to pinpoint exactly which systems are infected.

    The next three steps happen in rapid succession.

  3. Containment
    Contain the threat by closing off its entry point so it cannot spread further.

  4. Eradication
    Eradicate the threat by removing it from every affected system.

  5. Recovery
    Recover all systems and return them to operation so that your business is not disrupted any longer than necessary.

  6. Lessons Learned – “The Forgotten Step”
    The final step is perhaps the most important, and, unfortunately, the most widely neglected. This leads to businesses making the same mistakes and opening themselves up to the same vulnerabilities again.

    Lessons learned is about taking a step back to document the entire process. Log every facet of the situation to be used as part of future preparation plans.

    Not every scenario can be predicted, but documenting each incident helps establish patterns, so that companies can fix systemic weaknesses and respond much more quickly next time.

Once you have gone through these steps, remain vigilant and aware of where your information is going and why you are sending it. For more tips on how to prepare for a cyber attack, read our previous post on how to handle a cyber attack.

Be proactive and protect your organization

If you want to protect your business against attacks, being proactive is a must. And, it’s not difficult to do once you have the right systems and standards in place.

We can help immediately secure your data and endpoints.

If you are missing items on the above IT hygiene checklist or have other concerns, we’re available to share our expertise.


Meet Dan Carpenter


As the President of IT Services, Dan provides excellent leadership to his team of over 170 technology professionals. He plays a large role in mentoring his team, helping individuals achieve career goals, and providing quality solutions to our customers.
