Trustwave Blog

How to Outplay the Ransomware Playbook | Trustwave

Written by Darren Van Booven | Jan 13, 2022

Organizations across industries are increasingly concerned about their cybersecurity posture and overall ransomware preparedness – and rightfully so – with the 64% increase in attacks from 2019 to 2020 (304 million attacks worldwide in 2020). We have also seen a 2x increase in demand for ransomware preparedness assessments and exercises.

However, one of the biggest hurdles for cybersecurity practitioners responding to ransomware is creating a response plan that covers the full life cycle of a ransomware attack. This should include the identify, protect, detect, respond and recover stages.

Security practitioners should work with the organization’s C-level executives to answer questions and develop a ransomware protection plan. Consider how ransomware is prevented and detected in addition to how your organization would respond. 

To develop a plan, organizations should ask themselves:

  • How do we contain the ransomware when an attack happens?
  • How can we identify what systems are being affected? What is our exposure?
  • Will we negotiate with the hackers? How can we respond?
  • What is our stance on the payment of ransom?
  • When would external response resources be leveraged?
  • Are there better solutions available to prevent ransomware from taking hold in the environment?

Today, ransomware attacks are more than just an adversary dropping encryption software into a system and letting it run across an environment. While cybersecurity experts have increasingly improved their ability to respond to ransomware attacks and decrypt the environment, hackers have a much more sophisticated and calculated playbook, moving from encryption to extortion. Adversaries can combine ransomware attack methods with malware tools to exfiltrate sensitive data and threaten to release the information to the public if a ransom is not paid.

Security administrators need to be prepared on multiple fronts. It’s not just about securing the endpoints but also ensuring that a strong data loss protection plan and a solid backup infrastructure are in place.

The majority of ransomware incidents occur as a result of two issues. Either the patching cadence within the organization is weak or slow, or the organization has not deployed endpoint protection solutions across all systems. Without a full implementation, machines without EDR are often the foothold hackers need to attack the system. Organizations need to make sure systems are up to date and patched with an EDR tool installed on every device. 
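The two gaps described above (slow patching and incomplete EDR deployment) are easiest to find by auditing an asset inventory rather than by guesswork. The following is an added example, not code from the original post or from Trustwave: it runs a coverage check over a small constructed inventory (the hostnames, dates and 30-day patch threshold are all assumptions for illustration) and reports hosts missing EDR, hosts whose last patch cycle is stale, and hosts that fall into both buckets, which are the machines most likely to become an attacker's foothold.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    """One row of the asset inventory (fields are an assumed schema)."""
    hostname: str
    edr_installed: bool
    last_patched: date  # date of the last successful patch cycle


# Constructed sample inventory; these are not real hosts.
TODAY = date(2022, 1, 13)
INVENTORY = [
    Asset("ws-finance-01", True, date(2022, 1, 5)),
    Asset("ws-finance-02", False, date(2022, 1, 5)),
    Asset("srv-file-01", True, date(2021, 10, 20)),
    Asset("srv-legacy-01", False, date(2021, 6, 1)),
]


def missing_edr(inventory):
    """Hosts where the endpoint protection agent is not deployed."""
    return [a.hostname for a in inventory if not a.edr_installed]


def stale_patching(inventory, today=TODAY, max_age_days=30):
    """Hosts whose last patch cycle is older than the allowed cadence."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.hostname for a in inventory if a.last_patched < cutoff]


def coverage_report(inventory, today=TODAY, max_age_days=30):
    """Summarise both gaps and the overlap between them."""
    no_edr = missing_edr(inventory)
    stale = stale_patching(inventory, today, max_age_days)
    # Hosts with no EDR and stale patches are the highest-risk footholds.
    both = sorted(set(no_edr) & set(stale))
    covered = len(inventory) - len(no_edr)
    return {
        "missing_edr": no_edr,
        "stale_patching": stale,
        "highest_risk": both,
        "edr_coverage_pct": round(100.0 * covered / len(inventory), 1),
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the inventory would come from the CMDB, the patch management system and the EDR console, and the point of the check is to reconcile them: a host known to the CMDB but unknown to the EDR console is exactly the unprotected machine the post warns about.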

Unfortunately, a lot of organizations are just not doing this holistically. Instead, organizations should run tabletop preparedness exercises to prepare for three common ransomware scenarios:

The most common is a ransomware incident resulting from a phishing attack. Organizations should reduce their risk of email-originated threats with organization-wide security awareness training. People still click on links in suspicious emails; it is human nature. However, this behavior can lead to the attacker installing a remote access tool or a pre-staged ransomware payload on a work machine. The hacker can then run automated discovery so the malware can start propagating itself and encrypting any data that is accessible. This activity can also lead to further lateral movement across the network.

The second scenario is often for organizations with separate networks—like manufacturers or medical facilities. Security practitioners should consider what happens if a system on the operational network gets compromised and the effect this might have on the entire environment. This situation then becomes a hostage scenario; the attackers are not holding data but instead taking hostage the availability of a system, which can significantly affect business operations.

The third scenario is related to the supply chain. Consider: if a key supplier or section of the supply chain has been affected, is it possible for that supplier to propagate infection into the organization’s network through the connections it has with the organization? The impact of this type of attack can be two-fold: the breach could propagate into the organization’s own network, or it could render the supplier’s systems inoperable, causing business continuity concerns.

For robust ransomware protection, organizations need to consider their overall security strategy, including data segmentation. Even with this segmentation strategy, organizations need to understand every way an attacker can breach a system across the environment. If you believe there is a risk of attack, consider how to minimize the impact of that breach across the environment. First, identify where you house critical data for everyday operations and administration. Then, segment your operational components from administrative components to prevent the spread of potential malware. Be sure also to consider the different access controls or permissions needed.

Organizations need security professionals and C-level executives on board to get ahead of ransomware attacks. Keep in mind the possible scenarios and where your environment might be vulnerable to attack and be prepared with a plan. The more prepared organizations are to detect and respond, the better.