Ransomware – some recent thoughts

Cybersecurity technology and information security company, Cisco Talos, recently published some interesting information on the tactics, techniques, and protocols (TTPs) used by the top 14 ransomware groups. Let’s see what we can learn from it.

Firstly, they looked at the steps in a ransomware attack, which won’t come as a surprise. The steps were:

• Gain access to the targeted entity. Different techniques can be used, but the most common is social engineering, which usually involves sending emails containing malicious files or links that will run malware on the targeted system to targeted people. The malware allows the attacker to deploy more tools and malware to reach their goals, even bypassing multifactor authentication.
• Scan Internet-facing systems for vulnerabilities or misconfigurations. Unpatched or legacy software is a particularly high risk.
• Gain persistence. If the malware is identified and removed early on, the attack has failed. So, steps need to be taken to ensure permanence. With an attack on Windows, registry keys can be modified, or the malware can be auto-started at boot time. Local, domain, and/or cloud accounts can be created. On a mainframe, multiple copies of the malware might be stored, allowing a second copy to be activated if needed.
• Network scanning to understand the infrastructure. This is where valuable data is identified. In addition, privilege levels need to be raised to administrator levels. On a mainframe, the order these two sub-steps would probably be reversed.
• Data exfiltration. The valuable data, usually personally identifiable data, eg names, address, social security numbers, bank account details, etc, is then stolen. That might be the end of the attack.
• Data encryption. Encrypting the data allows the bad actors to send a ransom to the organization that has been attacked. Unless the ransom is paid, the target organization won’t get the key to decrypt their data.

I would suggest that the attackers might also look for links to other organizations. These supply-chain attacks allow the bad actors to use one attack to get into the systems of multiple organizations.

Cisco Talos does offer some suggestions of how to mitigate the threat of ransomware. These are:

• Apply patches and updates to systems and software to reduce the risk of exploits being used to access a system.
• Implement complex and unique password policies and multifactor authentication.
• Harden the attack surface by disabling unnecessary services and features and limiting the number of public-facing Internet services as much as possible.
• Segment networks using virtual local area networks (VLANs) or similar technologies. Isolating sensitive data and systems from other networks prevents lateral movements from an attacker.
• Monitor endpoints using a security information and event management (SIEM) system, and use endpoint detection and response (EDR) or extended detection and response tools.

One of the big problems facing the IT security team is the number of people working from home. Indusface, an application security SaaS company, has suggested nine ways to protect company data for people working remotely. Here are their suggestions:

1. Provide company devices. This allows organizations to fully manage and secure the devices used to access company data. The devices should be updated and encrypted with SSL certificates. If that’s not possible, home-workers should be given everything they need to secure their own devices, eg anti-malware software.
2. Scan and penetration test applications. Pen testing protects against data breaches by simulating real-world attacks on systems and highlighting vulnerabilities including privilege escalation attacks. Where vulnerabilities are identified, appropriate defensive measures can be taken.
3. Utilize virtual private networks (VPNs) across the business. VPNs are easy to implement and protect data that could otherwise be vulnerable to attacks over an open public network.
4. Deploy a web application firewall (WAF). This will protect web applications from attacks. An AI/ML based WAF should detects anomalies and block illegitimate requests even if they are made through compromised employee credentials.
5. Employ encryption software. Encrypting sensitive files means that were someone able to steal the files, they would not be able to access the data or content. Security policies should ensure that all remote workers know how to encrypt files and when it is necessary. Routine checks should ensure the policy is being followed.
6. Strict password management. Hackers rely on weak passwords when brute forcing point of sale (PoS) terminals. Use automatic password generators to create safe and secure passwords, and ensure that passwords are unique and never duplicated across multiple accounts. For sensitive data, employees should always implement multi-factor authentication (MFA), requiring users to provide multiple methods of verifying their identity.
7. Rigorous access controls. Organizations should apply the principle of least privilege when it comes to access control, ie allowing users access to only the specific assets that they require for their work. Access to files should be revoked as soon as it is no longer necessary, such as when an employee leaves, or a person’s involvement in a project is over.
8. Provide employees with what they need. To make their jobs easier, remote workers may implement tools, systems, or habits that are not sanctioned by the company. This shadow IT could include using risky apps and tools, sending files through unsecure channels, or storing assets somewhere unprotected. Provide remote workers with all the tools they may need to do their job effectively and ensure that they are aware of all the approved platforms that they have access to.
9. Fully prepare and train remote workers. Organizations can implement security strategies, but efforts will be futile unless remote workers fully understand what the procedures are and why they are important. Training staff regularly and testing the effectiveness of the training (eg phishing email simulations) is important.

There are some useful hints and tips there. Although they are mainly PC-based ideas, accessing the Windows infrastructure may be just a short-step away from accessing an organization’s mainframe.