Over the years, little, if anything, has changed in cyber defense against ransomware. Fast forward to the coronavirus pandemic, and ransomware is causing significant challenges for hospitals and health care providers in particular.
Researchers in a recent Microsoft study of ransomware targets repeatedly observed attackers gaining their initial network access by exploiting unpatched vulnerabilities in the target’s web infrastructure. In many of these attacks, the hackers had laid the groundwork months before the pandemic hit in earnest and were simply picking the best time to move—when their targets are most vulnerable (i.e., overwhelmed with patients requiring urgent treatment) and therefore most willing to pay.
But just because ransomware has a specific target doesn’t mean businesses and organizations in other fields and industries can let their guard down.
Responding to active attacks with your cyber defense
The Microsoft researchers strongly advise organizations to check promptly whether they have any alerts related to the recent ransomware attacks and to investigate and remediate at once. Specifically, defenders should watch for the following malicious behaviors seen in the recent attacks:
- Malicious PowerShell, Cobalt Strike, and other penetration-testing tools, which can allow attacks to blend in as benign red-team activity
- Credential theft activity (e.g., suspicious access to the Local Security Authority Subsystem Service (LSASS) process, or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials)
- Any tampering with security event logs, forensic artifacts (e.g., the USN Journal) or security agents, which attackers do to evade detection and to eliminate the chances of data recovery
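The three behaviors above map directly onto detection logic. The following is an added example, not code from the original post or from Microsoft's report: it triages a handful of constructed Windows event records (Security event 1102 for a cleared audit log, Security event 4688 for process creation, Sysmon event 10 for process access) and flags encoded PowerShell launches, non-allowlisted handles to lsass.exe, and command lines that clear event logs or delete the NTFS USN change journal. The allowlist of processes expected to touch LSASS and all sample records are assumptions constructed for the example.

```python
"""Triage of constructed Windows event records for the behaviors listed above.
Added example; not from the original post or from Microsoft's report.
Event sources used: Windows Security event 1102 (audit log cleared),
Security event 4688 (process creation) and Sysmon event 10 (process access).
All sample records below are constructed, not captured from a real host."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    channel: str    # "Security" or "Sysmon"
    event_id: int
    fields: dict    # event data as key/value pairs


# Assumed allowlist of processes expected to open handles to lsass.exe.
# Real deployments tune this to their own EDR/AV binaries.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# PowerShell launched with a Base64 payload (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

# Built-in tools that clear event logs or delete the NTFS USN change journal.
LOG_TAMPER = re.compile(
    r"(?i)(wevtutil(\.exe)?\s+(cl|clear-log)\s|fsutil(\.exe)?\s+usn\s+deletejournal)"
)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    b64 = m.group(2)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return (finding_kind, detail) pairs in event order."""
    findings = []
    for ev in events:
        f = ev.fields
        if ev.channel == "Security" and ev.event_id == 1102:
            findings.append(("log_cleared", f.get("SubjectUserName", "?")))
        elif ev.channel == "Security" and ev.event_id == 4688:
            cmd = f.get("CommandLine", "")
            image = f.get("NewProcessName", "").lower()
            if "powershell" in image and ENCODED_PS.search(cmd):
                findings.append(("encoded_powershell", decode_encoded_command(cmd) or cmd))
            if LOG_TAMPER.search(cmd):
                findings.append(("artifact_tampering", cmd))
        elif ev.channel == "Sysmon" and ev.event_id == 10:
            source = f.get("SourceImage", "").lower()
            target = f.get("TargetImage", "").lower()
            if target.endswith(r"\lsass.exe") and source not in LSASS_ALLOWLIST:
                findings.append(("lsass_access", source))
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    Event("Security", 4688, {
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}),
    Event("Sysmon", 10, {
        "SourceImage": r"C:\Users\Public\dumper.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"}),
    Event("Sysmon", 10, {
        "SourceImage": r"C:\Windows\system32\svchost.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"}),
    Event("Security", 4688, {
        "NewProcessName": r"C:\Windows\System32\fsutil.exe",
        "CommandLine": "fsutil usn deletejournal /D C:"}),
    Event("Security", 1102, {"SubjectUserName": "EXAMPLE\\admin"}),
    Event("Security", 4688, {
        "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"}),
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:20} {detail}")
```

Run against the constructed records, the triage reports four findings in order (encoded PowerShell, LSASS access from a non-allowlisted binary, USN journal deletion, and the cleared audit log) and decodes the Base64 payload so an analyst sees the plaintext rather than the blob. In production the same rules would sit in a SIEM or EDR query, and the LSASS allowlist would be derived from observed baseline behavior on the estate.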
Cyber defense for internet-facing systems
Businesses and organizations need to review the security of their internet-facing systems.
To gain access to target networks in the recent ransomware campaigns, hackers exploited internet-facing systems that were vulnerable due to the following weaknesses:
- Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multifactor authentication (MFA)
- Older platforms that have reached end of support and are therefore no longer receiving security updates (e.g., Windows Server 2003 and Windows Server 2008), further weakened by the use of weak passwords
- Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
- Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781
- Pulse Secure VPN systems affected by CVE-2019-11510
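The weakness classes above can be turned into a repeatable review of an asset inventory. The following is an added example, not code from the original post: it walks a constructed list of internet-facing assets and flags remote-access endpoints without MFA, platforms past their Microsoft end-of-support date, the two named products when the cited CVE is not recorded as patched, and sensitive services (IIS, EHR, backup, systems management) exposed directly to the internet. The inventory record layout and field names (service, os, product, mfa, patched_cves, weak_password_policy) are assumptions about how an inventory export might look.

```python
"""Review of a constructed internet-facing asset inventory against the
weakness classes listed above.  Added example; not from the original post.
Record layout and field names are assumptions about an inventory export."""
from datetime import date

# End-of-support dates for the platforms the post names (Microsoft lifecycle dates).
END_OF_SUPPORT = {
    "windows server 2003": date(2015, 7, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
}

# Products with the publicly known, widely exploited flaws the post cites.
KNOWN_CVES = {
    "citrix adc": "CVE-2019-19781",
    "pulse secure vpn": "CVE-2019-11510",
}

# Services whose direct exposure to the internet deserves review in itself.
SENSITIVE_SERVICES = {"iis", "ehr", "backup", "systems management"}

# Remote-access services that must sit behind multifactor authentication.
REMOTE_ACCESS = {"rdp", "virtual desktop"}


def review_asset(asset, today):
    """Return a list of human-readable findings for one inventory record."""
    findings = []
    svc = asset.get("service", "").lower()
    os_name = asset.get("os", "").lower()
    product = asset.get("product", "").lower()

    if svc in REMOTE_ACCESS and not asset.get("mfa", False):
        findings.append("remote access endpoint without MFA")

    eol = END_OF_SUPPORT.get(os_name)
    if eol and today > eol:
        findings.append(f"{asset['os']} out of support since {eol.isoformat()}")
        if asset.get("weak_password_policy"):
            findings.append("weak password policy on unsupported platform")

    cve = KNOWN_CVES.get(product)
    if cve and cve not in asset.get("patched_cves", ()):
        findings.append(f"{asset['product']} missing fix for {cve}")

    if svc in SENSITIVE_SERVICES:
        findings.append(f"{asset['service']} exposed directly to the internet; review configuration")
    return findings


def review_inventory(inventory, as_of=None):
    """Map host -> findings for every asset with at least one finding.

    as_of is an ISO date string used as 'today' so results are reproducible;
    it defaults to the real current date."""
    today = date.fromisoformat(as_of) if as_of else date.today()
    report = {}
    for asset in inventory:
        findings = review_asset(asset, today)
        if findings:
            report[asset["host"]] = findings
    return report


SAMPLE_INVENTORY = [  # constructed records, not a real environment
    {"host": "rdp-gw.example.test", "service": "rdp", "os": "Windows Server 2016", "mfa": False},
    {"host": "legacy-app.example.test", "service": "http", "os": "Windows Server 2008 R2",
     "weak_password_policy": True},
    {"host": "vpn.example.test", "service": "vpn", "product": "Pulse Secure VPN", "patched_cves": []},
    {"host": "adc.example.test", "service": "vpn", "product": "Citrix ADC",
     "patched_cves": ["CVE-2019-19781"]},
    {"host": "backup01.example.test", "service": "backup", "os": "Windows Server 2019"},
    {"host": "www.example.test", "service": "http", "os": "Windows Server 2019", "mfa": True},
]

if __name__ == "__main__":
    for host, findings in review_inventory(SAMPLE_INVENTORY, as_of="2020-05-01").items():
        for finding in findings:
            print(f"{host}: {finding}")
```

With the review date fixed at 2020-05-01, four of the six constructed hosts are flagged: the RDP gateway for missing MFA, the 2008 R2 host for being out of support with a weak password policy, the Pulse Secure appliance for the unpatched CVE, and the backup server for being directly exposed; the patched Citrix ADC and the plain web server pass. Reviewing the same inventory as of 2019-12-01 no longer flags the 2008 R2 host, which shows why the review has to be re-run as lifecycle dates pass.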
The need for vigilant protection practices
Most ransomware attacks in the past have been linked to poor data security practices by employees. Against ransomware, these best practices apply:
- Use an online backup utility to keep an up-to-date backup of essential files.
- Use reliable antivirus software and a firewall. Having a strong firewall in place and always running up-to-date security software is critical.
- Ensure that all systems and software are up-to-date with relevant patches. Malware is commonly spread with the use of exploit kits hosted on compromised websites.
- Regularly patch vulnerable software to help prevent infection.
- Employ content scanning and filtering on mail servers. Inbound e-mails should be scanned for known threats and any attachment types that could pose a threat should be blocked.
- Ignore the ransom demand. Payment only encourages the attackers and gives them resources to develop even more devastating attacks. Also, paying the ransom does not guarantee restored access to the files held hostage.
- Restore any impacted files from a known good backup; restoring from a backup is the fastest way to regain access to the affected data.
- Withhold personal information when replying to emails, unsolicited phone calls, text messages, or instant messages. Divulging it invites phishing attacks, in which malicious actors attempt to trick employees into installing malware, or gather intelligence for attacks by passing themselves off as IT personnel. Staff should immediately contact their IT department if they or their coworkers receive suspicious calls.
- Block any access attempt by an unknown program if the notification appears out of the blue rather than in response to something you did yourself. Ransomware typically targets files stored on the desktop, in the Documents folder, and in other common locations.
- If traveling, staff need to alert their IT department beforehand, especially if virtual communication will involve the use of public wireless Internet. A reputable Virtual Private Network (VPN) should be used when accessing public Wi-Fi.
The COVID-19 pandemic is giving cybercriminals even more vulnerable targets, but there’s no need to be one, especially not now.
Address vulnerabilities in your system with passwordless multifactor authentication to add extra layers to your defense against ransomware.
Explore TraitWare’s enterprise-class solutions for your business.