How to Defend Against the Increasing Trend of Ransomware

Lately, I've noticed increased reports of ransomware attacks, especially within the healthcare industry.


It seems that just about every week there is news of another multi-million-dollar payment to a criminal group. It's an unfortunate reality. But before we dive into the topic, I don't want to exaggerate or fall victim to the Baader-Meinhof phenomenon (the frequency illusion), which is the experience of encountering something for the first time and then noticing it again very soon after, often in several places.


It's the same phenomenon you experience when you suddenly notice everyone else driving the car you own or are considering buying. Rather than share a subjective impression, let's reference established statistics.


As of this writing, Forbes recently released ransomware statistics covering the past few years. Here are some of the figures they present:

  • Ransomware attack victims rose by 128.17% between 2022 and 2023.¹⁰
  • At any given time, 4.1 million sites are infected with malware.¹¹
  • On average, a ransomware attack costs a business $5.13 million.²
  • Ransomware accounts for 24% of malicious cyberattacks.²

Given these figures, it should be clear that ransomware attacks are becoming both more frequent and more effective. But what can we do with this information, and how do we protect ourselves and our organizations against these breaches and the financial losses that extortion causes?

Image provided by cloudally

Let's clarify what ransomware is.

Ransomware is a form of malicious software that encrypts a victim's data and demands payment for the decryption key. Most current operations also copy the data out before encrypting it and threaten to publish it (double extortion), so a good backup removes the availability problem but not the confidentiality one. In recent years, the frequency and severity of ransomware attacks have skyrocketed, causing significant disruptions to businesses, governments, and individuals worldwide.


This isn't a history lesson, but I do want to mention a few of the most notorious ransomware incidents.


WannaCry: In 2017, WannaCry infected over 200,000 computers worldwide, including hospitals, government agencies, and businesses. It was a self-propagating worm: it exploited a vulnerability in the SMBv1 implementation of Microsoft Windows (patched as MS17-010, the bug behind the EternalBlue exploit) and spread directly from machine to machine over the network without any user interaction; no email attachment vector was ever confirmed.


WannaCry caused significant data loss and disruption. The attack had a particularly severe impact on healthcare providers, disrupting medical appointments, surgeries, and access to patient records, and organizations incurred losses from downtime, data recovery, and reputational damage. The NHS in the UK, for example, estimated its losses at £92 million.


Ryuk (2019): Targeted healthcare organizations, encrypting patient records and disrupting critical systems.


Ryuk attacks had a severe impact on healthcare organizations, compromising patient data and disrupting critical healthcare operations. This put patient safety at risk and resulted in substantial financial losses for providers, as well as reputational damage as patients lost trust in their ability to protect sensitive information. The average cost to an organization affected by these attacks was $1.27 million, across roughly two thousand affected organizations.


Rather than continuing with additional examples such as Colonial Pipeline, I'd like to shift the focus toward us and what we can do to protect ourselves.


Given this information, we can see that the impact of these attacks goes beyond paying a large sum to regain access to data: there is also reputational damage, loss of public trust, compliance exposure, business disruption, and so on.

Image provided by mobisoftinfotech

Why so frequently in the healthcare industry?

Healthcare organizations provide essential services that cannot tolerate long downtimes without risking patient care. This is incredibly unfortunate because it potentially puts human life at risk, which is more valuable than any monetary figure.


Attackers exploit this urgency, knowing that these entities are more likely to pay a ransom quickly to restore access to critical systems and patient data.


In addition, many healthcare providers operate with a complex mix of old and new technologies, integrating medical devices with legacy systems. This diversity can lead to security gaps, making it harder to uniformly apply security measures and updates.


The dependence on legacy systems does not help in defending against this type of attack. Where a device cannot be patched or upgraded, however, compensating controls can still provide a greater level of assurance: put it on its own network segment, allow only the specific hosts and ports it needs to talk to, and monitor its traffic for anything else.

So what can be done?

Now that the risk has been identified, let's discuss methods for mitigating the risk. First and foremost, the number one thing that any person or organization can do to protect against ransomware is to have backups.


It may seem like an odd place to start because we aren't preventing this malware from affecting systems but rather increasing availability through redundancy.


The reality is that no matter how many precautions or controls we put in place to prevent these attacks, given enough time and a persistent adversary, an incident can and eventually will happen.


Feel free to call it pessimism; however, when we assume that the breach will occur, we can take steps to ensure that the business impact is minimized. With up-to-date backups in place, if and when it occurs, you or your organization still have access to the data needed to carry out normal business functions and ensure continuity. Two caveats matter here. First, the backups must be kept where the ransomware cannot reach them: an offline or immutable copy that a compromised account cannot delete or overwrite, because wiping reachable backups and volume shadow copies is a routine step in these attacks. Second, restores must be tested on a schedule; a backup that has never been restored is an assumption, not a control.
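The restore test described above, as an added example that is not part of the original post: at backup time a manifest of file hashes is recorded (and would be stored off-host, beside the immutable copy), and a restored copy is later checked against it. Stale manifests, missing files, files whose contents no longer match (an encrypted-in-place file shows up this way), and files the backup never contained (such as a dropped ransom note) are all reported. The recovery point objective, directory layout, and sample files are constructed for the demonstration.

```python
"""Added example (not from the original post): build a SHA-256 manifest of a
backup set, then verify a restore copy against it so that stale, missing or
silently encrypted files are caught before the backup is needed in an incident.
Paths, the RPO and the sample files are constructed for this demonstration."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

RPO_SECONDS = 24 * 3600  # assumed recovery point objective: one day


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict:
    """Record every file under root with its size and SHA-256, plus when the
    manifest was taken. Store the result off-host, next to the immutable copy."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"taken_at": time.time(), "files": files}


def verify_restore(restore_root: Path, manifest: Dict, now: Optional[float] = None) -> List[str]:
    """Compare a restored copy against the manifest. Returns human-readable
    findings; an empty list means the restore is complete, unchanged and fresh."""
    now = time.time() if now is None else now
    findings = []
    age = now - manifest["taken_at"]
    if age > RPO_SECONDS:
        findings.append(f"manifest is {age / 3600:.1f}h old, older than the RPO")
    for rel, meta in manifest["files"].items():
        p = restore_root / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != meta["sha256"]:
            findings.append(f"content mismatch: {rel}")
    # Anything the manifest never listed is suspect: ransomware drops notes
    # beside the data it encrypted, and those must not ride along in a restore.
    for p in restore_root.rglob("*"):
        rel = p.relative_to(restore_root).as_posix()
        if p.is_file() and rel not in manifest["files"]:
            findings.append(f"unexpected file in restore: {rel}")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Constructed walkthrough: a clean restore, then a restore taken after an
    attacker touched the share. Returns (findings_clean, findings_bad)."""
    work = Path(tempfile.mkdtemp())
    src, restore = work / "source", work / "restore"
    (src / "records").mkdir(parents=True)
    (src / "records" / "patient-0001.txt").write_text("constructed sample record\n")
    (src / "schedule.csv").write_text("date,room\n2024-01-01,3\n")
    manifest = build_manifest(src)
    shutil.copytree(src, restore)  # an exact copy verifies clean
    clean = verify_restore(restore, manifest)
    # Simulate the bad case: one file encrypted in place, a ransom note dropped,
    # and the check run two days after the manifest was taken.
    (restore / "schedule.csv").write_bytes(os.urandom(64))
    (restore / "README_TO_DECRYPT.txt").write_text("constructed ransom note\n")
    bad = verify_restore(restore, manifest, now=manifest["taken_at"] + 2 * RPO_SECONDS)
    shutil.rmtree(work)
    return clean, bad


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Run it as a scheduled job against a real restore into scratch storage; the findings list is what you would page on. The age check is deliberately part of the same report, since a perfect restore of week-old data is still a failed RPO.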


With backups in place, we can move on to hardening our systems and environment so that these attacks are as difficult as possible to carry out. This is where defense in depth comes in, guided by established information security frameworks such as the NIST Cybersecurity Framework (CSF) and the CIS Controls published by the Center for Internet Security.

Image provided by mobisoftinfotech

One example of a control that mitigates the risk of ransomware is network segmentation: isolating networks that hold sensitive information from less trusted or untrusted networks using firewalls, VLANs (virtual local area networks), and restrictive routing. Ransomware spreads laterally over the same protocols administrators rely on, chiefly SMB (TCP 445), RDP (TCP 3389), and WinRM, so those are the first flows to block between segments, allowing only the specific source and destination pairs that a business function needs. Used this way, segmentation is very effective at containing or limiting ransomware as it tries to traverse the network. The intent is to prevent the malware from spreading across organizational departments and functions.


Another control is patch management. Ransomware usually gains its initial foothold, or spreads once inside, through vulnerabilities that are already public and already patched; the systems it hits are commonly the ones that never received the fix.


For example, the exploit WannaCry used still works today against any host that never received the MS17-010 patch or that still has SMBv1 enabled, which in practice means unsupported versions such as Windows 8 and older, and even Windows 10 builds that have not been updated since 2017. Disabling SMBv1 outright is the cheap compensating control where patching lags. Of course, ransomware is not limited to Windows: families targeting Linux servers and virtualization hosts are now common.


In addition, other effective precautions we can take to protect against this type of attack include performing access reviews, auditing credentials, and strengthening password complexity.


To go one step further, 2FA/MFA (multi-factor authentication) significantly limits what an attacker can do with stolen credentials, which in turn makes it harder for the malware to gain a foothold from which to traverse the network. Once a user has logged in, the system trusts them, even if those credentials were phished or leaked, so strengthening the login process itself is crucial. Prioritize MFA on remote access (VPN, RDP, webmail) and on all administrative accounts, since those are the entry points and the privileges ransomware operators go after first.

Other precautions include a variety of additional controls that can be used to mitigate the risk of ransomware:


Strong Password Management:

Enforce strong password policies and utilize multi-factor authentication to prevent unauthorized access.


Software Updates:

Regularly update software and operating systems with security patches to fix vulnerabilities that ransomware can exploit.


Endpoint Protection:

Deploy endpoint security that detects behavior, not only known signatures: a process rewriting or renaming large numbers of files within seconds, dropping ransom-note files, or deleting volume shadow copies (for example via vssadmin delete shadows) should be blocked and investigated before the data is lost.


Cybersecurity Incident Response Plan:

Develop and practice a comprehensive incident response plan to quickly detect, contain, and remediate ransomware attacks.


Role-Based Access Control:

Implement role-based access control so that each account can reach only the data and systems its role requires; then a single compromised account, or ransomware running as that account, can only encrypt what that role could touch.
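The behavior-based detection described under Endpoint Protection above, as an added example that is not part of the original post: it runs over a stream of file-system and process audit events and raises one alert per process per reason for a burst of distinct files rewritten in a short window, many files renamed to the same new extension, a ransom-note-like filename being written, and a shadow-copy deletion command. The event schema, thresholds, regular expressions, and the sample events (a backup agent writing steadily, a user saving a document, and a dropper behaving like ransomware) are all constructed for this demonstration; map your EDR, Sysmon, or auditd fields onto the same shape.

```python
"""Added example (not from the original post): behaviour-based detection of
ransomware-like activity over file-system and process audit events.
Event format, thresholds, patterns and sample events are constructed."""
import re
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10      # assumed: judge each process over a 10 s sliding window
BURST_THRESHOLD = 50     # assumed: 50 distinct files touched in the window is a burst
RANSOM_NOTE = re.compile(r"(readme|how_to|recover|restore).*(decrypt|files)", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)


def _ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """events: iterable of dicts with ts, pid, image, kind ('write' | 'rename' | 'exec'),
    and path (write), src/dst (rename) or cmdline (exec). Paths use '/' separators.
    Returns a list of (pid, image, reason) alerts, at most one per reason per process."""
    alerts, seen = [], set()
    recent = defaultdict(deque)        # pid -> (ts, path) touched inside the window
    renamed_to = defaultdict(Counter)  # pid -> new extension -> count

    def raise_alert(ev, reason):
        if (ev["pid"], reason) not in seen:
            seen.add((ev["pid"], reason))
            alerts.append((ev["pid"], ev["image"], reason))

    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, kind = ev["pid"], ev["kind"]
        if kind == "exec":
            if SHADOW_DELETE.search(ev["cmdline"]):
                raise_alert(ev, "shadow copy deletion")
            continue
        path = ev["dst"] if kind == "rename" else ev["path"]
        name = path.rsplit("/", 1)[-1]
        if kind == "write" and RANSOM_NOTE.search(name):
            raise_alert(ev, "ransom-note-like filename written")
        if kind == "rename":
            new_ext = _ext(path)
            if new_ext and new_ext != _ext(ev["src"]):
                renamed_to[pid][new_ext] += 1
                if renamed_to[pid][new_ext] >= BURST_THRESHOLD:
                    raise_alert(ev, "many files renamed to one new extension")
        q = recent[pid]
        q.append((ev["ts"], path))
        while q[0][0] < ev["ts"] - WINDOW_SECONDS:   # drop events that left the window
            q.popleft()
        if len({p for _, p in q}) >= BURST_THRESHOLD:
            raise_alert(ev, "mass file modification burst")
    return alerts


def sample_events():
    """Constructed audit events: a backup agent writing one file every 3 s (never
    a burst), a user saving a document, and a dropper (pid 4242) renaming 80
    documents to .locked in 4 s, dropping a note and deleting shadow copies."""
    ev = []
    for i in range(200):
        ev.append({"ts": 1000 + 3 * i, "pid": 900, "image": "backup-agent.exe",
                   "kind": "write", "path": f"/srv/backup/set1/file{i:03d}.bak"})
    ev.append({"ts": 1020, "pid": 1310, "image": "WINWORD.EXE", "kind": "write",
               "path": "/home/alice/notes.docx"})
    for i in range(80):
        ev.append({"ts": 1100 + i * 0.05, "pid": 4242, "image": "invoice.pdf.exe",
                   "kind": "rename", "src": f"/share/records/record{i:03d}.docx",
                   "dst": f"/share/records/record{i:03d}.docx.locked"})
    ev.append({"ts": 1104.5, "pid": 4242, "image": "invoice.pdf.exe", "kind": "write",
               "path": "/share/records/README_DECRYPT_FILES.txt"})
    ev.append({"ts": 1105, "pid": 4242, "image": "invoice.pdf.exe", "kind": "exec",
               "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    return ev


if __name__ == "__main__":
    for pid, image, reason in detect(sample_events()):
        print(f"pid {pid} ({image}): {reason}")
```

The rate threshold is what separates the dropper from the backup agent: both rewrite hundreds of files, but only one does it in seconds. Tune WINDOW_SECONDS and BURST_THRESHOLD against your own backup, indexing, and antivirus processes before wiring the output to an automatic response such as killing the process or isolating the host.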


What you should notice is that these security concepts aren't new or unique. You'll come across controls, safeguards, and requirements that align with these ideas in published authority documentation, such as the HIPAA Security Rule, HITRUST CSF (Common Security Framework), CIS Controls, PCI DSS, and so on.

This is to say, by complying with industry standards, regulations, and frameworks, a large portion of these risks are addressed for us; we just have to be able to understand and translate these controls and apply them to our organization.


Outside of the precautions that we mentioned earlier, I believe that the next best thing one can do to protect against ransomware is to develop a threat model.

Example threat model from the Microsoft Threat Modeling Tool

By understanding how our assets interact, we can look at the big picture and determine where our weak points are. If we run a directory service such as Active Directory or an LDAP server, we can review its administrative configuration, such as lockout and rate limits on failed login attempts and password rotation at a defined interval. If we store sensitive information in a database such as MySQL or AWS Aurora, we can isolate the database and apply data masking, truncation, tokenization, and strong encryption. If the attacker doesn't have access to the data, they can't use the data against you.
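The tokenization and masking just mentioned, as an added example that is not part of the original post: the application database holds only a random token and a masked display form of the sensitive field, the token-to-value vault lives elsewhere with its own credentials, and re-identification is gated by role (tying this to the role-based access control item above). An attacker who dumps the application database gets nothing they can publish or sell. The record layout, role names, and sample value are constructed for the demonstration, and the in-memory dictionary stands in for a separately hosted vault.

```python
"""Added example (not from the original post): tokenize and mask a sensitive
field so the application database never holds the raw value. Record layout,
roles and the sample value are constructed; the in-memory dict stands in for
a separately hosted, separately credentialed vault."""
import secrets
from dataclasses import dataclass, field
from typing import Dict

ALLOWED_TO_DETOKENIZE = {"billing_clerk"}   # assumed role model


@dataclass
class TokenVault:
    """Maps tokens back to values. In production this runs on its own host with
    its own credentials, so a dump of the application database is useless."""
    _store: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # A random token carries no information about the value: unlike a hash,
        # it cannot be reversed offline by guessing (SSNs have only 1e9 candidates).
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Re-identification is the privileged operation, so it is the one gated by role."""
        if role not in ALLOWED_TO_DETOKENIZE:
            raise PermissionError(f"role {role!r} may not re-identify data")
        return self._store[token]


def mask(value: str, keep: int = 4) -> str:
    """Display form that keeps only the last `keep` characters (e.g. *****6789)."""
    digits = value.replace("-", "")
    return "*" * (len(digits) - keep) + digits[-keep:]


def store_patient(app_db: Dict[str, dict], vault: TokenVault, patient_id: str, ssn: str, name: str) -> None:
    """Write the row the application database actually holds: a token and a
    masked display value, never the raw identifier."""
    app_db[patient_id] = {
        "name": name,
        "ssn_token": vault.tokenize(ssn),
        "ssn_display": mask(ssn),
    }


if __name__ == "__main__":
    vault, app_db = TokenVault(), {}
    store_patient(app_db, vault, "p-001", "123-45-6789", "Constructed Patient")
    print(app_db["p-001"])   # what an attacker with a database dump would see
    print(vault.detokenize(app_db["p-001"]["ssn_token"], "billing_clerk"))
```

The design choice worth noting is that the token is random rather than a keyed hash of the value: a hash of a low-entropy identifier is reversible by brute force once the key leaks, whereas a random token is only ever reversible through the vault, which is exactly the component you keep isolated and audited.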


What I mean to say is that without knowing what and where your assets are, it is impossible to think ahead and develop a plan to defend against attackers and their plan of action.


Last but not least, perhaps one of the most important precautions we can take is user awareness and training. How do your users know what links not to click on? Or how do they know not to write their passwords on a notepad and hide them under the keyboard?


We, as people, are prone to error. Having staff who understand their roles and responsibilities and the role that they play in security and data protection through the overarching process is critical in protecting data, whether it be protected health information (PHI / ePHI), personally identifiable information (PII), cardholder data (CHD), controlled unclassified information (CUI), or anything else.


To wrap up, the increasing trend of ransomware poses a significant threat to security and GRC programs, but more importantly, to businesses and the people who depend on them. Organizations must implement comprehensive strategies that balance protection, detection, and recovery.


Strong passwords, regular backups, software updates, endpoint protection, network segmentation, incident response plans, access control, and employee training are essential for mitigating ransomware risks.

As usual, here are some additional resources that I find particularly useful, this time relating to ransomware:

Until next time, Backup. Backup. Backup.

"An ounce of prevention is worth a pound of cure."

- Benjamin Franklin

This website is published to share cybersecurity-related information, resources, and posts written and curated by Christopher Monroe.