Another week, another ransomware attack. This time an attack on JBS, the world’s largest meat processing company, whose computer networks were hacked, temporarily shutting down some operations in Australia, Canada and the US, with thousands of workers affected. The attack could lead to shortages of meat or raise prices for consumers.
Ransomware attacks can target critical infrastructure and create a national emergency. The recent Colonial Pipeline attack proved that point: it caused a weeklong shutdown of the 5,500-mile-long pipeline, leading to fuel shortages and a spike in fuel prices, disrupting flight operations at airports, and creating panic at gas stations across the entire US east coast. This cyberattack has gotten attention at the highest levels, with the White House issuing an Executive Order on improving the nation’s cybersecurity.
According to the FBI, a relatively new ransomware group called DarkSide was responsible for this attack. On deeper examination, Krebs on Security reports that DarkSide is a Russian hacking group that offers a “ransomware-as-a-service” platform, which helps vetted cybercriminals carry out ransomware attacks with a variety of toolkits and wraps in a “call service” to assist them in negotiations and payments from the victims.
Ransomware is a vicious type of malware that cybercriminals use to block access to business-critical systems by encrypting data in files, databases, or entire computer systems until the victim pays a ransom. It is a form of cyber extortion.
Some victims receive two ransom demands: one payment to stop the cybercriminals from disclosing the sensitive data they stole before encrypting it, and a second payment to obtain the decryption key so the victim can regain access to their data. This is a form of double extortion.
Why does Ransomware Matter?
The Internet Crime Complaint Center (IC3), a branch of the FBI that provides the public a trustworthy source of information on cybercriminal activity in the US, received a record 2,474 ransomware incident reports in 2020, a 60% increase over the number of attacks in 2018. Cybersecurity Ventures predicts that a business of any size will fall victim to a ransomware attack every 11 seconds, and that the estimated cost to businesses globally will be around $20 billion by 2021.
The direct cost is the ransom itself; the indirect costs include downtime, data recovery, lost revenue, the cost of improving cyber defenses, and reputational damage to the company.
Typical Ways of Launching Ransomware Attacks
Cybercriminals primarily rely on the following techniques to infect systems with ransomware.
- Front Door: Cybercriminals use Remote Desktop Protocol (RDP) to gain administrative access through the front door, either by brute force (a dictionary attack that tries many passwords) or with stolen credentials purchased on the Dark Web. Millions of computers expose an RDP service online without any protection.
- Back Door: Cybercriminals enter through the back door by gaining indirect access via phishing emails containing malicious attachments or links (URLs), which deploy malware binaries when a recipient (the victim) unknowingly clicks on them. The malware then compromises the victim’s system by encrypting all the files on the hard drive and displays a ransom note demanding payment to regain access to the files.
Protecting Against Ransomware Attacks
The following best practices focus on hardening access to the front and back doors of computer systems.
Protecting Your Front Door:
Protect access points to all network services with multifactor authentication at the front door, before an intruder can gain access to your system.
- Do not publish unprotected RDP access points on the internet. If this is necessary, make sure RDP access points are secured by multi-factor authentication (MFA).
- Use RDP Gateways. Place remote desktops behind a reverse proxy that is reached over HTTPS (port 443) and protected by TLS encryption.
- Apply MFA to access the RDP Gateway. Even the strongest password can be compromised by a brute-force attack. Multi-factor authentication adds an extra layer of security by requiring users to provide at least two forms of authentication.
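The dictionary attacks against exposed RDP described above leave a clear trace: many failed logons from one source in a short time, often across several account names. The following detector, an added example and not code from the original post or from Thales, runs over a constructed export of Windows Security log events (event 4625 = failed logon, logon type 10 = RemoteInteractive/RDP are real values; the one-line layout of the export is an assumption of this example) and flags sources that cross a failure threshold inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security log events; the field
# values (4625 = failed logon, LogonType 10 = RemoteInteractive/RDP)
# are real, the one-line layout is an assumption of this example.
SAMPLE_LOG = """\
2021-06-01T02:14:01Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2021-06-01T02:14:03Z 4625 LogonType=10 Account=admin Source=203.0.113.7
2021-06-01T02:14:04Z 4625 LogonType=10 Account=backup Source=203.0.113.7
2021-06-01T02:14:06Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2021-06-01T02:14:09Z 4625 LogonType=10 Account=sysadmin Source=203.0.113.7
2021-06-01T02:14:11Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2021-06-01T02:20:00Z 4625 LogonType=10 Account=alice Source=198.51.100.20
2021-06-01T02:25:00Z 4624 LogonType=10 Account=alice Source=198.51.100.20
2021-06-01T03:00:00Z 4625 LogonType=2 Account=bob Source=127.0.0.1
"""

LINE = re.compile(r"^(\S+) (\d+) LogonType=(\d+) Account=(\S+) Source=(\S+)$")


def detect_rdp_bruteforce(log, threshold=5, window=timedelta(minutes=5)):
    """Map each source that produced >= threshold failed RDP logons inside
    one sliding window to the failure count and the account names tried."""
    failures = defaultdict(list)  # source -> [(timestamp, account)]
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, event_id, logon_type, account, source = m.groups()
        if event_id != "4625" or logon_type != "10":
            continue  # keep failed RDP logons only; successes/local logons dropped
        failures[source].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account))

    alerts = {}
    for source, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            if end - start + 1 >= threshold:
                hit = events[start:end + 1]
                alerts[source] = {"failures": len(hit),
                                  "accounts": sorted({a for _, a in hit})}
                break  # report the first window that crosses the threshold
    return alerts
```

A single user mistyping a password a few times does not trip the threshold; one source cycling through several privileged account names within seconds does, which is the pattern MFA and an RDP Gateway are meant to make harmless.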
Protecting Your Back Door:
Protect your endpoints with the following capabilities to prevent malware from executing on your system, even after it gains access through the back door (a phishing email or a vulnerable service).
- Application Whitelisting: You can block untrusted binaries (malware) from encrypting any file by allowing the system to execute only a set of “trusted binaries” that are validated through a signature check by an agent running on the endpoint.
- Fine-grained Access Control: Allow only specific users/groups to perform specific operations (encrypt/decrypt/read/write/execute), over and above the protection provided by the discretionary access controls in the operating system. This prevents malware from using escalated super-user privileges to gain access to all files.
- Data-at-rest Encryption: Encrypting sensitive data using “trusted binaries” makes the data worthless to cybercriminals, who threaten to expose it if a ransom is not paid. This prevents double extortion.
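The three back-door controls above compose into one access decision per file operation. The following model is an added example, not code from the original post or from any Thales product: it assumes a SHA-256 allow-list standing in for the agent’s signature check, a hypothetical policy for one protected directory, and that the agent resolves the caller’s group from the OS session. The point it shows is that the decision does not depend on the account being root.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for process images. A real endpoint agent would
# verify a code signature; a SHA-256 allow-list models that check here.
TRUSTED_BACKUP_TOOL = b"constructed: image of a signed, approved backup tool"
UNTRUSTED_BINARY = b"constructed: image of an unknown binary dropped by phishing"
TRUSTED_DIGESTS = {hashlib.sha256(TRUSTED_BACKUP_TOOL).hexdigest()}

# Hypothetical fine-grained policy for one protected directory, evaluated
# independently of the operating system's discretionary permissions.
PERMITTED_OPS = {
    ("finance", "read"), ("finance", "write"),
    ("backup", "read"),  # backup may copy files but never sees plaintext
}
KEY_GROUPS = {"finance"}  # groups for which the data-at-rest key is applied


@dataclass
class Request:
    user: str       # kept for audit logging; it does not influence the decision
    group: str      # assumed to be resolved by the agent from the OS session
    binary: bytes   # image of the process making the request
    operation: str  # read | write | encrypt | decrypt


def evaluate(req: Request) -> str:
    """Return DENY, PERMIT_CIPHERTEXT or PERMIT_PLAINTEXT for one access."""
    # 1. Application whitelisting: a binary that is not on the trusted list
    #    is refused outright, whatever account it runs as, so ransomware
    #    cannot overwrite (encrypt) or read the protected files.
    if hashlib.sha256(req.binary).hexdigest() not in TRUSTED_DIGESTS:
        return "DENY"
    # 2. Fine-grained access control on (group, operation); the policy is
    #    checked even for root, so privilege escalation alone gains nothing.
    if (req.group, req.operation) not in PERMITTED_OPS:
        return "DENY"
    # 3. Data-at-rest encryption: only groups granted the key get plaintext;
    #    anyone else gets ciphertext, which is worthless if exfiltrated.
    return "PERMIT_PLAINTEXT" if req.group in KEY_GROUPS else "PERMIT_CIPHERTEXT"
```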
Ransomware Solutions from Thales
SafeNet Trusted Access (STA) offers multifactor authentication at all login entry points, protecting enterprise IT, web, and cloud-based applications from internal and external threats at the front door. STA uses policy-based conditional access, rigorous single sign-on (SSO), and universal authentication methods, which prevent breaches, simplify regulatory compliance and enable enterprises to migrate securely to the cloud.
CipherTrust Transparent Encryption is one of the most widely deployed data protection products within the CipherTrust Data Security Platform. It provides application whitelisting, fine-grained access control and data-at-rest encryption, enabling organizations to prevent ransomware attacks at the back door. It protects both structured and unstructured data with policy-based access controls for files, volumes, databases, containers and big data, wherever the data resides, on-premises and in hybrid cloud environments.