Ransomware

Ransomware is one of today’s most discussed types of cyber attack. Several business models around this attack type have emerged in recent years. The scheme boils down to a threat actor using malware to take control of personal or organizational assets with the aim of demanding ransom. In this way, threat actors successfully target the availability and confidentiality of the business values of many organizations around the globe. In fact, ENISA’s recent threat landscape report on ransomware attacks states that employees’ personal data was included in more than 50% of the data stolen in this kind of attack during the last year [1].

Organizations of Every Size and From all Sectors are Affected

According to ENISA, Germany ranks #2 and Switzerland ranks #7 when it comes to the countries with the highest number of registered ransomware incidents. Heavy industry, information services and government are the top three sectors targeted.

ENISA also states that organizations are often not aware of the attack path, especially how the threat actors achieved initial access to the organization. But initial access is just the start of such an attack. The Federal Office for Information Security explains which proactive and reactive measures can help organizations in every phase of the Ransomware Killchain [2]:

[Figure: Kill chain path of a ransomware attack. Ransomware Killchain (Source: Federal Office for Information Security [2])]

How can organizations protect themselves?

Keep your Asset Inventory up to Date

Organizations should implement proactive measures to strengthen their resilience. An essential element is an up-to-date and complete inventory of assets. Only then will organizations have a chance to identify affected assets and isolate them in a timely manner.

Train your Employees for Awareness

According to Verizon’s Data Breach Investigations Report (DBIR), stolen credentials and phishing emails are the top two ways ransomware finds its way into an organization. Desktop sharing software was involved in 40% of all breaches [3]. Training employees to recognize these social engineering patterns can raise the bar for threat actors significantly, not to mention locking down remote desktop and email protocols.

Harden your Assets

Ransomware infected systems via some kind of vulnerability in almost 10% of cases [3]. Often these vulnerabilities are already known and sometimes even fixed by the vendor. It is therefore crucial to keep all assets updated and patched. Remote access to assets (e.g. via VPN) should be limited to the bare minimum and specially secured (e.g. by two-factor authentication).

Keep 3-2-1 Backups

All personal data and business files should be part of a regular backup. The backup should be isolated from any network to prevent ransomware from infecting it. The 3-2-1 rule is best practice for implementing a backup strategy: keep three copies of information on two different storage media, and keep one of these media at another location.

Do not pay Ransom

If an organisation becomes the victim of a ransomware attack, it is recommended to reach out to national information security authorities or law enforcement for help. The NCSC and FOIS, as well as ENISA, strongly advise against paying ransom [4,5].

Recommendation

Check if your organization is well prepared for ransomware:

  • Is your asset inventory up to date?
  • Do all assets have the latest security updates applied?
  • Are your crown jewels backed up?
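
The three checklist questions can be run automatically against an asset inventory. The following is an added example, not part of the original article: the record fields, the 90-day staleness threshold, the sample inventory and counting the production copy as one of the three copies are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Copy:
    medium: str     # e.g. "disk", "tape"
    location: str   # site where this copy is kept
    online: bool    # reachable from the production network?

@dataclass
class Asset:
    name: str
    site: str                 # primary location of the asset
    crown_jewel: bool
    last_inventoried: date
    patched: bool             # latest security updates applied?
    copies: list = field(default_factory=list)  # includes the production copy

def check_321(asset):  # violations of the 3-2-1 rule for one asset
    c = asset.copies
    rules = [
        (len(c) < 3, "fewer than 3 copies"),
        (len({x.medium for x in c}) < 2, "fewer than 2 storage media"),
        (all(x.location == asset.site for x in c), "no copy at another location"),
        (all(x.online for x in c), "no copy isolated from the network"),
    ]
    return [msg for failed, msg in rules if failed]

def readiness(assets, today, max_age_days=90):  # 90 days: assumed threshold
    """Map each asset name to its open findings (empty list = ready)."""
    report = {}
    for a in assets:
        found = []
        if (today - a.last_inventoried).days > max_age_days:
            found.append("inventory record stale")
        if not a.patched:
            found.append("security updates missing")
        report[a.name] = found + (check_321(a) if a.crown_jewel else [])
    return report

# Constructed sample inventory (not real data)
TODAY = date(2024, 6, 1)
DISK, TAPE = Copy("disk", "hq", True), Copy("tape", "offsite", False)
INVENTORY = [
    Asset("erp-db", "hq", True, date(2024, 5, 20), True, [DISK, DISK, TAPE]),
    Asset("file-srv", "hq", True, date(2023, 11, 1), False, [DISK, DISK]),
    Asset("kiosk-01", "hq", False, date(2024, 5, 28), False),
]
print(readiness(INVENTORY, TODAY))
```
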

Need help gearing up for ransomware? Contact us for more information.

Sources