Summary
Over the last several years, ransomware has grown in both scale and sophistication. Newer variants are advanced enough to seek out and encrypt or delete online and network-accessible backups when they infect a network, and available decryption tools for these variants are few and far between. The roles of cyber threat actors in these incidents have expanded as well. Ransomware-as-a-Service (RaaS) is a popular option for many threat actors: developers sell or rent access to their ransomware and typically take a share of each ransom paid. In addition, some threat actors sell access to already-compromised victim networks to other threat actors. These services allow less technical and knowledgeable threat actors to conduct a ransomware attack with little effort. This not only expands the pool of threat actors capable of initiating these attacks, but also makes attribution even more difficult. Furthermore, ransomware threat actors are increasingly using a double extortion tactic to convince victims to pay ransoms. In these cases, prior to initiating the ransomware payload, the threat actors exfiltrate data off the victim network. They hold this data hostage and threaten to release it if the ransom payment is not made. This can force some victims to pay ransoms even if they have usable data backups available.
While ransomware infections cannot be prevented entirely, given how effective their delivery is - through phishing emails, exposed remote access services, or exploitation of unpatched vulnerabilities, among other infection vectors - organizations can drastically reduce their risk by implementing cybersecurity best practices and strategies. The most effective strategy for mitigating data loss from a successful ransomware attack is a comprehensive data backup process; however, backups must be stored off the network and restored from regularly to confirm they are complete and intact, because a backup that has never been tested cannot be relied upon. Organizations must also conduct regular training exercises and awareness briefings with all staff so that they understand current cyber threats and the part they play in preventing a cyber incident. The following recommendations, though not exhaustive, reduce the risk posed by ransomware infections:
Data Protection
- Schedule backups of data often and ensure they are kept offline in a separate and secure location. Consider maintaining multiple backups in different locations for redundancy. Test your backups regularly.
- If an online backup and recovery service is used, contact the provider immediately after a ransomware infection is suspected so that syncing can be paused and earlier file versions retained; otherwise the service may overwrite good versions with the newly encrypted copies, or age them out of its retention window before the infection is noticed.
- Encrypt network data - particularly any sensitive and/or protected data - at rest and in transit. Encryption does not stop a threat actor who holds a compromised user's credentials from copying the data that user can read, but it limits what can be read or published from files, backups, and traffic the actor cannot decrypt, and it reduces the leverage of the double extortion tactic described above.
System Management
- Ensure anti-virus software is up-to-date with the latest definitions and schedule scans as often as permitted.
- Enable automated patching for operating systems, software, plugins, and web browsers.
- Follow the Principle of Least Privilege for all user accounts, and enable User Account Control (UAC) so that any attempt to run with administrative rights prompts for consent or credentials rather than elevating silently. Day-to-day users should not work from accounts with local administrator rights.
- Implement application whitelisting to prevent unauthorized or malicious software from executing.
- Turn off unused wireless connections.
- Disable macros on Microsoft Office software.
- Use ad blocking extensions in browsers to prevent “drive-by” infections from ads containing malicious code.
- Consider disabling the vssadmin.exe tool by renaming it (take ownership of the file from TrustedInstaller and grant Administrators modify rights first) so that ransomware cannot use it to delete Volume Shadow Copies. This removes only one method: many variants delete shadow copies through WMI (wmic shadowcopy delete), PowerShell (the Win32_ShadowCopy class), or diskshadow instead, so shadow copies must never be treated as a substitute for offline backups.
- Disable Windows Script Host (wscript.exe and cscript.exe) where it is not required. Rather than disabling Windows PowerShell outright, which breaks management tooling and cannot be done cleanly on current Windows versions, restrict it to administrators with Constrained Language Mode or application control rules, remove the legacy PowerShell 2.0 engine, and enable script block and module logging so that any use is recorded.
- Disable Remote Desktop Protocol (RDP), Telnet, and SSH on systems and servers where they are not needed in your environment, and block inbound traffic to the associated ports (TCP 3389, 23, and 22) at both the perimeter and the host firewall.
- If remote access is needed, place it behind a VPN or remote access gateway rather than exposing it directly to the Internet, audit access regularly, require strong and unique credentials, and implement a 2FA solution so that a stolen password alone does not grant access.
- Use web and email protection to block access to malicious websites and to scan all emails, attachments, and downloads, and configure email servers to block emails carrying executable or script attachments such as .exe, .vbs, .scr, .js, .jse, .wsf, .hta, and .ps1, including when they arrive inside archives.
- Use Software Restriction Policies in the Group Policy Editor to prevent executables from running in %AppData%, %LocalAppData%, %Temp%, and the Recycle Bin, including executables unpacked from archives (.zip, .rar) into those locations. CryptoPrevent is a free tool that automates creating these rules. Software Restriction Policies are deprecated in current Windows releases, so where possible implement the same path rules with AppLocker or Windows Defender Application Control, and run them in audit mode first: some legitimate software (per-user installers and update agents) runs from these locations and will need explicit allow rules.
- Implement a behavior blocker to prevent ransomware from executing or making any unauthorized changes to systems or files.
- Consider utilizing a free or commercially available anti-ransomware tool from an established security vendor.
- To counteract ransomware variants that overwrite the Master Boot Record (MBR) and encrypt the Master File Table (MFT), Cisco Talos has released a Windows disk filter driver called MBRFilter, available on GitHub. Like every control in this list, it must be installed before an infection occurs.
- For macOS (Mac OS X) users, consider installing the free RansomWhere? tool from Objective-See, which watches for processes rapidly creating encrypted files and suspends them. Information about the tool and the download are available on the Objective-See website.
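The System Management items above name registry and Group Policy settings without showing them. The following PowerShell script is an added example, not part of the original NJCCIC guidance, that applies three of them on one host: it disables Windows Script Host, blocks Office macros, and creates AppLocker path rules equivalent to the CryptoPrevent/Group Policy rules for %AppData%, %LocalAppData%, %Temp% and the Recycle Bin. It assumes Office 2016 or Microsoft 365 (registry branch 16.0) and a Windows edition that enforces AppLocker (Enterprise, Education, or Server); the rule names and the policy file name are arbitrary choices for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not NJCCIC or Microsoft code). Run in an elevated PowerShell session.
# Assumptions: Office registry branch 16.0; AppLocker-capable edition; names below are arbitrary.
$ErrorActionPreference = 'Stop'

# 1. Disable Windows Script Host (wscript.exe / cscript.exe) for all users on this host.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
Set-ItemProperty -Path $wsh -Name 'Enabled' -Type DWord -Value 0

# 2. Office macros. VBAWarnings 4 = "Disable all without notification";
#    blockcontentexecutionfromInternet 1 = block macros in files that carry the
#    Mark-of-the-Web (downloaded or e-mailed). HKCU affects the current user only;
#    push the same values through Group Policy for the whole fleet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfromInternet' -Type DWord -Value 1
}

# 3. AppLocker path rules. AppLocker has no %APPDATA%/%TEMP% variables, so the
#    profile paths are spelled out under %OSDRIVE%; %LOCALAPPDATA%\Temp is covered
#    by the AppData\Local rule. Deny rules always win over allow rules, and the
#    default-style allow rules are included so the policy does not block everything
#    else once a rule collection exists.
function New-DenyPathRuleXml {
    param([string]$Name, [string]$Path)
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="Added example deny rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$denyRules = @(
    New-DenyPathRuleXml -Name 'Deny EXE in AppData\Roaming' -Path '%OSDRIVE%\Users\*\AppData\Roaming\*'
    New-DenyPathRuleXml -Name 'Deny EXE in AppData\Local'   -Path '%OSDRIVE%\Users\*\AppData\Local\*'
    New-DenyPathRuleXml -Name 'Deny EXE in Recycle Bin'     -Path '%OSDRIVE%\$Recycle.Bin\*'
) -join "`n"

# EnforcementMode starts as AuditOnly: review the audit events, add allow rules for
# legitimate software found running from these paths, then change it to "Enabled".
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$denyRules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'ransomware-applocker-policy.xml'   # arbitrary file name
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge    # merge into, not replace, the local policy

# AppLocker only enforces while the Application Identity service runs. On Windows 10
# 1809 and later its start type is protected, so sc.exe is used instead of Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# What the policy is doing: 8003 = audit hit (would have been blocked), 8004 = blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

Expect audit hits from software that installs per user (chat clients, sync agents, browser updaters) in the AppData\Local path; add publisher-based allow rules for those before switching the collection to Enabled, otherwise the deny rule will break them for every user on the host.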
Network Management
- Ensure your firewall is enabled and properly configured.
- Close and monitor unused ports.
- Require multi-factor authentication (MFA) for all user accounts, particularly those with elevated privileges.
- Disable SMBv1 on every system on the network and block it at the firewall; it is the protocol version abused by worm-style ransomware to spread between hosts.
- Block inbound traffic to TCP ports 139 and 445 (SMB) and UDP ports 137 and 138 (NetBIOS name and datagram services), except from hosts that legitimately need file-sharing access to the system.
- Monitor for unusual/suspicious outbound data transfers that could indicate the exfiltration of data that may precede a ransomware infection.
- Consider blocking traffic to and from known Tor nodes, which ransomware commonly uses for command-and-control and payment sites; several public lists of active Tor nodes are refreshed as often as every 30 minutes. This does not affect variants that communicate over ordinary HTTPS, so it complements rather than replaces outbound monitoring.
- Establish a baseline of normal network activity (typical outbound volumes per host, normal destinations and hours) before any incident, so that anomalies and malicious activity are easier to recognize during and after an infection.
- Keep network log files for a full year in the event a ransomware or other network intrusion incident leads to a criminal investigation.
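Worked example for the SMBv1 and port-blocking items above. This PowerShell script is an added example, not part of the original NJCCIC guidance: it removes SMBv1, turns off NetBIOS over TCP/IP, and adds host-firewall block rules for TCP 139/445 and UDP 137/138 on a Windows 10/11 workstation. The rule display name is an arbitrary choice. It assumes the host does not serve files; on file servers and domain controllers the block rules must be scoped with -RemoteAddress to the subnets that legitimately connect, or they will cut off every client.

```powershell
#Requires -RunAsAdministrator
# Added example (not NJCCIC or Microsoft code). Run elevated on a Windows 10/11 workstation;
# on Windows Server replace the SMB1Protocol feature step with: Uninstall-WindowsFeature -Name FS-SMB1
# Assumption: this host does not need to accept SMB connections. Rule name below is arbitrary.
$ErrorActionPreference = 'Stop'

function Test-Smb1Enabled {
    # $true if the SMB server still offers SMBv1 or the SMB1 component is still installed.
    $serverOffersSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
    return [bool]($serverOffersSmb1 -or $feature.State -eq 'Enabled')
}

# 1. SMBv1: stop offering it immediately, then remove the component (finishes on restart).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# 2. NetBIOS over TCP/IP: option 2 = disabled, on every IP-enabled adapter, so the host
#    neither listens on nor advertises itself over UDP 137/138 and TCP 139.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $_ | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
    }

# 3. Host firewall: block inbound SMB (TCP 445), NetBIOS session (TCP 139) and NetBIOS
#    name/datagram (UDP 137/138) on all profiles. Earlier copies of the rules are removed
#    first so the script can be re-run safely.
$ruleName = 'Ransomware mitigation: block inbound SMB and NetBIOS'
Get-NetFirewallRule -DisplayName "$ruleName*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName "$ruleName (TCP)" -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 139, 445 -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$ruleName (UDP)" -Direction Inbound -Action Block `
    -Protocol UDP -LocalPort 137, 138 -Profile Any | Out-Null

# 4. Verify the result.
if (Test-Smb1Enabled) { Write-Warning 'SMBv1 components remain until the pending restart completes.' }
Get-NetFirewallRule -DisplayName "$ruleName*" |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Host-level rules do not replace blocking these ports at the network perimeter, but they also stop lateral movement between workstations on the same subnet, which a perimeter rule never sees.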
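The outbound-monitoring and baseline items above describe a check without showing how it is made. The following PowerShell function is an added example, not part of the original NJCCIC guidance, that reads outbound-traffic log lines, sums bytes per internal host, and flags any host that sends more than a multiple of its pre-incident baseline (or more than a fixed threshold if it has no baseline). The log format, the baseline figures, and the sample log lines are all constructed for this example; map the regular expression to the fields your firewall or NetFlow export actually produces.

```powershell
# Added example (not NJCCIC code). Log format, baseline values and log lines are constructed.

# Pre-incident baseline: typical daily outbound bytes per host (constructed values).
$baseline = @{
    '10.0.1.15' = 200MB
    '10.0.1.22' = 150MB
    '10.0.2.40' = 5GB     # backup server that legitimately replicates offsite every night
}

# Constructed log lines in the form: timestamp src dst dst_port bytes_out
$logLines = @'
2024-05-01T22:01:10Z 10.0.1.15 203.0.113.8 443 1200000000
2024-05-01T22:03:41Z 10.0.1.15 203.0.113.8 443 1500000000
2024-05-01T22:04:02Z 10.0.1.22 198.51.100.23 443 300000000
2024-05-01T22:05:00Z 10.0.2.40 192.0.2.77 22 2000000000
2024-05-01T22:07:30Z 10.0.1.15 203.0.113.8 443 900000000
2024-05-01T23:10:00Z 10.0.1.99 192.0.2.5 443 50000000
'@ -split "`r?`n"

function Find-OutboundAnomaly {
    param(
        [string[]]$Lines,
        [hashtable]$Baseline,
        [double]$Multiplier = 3.0,              # flag when total > Multiplier x baseline
        [long]$UnknownHostThreshold = 100MB     # flag hosts with no baseline above this
    )
    $pattern = '^(?<ts>\S+)\s+(?<src>\d+\.\d+\.\d+\.\d+)\s+(?<dst>\d+\.\d+\.\d+\.\d+)\s+(?<port>\d+)\s+(?<bytes>\d+)$'
    $perHost = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }          # skip blank or malformed lines
        $src = $Matches['src']
        $perHost[$src] = [long]$perHost[$src] + [long]$Matches['bytes']
    }
    foreach ($src in $perHost.Keys) {
        $total = $perHost[$src]
        if ($Baseline.ContainsKey($src)) {
            $limit  = [long]($Baseline[$src] * $Multiplier)
            $reason = "exceeds ${Multiplier}x baseline"
        } else {
            $limit  = $UnknownHostThreshold
            $reason = 'host has no baseline'
        }
        if ($total -gt $limit) {
            [pscustomobject]@{ Source = $src; OutboundBytes = $total; Limit = $limit; Reason = $reason }
        }
    }
}

Find-OutboundAnomaly -Lines $logLines -Baseline $baseline | Format-Table -AutoSize
```

With the constructed input only 10.0.1.15 is reported (3.6 GB against a 200 MB baseline): the backup server's 2 GB is within its own baseline, and the unknown host's 50 MB is under the fixed threshold. The same totals without a baseline would have produced either a false positive on the backup server or a missed detection on the workstation, which is why the baseline must be captured before an incident.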
Mobile Device Management
- For Apple iOS devices: ensure data is backed up to iCloud and that two-factor authentication is enabled on the Apple ID, only download media and apps from the official iTunes and App Stores, and avoid "jailbreaking" the device.
- For Android devices: disable the “unknown sources” option in the Android security settings menu, only install apps from the official Google Play store, and avoid "rooting" the device.
Additional Guidance
Limit the Impact of a Ransomware Infection:
- All employees should be instructed to immediately unplug the Ethernet network cable or disable Wi-Fi on the system if they suspect a ransomware infection has initiated. This will prevent the ransomware from spreading to other devices on the network or infecting backups that are stored on the network or in a cloud environment. Do not reconnect until the computer or device has been thoroughly scanned and cleaned.
- Alternatively, instruct employees to power off the system or unplug the power cord. This stops the encryption process and may limit data loss, although it destroys volatile memory (which can hold the encryption key or other evidence) and so inhibits complete forensic analysis; where it can be done just as quickly, disconnecting from the network is the better first step.
- Employees should notify the appropriate information security contact within your organization as quickly as possible.
- Organizations should have established cyber disaster recovery and business continuity plans in place that have been tested/exercised. These plans can help to limit the impact of a ransomware infection as the relevant parties are aware of their roles in the recovery process.
Recovery After a Ransomware Infection:
- Are there complete backups for the affected data or system that predate the infection (to avoid restoring an infected instance)? If so, restore from backups and take steps to prevent future infections.
- If not, is there a publicly available decryption tool or remediation method? Refer to the NJCCIC’s Ransomware Threat Profile for a comprehensive list of ransomware variants and those with known decryption tools.
- If no decryption tool is available, the only remaining options are to accept the loss or pay the ransom. The NJCCIC discourages paying ransoms of any kind, as this perpetuates the crime and does not guarantee recovery of data.
- After removing the malware or restoring the machine, change all system, network, and online account passwords, since threat actors typically harvest credentials before deploying the ransomware, and implement the mitigation recommendations provided in this document.
Reporting
We encourage recipients who discover signs of malicious cyber activity to contact us via the NJCCIC cyber incident report form.