MegaplanIT

MegaplanIT

Security & Compliance

What Is Ransomware?

How You Can Protected Your Organization

Written By: Mark Repka – MegaplanIT Security Consultant LinkedIn_logo_initials 

The Dreaded Ransomware Cyber Attack

Today, there are many vectors of cyber-attack and methods to infiltrate network infrastructures. The attacks in question may have different motives behind them, as they can be malicious or for financial and market gain. Specifically, in this blog, we will address Ransomware and what occurs during an attack. Ransomware is defined as malware that limits users from accessing their systems or data while demanding payment of some form for the release of data or systems. In the traditional and most common example, ransomware encrypts user or company data. The data that is encrypted is still accessible but unviable to facilitate business function as the decryption key is unavailable. This presents businesses to decision to abandon the encrypted data or pay the ransom for the decryption key. It is possible to break the encryption used to encrypt company files, however, it is a business resource and time constraint. A common misconception about ransomware is that it mainly affects stored data, which may not be true in all cases. Malicious software or code that prevents users or administrators from accessing functions for a website, application, or service can also be defined as Ransomware if demands are apparent in the threat.

How Does Ransomware Work?

Ransomware works by infecting files or systems and locking them, to prevent use in a business-as-usual fashion. The objective of ransomware is to infect as many systems as possible before being discovered or enacting the encryption ransom plot. The purpose of ransomware is not to crash or completely render systems unusable, but to limit the access and business function of systems.

Regardless of what systems or data are locked, the ransomware will leave instructions on how to decrypt the data which is being held, hostage. Instructions may be wire transfers, bitcoin transactions, or other methods to send anonymous payments. This notification may be in the form of system pop-up windows, text files, background changes, or other notification services. Some r will also create a deadline as defined by where after the deadline the data will be erased.

Pros and Cons of Paying The Ransom

Instinctively, paying the ransom may seem to be counterintuitive, as there is no guarantee that the attacker will provide the decryption keys or release the system. However, if you analyze this from a business perspective, it would be a poor choice for the attacker not to unlock the system. The attacker or authors of the ransomware want it to be known that if a company decides to pay the ransom their data will be returned unharmed. If the opposite was true, there would be no incentive for companies to pay the ransom, and therefore, the authors of the ransomware would not turn a profit on their malicious code. This is not to state that this is how all creators of malicious code operate or think in this manner, but rather a unique perspective when it comes to the thought of paying for the data.

All data and production environment(s) have explicit value to the company. A cost-benefit analysis should be performed for the data which has been lost or locked. Ransomware authors may be demanding a higher price than what the data is worth, prompting the business decision to abandon the lost data instead of the financial loss suffered. In this circumstance, the method of a ransomware attack should be considered, the pathway it was delivered, and if it may be prevented in the future. It is ill-advised that if the origin of Ransomware is undetermined, there is little to no guarantee that the attack will not occur again.

 

What Can I Do During This Event?

 

Contact Appropriate Authorities

Governing bodies or local municipalities may have procedures that they would like businesses to take in the event of a cybersecurity attack. Knowing and following these mandates is paramount to successfully handling the event. Contacting police or federal governments may be necessary depending on the type of data or business involved with the attack, specifically if it affects protected data such as HIPAA or critical national infrastructure. The Cybersecurity and Security Agency provides a robust guide on how to handle ransomware and steps to prevent it. Furthermore, Cyber forensics may need to get involved in determining the severity of the breach, what information has been seized, and if it is pertinent to a criminal investigation.

Trigger Incident Response and Disaster Recovery

Companies As part of their information security governance, companies should have an incident response strategy and with it, methods to detect ransomware. Identification and containment of the malicious code are paramount in the preliminary stages of infection. For additional information on incident response, refer to our incident response plan blog. Actions taken during a disaster recovery should be formulaic and pre-defined before the cyber-security attack. This process should be reviewed at least annually and have approval by executive leadership as the appropriate course of action.

 

What Can I Do To Prevent This?

 

Threat Intelligence

The business of knowing your process and what is essential to protect can be the first step in determining the time and effort taken to prevent malware attacks. Organizations such as MITRE and NIST (CSF) have frameworks for such analysis. Specific procedures and methods to gain the appropriate access may be analyzed and preventative controls can be implemented to hinder the methods attackers use to gain access to business systems. Managed security service providers, security appliance vendors, or SIEM companies may sell threat intelligence as part of their package of services where industry professionals analyze current popular attack vectors and monitor business systems.

In-Depth Defense

The in-depth defense concept is a methodology where a single point of failure does not compromise an entire system. Security controls that are preventative, detective, or responsive to different system events can add layers to your cybersecurity stance and can deter attackers from compromising the system. An example of this would be implementing appropriate firewall rulesets (preventative) while at the same time, monitoring the network traffic as appropriate via an IDS/IPS system (Detective) to ensure the data being communicated is appropriate for the system. The IDS/IPS system may alert system administrators or block the suspected malicious traffic if deemed necessary (responsive).

Periodic Data backups

The customer or business data may be replicated to an offsite storage facility not directly connected to the main production system. In this case, data backups of the malware encrypted data can be recovered without the use of a decryption key, but from an off-system storage source. As with all mitigating controls, the cost and effectiveness of such a system should be considered along with Recovery Point Objective (RPO) and Recovery Time Objective (RTO) as appropriate for business processes.

Backup System or Alternative Sites

In the event of high need for availability, entire production systems may be backed up and recovered at alternative sites. This method of protection is costly, as essentially,  the business is operating two sites simultaneously (about the hot site) while having a throughput of only a single location. However, the availability of such data and business processes may rationalize the cost when dealing with service-level contracts, sensitive data, or lost revenue when handling a ransomware attack.

Security Awareness Training

Appropriate cybersecurity awareness training for business staff members is a cost-effective and reliable method to aid in preventing ransomware attacks. Physical space can be incorporated into the defense concept where methods, policies, and procedures that employees enact can avoid the infection of business systems with malware. Cybersecurity awareness training will not only aid employees in choosing appropriate passwords but can prevent them from introducing ransomware/malware into systems. A popular vector to gain access to systems is Ransomware key drops, where attackers will mail or drop malware-infected USB drives to or near the target in attempts to have an employee plug them into the system. If found, these USB drives should be returned to the cyber security department to be handled appropriately.  

Cybersecurity Insurance  

Cybersecurity insurance is a viable option to mitigate the risk when dealing with Ransomware attacks. To summarize, cybersecurity insurance is a newer concept of insurance that protects data used within a business. The level of coverage is dependent on the insurance provider and the type and amount of data needing to be protected. Cybersecurity insurance companies will base rates on business practices, backup/recovery efforts and controls, and risk posed to the data. Insurance may also come into effect when dealing with regulatory bodies and fines that may be leveraged for s disclosure. For additional information on Cyber Insurance reach out to (ISC)2 for additional details.

The Aftermath

As stated earlier in this article, Ransomware is a type of malware that inhibits? a business from accessing data or the system. Typically, the malware installed for ransomware will not be the only tool or program associated with the attack. Different types of malware will be installed alongside the ransomware software to allow the attacker other tools to survey or probe the system. IAs part of a business’s information security governance, the threat of a ransomware attack should be discussed, mitigated to acceptable levels, and approved by senior management. The reality is, Ransomware is a real and potentially destructive threat to businesses operating in today’s climate. 

 

 

MegaplanIT Ransomware Preparedness Assessment

MegaplanIT’s Ransomware Detection and Prevention Assessment Solution can help your company improve your overall security posture by increasing your entire network’s detection and prevention capabilities. Take the proactive approach to shore up cyber vulnerabilities and know the risks of a ransomware attack in a safe, simulated environment.

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Share this post

MegaplanIT's Ransomware Preparedness Assessment

How It Works

Preparing For A Ransomware Attack

What if your company could simulate a ransomware attack without the devastating consequences? MegaplanIT’s Ransomware Detection and Prevention Assessment Solution does just that. Our comprehensive approach emulates a ransomware intrusion through our Agentless Asset Discovery and Vulnerabilities Exposure process. The tool moves across your network, conducting tests that include initial exploitation proprietary payload, encryption, and data exfiltration.

Once MegaplanIT Ransomware Detection and Prevention Assessment Solution discovers critical assets on the network vulnerable to exploitation, the tool initiates a complete ransomware attack simulation. MegaplanIT’s Ransomware Detection and Prevention Assessment Solution reporting output provides a guided step-by-step remediation process that is prioritized based on the actual risk to the business. Implementing the remediation suggestions dramatically reduces the risk of a future ransomware attack.

Assessment Inclusions

What's Included?

Ransomware Readiness Assessment against up to 50 systems included

This is a service that is performed on your on prem environment

Expose vulnerable assets in your network and uncover weaknesses leveraged by disruptive ransomware strains

Understand security controls effectiveness and reduce risk with guided remediation

Industry Leading Certified Experts

Subscribe

Subscribe To Our Newsletter & Stay Up-To-Date

Cybersecurity Insurance Program

The importance of utilizing personal information and technology in business is both an opportunity and a risk. Cybersecurity insurance can help protect yourself from the liability of cyber attacks. Inquire Today!

Explore Our Blogs

Whitepaper | 10 min Read

Developing An Effective Compliance Program

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.

New Service Offering | Contact Us

Ransomware Preparedness Assessment

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems. 

ResourceGuide | 8 min Read

Cybersecurity Roadmap For 2022

Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals. 

We're Here To Help

We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services. 

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.

Ransomware Assessment Preparedness

Cybersecurity Roadmap For 2022

Developing And Maintaining An Effective Compliance Program

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? 

A Cybersecurity Roadmap details priorities and objectives to drive progress towards security goals. The roadmap follows a data-driven path based on answers to critical questions

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business