Ransomware is an active and growing threat, affecting many government agencies and private companies. Costs of a ransomware attack (including loss of capability, restoration of data, preventing further attacks, and cleaning up the damage due to the ransomware) frequently run from hundreds of thousands to millions of dollars, over and above any payment of ransom, which is not recommended and may open the organization up to sanctions. Organizations wanting to avoid this damage face a daunting issue: where to start their defense. This blog post, the second of three dealing with ransomware and defending against it, covers three initial efforts that will make it more difficult for attackers and less costly to organizations. These three efforts are organized around the acronym SEE:

• Spoil the phishing.
• Ensure effective backups.
• Encourage collaborative defense.

Many network attackers employ phishing for their initial compromise. Phishing is malicious unwanted email, typically imitating communication from a trusted partner, authority figure, or financial institution. Embedded in the email is a link to a malware hosting site, disguised as a trusted connection, or an attachment containing malware. Organizations can reduce the likelihood that their personnel will click the link or open the attachment in several ways:

• Develop and inform personnel of organizational policy regarding email communication. Include details such as when (if ever) system updates or critical binaries will be distributed by email, how to validate the source of an unexpected document or message, and how to report suspect email.
• Make the dangers of phishing apparent to personnel. Include user stories (perhaps from other organizations) of how responding to a phish leads to compromising the network. Train your employees about how to tell if a message is a phishing attempt. Provide reasonable positive consequences (e.g., verbal recognition or an award certificate) for resisting and reporting phishing, as well as reasonable corrective ones (e.g., further training or increased testing) for succumbing to phishing.
• Implement technological solutions to identify incoming phishing attempts and outgoing responses to phishing. Where possible, discourage use of outside unprotected email accounts. If possible, deploy these technological solutions to employee home computers to reduce cross-infection from unprotected systems.

By using these strategies, an organization can mitigate against a common initial compromise. These strategies will also promote awareness of attempted attacks, and thus support an increased diligence from users and network defenders.

For any data corruption or data availability threat, backups are the key line of defense, especially for dealing with ransomware. The ability to restore data that is encrypted or corrupted by ransomware is the most cost-effective and reliable path to recovery. One complication is that ransomware may not strike immediately when inserted on a target computer. Some ransomware deliberately waits, so that recent backups may be corrupted. Ransomware may also exploit backups to exfiltrate data, threatening to publish confidential data unless the ransom is paid.

The ability to restore data depends on backups that are current, present, and reliable. Current backups are those taken either continuously (via a change detection system) or often enough that significant work will not be lost. Present backups are those that are validated to contain the desired content, stored in a location that staff can reach when needed, and formatted in a way that permits rapid restoration. Reliable backups are those where part of the backup process involves actively suppressing malware before storage, where encryption is used to prevent unauthorized use (blocking the disclosure threat), and where the backup media is physically protected, which often means off-line storage of backup media against loss or damage.

These backups, then, can become a strong basis for recovery from the local effects of a ransomware attack. Dealing with the broader effects across organizations requires further efforts.

Ransomware is not just a threat to a single organization in isolation. Modern organizations have complex interdependencies with other organizations, and these interdependencies have been exploited by attackers. Vendors have been attacked and used as vectors for attacking more broadly. Subsidiaries have been attacked and used to access organizations. Peers that share information have been attacked and propagated from. Given this history, it makes sense for organizations to build proactively collaborative defenses that share warnings and observations. There are several efforts that support such collaborative defenses, including the Cyber Fraud Task Force and the National Cyber-Forensics and Training Alliance.

Building collaborative defenses is a natural outgrowth of existing operational relationships. Organizations that collaborate in other aspects need to protect those joint activities by defending them. The organizations need to agree on what can be shared (and how to protect shared information), and what reactions they expect to see from each collaborator. One factor that defeats such collaborations is the lack of equal value for each participant. The expected reactions are one means to assure such value. Commonly useful items to share are indicators of attempted compromise (checksums of attachments, wording of phishing, or other observable characteristics), any specific targeting characteristics (e.g., role of targeted individuals, falsified addresses, or connection to trade events), and insight into protective measures.

As organizations build defensive collaborations, they will also need to gain confidence in the communications between collaborators. Exchange multiple contact methods (e.g., email addresses, phone numbers, public keys for encryption or signing). Contact each other enough that relationships to the key individuals are formed. Provide for appropriately scheduled meetings where defense can be discussed in a protected environment. Consider including law enforcement in the collaboration, where permissible by policy.

As long as ransomware remains profitable for the attackers, its use against organizations will continue. While there are many possible further measures that can be taken to defend against ransomware, these three initial strategies will provide a basis for selecting and taking those measures.

Other efforts, as discussed in a prior blog post can further reduce an organization's risk. Recent SEI white papers Current Ransomware Threats and An Updated Framework of Defenses Against Ransomware provide more thorough discussion on protection against ransomware.

A future blog post will discuss how to prioritize further defenses against ransomware.

The blog post, Ransomware-as-a-Service Threats by Marisa Midler, explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a change in the ransomware business model that could lead to a significant upswing in ransomware activity.

The SEI white paper An Updated Framework of Defenses Against Ransomware by Timothy Shimeall and Timur Snoke, which is loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against Ransomware-as-a-Service (RaaS) as well as direct ransomware attacks.

The SEI white paper Current Ransomware Threats by Marisa Midler, Kyle O'Meara, and Alexandra Parisi discusses ransomware, including an explanation of its design, distribution, execution, and business model.

The SEI blog post Ransomware: Best Practices for Prevention and Response by Alexander Volynkin, Angela Horneman, and Jose Morales outlines several best practices for prevention and response to a ransomware attack.

The SEI blog post Defending Against Phishing details technical controls that organizations can implement alongside a user education program to prevent successful phishing attacks.