
3 Ransomware Defense Strategies

Marisa Midler
• SEI Blog

Ransomware is evolving. Not only are there more attackers due to ransomware as a service (RaaS) threats, but ransomware attack strategies are changing with data exfiltration extortions, which I will explain in more detail later in this blog post. Backing up your data is the first action to take against ransomware. After you have established data backups, the next priority is defending against the top three ransomware attack vectors: Remote Desktop Protocol (RDP), email phishing, and software vulnerabilities. Since defense against email phishing was covered in a previous blog post, this blog post explores strategies to mitigate the other two main attack vectors, RDP attacks and software vulnerabilities, as well as how to protect against data exfiltration.

Strategy 1: Reduce Complexity and Patch

The first priority should be to reduce your organization's potential attack surface, which consists of the assets exposed to the outside world that an attacker can reach and potentially exploit. The wider your attack surface, the more opportunities attackers have to exploit it. It is in your organization's best interest to minimize your attack surface.

To start minimizing the attack surface, you should first map the network. You cannot protect resources you do not know about. Over time, undocumented assets can make their way onto your organization's network through company acquisitions, hardware upgrades, and many other operations. It is crucial to identify these assets so that you can update them. Likewise, work on removing unnecessary systems, hardware, software, and services, thereby reducing the complexity of the attack surface you must defend. RDP is the top attack vector for ransomware; if you do not need it for business operations, disable it.

Another important way to reduce attack surface is to ensure that systems have security updates applied as quickly as possible. The WannaCry ransomware attack on May 12, 2017, cost approximately $4 billion in losses and infected more than 230,000 systems in 150 countries in the span of a day. WannaCry uses the EternalBlue exploit, and Microsoft released a security update for the vulnerability used by EternalBlue on March 14, 2017. The EternalBlue exploit was publicly leaked one month after the Microsoft Security Update on April 14, 2017. Organizations had nearly two months before the attack to install MS17-010, the critical Windows update that protected systems against WannaCry.

Software updates can be inconvenient to the business, but maintaining software and operating system updates on all your systems is critical. Your organization should create a patching policy and plan for regular updates, remembering that both the operating system and third-party software can be vulnerable to exploits. Conduct updates during off-peak hours, adhere to the scheduled updates, and do not postpone patching. These updates mitigate known software vulnerabilities and can prevent ransomware variants that use existing known vulnerabilities to get a foothold on your network.

Active ransomware variants such as Sodinokibi, Maze, DoppelPaymer, and Nemty are known to utilize preexisting exploit kits such as RIG, Fallout, Spelevo, and Radio, to make their way onto the network. Most exploit kits abuse known software vulnerabilities to compromise a system. The continued success of exploit kits suggests that organizations are still not regularly patching their systems, because these kits remain successful using publicly disclosed vulnerabilities.
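The inventory-driven audit that Strategy 1 describes (find undocumented hosts, flag exposed services the business has no documented need for, and list hosts missing a mandatory update), as an added example that is not SEI code. The inventory, the documented-host list, the required-service policy and the scoring weights are all constructed for illustration; MS17-010 is the update named in this post.

```python
"""Attack-surface and patch-gap audit over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from typing import Set

@dataclass
class Asset:
    host: str
    exposed_services: Set[str]    # services reachable from outside the perimeter
    installed_updates: Set[str]   # security updates already applied

# Constructed inventory, as a network map or scan would produce it.
INVENTORY = [
    Asset("fileserver01", {"smb", "rdp"}, {"MS17-010"}),
    Asset("legacy-hr", {"rdp", "http"}, set()),
    Asset("web01", {"http", "https"}, {"MS17-010"}),
    Asset("printserver", {"smb"}, set()),
]
# Constructed policy: what the asset register documents, what the business needs, what must be patched.
DOCUMENTED_HOSTS = {"fileserver01", "web01", "printserver"}
REQUIRED_SERVICES = {"web01": {"http", "https"}, "fileserver01": {"smb"}}
MANDATORY_UPDATES = {"MS17-010"}

def undocumented_hosts(inventory=INVENTORY, documented=DOCUMENTED_HOSTS):
    """Hosts seen on the network but absent from the asset register: you cannot patch what you do not know about."""
    return sorted(a.host for a in inventory if a.host not in documented)

def unnecessary_services(asset, required=REQUIRED_SERVICES):
    """Exposed services with no documented business need; candidates to disable or block."""
    return asset.exposed_services - required.get(asset.host, set())

def missing_updates(asset, mandatory=MANDATORY_UPDATES):
    return mandatory - asset.installed_updates

def audit(inventory=INVENTORY):
    """Per-host findings, worst first. Weights are assumptions: exposed RDP and missing patches rank highest."""
    findings = []
    for a in inventory:
        extra, missing = unnecessary_services(a), missing_updates(a)
        if not extra and not missing:
            continue
        score = 2 * ("rdp" in extra) + len(extra) + 3 * len(missing)
        findings.append({"host": a.host, "disable": sorted(extra),
                         "patch": sorted(missing), "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    print("undocumented:", undocumented_hosts())
    for f in audit():
        print(f)
```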

Strategy 2: Layer Security Controls

In addition to reducing your attack surface, a layered approach to security using antivirus software, firewalls, and multi-factor authentication is also an effective defense strategy that can thwart ransomware. Antivirus software detects and blocks known exploits trying to gain a foothold on the network. Effective use of antivirus software requires regular updates to maintain its library of malware signatures and other identifying information, which it uses to detect ransomware and other threats and prevent them from being deployed on the network.

Firewalls block traffic based on structural characteristics, such as IP addresses or TCP/UDP ports. Your organization should identify and block ports for all services not required for business operations, which fortuitously further reduces your organization's attack surface. As mentioned above, RDP is the most common attack vector for ransomware; if the RDP service is not being used, block it.

Firewalls are also helpful for disrupting ransomware command and control (C2) servers. C2 communication is a critical step in ransomware's functionality. It is primarily used to store encryption keys, unique identifiers of victim machines, and the victim's exfiltrated data. Blocking this communication can sometimes stop a ransomware attack. If you are engaging in a collaborative defense strategy, you might be able to obtain threat data, such as addresses of C2 infrastructure, from your collaborators. Putting known C2 servers on firewall block lists will prevent ransomware from connecting to those servers. If possible, an allow list that restricts a host's communications to a set of authorized addresses will provide even better protection by prohibiting communications even to unknown C2 addresses.
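The block-list versus allow-list distinction above, evaluated over a few constructed outbound connection log lines, as an added example that is not SEI code. The C2 ranges, authorized destinations, addresses and log format are all constructed for illustration; the point it shows is that a destination nobody has reported yet passes a block list but is still denied by an allow list.

```python
"""Egress policy check: block list vs allow list over constructed connection logs (added example)."""
import ipaddress
import re

# Constructed threat data, as shared by collaborators: known C2 ranges (block-list mode).
KNOWN_C2 = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]
# Constructed: the only destinations this host is authorized to reach (allow-list mode).
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")

# Constructed outbound connections from one host; the third is a C2 address not yet on any list.
LOG = """\
2020-11-01T10:00:01Z 10.1.2.3 -> 192.0.2.10:443
2020-11-01T10:00:05Z 10.1.2.3 -> 203.0.113.45:443
2020-11-01T10:00:09Z 10.1.2.3 -> 198.51.100.9:8080
2020-11-01T10:00:12Z 10.1.2.3 -> 10.0.5.6:445
"""

def _matches(addr, networks):
    return any(addr in n for n in networks)

def block_list_decision(dst):
    """Deny only destinations already known as C2; everything else passes."""
    return "deny" if _matches(ipaddress.ip_address(dst), KNOWN_C2) else "allow"

def allow_list_decision(dst):
    """Deny everything not explicitly authorized, including C2 addresses nobody has reported yet."""
    return "allow" if _matches(ipaddress.ip_address(dst), AUTHORIZED) else "deny"

def evaluate(log=LOG):
    """Return (dst, block-list verdict, allow-list verdict) for each parsed log line."""
    results = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than treat it as a verdict
        dst = m.group("dst")
        results.append((dst, block_list_decision(dst), allow_list_decision(dst)))
    return results

if __name__ == "__main__":
    for dst, block, allow in evaluate():
        print(f"{dst:16} block-list={block:5} allow-list={allow}")
```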

Multi-factor authentication uses two or more credentials to authenticate a user's identity; this security control helps defend against attackers logging onto your organization's systems using stolen or weak credentials. Ransomware attackers usually target vulnerable systems or services to infect a horde of hosts in the hopes of collecting the highest financial reward through the easiest methods. Two easy methods attackers use are purchasing inexpensive RDP credentials or brute forcing credentials to get access to an organization's system. Depending on the compromised RDP account's user privileges (e.g., standard user privileges versus administrator privileges), attackers then proceed to disable security controls on the compromised system. After making the system and network as susceptible as possible, the attackers deploy the ransomware payload. RDP credentials paired with cheap ransomware kits or RaaS create an easy and economical attack strategy for attackers. Additional authentication factors, however, considerably raise the cost of using the credentials because the attackers must now compromise the additional authentication factors, as well. This complication all but negates the economic value of stolen passwords.

Strategy 3: Know Your High Value Assets and Data

So far in this post, we have discussed ways to prevent ransomware from ever getting on the network. However, how do you protect yourself if ransomware does find its way onto your network? Backups are paramount, but in today's climate when protecting against ransomware attacks, you must also protect against potential data breaches. In November 2019, criminals using the Maze ransomware exfiltrated data from security staffing firm Allied Universal and sent a ransom demand for payment or they would publish the data online. The payment deadline came and went, and the attackers followed through with the threat and published 700 MB of Allied Universal's data online.

This attacker behavior is becoming more common. Even if your company has data backups and is able to recover from and respond to a typical ransomware attack that encrypts your files, without proper data encryption measures your organization is still vulnerable to a data exfiltration attack. At this time, the only reasonable mitigation is to strongly encrypt data at rest that might, for your organization, justify paying a ransom.

The DHS Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), and FBI recommend against paying the ransom to the attackers, and it is worth noting that paying a ransom carries risks. Paying the ransom is not guaranteed to enable you to recover your data. The U.S. Treasury Department is now exploring financial penalties for organizations that facilitate ransom payments to the cybercriminals because paying ransoms encourages future ransomware attacks. Moreover, depending on the information that was stolen, your organization may incur fines because of data breach notification laws. By implementing data backups and encrypting data at rest, you can avoid these precarious situations and avoid dealing with cybercriminals if your organization is hit by a ransomware attack.

Encryption of data at rest prevents this problem. By applying strong encryption to sensitive data, the stolen data is unrecognizable and not usable. However, data encryption protects your organization's information against only the data exfiltration portion of ransomware attacks; ransomware can still encrypt your encrypted data. Also, be careful to keep decryption keys inaccessible to ransomware attackers and ensure that decrypted copies of sensitive data are not left in caches or system RAM.

Ransomware Continues to Expand and Evolve

Due to RaaS, there are now more attackers using ransomware. Data backups usually enable organizations to recover their data without paying attackers. However, data exfiltration introduces a new and concerning strategy for attackers to receive payments. Applying security controls to the main attack vectors and encrypting important data are good preventive measures in addition to the SEE preventive actions. Ultimately, however, even with these preventive measures, successful ransomware attacks should be expected.

Additional Resources

The blog post Three Places to Start in Defending Against Ransomware by Tim Shimeall covers three initial efforts to defend against ransomware that will make it more difficult for attackers and less costly to organizations.

The blog post Ransomware as a Service Threats by Marisa Midler explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a change in the ransomware business model that could lead to a significant upswing in ransomware activity.

The SEI white paper An Updated Framework of Defenses Against Ransomware by Timothy Shimeall and Timur Snoke, which is loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against ransomware as a service (RaaS) as well as direct ransomware attacks.

The SEI white paper Current Ransomware Threats by Marisa Midler, Kyle O'Meara, and Alexandra Parisi discusses ransomware, including an explanation of its design, distribution, execution, and business model.

The SEI blog post Ransomware: Best Practices for Prevention and Response by Alexander Volynkin, Angela Horneman, and Jose Morales outlines several best practices for prevention and response to a ransomware attack.

The SEI blog post Defending Against Phishing details technical controls that organizations can implement alongside a user education program to prevent successful phishing attacks.
