
The Evolution of Ransomware

8 proactive steps to help integrators find the proper solutions to secure a client's network before an unfortunate ransomware circumstance arises.

Stanley Louissaint

Ransomware…you’ve heard of it and there is a high likelihood that one of your clients has already been held hostage. As the ransomware industry matures, it has evolved from its origins. Yes indeed, I called it an industry, and for a reason. If you can secure millions of dollars in payouts and create billions in losses for businesses, you have earned the right to be called an industry.

Ransomware is no longer only about holding data hostage for a payment (or ransom). Now, ransomware groups are threatening to publicly disclose that the victim has been hacked. Even more damaging is the threat to release sensitive data to the public if the victim doesn't pay.

As an industry we have been focused on recovery of critical business systems in the event that one of our clients falls prey to a ransomware attack. What is our Recovery Point Objective (RPO)? What is our Recovery Time Objective (RTO)? What is the cost of downtime? What is the cost of recovery?

These are the questions that we have been asking to help businesses find the proper solutions to implement for recovery during an unfortunate circumstance. Armed with this information we would deploy a solution that would save our clients from having to pay any form of ransom, since we had the necessary data to get them back up and running. Up to this point in time, we weren't concerned that the data itself was being exfiltrated from the network. In our defense, we didn't have to be, because it wasn't.


As the ransomware industry has evolved, cybercriminals have had to get creative and construct a situation where, even if we still have the company's data, there is still an incentive to pay. The goal of most businesses is to have clients hand over their cash, or in this case some form of cryptocurrency payment. Enter data exfiltration during the intrusion, or in other words, double extortion.

Instead of taking a reactive approach and focusing on how we will recover in the event of a ransomware attack, we have to be proactive in preventing the attacks. As a Managed Service Provider (MSP) we wear our proactive nature as a badge of honor and even use it to differentiate ourselves from a typical break/fix shop.

Part of our value to our clients is to help them maintain a positive public persona. Through the proper protection of their computer and network systems we can help protect our clients' image via these important steps:

Security Awareness Training for End Users: I cannot stress enough how important this part of the puzzle is. End users are often our first line of defense. Educating users is highly important and will never go out of style. At a minimum you should run phishing tests or hold end-user training quarterly.

Spam Filtering: Most ransomware enters a network through a phishing campaign. Cloud-based spam filtering has evolved greatly over time. We need a solution that will block spam, phishing attempts, malware, impersonation, and ransomware. There are many layers to having a successful spam filtering solution. Look for solutions that offer features such as sandboxing and malicious link protection to help protect against zero-day threats.

Next-Generation Firewalls: Make sure your firewall has built-in antispyware, malware, and ransomware detection. It should also support application whitelisting/blacklisting and include Intrusion Detection and Prevention Systems (IDS/IPS).

Endpoint Detection and Response (EDR): These systems help you gain insight into end-user devices. During an attack these systems have the ability to isolate machines from the network to prevent the spread of ransomware.

Multi-Factor Authentication (MFA): Usernames and passwords aren't sufficient anymore. MFA is the new standard. Every e-mail account should have MFA enabled, as should any critical business system that is accessed from outside of the environment. All administrative access should have MFA turned on.

Software Patching: Vulnerabilities are found every day and having a proper patching schedule ensures that you are plugging up any holes that have been found in software.

DNS Filtering: Using third-party DNS filtering providers helps keep your users away from malicious domains that are trying to get them to enter their user credentials.

Data Loss Prevention (DLP): With DLP solutions you will be able to monitor the data that's exiting your network. This can be a game changer if you notice sensitive data leaving the environment before the extortion demand arrives.
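To make the DLP point concrete for the double-extortion scenario described above, here is an added Python example (not code from the article or from any DLP product) that runs a simple egress check over constructed flow records: it sums outbound bytes per host and destination and flags bulk transfers, transfers to destinations outside an assumed known-good baseline, and off-hours activity. The host names, destination addresses, thresholds and business-hours window are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (timestamp, source host, destination, bytes out).
# 203.0.113.10 and 198.51.100.7 play the role of known SaaS endpoints;
# 192.0.2.55 is an assumed previously unseen external host.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00,ws-finance-03,203.0.113.10,48210
2024-05-01T09:05:00,ws-finance-03,203.0.113.10,51003
2024-05-01T09:10:00,ws-hr-01,198.51.100.7,12000
2024-05-01T22:15:00,ws-finance-03,192.0.2.55,734003200
2024-05-01T22:30:00,ws-finance-03,192.0.2.55,812000000
2024-05-01T23:05:00,ws-hr-01,198.51.100.7,9000
"""
KNOWN_DESTINATIONS = {"203.0.113.10", "198.51.100.7"}  # assumed baseline
BULK_BYTES = 500 * 1024 * 1024   # assumed threshold: 500 MiB to one destination
BUSINESS_HOURS = range(8, 19)    # assumed: 08:00-18:59 is normal activity

def parse_flows(text):
    """Parse CSV-like lines into (datetime, host, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, dst, nbytes = line.split(",")
            flows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return flows

def find_exfil_candidates(flows):
    """Sum outbound bytes per (host, destination) and return suspicious pairs:
    a bulk transfer alone, or an unseen destination combined with off-hours."""
    totals, off_hours = defaultdict(int), defaultdict(bool)
    for ts, host, dst, nbytes in flows:
        totals[(host, dst)] += nbytes
        if ts.hour not in BUSINESS_HOURS:
            off_hours[(host, dst)] = True
    hits = {}
    for (host, dst), total in totals.items():
        reasons = []
        if total >= BULK_BYTES:
            reasons.append("bulk transfer")
        if dst not in KNOWN_DESTINATIONS:
            reasons.append("unseen destination")
        if off_hours[(host, dst)]:
            reasons.append("off-hours")
        if "bulk transfer" in reasons or len(reasons) >= 2:
            hits[(host, dst)] = (total, reasons)  # why the analyst should look
    return hits
```

On the sample data only the finance workstation's late-night transfer of roughly 1.5 GB to the unseen host is reported; the small off-hours traffic from the HR machine to a known endpoint is not.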

A new security model that is continuing to be developed and introduced into environments is the Zero Trust Security model. Although this method requires the most support, it is beginning to gain more ground in our industry. The framework is that by default no device or user is trusted even if they are allowed on the network.


This is a solution that, when implemented, automatically keeps users in their corner of the world. To date, networks have had implicit trust for devices and users if they were allowed on the network and/or part of the domain environment.

As you can see, security will always be a multi-layered solution. There is never a one-size-fits-all approach. Every piece that you add into your security stack serves a different purpose, but as a collective they are working towards the same goal: protecting the organization.

As cybercriminals become more sophisticated it is our duty to evolve as an industry to protect our clients. You must be proactive and not reactive to the world around you.