April 29, 2022
Ransomware attacks are one of the most difficult of all the cyber security attacks to recover from.
Organizations hit by ransomware suffer loss of critical data, financial damage, reputational damage, prolonged downtime, potential legal damage, and more. Ransomware is also increasingly popular amongst cybercriminals who find it not only extremely profitable, but also easy to launch thanks to the growth of ransomware-as-a-service.
This popularity amongst cybercriminals, coupled with the devastation it can cause, creates a lethal cyber security threat to organizations that are unprepared for a ransomware attack. PurpleSec reports that “ransomware costs businesses more than $75 billion per year”.
Conclusion? Ransomware protection for your organization is more urgent than ever, so that is where we start.
With the rapid evolution of ransomware and its immense disruptive power, organizations need cybersecurity warriors who have the cyber security skills and ability to triage and rapidly respond to a ransomware attack to prevent its spread, and who can use their knowledge of attacker behaviors to get and stay ahead of the attack. These are the professionals who also know how to work with shadow copies, file backups, and other tools to restore data without paying the ransom, giving executives valuable time and information to determine their course of action.
Canary files can help defend against the more sophisticated and stealthier forms of ransomware that are designed to encrypt as many files as possible before detection. Like the canary in the coal mine that served as an early warning of toxic gases, canary files help detect and identify a ransomware infection as early as possible and rapidly inform users that their network has been infiltrated. To ransomware, canary files look like files it would want to encrypt; in reality they hold nothing of value to the business. They exist for the sole purpose of providing quick notice of a ransomware infection, a honeypot of sorts. Anti-malware software watches the canary files for any change (modified contents, renamed or deleted files), which indicates a high chance of infection. Because monitoring a small number of canary files is much faster than monitoring the entire operating system and every file on it, canary files speed up detection and facilitate early threat notifications.
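The following is an added example, not code from the original post: a minimal canary-file monitor in Python that implements the check described above. It plants a few decoy documents with known contents, records their SHA-256 digests, and on each check reports any canary that was modified in place, went missing (deleted or renamed, for example to a new extension), became unreadable, or any unexpected new file that appeared in the canary directory. The decoy file names, the filler contents and the alert format are assumptions; a real deployment would feed the alerts into the anti-malware or SIEM pipeline and place canaries in directories an encryptor walks first.

```python
"""Canary-file monitor (added example, not from the original post).

Plants decoy files, records their digests, and reports tampering.
Decoy names, contents and the (path, reason) alert format are assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy names chosen to look like ordinary business documents (assumption).
CANARY_NAMES = ("Q1_budget_final.xlsx", "passwords_backup.docx", "payroll_2022.pdf")


def _digest(path: Path) -> str:
    """SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(directory, names=CANARY_NAMES):
    """Create decoy files and return a manifest of their expected digests.

    Contents are constructed filler: they only need to look like data
    worth encrypting, not be valuable.
    """
    base = Path(directory)
    base.mkdir(parents=True, exist_ok=True)
    manifest = {"dir": str(base), "files": {}}
    for i, name in enumerate(names):
        p = base / name
        p.write_bytes((f"CANARY-{i}-" * 512).encode())  # constructed filler
        manifest["files"][str(p)] = _digest(p)
    return manifest


def check_canaries(manifest):
    """Compare the directory against the manifest; return sorted alerts.

    Each alert is (path, reason):
      'missing'         canary deleted or renamed (e.g. to a new extension)
      'modified'        contents changed, what an in-place encryptor produces
      'unreadable'      file present but cannot be read (permissions/locking)
      'unexpected_file' a new file appeared beside the canaries
    """
    alerts = []
    expected = manifest["files"]
    for path_str, digest in expected.items():
        p = Path(path_str)
        if not p.exists():
            alerts.append((path_str, "missing"))
            continue
        try:
            current = _digest(p)
        except OSError:
            alerts.append((path_str, "unreadable"))
            continue
        if current != digest:
            alerts.append((path_str, "modified"))
    # Encryptors often write a new copy (or a ransom note) next to originals.
    for entry in Path(manifest["dir"]).iterdir():
        if str(entry) not in expected:
            alerts.append((str(entry), "unexpected_file"))
    return sorted(alerts)


def run_self_test():
    """Plant canaries, verify a clean check, then simulate tampering.

    Returns (clean_alerts, tampered_reasons). The simulation overwrites one
    canary with random bytes and renames another, the two visible effects
    of an encryptor, without doing any real encryption.
    """
    with tempfile.TemporaryDirectory() as tmp:
        manifest = plant_canaries(tmp)
        clean = check_canaries(manifest)
        files = list(manifest["files"])
        Path(files[0]).write_bytes(os.urandom(4096))      # in-place overwrite
        Path(files[1]).rename(files[1] + ".locked")       # rename to new extension
        tampered = check_canaries(manifest)
        return clean, [reason for _, reason in tampered]


if __name__ == "__main__":
    print(run_self_test())
```

`check_canaries` is cheap enough to run every few seconds from a scheduled task or a filesystem-watcher callback; because only a handful of files are hashed, the cost does not grow with the size of the file server, which is the point the post makes about speed of detection.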
Bringing these resources together to share knowledge would create an almost high-definition picture of cyber threats in real time. We have seen this happening in some countries, for example the United Kingdom's National Cyber Security Centre CiSP, but this is only a start. More initiatives are needed worldwide to help both sides build trust and become more willing to co-operate in the future.
The importance of backups cannot be overstated. Ideally, companies and organizations should create several backups a day, so that they have several restore points. At least one of those backups should be offsite, offline, or on an air-gapped network so that, in case of an incident, cybercriminals cannot access and destroy all of the data.
Macro-based malware can manipulate or delete files on hard drives or download malware from the Internet. To prevent this, macro execution should be disabled entirely for organizations that have no need for macros and restricted for organizations that do need them. To restrict macro execution, only approved files in trusted locations should be allowed to be executed and only specific applications should be allowed to execute them.
Organizations must adopt a zero-trust architecture. A zero-trust architecture requires organizations to authenticate and authorize all users and devices, whether inside or outside of the organization’s network, before they are granted access. In addition, a zero-trust environment requires that user and device privileges and attributes be continuously monitored and validated. The zero-trust approach essentially turns the traditional “trust but verify” policy on its head.
Rather than “trust, but verify”, zero trust holds that no user or device is trusted by default; all of them must be monitored and verified repeatedly. – “One of the most effective ways to prevent ransomware attacks is through the adoption of zero-trust architecture, the modern alternative to perimeter-based security.”
Strong passwords are crucial, but no longer enough. Today, businesses need a more advanced credentials defense. Enter biometric authentication, which relies on unique biological characteristics of users to identify and verify that they are who they say they are. Examples of biometric authentication include fingerprints, voice or speaker identification, and iris recognition. Biometrics do not typically change over time and are not transferable (excluding the deranged individuals who would amputate someone’s appendage in order to access biometrically protected devices or networks). In other words, biometric authentication provides irrefutable proof that you are you.
Companies can no longer treat cybersecurity as an afterthought. Cybersecurity pros need to be invited to the table for all the business talks, not just the technology discussions. These are the cyber generals who will not only quickly respond and implement the best practices listed above, but who can also understand which data was ransomed, determine the extent of the attack, estimate how long the network will be down, and provide the complete picture, all in real time, so that the executive team can make decisions that protect their organization’s integrity and are aligned with its purpose.
Next week we’ll be chatting about the adoption of Artificial Intelligence techniques and automated cyber-activities, from malicious software to advanced and active threat vectors.