Is there anything that you can do to reduce the threat of a ransomware attack? And what should you do in case you're the victim of one? These were some of the questions that were answered by a group of cybersecurity experts who spoke about the topic of ransomware during a Reddit AMA. The discussion was organised by the California-based Institute of Security and Technology (IST), a non-profit organisation, and included Jen Ellis and Bob Rudis of the cybersecurity firm Rapid7, Marc Rogers of the IT services firm Okta, James Shank, of the computer security company, Team Cymru, and Allan Liska of the cybersecurity firm, Recorded Future .
Over the last year, ransomware attacks around the world surged by 150 percent according to a study by Singapore-based security firm Group-IB. Ransomware attacks occur when hackers use an extortion software to lock your system and then demand a ransom for its release. Such attacks have seen an exponential rise, with the ransomware breach at the Florida IT firm Kaseya during the first week of July being the last major one. This single attack affected up to 1,500 businesses worldwide.
Prior to the attack on Kaseya , a Russia-based group's ransomware attack forced the shutdown of Colonial Pipeline, the largest oil pipeline in the eastern United States. The attack crippled fuel delivery for several days in the US Southeast. This incident was followed by another on the world's largest meatpacker JBS SA. This string of attacks has prompted the US Department of Justice to elevate investigations of ransomware attacks to a similar priority as terrorism.
As the ransomware threats keep mounting, IST, a non-profit organisation, recently hosted an Ask Me Anything (AMA) session on Reddit where users could raise any questions related to ransomware and cybercrime, and what people can do to make themselves or their organisations a little safer.
What can you do to protect yourself or your business?
One of the things that we need to understand first is how ransomware infects a computer. “It really depends on the type of ransomware,” explained Rogers, of Okta. “In most cases it is a malicious application that takes control of your system before spreading laterally into any and all connected systems. Sometimes it can be an actual person that takes over your account and uses it to pivot into other systems to take them over also. Ultimately it ends with the same couple of things - your data gets stolen and an application, a locker, encrypts what's left behind and makes the demand for payment.”
“Most ransomware attackers don't need advanced tooling to accomplish their goals. The Pipeline was ransomed because of plain credential use on a VPN. Not exactly rocket science,” Rudis, of Rapid7, added.
Actually protecting yourself or your company can be challenging because of both high-tech ways to beat security — and the very strong chance that as humans, we all make mistakes, as Rudis pointed out. Liska, of Recorded Future, suggested employing multi-factor authentication, patching, endpoint protection and monitoring, scanning of remote infrastructure, and threat hunting for attackers. Rudis pointed out that there are many safe configurations for workstations and servers that organisations either do not know about or have been reluctant to deploy.
“Just shoring up configurations on Active Directory and SMB (Server Message Block) servers alone can do wonders to help thwart attackers from being able to move laterally and encrypt or lock-out at scale,'' he said.
Liska also added that there isn't a single software solution that will solve the problem of ransomware or other types of attacks. “Tackling such threats requires a holistic approach to security. Not just software, but the right policies, people, and protocols in place to quickly identify and stop threats (are needed),” he said. Rudis added to the opinion saying, “There is no path to purchasing your way into ransomware defense.”
What should a regular person do?
But while many of these suggestions seem geared towards large organisations, individuals are also often targeted. In fact, a recent report by Daniel Benes, malware researcher at Avast, showed that gamers are increasingly being targeted by ransomware attackers. What should people do in this situation?
Shank suggested three basic things anyone could do to ensure greater safety for themselves, and also for the companies they're working for:
1. Use strong passwords that are unique to each site/ service that you visit.
2. Keep good backups, and consider using more than one backup device where both devices are never plugged in at the same time.
3. Be vigilant! If something strikes you as odd, alert your corporate security team. Did you click a link and think it might be bad? Report it. Most ransomware actors take time to inventory networks after the initial compromise, so there may be time to still protect your network and your device. Time is of the essence here though.
Can we put an end to the ransomware attacks?
The AMA also discussed the likelihood of a state or a rogue group taking down a critical infrastructure for a long period, thus severely disrupting life. Ellis, of Rapid7, said that such a scenario doesn't feel far-fetched at all. “We've already seen infrastructure be a target in several countries, and this is only likely to increase without intervention. Even when the attacker offers up the keys as they did with the attack on the Irish healthcare authority (HSE), it can take a long time to get operations fully back up and running. HSE is saying they think full recovery will cost them $600 million (roughly Rs. 4,480 crores),” Ellis said.
The cybersecurity experts are also a part of the Ransomware Task Force Report by IST on combating ransomware. The report gives a comprehensive framework for actions that can be taken to fight ransomware and makes recommendations of steps that can be enforced by governments, institutions, and organisations.
The major recommendations include suggestions to the governments to establish Cyber Response and Recovery Funds to support ransomware response and other cybersecurity activities, mandating that organisations report ransom payments, and increased regulation of the cryptocurrency sector. Coordinated, international diplomatic, and law enforcement efforts are also encouraged to proactively prioritise ransomware through a comprehensive, resourced strategy.