During the course of the Covid-19 pandemic, cyber attackers from every corner of the globe sought to take advantage of the chaos caused by international disruption. No one was safe, as hackers targeted governments, companies, critical infrastructure, and individuals. The UK was the second most-attacked country in the world last year when it came to ransomware, costing businesses here a total of £365 million over the course of 2020. In response, a recent report from information security giant NCC Group, showed two in three UK-based organisations are likely to increase their cybersecurity spending in 2021, despite many having been hit financially by the pandemic.
Threats remain a growing challenge, as attacks become more sophisticated every year. The SolarWinds incident highlights how cybercriminals are using multiple techniques in a single attack now too. The supply chain attack against the organisation turned it into a distribution channel for malware, that was then used to attack other companies across multiple supply chains.
From corporations to governments the message is the same. Act now before you suddenly find your devices locked and data encrypted. Here are five steps that organisations can take in 2021 to prevent and avoid ransomware attacks:
- Keep your backups current – and separate
Since our school days, we’ve been told to save our work as we go in case anything goes wrong. Organisations must regularly back up their critical data under the same principal. The frequency of how often ‘regular’ is depends on the nature of the data. In some cases, organisations might need snapshots every hour, but for other information, they may only need to back up once a day.
Data and applications that are needed to ensure the organisation can operate must take priority. You should assume that any on-network data can become compromised. Therefore, companies must separate those backups from the rest of the network, so they won’t get locked down along with other data and devices if they become infected with ransomware.
- Incorporate segmentation
I can’t emphasise this enough. Segment your networks. Segmentation divides a computer network into smaller parts and controls how traffic flows among these. Organisations can choose to stop all traffic in one part from reaching another or can limit the flow in certain parts. If one segment gets hit by ransomware, organisations can cut it off from the rest of the network to prevent it from spreading.
It’s also important to segment Active Directory (AD), making it harder for ransomware to propagate from less critical AD networks to more critical AD networks.
- Patch and harden
Planning for an attack and taking the appropriate steps to thwart attempts is essential.
Companies can approach this by first removing local admin and install rights from users. Second, make sure that no shared passwords exist between systems, whether cached or local. Implement Microsoft Local Administrator Password Solution (LAPS) and disable cached credentials. That way, the ransomware cannot utilise these credentials to access other systems and propagate around the network.
Harden systems by removing unnecessary software – such as PowerShell – from workstations and closing down ports. And finally have a solid vulnerability management program to patch vulnerabilities, such as ETERNALBLUE, to prevent the ransomware from propagating around the network.
- Prioritise testing
It’s important to test disaster recovery (DR) plans and processes regularly to make sure they hold up under a real-world attack. Organisations don’t want to discover that their backups are out of date or they can’t recover from them when they’re under attack. Testing should also include exercising of crisis management teams to deal with a cyber-attack; the Executive Leadership Team needs to be prepared too.
- Educate employees
Education, education, education. Organisations may have carried out best practice training at the beginning of the pandemic, but this needs to happen on a recurring basis. It’s not just about training – education of the workforce provides the basis for ongoing, long term cyber security.
Employees need to know how to spot and report phishing emails before they click on any suspicious links and keep abreast of the latest phishing scams. While not every strain of ransomware works this way, having knowledgeable employees as a first line of defence greatly reduces certain threats.
Recovering from a ransomware attack
The war against cyberattacks continues to get more difficult. If an organisation is hit with ransomware and they’ve taken the steps above, they only need to shut down or segment the infected devices or system, recover from backups, and get back to work. If an organisation hasn’t taken the necessary precautions, there are often only few options available to them. The first may be to give in to the hacker’s ransom request. Paying tells hackers an organisation is willing to hand over money and can put a target on them for future attacks. The other option is to recover compromised data and rebuild systems from scratch, which in some cases can take weeks.
Cyber recovery will be a whole team effort, from the leadership team down. Preparation makes all the difference to response and recovery.
Engaging with experienced partners to gain access to expert resources that can expedite a return to business as usual is advisable. Doing this before becoming a victim of ransomware is key, because the last thing an organisation needs in 2021 is to be hit by a cyberattack, and realise plans and processes are not in place to support a speedy recovery.
Chris Butler is Lead Principal Consultant, Resilience & Security, at Sungard Availability Services