Ransomware attacks have become a significant threat for nearly every industry and organization. In the United States, government officials have identified it as one of the nation's greatest threats. In the past year, criminals have attacked schools, shipping companies, healthcare entities, and energy facilities, among others.
Ransomware attacks nearly doubled from 2020 to 2021, according to the Sophos State of Ransomware 2022 report: 66% of surveyed organizations were hit, up from 37%, a 78% year-over-year increase. Adversaries have become far more capable of running these operations at scale.
They have also become more proficient at the encryption itself: attackers succeeded in encrypting data in 65% of attacks in 2021, up from 54% in 2020. The average cost of a ransomware attack is USD 4.54 million, above the USD 4.35 million average cost of a data breach overall.
Given the impact these attacks can have on any organization, security teams must defend their systems, networks, and software deliberately. Defending against ransomware requires a comprehensive strategy that involves the entire enterprise; the measures below are the core of one.
Segment Your Network: Zero Trust
Network segmentation matters more as cloud usage grows, particularly in multi-cloud and hybrid cloud environments. Attackers typically use compromised credentials to escalate privileges and move laterally from system to system; segmentation limits how far that movement can go.
Segmentation is a core element of a Zero Trust strategy because it removes implicit trust between network zones. Organizations segment their networks according to the criticality of the systems and data in each zone and grant access based on a verified identity, human or machine. Every request for access is evaluated against the requestor's current trust status rather than its network location. This is highly effective at containing lateral movement if attackers do get in.
Keep Systems Up to Date
Ransomware continues to prey on organizations that fail to patch known vulnerabilities promptly. Multiple published reports show that attackers exploit not only recently disclosed vulnerabilities but also ones that are several years old. Legacy systems, meaning software the vendor no longer supports, receive no patches at all and leave the environment open to attack.
Backup Your Data
One of the most effective ways to recover from a ransomware attack is to have reliable backups of vital data.
Recovery depends on automating the backup process, protecting the backup data, and ensuring that it is not continuously connected to the production network. Backups should be stored offline or out of band so that attackers cannot reach them. This point is crucial: however well the backup data itself is protected, if it sits on the infected device or the same network, it will be encrypted along with everything else.
Many cloud providers keep prior versions of files, allowing you to revert to an unencrypted version, which can limit the impact of an attack. Test backups routinely by actually restoring from them, not just by checking that the backup job ran. Finally, verify that the data you are restoring is not itself contaminated, for instance already encrypted or carrying the attacker's tooling.
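As an added example (not code from the original article), here is a restore test in Go of the kind the two preceding paragraphs call for: a SHA-256 manifest is recorded when the backup is taken, and at restore time every file is checked against it. Files that have changed are further scored by byte entropy, because a file encrypted in place looks like random data while a legitimately edited document does not. The backup set, the "encrypted" file (pseudo-random bytes built from a hash chain) and the 7.5 bits-per-byte threshold are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"sort"
)

// Manifest maps a backed-up path to the SHA-256 of its contents. It is recorded at
// backup time and kept out of band, so a compromised host cannot rewrite it too.
type Manifest map[string]string

// BuildManifest hashes every file in the backup set.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, data := range files {
		sum := sha256.Sum256(data)
		m[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// entropy returns Shannon entropy in bits per byte (0 to 8). Ciphertext is
// indistinguishable from random data and sits close to 8; text sits well below.
func entropy(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / float64(len(data))
		h -= p * math.Log2(p)
	}
	return h
}

// RestoreReport is the outcome of a restore test: files missing from the restored
// set, files whose contents differ from the manifest, and the subset of those
// whose contents look encrypted.
type RestoreReport struct {
	Missing, Modified, Suspicious []string
}

// VerifyRestore compares a restored set against the manifest. A file is marked
// suspicious when its hash no longer matches and its entropy exceeds the threshold,
// the combination an encrypted-in-place file shows; a legitimate edit changes the
// hash but keeps the entropy of ordinary data.
func VerifyRestore(m Manifest, restored map[string][]byte, threshold float64) RestoreReport {
	var r RestoreReport
	for path, want := range m {
		data, ok := restored[path]
		if !ok {
			r.Missing = append(r.Missing, path)
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) == want {
			continue
		}
		r.Modified = append(r.Modified, path)
		if entropy(data) > threshold {
			r.Suspicious = append(r.Suspicious, path)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Modified)
	sort.Strings(r.Suspicious)
	return r
}

// Demo runs a restore test over a constructed backup set (sample data, not real
// files): q3.csv comes back encrypted in place (stood in for by 4 KiB of
// pseudo-random bytes), policy.txt was legitimately edited, runbook.md is gone.
func Demo() RestoreReport {
	backup := map[string][]byte{
		"finance/q3.csv": []byte("date,vendor,amount\n2023-07-01,ACME,1200.00\n2023-07-02,Globex,340.50\n"),
		"hr/policy.txt":  []byte("All staff must complete security training within 30 days of hire.\n"),
		"ops/runbook.md": []byte("# Ransomware runbook\n1. Isolate the host.\n2. Page the incident lead.\n"),
	}
	manifest := BuildManifest(backup)
	ciphertext := make([]byte, 0, 4096)
	for block := sha256.Sum256([]byte("seed")); len(ciphertext) < 4096; block = sha256.Sum256(block[:]) {
		ciphertext = append(ciphertext, block[:]...)
	}
	restored := map[string][]byte{
		"finance/q3.csv": ciphertext,
		"hr/policy.txt":  []byte("All staff must complete security training within 14 days of hire.\n"),
	}
	return VerifyRestore(manifest, restored, 7.5)
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The manifest only has value if it is stored apart from the data, ideally with the offline or out-of-band copy described above; a manifest kept next to the files can be regenerated by whoever encrypted them. The entropy score is a triage aid, not proof: compressed archives and media files are also high-entropy, so a mismatch on such a file needs a human look, and a hash mismatch alone is already reason not to restore that file without investigation.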
Develop Policies and Plans
Unfortunately, even the best precautions sometimes cannot stop a determined adversary prepared to invest the time and effort needed to disrupt a business.
Create an incident response plan so that your security staff is prepared. The plan should define roles and the communications that will go out during an incident. Naming at least one person to own the incident handling process helps coordinate response operations. Include a contact list, including any partners or vendors who must be notified. With so many moving pieces in an incident, communication is crucial.
Having recovery procedures in place lets a business resume full operations quickly, minimizing downtime, financial loss, and brand damage. Enterprises should run routine, unannounced drills of the incident response plan so that a genuine incident gets the best possible outcome.
Logging is also essential for responding effectively. Establishing a log management process, covering what is collected, where it is kept and for how long, is the first step. If an enterprise is breached, logs are needed to pinpoint the origin of the attack and to provide evidence for legal proceedings, so they must be retained somewhere the attacker cannot alter them.
Enforce Code Signing Policies
Code signing is the process of digitally signing software. The signature identifies the individual or organization that produced the code and lets anyone who installs or runs it verify that the code has not been altered since the developer signed it.
Attackers who steal a code signing certificate and its private key from a legitimate developer can release code under that trusted name, which lets them distribute malware to far more victims than unsigned code would reach.
Abuse of code signing can occur in several ways.
- Key Theft: When signing keys and certificates are poorly managed and stored, threat actors can steal the private keys of trusted signers. With those keys they can sign code as that identity, obtain further certificates in its name, and misuse them inside the network.
- Coding Mistakes: A signature attests to origin and integrity, not to the absence of flaws. If signed software contains vulnerabilities, attackers can exploit them to deploy ransomware on target devices even though the code is validly signed.
- System Compromise: If the build or signing system is compromised, code can be altered before it is signed, so a malicious payload receives a legitimate signature without the developer's knowledge. The SolarWinds attack abused code signing in exactly this way.
- Use of Revoked or Expired Certificates: If the signing tool or the party verifying a signature does not check the certificate's expiry and revocation status, a certificate that has been revoked (for example because its key was compromised) or has expired can still be used to sign malicious code that will be accepted.
A number of code signing best practices can be followed to secure the code signing process. The National Institute of Standards and Technology (NIST) has published recommendations on certificate and code signing best practices. These include:
- Secure associated private keys on HSMs (Hardware Security Modules)
- Control the code signing process
- Validate code at every stage of the DevOps pipeline
- Use dedicated systems for code signing
- Check the validity of the code signing certificates
- Establish a strong certificate lifecycle management plan
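The following Go program is an added example, not code from the original article or from Venafi's product, that puts several of the points above and in the abuse list into working form: the private key stays on a dedicated signing host that receives only a digest; the verifier validates the signer's certificate against the trusted CA at verification time, requires the code-signing extended key usage, and then checks the signature against the bytes actually on disk. It assumes a hypothetical `issueCert` helper standing in for an internal CA, the names "Example Corp Internal CA", "release-signer" and "www.example.com", and a constructed release payload; none of these come from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is what leaves the signing host: release bytes, an ASN.1 ECDSA
// signature over SHA-256(Payload), and the signer's DER-encoded certificate.
type SignedArtifact struct{ Payload, Sig, CertDER []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert stands in for an internal CA (hypothetical helper, not a real CA API).
// It makes a P-256 key and a certificate valid only inside [notBefore, notAfter];
// with a nil parent the certificate is self-signed, i.e. it is the CA itself.
func issueCert(cn string, notBefore, notAfter time.Time, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return key, must(x509.ParseCertificate(der))
}

// signDigest is the only operation the dedicated signing host exposes: it gets a
// digest, never the build tree, and the private key never leaves the host.
func signDigest(key *ecdsa.PrivateKey, digest [32]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyArtifact is the check a deploy step or installer runs before executing
// anything: the signer certificate must chain to the trusted CA, be inside its
// validity window at verification time and carry the code-signing EKU, and the
// signature must match the bytes on disk now, not the bytes at build time.
func verifyArtifact(a SignedArtifact, roots *x509.CertPool, now time.Time) error {
	cert, err := x509.ParseCertificate(a.CertDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return fmt.Errorf("signer certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected signer key type %T", cert.PublicKey)
	}
	if d := sha256.Sum256(a.Payload); !ecdsa.VerifyASN1(pub, d[:], a.Sig) {
		return fmt.Errorf("signature does not cover these bytes: artifact altered after signing")
	}
	return nil
}

// Scenarios signs a constructed release and returns the verdict for a clean
// release, one modified after signing, one checked after the signer certificate
// expired, and one signed with a stolen key whose certificate was issued for TLS
// rather than code signing. Only the first verdict is nil.
func Scenarios() (clean, tampered, expired, wrongEKU error) {
	now := time.Date(2023, 3, 1, 12, 0, 0, 0, time.UTC)
	year := 365 * 24 * time.Hour
	caKey, ca := issueCert("Example Corp Internal CA", now.Add(-time.Hour), now.Add(10*year), nil, nil, nil)
	signerKey, signer := issueCert("release-signer", now.Add(-time.Hour), now.Add(year),
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, ca, caKey)
	tlsKey, tls := issueCert("www.example.com", now.Add(-time.Hour), now.Add(year),
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	release := []byte("installer-1.2.3.bin (constructed sample payload)")
	sig := must(signDigest(signerKey, sha256.Sum256(release)))
	clean = verifyArtifact(SignedArtifact{release, sig, signer.Raw}, roots, now)
	altered := append([]byte{}, release...)
	altered[0] ^= 0xff // one byte changed after signing, e.g. on a compromised build host
	tampered = verifyArtifact(SignedArtifact{altered, sig, signer.Raw}, roots, now)
	expired = verifyArtifact(SignedArtifact{release, sig, signer.Raw}, roots, now.Add(2*year))
	tlsSig := must(signDigest(tlsKey, sha256.Sum256(release)))
	wrongEKU = verifyArtifact(SignedArtifact{release, tlsSig, tls.Raw}, roots, now)
	return
}

func main() { fmt.Println(Scenarios()) }
```

Two caveats for anyone adapting this. `Verify` in Go's `crypto/x509` does not consult CRLs or OCSP, so a revoked signer is only caught if revocation is checked separately, which is exactly the gap the "revoked or expired certificates" item above describes. And the expiry case is deliberately strict: without a trusted timestamp (an RFC 3161 countersignature recorded while the certificate was valid), the verifier has no way to tell a signature made in time from one forged after the key was stolen, so it rejects both once the certificate lapses. In production the key behind `signDigest` would live in an HSM, and the call would be a request to that device gated by an approval workflow, not a local key file.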
Venafi CodeSign Protect encrypts code signing private keys, automates approval workflows, and tracks code signing activity:
- Keep private keys safe by storing them on the Venafi platform or in HSMs, and restrict access to approved users and use cases.
- Automate certificate issuance and revocation to enforce code signing policies across development teams; software managers define code signing roles and approvers.
- Integrate into build workflows to provide fast, local code signing without modifying build scripts, offering code signing as a DevOps service.
- Keep track of all code signing certificates and signed software by inventorying development environments and visualizing all code signing projects in the enterprise.
Don’t pay the ransom
The FBI has consistently advised against paying, and there are many good reasons not to:
- Paying the ransom does not guarantee that your organization will regain access to its encrypted data.
- Organizations can face penalties from the U.S. government for paying ransomware actors who reside in or operate from countries subject to U.S. sanctions.
- Ransomware gangs profit from these ransoms. Paying funds further criminal activity.
- There is a growing number of high-profile examples of organizations that refused to pay.
Train Your Team
The Verizon 2022 Data Breach Investigations Report found that 82 percent of breaches involve a human element, such as phishing, stolen credentials, misuse, or error.
Employees should receive training when hired and periodically throughout their employment so that the information stays current and accessible.
Download the Forrester Ransomware Survival Guide for more details on a successful ransomware strategy.