Best Practices in Targeted Ransomware Attacks
Against the backdrop of increasing attacks, here’s how to prepare with a bold response playbook and ransomware jump kit
Soon after Symantec released its July 2019 white paper documenting a 400% increase in targeted ransomware attacks over the past two-and-a-half years, a colleague came to me with a tough question about prevention. Apart from following basic security protocols like updating software and installing the file-based ransomware barriers listed in the report, she asked, “Can companies avoid being targeted in the first place?”
Sadly, my answer was unequivocal: “No. We haven’t cracked the criminals’ minds and so can’t predict what motivates emergent ransomware gangs such as GoGalocker and MegaCortex to target one organization over another. But, considering the current ransomware attack rate of 50 enterprises a month, plenty of corporate teams could be better prepared.”
At the most basic level, every enterprise IT team should have a prepackaged jump kit with everything they need to restore their data and get their applications working again—the critical ransomware recovery functions. This jump kit must include the credentials the team will need during recovery, because the systems that normally hold them may themselves be encrypted by the ransomware. The team should also invest time in testing their restore procedures. The only defense against ransomware is having a correct backup and restore procedure in place. Period.
Most organizations have trouble prioritizing preparation for a doomsday scenario, but as an emergency incident responder I’ve seen companies suffer horrible losses because their teams lacked a formal, actionable incident response plan with a ransomware playbook. Time and again, when confronting a cyber security crisis, business managers clash with IT professionals, and everybody wastes valuable time debating and seeking approvals for remediation steps that could have been authorized in advance. Meanwhile, as Symantec has seen in several recent incidents, the attackers have used stolen credentials to disable security software, mapped the organization’s entire network, and used batch files to spread ransomware across multiple computers. By that point, only proper advanced monitoring and alerting could possibly detect the ransomware before it begins its encryption routine, and in my experience with ransomware attacks that kind of detection is incredibly rare.
While there are certainly no fail-safe solutions for ransomware, or most things in life, I offer three experience-based suggestions:
1. Formalize a ransomware response playbook, which is supported by the higher-level incident response plan.
The most forward-thinking ransomware playbook ideas shift decision-making power from top-level executives to the IT team and/or the system/data/application owners. Although corporate leaders will be naturally reluctant to accept this suggestion (and mightily resistant to putting it in writing), when ransomware begins propagating across a company’s network, it’s imperative that the IT leader have instant authority to take immediate remedial action—by default. As illustrated above, unless the IT leader has independent agency in quarantining and disabling affected assets, the company will lose ground and the attack will spread. Charge the same technical leader with the responsibility for communicating to the business leaders and stakeholders a timeline of actions that includes what happened, why and how the team responded, and the anticipated impacts.
Our ransomware white paper should also be required reading for anyone serious about formalizing response protocols. It offers more than a dozen ransomware mitigation measures (including the use of Symantec’s File Server Resource Manager, which blocks files with known ransomware extensions from being written to file shares), and includes seven file-based protection tools that are available to all our customers. Symantec has also outlined in a previous post why companies should refuse to pay ransomware demands.
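As an added illustration of the file-screen mitigation mentioned above (this is example code written for this page, not from the white paper), the following PowerShell configures a File Server Resource Manager file screen that denies writes of files matching ransomware-style patterns to a share and raises an event that monitoring can alert on. The share path and the extension patterns are constructed placeholders; maintain your own pattern list.

```powershell
# Added example: FSRM file screen that blocks ransomware-style file names on a share
# and logs an Error event for SIEM alerting. Assumes Windows Server with the
# FS-Resource-Manager feature installed. D:\Shares\Finance and the patterns below
# are constructed placeholders for this example.
Import-Module FileServerResourceManager

$sharePath    = 'D:\Shares\Finance'
$groupName    = 'Ransomware Extensions'
$templateName = 'Block Ransomware Extensions'
$patterns     = @('*.locked', '*.crypt', '*.encrypted', '*.wncry', '*DECRYPT*.txt')

# 1. File group: the names/extensions the screen matches on. Update it as new
#    families appear; existing screens that reference the group pick up the change.
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# 2. Notification: write an Error event to the Application log so monitoring can
#    alert and responders can see who wrote what, where. The bracketed tokens are
#    FSRM substitution variables filled in at notification time.
$notify = New-FsrmAction -Type Event -EventType Error `
    -Body 'FSRM blocked [Source Io Owner] writing [Source File Path] on [Server]'

# 3. Template, so every share gets the same screen and the same notification.
if (-not (Get-FsrmFileScreenTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $templateName -IncludeGroup $groupName `
        -Notification $notify -Active | Out-Null
}

# 4. Active screen on the share: matching writes are denied, not only logged.
#    Omit -Active (passive screening) to audit first and measure false positives.
if (-not (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $sharePath -Template $templateName -Active | Out-Null
}

# 5. Verify: the screen should list the group and report Active = True.
Get-FsrmFileScreen -Path $sharePath | Select-Object Path, IncludeGroup, Active
```

Test the screen by copying a file with one of the listed extensions onto the share from a client; the copy should fail with an access-denied error and an event should appear in the server's Application log.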
2. Design a defensive network.
Many of Symantec’s enterprise customers have relatively flat networks, and there are good reasons for that. Relatively flat networks are inexpensive, easy to manage, and allow everyone in the company to access resources anywhere with a simple setup.
But all of those advantages become serious detriments if ransomware begins infiltrating your network. Given the current threat landscape, organizations might revisit the idea of network segmentation. By creating subnetworks and VLANs within the larger environment, you will improve overall security and gain the ability to quarantine isolated zones. You might, for example, create a subnetwork that provides point-to-point links only among admin-specific machines and devices—favored targets for phishing and other schemes used in stealing credentials.
3. Assess your readiness and understand your vulnerabilities.
Finally, I recommend self-evaluation and commitment to continuous process improvement. This can be done internally or could include investing in an expert analysis of your organization’s cyber security situation. Symantec’s Incident Response retainer services include an annual Incident Response Preparedness Workshop. I’ve led several such sessions and have found them a gentle and relaxed venue for clients to learn how to capture and collect data relevant to a possible threat, and a chance to run through hypothetical crisis exercises. We conclude every workshop with a statement that sums up the client’s current security capabilities and identifies areas for possible improvement.