Prepare, Prevent, and Response: A Comprehensive Ransomware Protection Guide

Rampant Ransomware Attacks

On November 8, 2023, U.S. Eastern Time, ICBC Financial Services (FS), the U.S. arm of China’s largest bank, fell victim to a ransomware attack, disrupting certain systems. Reports indicate that the attack, linked to a Citrix vulnerability known as “CitrixBleed,” was orchestrated by the LockBit group. ICBC FS is actively investigating the incident, according to a notice on its website.

In the aftermath of this event, ransomware attacks are once again making headlines in the cybersecurity industry.

What is Ransomware?

Ransomware is malicious software designed to block access to a computer system or files until a sum of money is paid to the attacker, usually in cryptocurrency.

The diagram can be summarized in the following steps:

• Development of ransomware and other malicious software.
• Brokerage, sale, and distribution of ransomware.
• Acquisition of control over hosts, collecting and selling data.
• Credential and permission trading.
• Theft and storage of sensitive data.
• Deployment of ransomware to execute encryption.
• Money laundering through cryptocurrency transactions.

Ransomware can infiltrate a system through various means, including phishing campaigns, account abuse, vulnerability exploitation, RDP exploitation, brute force, weak password access, insecure configurations, etc. Once activated, the malware encrypts the victim’s files, rendering them inaccessible. The victim is then presented with a ransom note, providing instructions on how to make the payment to receive the decryption key.

Today’s ransomware attacks share the following characteristics:

• Targets: Critical and sensitive assets or data are the preferred targets of threat actors. Ransomware attacks exhibit characteristics of early probing, prolonged lurking, and sudden outbreaks. Credential access remains the most frequent ignition point in ransom attacks. Therefore, securing backups of critical data, strengthening daily operations to block early probing, and managing credential leaks are key to ransom protection.
• RaaS (Ransomware as a Service): Behind a single ransom attack, there are often multiple attackers. The attack chain is complex, making it challenging to pinpoint and profile ransom attackers. However, industry characteristics can be leveraged to monitor relevant intelligence on ransom threat actors and credential leaks, and conduct pre-emptive checks and reinforcement.
• Vulnerabilities: N-Day or 1-Day vulnerability attacks are common in ransom scenarios. Threat actors, considering cost-effectiveness, tend to use fewer 0-Day vulnerabilities. Timely patching of high-risk vulnerabilities is an effective means of protection against ransom attacks.
• Deployment: Multiple ransom threat actors tend to use Active Directory (AD) for large-scale rapid deployment. Ransom attacks involve strong human decision-making and operational characteristics. Domain controllers or high-privilege accounts are favored by attackers. Strengthening domain control security configurations, vulnerability management, and strictly controlling high-privilege domain accounts are necessary actions for ransom protection.
• Complexity: Ransom attacks are evolving towards “multi-ransom,” targeted attacks (shifting from passive to active), APT attacks, and cross-platform.  

Impact Brought by Ransomware Attacks

Ransomware attacks have become a significant threat to enterprise asset security. The theft or destruction of data can severely impact business operations, directly or indirectly causing significant losses.

Ransomware attacks are also a major threat to critical infrastructure data assets, with the theft, misuse, or destruction of data having profound effects on critical infrastructure operations. In addition to the ICBC FS incident, which had a wide-reaching impact and disrupted the U.S. Treasury market, there are many other examples. For instance, in May 2021, Colonial Pipeline, the largest fuel transportation pipeline operator in the United States, was forced to shut down four main gasoline pipelines due to a DarkSide ransom attack. This almost severed 45% of the fuel supply on the East Coast, severely affecting daily life and national security, leading the United States to declare a state of emergency. In April 2022, Costa Rica fell victim to a Conti ransom attack, causing a blow to the government and the economy. President Rodrigo Chaves declared a state of national cybersecurity emergency, with attacks targeting the Ministry of Finance, Ministry of Labor and Social Security, Ministry of Science, Innovation and Telecommunications, and the National Meteorological Institute.

Ransomware Attack Protection

A typical ransomware attack consists of three stages: accessing a victim’s network, finding target files, and encrypting files for ransom. NSFOCUS provides services and products specifically for ransomware attacks, covering:

• Security Assessment for Ransomware: Helping customers build ransomware attack prevention capabilities.
• Proactive Prevention: Nipping ransomware attacks in the bud.
• Attack Mitigation and Reinforcement: Stopping ransomware infection when an attack happens, helping customers reinforce their systems through data traceback and preventing further attacks.

Prepare

Develop Response Strategies for Ransomware Attacks

Developing response strategies is crucial in determining the overall framework and goal orientation of the response plan. Different response strategies should be formulated based on the severity of the damage. Common scenarios include:

• Non-critical business systems are encrypted by ransomware, with backups available, but data has been stolen.
• Multiple critical business systems are encrypted, causing widespread business unavailability, significant data stolen, but with independent backups (or no backups).
• The jump host (both internal and external) of the ransomware attack is located,  but crucial business systems are on top.

Strategies can be divided based on the following dimensions:

• Assets that have been encrypted and led to downtime.
• Existence of backups for encrypted data.
• Importance/sensitivity of the stolen quantity.
• Impact on the recovery plan.
• Unavailable targets caused by ransomware.

Establish Permissions, Roles, and Corresponding Processes

• Clarify all internal/external personnel involved in ransom event response, along with corresponding system/data/operation permissions.
• Determine response processes, formulate all steps in response events, and clarify the roles and specific actions involved in each step.
• Optimize the approval process to ensure that, in emergency situations or multiple emergency events, delays in event processing are not caused by the approval process.

Communication

• List of emergency contacts for relevant employees, customers, service providers, and suppliers involved in incident response.
• Detailed explanations of how, when, and with whom event response personnel should communicate/synchronize.
• Establishment of a core contact team/personnel for employees to report events as soon as possible.
• Formulation of a statement plan to respond quickly, explain the handling of the event-related issues, actively communicate with regulatory authorities and the media, and demonstrate information content. Particularly, to strengthen enterprise security and preventive measures while handling the crises to reshape the corporate brand image.

Ransom: Pay or Not to Pay?

• If backups are destroyed, and no decryption tools are available, companies may consider paying a ransom to recover files. While paying the ransom can help reduce downtime losses and may be cheaper than the cost of downtime, it is not a recommended decision. Payment is only advisable when all other means fail to address the impact of the ransom event, and the loss of data could lead to the company’s bankruptcy.
• Paying the ransom does not guarantee that encrypted files will be decrypted. In addition, decrypting files does not mean that the malware infection itself has been cleared.
• Whether to pay the ransom or not is strongly associated with the developed response strategies.

Data Recovery Plan

Establish key recovery indicators for events, prioritize recovery of data based on asset importance, critical business functions, and application priorities, and gradually restore data.

Assess and Strengthen Network Security for Ransomware Scenarios

Backup and Recovery Assessment

Evaluate the environment, processes, and recovery plans for asset backups.

High-Frequency Vulnerability Assessment for Ransomware Attacks

Assess the detection and protection capabilities against vulnerabilities frequently used by ransomware attackers, including common web applications, middleware vulnerabilities, and insecure configurations.

Near-Real Attack and Defense Assessment

Simulate real ransomware attack scenarios, evaluate the enterprise’s detection, protection, and response capabilities.

• Red Team Services – Simulate complete ransomware attacks using tactics from active/TOP ransomware attackers, select target data and deploy harmless ransomware samples.
• Blue Team Services – Evaluate the enterprise’s response to simulated ransomware events from multiple dimensions.

General Security Protection Assessment: Assets, Threat Exposure and Configurations

• Asset Inventory: Using means such as internal network scans, combined with endpoint control and server security control, to establish an asset ledger. Timely maintenance and confirmation of asset baselines, ensuring approval for changes, and not missing ledger changes are crucial. Core weaknesses of enterprise information assets include (a) Business/websites/systems/platforms that are unmanaged, unused, and unprotected; and (b) Test systems, experimental platforms, systems not yet disconnected after retirement, systems in operation with loaded business but not officially handed over for maintenance, business or systems co-operated with partners, systems with unclear responsibility handover, and systems in decline.
• Threat Exposure Management: including (a) Overall risk assessment of enterprise attack surface and externally exposed assets; (b) Boundary access authentication (VPN, Email, etc.); and (c) Evaluation of enterprise employees’ resistance to social engineering attacks.
• Configuration Assessment: including an evaluation of enterprise network segmentation and security boundary configurations, as well as the existence of AD settings most commonly abused by ransomware attackers for privilege escalation and the potential attack paths that may result.

Prevent

Exposure Risk Management for Ransomware Attacks

Configure periodic and real-time scanning strategies through a ticket system, automate the triggering of scanning mechanisms by linking ransomware intelligence and actively capture ransomware events, and promptly discover vulnerabilities such as application types, ports, services, and vulnerabilities that may be exploited by ransomware. Security operations experts check the exposure surface, verify security vulnerabilities, upgrade protection rules, and perform actions such as closing exposed ports to eliminate security risks and prevent ransomware attacks.

Ransomware Monitoring and Analysis

Security operations personnel conduct 24/7 monitoring and analysis services based on traffic, logs, and threat intelligence. Through comprehensive analysis, they pinpoint abnormal behavior of assets, prevent targeted attacks, identify possible ransomware hazards, and synchronize analysis results and handling recommendations through notification mechanisms such as emails and SMS.

Asset Protection and Reinforcement

• Baseline scanning, vulnerability scanning, and reinforcement.
• Centralized system reinforcement.
• Access permission reinforcement.

Response

Once a ransomware attack occurs, the Response Plan for Ransomware Attacks should be activated immediately.

From the perspective of products, automated orchestration and response playbooks created on an intelligent security operations platform automatically collect alerts generated under high-confidence rules about ransomware events, conduct event investigation and perform alert triage. In the event handling process, manual host isolation, automated one-clicking blocking and other response operations can be performed. With that, the impact scope of the attack will be controlled quickly.  

Security operations experts initiate prompt traceback analysis, pinpoint the ransom delivery route, and offer remediation recommendations. Further, they enhance protection policies by considering comprehensive business scenarios to prevent the recurrence of similar events. Continuous optimization and iteration of security capabilities across the entire service life cycle ensure effective swift actions and emergency response. 

NSFOCUS Operation Architecture for Ransomware Attack Protection

Drawing on the core principles of a proactive security approach to combat ransomware, NSFOCUS employs extensive threat intelligence on ransomware attacks and taps into a well-organized expert resource pool.  This results in a ransomware protection solution that not only anticipates threats but also consistently detects, responds swiftly, and precisely traces incidents. This solution effectively reduces the exposure surface of ransomware attacks and ensures uninterrupted business operations for users. Most importantly, it enhances the overall resilience of the users’ systems against cyber attacks.

Don’t hesitate to reach out to us if you’d like to learn more about protecting yourself from ransomware attacks or any other aspects of cybersecurity.