The EMEA mainstream media’s spotlight on ransomware attacks may have dimmed over the last 18 months but that doesn’t mean the threat has disappeared. There is certainly no room for complacency, and we would do well to pay attention to recent events, writes David Warburton, F5 Networks Senior Threat Research Evangelist.
Far from diminishing in disruptive impact, ransomware attacks appear to have gained a new level of strategic precision, including a spate of public sector organisations being taken offline. Schools, municipalities, and government agencies have all been hit. The US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) has now cited ransomware as “the most visible cybersecurity risk” attacking American IT systems.
This level of “visibility” is, in part, because a single, one-time infection originating from a user with high-level privileges can disable thousands of servers and cause weeks of disruption for millions. A 2019 incident with the Baltimore City government vividly illustrates the consequences: two weeks of crippled systems and a ransom of $100,000 to cough up. Elsewhere, more than 20 local governments in Texas were targeted in a similarly effective and coordinated attack in August.
A pattern is emerging, and rest assured it won’t be constrained by geographical boundaries.
The reason local governments are under fire is simple. Safe online services are essential for small municipalities, yet they rarely have the resources to adequately protect them. While local government is always high on cybercriminals’ target lists, their prey is now being stalked with more purpose. Those with rudimentary operations and budgetary constraints are on shaky ground.
Taking ransomware threats seriously
The consequences are potentially dire for reputations and bottom lines alike whenever ransomware strikes. It may be tempting to pay up, but it is best not to, as it is guaranteed that hackers will be back for more. Either way, the cost of a ransomware attack can be huge: organisations will either be paying the attackers a king’s ransom in Bitcoin or coughing up millions to recover and repair from the infection.
With the media’s attention on more zeitgeisty threats like cryptocurrency mining, it is important to not lose sight of the basics. Public sector organisations are under more pressure than they might think.
Key steps to confront ransomware include:
Putting a robust cybersecurity strategy in place. Don’t cut corners. Invest in, and engender, a security-first culture. The initial cost might put off smaller councils, but it will pale in comparison to the outlay of a successful ransomware attack.
Authenticating for Internet-facing apps. Locking down Internet-facing logins with robust authentication is the first step to protect against ransomware. Multi-factor authentication is recommended. At the very least, make sure default passwords and known leaked credentials are immediately addressed.
Training employees. Arm the workforce with insight on ransomware attack consequences and the red flags to look for. As a priority, raise awareness of phishing techniques. Employees should always question attachments and links as a matter of course. According to the F5 Labs 2019 Phishing and Fraud Report, as many as 71% of analysed phishing sites were using HTTPS to appear more legitimate. The most impersonated brands and services are Facebook, Microsoft Office Exchange, and Apple.
Scanning and filtering internet traffic. Gain visibility and context on encrypted web traffic so that malicious sites, attachments and command-and-control traffic can be automatically blocked before network infiltration occurs. The majority of malware is hosted on well-known sites, so it is essential to decrypt SSL/TLS traffic to ensure security devices can inspect the content.
Ensuring vital files are backed up. Backups must cover all critical systems and areas of personal data. Backup copies should also be kept ‘offline’ to safeguard against ransomware infection. Regular disaster recovery simulations are advisable to avoid Baltimore-esque scenarios.
Segregating networks. The most destructive malware and ransomware campaigns freely connect to every available system once network access is attained. Avoid flat network structures. This means an infected system must pass through a filter or additional access controls before moving out of its local resource group. As ever, every device needs adequate security measures, and staff should only get access to the files they need.
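To make the segmentation point above concrete, here is an added example (not code from the article or from F5) that models a small constructed host inventory with zone-to-zone allow rules and computes how many hosts a single infected machine could reach under a flat policy versus a segmented one; the zone names, host names and policies are all assumptions for illustration.

```python
from collections import deque

# Constructed sample inventory (not from the article): host -> network zone.
HOSTS = {
    "hr-laptop-01": "workstations",
    "hr-laptop-02": "workstations",
    "file-srv-01": "servers",
    "file-srv-02": "servers",
    "permits-db-01": "servers",
    "backup-srv-01": "backup",
}

# Flat network: every zone may initiate connections to every other zone.
FLAT_POLICY = {zone: set(HOSTS.values()) for zone in set(HOSTS.values())}

# Segmented network (assumed policy): workstations may only reach servers,
# servers do not initiate connections at all, and the backup zone pulls from
# servers but nothing may push into it, which keeps backups effectively offline.
SEGMENTED_POLICY = {
    "workstations": {"servers"},
    "servers": set(),
    "backup": {"servers"},
}


def reachable_hosts(start, hosts, policy):
    """Hosts a compromised `start` can reach by hopping only through allowed
    zone-to-zone flows (breadth-first search over the inventory)."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        allowed_zones = policy.get(hosts[current], set())
        for candidate, zone in hosts.items():
            if candidate not in seen and zone in allowed_zones:
                seen.add(candidate)
                queue.append(candidate)
    return seen


def blast_radius(start, hosts, policy):
    """Number of other hosts exposed if `start` is infected."""
    return len(reachable_hosts(start, hosts, policy)) - 1


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "blast radius from hr-laptop-01:",
              blast_radius("hr-laptop-01", HOSTS, policy))
```

Running it shows the same infected laptop exposing every other host on the flat network but only the server zone once segmented, and an infected server spreading nowhere.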
The battle against ransomware calls for a defence-in-depth approach. This means putting several dissimilar, overlapping barriers in place to slow down or stop known attack vectors.
The first line of defence is always to stop an attack from landing on any system. It is worth noting that the costs of ransomware-related defensive controls should be easier to justify than other, more nebulous attacks. The direct financial costs of operational downtime are difficult to ignore.
As we’ve seen in the US, local governments may be vulnerable right now, but nobody is safe. To date, ransomware has usually hit traditional, general purpose, physical computers, but it is only a matter of time before it becomes a big problem for IoT devices, mobiles, and cloud systems as well.