Ransomware Attacks
07 October, 2018
Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems. Ransomware is frequently delivered through spear phishing e-mails to end users. When the victim organization determines they are no longer able to access their data, the cyber actor demands the payment of a ransom, at which time the actor will purportedly provide an avenue to the victim to regain access to their data. Recent iterations target enterprise end users, making awareness and training a critical preventative measure.

Key areas to focus on with ransomware are prevention, business continuity, and remediation. As ransomware techniques continue to evolve and become more sophisticated, even with the most robust prevention controls in place, there is no guarantee against exploitation. This makes contingency and remediation planning crucial to business recovery and continuity.

Prevention Considerations

  • Implement an awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.
  • Patch operating systems, software, and firmware on devices, which may be made easier through a centralized patch management system.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
  • Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary.
  • Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Office files transmitted via e-mail. Consider using Office Viewer software, instead of the full Office suite, to open Microsoft Office files transmitted via e-mail.
  • Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

Business Continuity Considerations

  • Back up data regularly, and regularly verify the integrity of those backups.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously backup in real time, also known as persistent Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.
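
One way to carry out the integrity verification described above, shown as an added example that is not part of the original advisory: record a SHA-256 digest for every file in a backup set, protect that record with an HMAC, and compare the backup against it later. The function names, the manifest format, and the assumption that the key and sealed manifest are stored separately from the backup are illustrative choices.

```python
import hashlib
import hmac
import json
import os


def _sha256(path, chunk=1 << 20):
    """Hash a file in chunks so large backup archives do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_root):
    """Map each file's path (relative to backup_root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(backup_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, backup_root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def seal_manifest(manifest, key):
    """Serialize the manifest with an HMAC tag so edits to it are detectable."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "hmac": tag})


def verify_backup(backup_root, sealed, key):
    """Return (ok, report); report lists modified, missing and unexpected files."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return False, {"error": "manifest HMAC mismatch"}
    recorded = json.loads(doc["manifest"])
    current = build_manifest(backup_root)
    report = {
        "modified": sorted(p for p in recorded
                           if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "unexpected": sorted(p for p in current if p not in recorded),
    }
    return not any(report.values()), report
```

A backup whose files were encrypted in place shows up under "modified"; files renamed with a new extension appear as a "missing" and "unexpected" pair.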

Other Considerations

  • Implement application whitelisting; only allow systems to execute programs known and permitted by security policy.
  • Execute operating system environments or specific programs in a virtualized
  • Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.

The Ransom
The NCSC does not support paying a ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved. While the NCSC does not support paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.
In all cases, the NCSC encourages organizations to contact CERT-GH immediately to report a ransomware incident and request assistance. Victims are also encouraged to report cyber incidents to NCSC / CERT-GH.