What is ransomware?
Dating back to the late 1980s, ransom malware, or ransomware, is a type of malicious software specifically designed to disrupt, damage, or gain unauthorised access to a system. Ransomware prevents legitimate users from accessing their own systems and files while the ‘bad actor’ demands a ransom payment to restore access.
As technology has advanced, ransomware has become more prevalent, with new ransomware attacks appearing every day. Cybercriminals have had to adapt to improved defences, shifting their attacks to key entry points on networks.
Different types of ransomware
- Spear Phishing
- Social Engineering
New forms of ransomware appear almost daily. The most common ransomware attacks are explained here.
Protecting your business against ransomware
Ransomware has become one of the most common forms of cyber attack in recent years. Cryptocurrencies make ransom payments safer for attackers, and "Ransomware as a Service" (RaaS) means that attackers no longer need technical skills to launch an attack.
Osirium Privileged Access Security (comprising Privileged Access Management, Privileged Process Automation, and Endpoint Privilege Management) provides the critical security tools to help protect against ransomware attacks: not only to prevent attacks, but also to protect the systems, such as backups, that are crucial to recovering after an attack and reducing potential downtime.
- Prevent ransomware from being installed
- Prevent lateral movement of ransomware around the network
- Protect backups and hypervisors
Privileged Access Security is a multi-layered approach to the prevention of ransomware attacks and the protection of critical systems.
A typical ransomware attack
How does ransomware work?
The attack begins
Even with the best training, human beings can be fooled by sophisticated phishing attacks or make a mistake. It's easy to click on a link that installs malware. So, a safety net is needed to reduce the possibility that such an error leads to catastrophe.
The best way to prevent ransomware from being installed is to prevent the user from installing applications on their laptops or workstations. However, with users often requiring additional software to help support their job (for example software developers or network engineers), what can be done? Osirium Endpoint Privilege Management (EPM) is built to prevent unauthorised installs while letting users run approved applications with elevated privileges.
The attack spreads
Once malware is installed on the workstation, it looks for opportunities to cause the most damage. That usually starts by identifying valuable administrator accounts as they have the most access and can cause the most damage.
The local admin account on the workstation is a good starting point. The attack will then look for servers the user can access, other user accounts on the workstation, network shares and much more. It will look for the most sensitive data on customers, suppliers, staff and intellectual property: anything that will help spread the attack further or make ransomware recovery harder.
The attack may also exfiltrate valuable data and credentials to be sold on the dark web even before the ransomware strikes. Although the attacker may claim to delete the stolen data once the ransom is paid, that is no solution: the information will already be in multiple locations on the dark web and can never be fully recovered.
The attack strikes
Modern ransomware attacks are patient. The malware waits until it has maximised its impact.
The attack will collect valuable data and credentials and infect critical systems such as hypervisors and backup systems. It may even wait until backup cycles have been completed to make recovery as hard as possible. The attack may wait weeks or months before striking.
Once the strike begins, the malware works as quickly as possible. It tries to encrypt desktop and server systems before being noticed, or anyone can "pull the plug" to stop the attack. In the quest for speed, encryption may not be perfect. Even if the victim pays a ransom and gets the encryption key, they may never be able to recover all their systems or data.
How Privileged Access Security protects against ransomware attacks
Prevent the attack installation
Malware is often hidden in seemingly legitimate software installation packages. Users have often been given a "local admin" account to install applications without asking the IT help desk. The user is happy because they can make changes without waiting. IT are happy they're not involved in minor tasks and can concentrate on more significant projects.
Unfortunately, this means it's easy to install malware. Osirium's Endpoint Privilege Management (EPM) allows IT to remove those risky local admin rights without increasing the workload for the help desk. If users can only install or run approved applications with elevated privileges, it's much harder for malware to infect the organisation.
Prevent lateral movement
If the valuable administrator privileges are never available or revealed to the admins, they can't be stolen by malware. All access to critical IT systems should always be via Privileged Access Management (PAM). Those systems include cybersecurity tools, databases, servers, network switches, backups, and much more. As well as preventing unauthorised access to those valuable admin credentials, PAM makes it easy to spot suspicious activity on the network.
PAM also encourages good credential practices. Humans are not good at using complex passwords, but password management with PAM removes that responsibility and risk. Regular rotation of passwords becomes easy. As passwords can be updated in one place, the changes are fast, and there's no need to inform anyone that may access the systems - if you even know who they are.
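The point above that routing all privileged access through PAM "makes it easy to spot suspicious activity" can be turned into a concrete detection: once every legitimate admin session originates from the PAM gateway, any successful privileged login to a critical host from anywhere else is a finding. The following is an added example, not Osirium's code; the SSH log lines, the gateway address and the list of critical hosts are all constructed for illustration.

```python
"""
Added example (not Osirium's code): flag privileged logins to critical systems
that did not arrive via the PAM gateway. Log format, hostnames and addresses
are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: sshd auth events as forwarded to a central log collector.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z db-prod-01 sshd[2211]: Accepted publickey for root from 10.0.50.5 port 51022 ssh2
2024-05-01T09:15:41Z backup-01 sshd[9087]: Accepted password for backupadmin from 10.0.7.23 port 44110 ssh2
2024-05-01T09:16:02Z esxi-mgmt sshd[1330]: Accepted publickey for root from 10.0.50.5 port 51044 ssh2
2024-05-01T09:20:19Z db-prod-01 sshd[2240]: Failed password for root from 10.0.7.23 port 44120 ssh2
2024-05-01T11:02:55Z fw-core sshd[421]: Accepted password for admin from 10.0.7.23 port 44300 ssh2
"""

# Assumed environment facts: the PAM gateway's address and the hosts that
# may only ever be administered through it.
PAM_GATEWAY_IPS = {"10.0.50.5"}
CRITICAL_HOSTS = {"db-prod-01", "backup-01", "esxi-mgmt", "fw-core"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    reason: str


def parse(line):
    """Parse one sshd auth line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_pam_bypass(log_text, gateway_ips=PAM_GATEWAY_IPS, critical=CRITICAL_HOSTS):
    """Return a Finding for each successful login to a critical host whose source
    is not the PAM gateway. Such a login means a person or a piece of malware
    held the credential directly, which is exactly what PAM should prevent."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "Accepted":
            continue  # failed attempts are noise for this rule
        if ev["host"] in critical and ev["src"] not in gateway_ips:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["src"],
                                    "privileged login bypassed PAM gateway"))
    return findings


def sources_with_broad_reach(findings, threshold=2):
    """Group bypass findings by source address; a single non-gateway source
    reaching several critical hosts is the pattern of lateral movement."""
    hosts_by_src = defaultdict(set)
    for f in findings:
        hosts_by_src[f.src].add(f.host)
    return {src: hosts for src, hosts in hosts_by_src.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    found = find_pam_bypass(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.user}@{f.host} from {f.src}: {f.reason}")
    for src, hosts in sources_with_broad_reach(found).items():
        print(f"{src} reached {len(hosts)} critical hosts directly: {sorted(hosts)}")
```

Both checks only work because PAM has made the "correct" path unambiguous; without a single enforced route for admin access, the same log lines cannot be told apart from routine administration.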
Prevent misuse of privileged accounts
Using automation for all IT processes that depend on administrator access adds another level of protection for critical systems. Privileged Process Automation (PPA) ensures that all corporate and regulatory processes are followed and users can't do anything they shouldn't. For example, an admin updating a rule on a firewall could accidentally open ports that an attacker will later use.
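The firewall scenario above is the kind of mistake a process automation layer can refuse before it reaches the device: the change request is checked against policy, and only rules that pass are applied. Below is an added example of such a gate, written here for illustration rather than taken from Osirium's Privileged Process Automation; the rule fields, the policy values (management network, admin-style ports, mandatory ticket reference) and the sample rules are all assumptions.

```python
"""
Added example (not Osirium's PPA): a policy gate that an automation runbook
applies before pushing a firewall rule change. Rule format and policy values
are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    port: int
    proto: str         # "tcp" or "udp"
    ticket: str = ""   # change reference; assumed mandatory by policy


# Assumed policy: remote-administration ports must only be reachable from the
# management network, "any" sources are never allowed, every change is ticketed.
ADMIN_PORTS = {22, 3389, 5985, 5986, 445, 135}
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")


def check_rule(rule):
    """Return the list of policy violations for a rule; empty means it may proceed."""
    problems = []
    if not rule.ticket:
        problems.append("missing change ticket reference")
    if rule.action != "allow":
        return problems  # a deny rule cannot widen exposure
    src = ipaddress.ip_network(rule.src, strict=False)
    if src.prefixlen == 0:
        problems.append("source 0.0.0.0/0 (any) is not permitted for allow rules")
    if rule.port in ADMIN_PORTS and not src.subnet_of(MGMT_NET):
        problems.append(
            f"admin port {rule.port}/{rule.proto} exposed to {src}, outside {MGMT_NET}"
        )
    return problems


def apply_changes(rules):
    """Split a change set into rules to apply and (rule, problems) pairs to reject.
    Pushing the approved rules to the device is left to the runbook."""
    applied, rejected = [], []
    for rule in rules:
        problems = check_rule(rule)
        (rejected.append((rule, problems)) if problems else applied.append(rule))
    return applied, rejected


# Constructed change set: the accidental "open RDP to the world" rule from the
# text, and the corrected version restricted to the management network.
ACCIDENTAL = Rule("allow", "0.0.0.0/0", "10.0.20.0/24", 3389, "tcp", "CHG-1042")
CORRECTED = Rule("allow", "10.0.50.0/24", "10.0.20.0/24", 3389, "tcp", "CHG-1042")

if __name__ == "__main__":
    ok, bad = apply_changes([ACCIDENTAL, CORRECTED])
    for rule, problems in bad:
        print(f"REJECTED {rule.src} -> {rule.dst}:{rule.port}: {'; '.join(problems)}")
    for rule in ok:
        print(f"APPLY    {rule.src} -> {rule.dst}:{rule.port} ({rule.ticket})")
```

The gate is deliberately conservative: a deny rule passes with only the ticket check, while an allow rule must clear every exposure test, so an admin cannot "accidentally open ports" through the automated path even with full device credentials.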
How can you recover from a ransomware attack?
Recovery plans will vary between organisations, but they typically have common features.
If the worst happens and a ransomware attack strikes, the first step is to limit further activation of the malware and stop it spreading to new systems.
The quickest way may be to shut down as many systems as possible, as fast as possible, or "pull the plug". Powering off systems quickly carries risks, such as data corruption or loss, especially for servers that may be in use. There is a balance of risk between the damage caused by the shutdown and the risk of further infection.
An attack in progress is the worst time to make such decisions. All organisations should consider their options before an attack starts.
They should build a plan for what to do after the attack is discovered. Importantly, the plan needs to be tested, so the impact of an emergency shutdown is understood.
The organisation will have to decide whether to pay a ransom demand or try to rebuild systems from scratch. Either way, there will be a need to restore systems and recover data from backups. As noted earlier, even having the decryption key is no guarantee of being able to decrypt files.
Those backups could be the difference between restoring the business in days or weeks and never being able to recover. That's why it's so important to have extra levels of protection around backup systems, as recommended by the National Cyber Security Centre (NCSC).
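One practical "extra level of protection" for backups, beyond access control, is being able to prove before a restore that a backup set is the one that was written and has not been encrypted or replaced while waiting in the attacker's dwell time described earlier. The following added example (not Osirium's code and not NCSC guidance) keeps an integrity manifest whose file digests are authenticated with a key held away from the backup host; the file names and contents are constructed in memory for illustration.

```python
"""
Added example (not Osirium's code): an authenticated integrity manifest for a
backup set. Files are represented as an in-memory {path: bytes} mapping so the
example runs offline; the key and contents are constructed.
"""
import hashlib
import hmac
import json

# Constructed: the secret used to authenticate manifests. In practice it lives
# with the restore team, not on the backup host, so malware that can rewrite
# backups cannot also rewrite a valid manifest.
MANIFEST_KEY = b"constructed-manifest-key-keep-off-backup-host"

# Constructed backup set as written by the backup job.
ORIGINAL_BACKUP = {
    "config/fw.conf": b"allow 10.0.50.0/24 -> 10.0.20.0/24 3389/tcp\n",
    "db/prod.dump": b"-- PostgreSQL database dump\nCREATE TABLE customers (...);\n",
}

# Constructed tampered copy: one file encrypted in place, one deleted.
TAMPERED_BACKUP = {
    "db/prod.dump": b"\x8f\x11ENCRYPTED-BY-RANSOMWARE\x00\x7a",
}


def build_manifest(files, key):
    """Return a JSON manifest: SHA-256 per file plus an HMAC over the digest list."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": digests, "hmac": tag})


def verify_backup(files, manifest_json, key):
    """Return (ok, issues). The manifest's HMAC is checked first, so a manifest
    rewritten alongside the backups is rejected rather than trusted; then every
    file is compared and missing, changed or unexpected files are listed."""
    manifest = json.loads(manifest_json)
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest altered or wrong key"]
    issues = []
    for path, digest in manifest["files"].items():
        if path not in files:
            issues.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            issues.append(f"changed: {path}")
    for path in files:
        if path not in manifest["files"]:
            issues.append(f"unexpected: {path}")
    return not issues, issues


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_BACKUP, MANIFEST_KEY)
    print("original:", verify_backup(ORIGINAL_BACKUP, manifest, MANIFEST_KEY))
    print("tampered:", verify_backup(TAMPERED_BACKUP, manifest, MANIFEST_KEY))
```

Run as part of the tested recovery plan, a failed verification tells the team that this backup generation is already compromised and an older, offline copy is needed, before hours are spent restoring encrypted data.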
For more information
If you'd like to know more about how Osirium Privileged Access Security can be used to prevent ransomware attacks, please use the form below, and we'll be in touch.