Ransomware made national news in January when Travelex was hit with a destructive attack, plunging the foreign exchange company into perhaps the biggest crisis in its over 40-year history. Travelex may be a particularly high-profile ransomware victim, but it is far from alone: in 2019, 205,280 organisations submitted files that had been encrypted in ransomware attacks, a 41 per cent increase on 2018. Nor was it just the volume of attacks that grew last year; the average ransom demand more than doubled in the last quarter of 2019 to over £60,000.
When it comes to protecting your organisation from ransomware and mitigating the risk, it helps to understand the anatomy of an attack. Most ransomware attacks follow a similar pattern: the attackers gain initial access by some means, typically a vulnerability in the external infrastructure or an email campaign aimed at harvesting credentials. They then spend time moving through the network looking for high-value hosts, encrypt them, and only then notify the victim and demand a ransom. The approach has proven very effective for cybercriminals, who recognise that the greater the value of the data held to ransom, the greater the chance that someone pays up.
So how do you prevent your organisation from suffering a similar fate to Travelex? These seven steps can help to minimise the risk of a ransomware attack infecting your organisation and causing financial, operational and reputational damage.
1. Carry out regular checks of your external infrastructure
By this I mean all of it. There is a real temptation within many organisations not to include all of their external assets within the scope of penetration tests and general vulnerability scanning activities. This happens for countless reasons, ranging from cost and fear of what might be found all the way to assets simply not being tracked. This is not good enough.
You should ensure all endpoints are known and tested several times a year as part of a full manual penetration test, backed up with monthly or quarterly vulnerability assessments where possible. It is always better to know about and fix vulnerabilities in external infrastructure quickly, because that is where most attacks start: once a foothold is gained, a ransomware infection can snowball from there.
2. Make sure you are aware of your external exposure
This is similar to the penetration testing guidance above; one really feeds the other. If you know, for example, that you run VPN endpoints that act as the only touchpoint between your external and internal networks, those need to be priority hosts: monitor vendor advisories and patch releases for them and include them in monthly update cycles. Leaving them exposed and vulnerable to avoid disruption and downtime may be tempting, but it is not an option; the consequences if something goes wrong will always outweigh the short-term inconvenience.
3. Combine proactive and reactive cybersecurity measures
It is also vital to combine proactive and real-time reactive services as part of your annual IT security spend. Identifying external exposure and potential vulnerabilities is one thing; monitoring for and detecting internal movement before the ransomware is deployed is another. Attackers can spend weeks, months or even longer inside a network cherry-picking hosts of value, so the deployment of ransomware should not be the first you hear of it. A dedicated Cyber Security Operations Centre (CSOC) service can provide early warning of that kind of activity.
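The kind of early warning a CSOC looks for in practice is one account reaching an unusual number of hosts in a short time, which is what the "cherry picking" phase looks like in the Windows Security log. The script below is an added example, not code from the article or from Six Degrees: it runs a sliding-window check over a handful of constructed event 4624 records (successful logon; logon type 3 is a network logon, the type produced by SMB, PsExec and WMI-style movement). The field layout, the account names and the five-host threshold are assumptions for the illustration; a real detection would read the events from a SIEM and baseline service accounts that legitimately touch many hosts.

```python
"""Spot one account logging on to many hosts in a short window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: Windows Security event 4624 reduced to the
# fields the check needs. Logon type 3 is a network logon; type 2 is interactive.
# Fields: timestamp, event_id, logon_type, account, source_ip, destination_host
SAMPLE_EVENTS = """\
2020-01-10T02:14:05,4624,3,CORP\\svc-backup,10.0.5.23,FS01
2020-01-10T02:14:09,4624,3,CORP\\svc-backup,10.0.5.23,FS02
2020-01-10T02:14:12,4624,3,CORP\\svc-backup,10.0.5.23,DC01
2020-01-10T02:14:20,4624,3,CORP\\svc-backup,10.0.5.23,SQL01
2020-01-10T02:14:25,4624,3,CORP\\svc-backup,10.0.5.23,HR-FILE
2020-01-10T02:14:33,4624,3,CORP\\svc-backup,10.0.5.23,EXCH01
2020-01-10T07:55:00,4624,2,CORP\\jsmith,10.0.7.40,WS-0412
2020-01-10T08:01:00,4624,3,CORP\\jsmith,10.0.7.40,FS01
2020-01-10T09:15:00,4624,3,CORP\\jsmith,10.0.7.40,FS02
"""


def parse_events(text):
    """Turn the CSV-style sample into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src_ip, dst_host = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src_ip": src_ip,
            "dst_host": dst_host,
        })
    return events


def find_lateral_movement(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per account that reached `threshold` distinct hosts
    via network logons inside any stretch of time no longer than `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_account[e["account"]].append(e)

    alerts = []
    for account, logons in by_account.items():
        logons.sort(key=lambda e: e["time"])
        best = None  # (distinct hosts, start index, end index) of the widest spread
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until the span fits inside `window`.
            while logons[end]["time"] - logons[start]["time"] > window:
                start += 1
            hosts = {e["dst_host"] for e in logons[start:end + 1]}
            if best is None or len(hosts) > best[0]:
                best = (len(hosts), start, end)
        if best and best[0] >= threshold:
            span = logons[best[1]:best[2] + 1]
            alerts.append({
                "account": account,
                "src_ip": span[0]["src_ip"],
                "first_seen": span[0]["time"].isoformat(),
                "last_seen": span[-1]["time"].isoformat(),
                "hosts": sorted({e["dst_host"] for e in span}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['account']} from {alert['src_ip']} reached "
              f"{len(alert['hosts'])} hosts between {alert['first_seen']} "
              f"and {alert['last_seen']}: {', '.join(alert['hosts'])}")
```

On the sample the backup service account trips the check (six hosts in under half a minute, including a domain controller and the Exchange server) while the ordinary user does not. Whether that is a backup job or an attacker who has stolen the service account's credentials is exactly the question a CSOC analyst should be asked at 02:14 rather than after the encryption starts.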
4. Reduce external attack surfaces
This is something still seen a lot in penetration tests. It is not uncommon to find protocols like SMB, RDP, SSH and SNMP exposed to the internet with no source filtering at all. Most of these services do have their own authentication (passwords, keys, certificates and so on), but you should not rely on that alone: as Travelex's case showed, all it takes is one vulnerability in an exposed service to upset the apple cart. Bake security into the design rather than overlaying it afterwards.
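The three points above (test everything, know your exposure, cut the attack surface) come together in one routine check: take the output of an external scan, flag the management protocols the article names wherever they answer from the internet, and flag any address that responds but is missing from the asset register. The script below is an added example and not code from the article or from Six Degrees. It parses nmap's grepable (`-oG`) output format; the scan itself, the hostnames, the addresses (from the 203.0.113.0/24 documentation range) and the asset register are constructed for the illustration. Matching on default port numbers alone is also an assumption: a service moved to a non-default port would only be caught by keying on the service name as well.

```python
"""Flag internet-exposed management protocols and untracked hosts in an
external scan (added example)."""
import re

# Protocols the article calls out, keyed by (transport, default port).
RISKY_SERVICES = {
    ("tcp", 22): "SSH",
    ("tcp", 445): "SMB",
    ("tcp", 3389): "RDP",
    ("udp", 161): "SNMP",
}

# Constructed sample in nmap grepable (-oG) format. Each port entry reads
# port/state/transport/owner/service/rpc/version/ and entries are comma separated.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 (vpn.example.com)\tStatus: Up
Host: 203.0.113.10 (vpn.example.com)\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 203.0.113.11 (files.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
Host: 203.0.113.12 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
# Nmap done (constructed sample)
"""

# The asset register: what the organisation believes it exposes (constructed).
# Anything that answers the scan but is missing from here is an untracked endpoint.
KNOWN_ASSETS = {"203.0.113.10", "203.0.113.12"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State.*)?$")


def parse_grepable(text):
    """Return (ip, hostname, port, transport, state, service) per port entry."""
    results = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        ip, hostname, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            port, state, transport, service = int(fields[0]), fields[1], fields[2], fields[4]
            results.append((ip, hostname, port, transport, state, service))
    return results


def exposed_management_services(scan_text):
    """Risky services whose port is open (or open|filtered, as UDP scans report)."""
    findings = []
    for ip, hostname, port, transport, state, service in parse_grepable(scan_text):
        name = RISKY_SERVICES.get((transport, port))
        if name and state.startswith("open"):
            findings.append({"ip": ip, "host": hostname, "port": port,
                             "transport": transport, "protocol": name,
                             "service": service})
    return sorted(findings, key=lambda f: (f["ip"], f["port"]))


def untracked_hosts(scan_text, known_assets):
    """Responding addresses that are absent from the asset register."""
    seen = {ip for ip, *_ in parse_grepable(scan_text)}
    return sorted(seen - set(known_assets))


if __name__ == "__main__":
    for f in exposed_management_services(SAMPLE_SCAN):
        print(f"{f['ip']} ({f['host']}): {f['protocol']} on {f['port']}/{f['transport']} "
              f"is reachable from the internet")
    for ip in untracked_hosts(SAMPLE_SCAN, KNOWN_ASSETS):
        print(f"{ip}: responds to scans but is not in the asset register")
```

Run against the sample this reports RDP on the VPN host and SSH, SMB and SNMP on a file server that nobody had recorded as an external asset, which is the combination of findings the three steps above are designed to surface. Exposed management ports should be closed or restricted to a VPN or a short allow-list of source addresses, not left to their own authentication.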
5. Review your mail filtering options
Whilst the Travelex attack appears to have been far more sophisticated, one cannot ignore the volume of malware spread via simple mail campaigns. Email remains one of the key entry points to the corporate perimeter, and as such warrants investment in advanced mail filtering.
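To make "mail filtering" concrete, here are three of the checks a gateway applies to every inbound message: attachment types that loaders and ransomware droppers rely on, the SPF/DKIM/DMARC verdicts the receiving mail server stamps into the Authentication-Results header, and an envelope sender domain that disagrees with the visible From address. This is an added example and not code from the article, from Six Degrees or from any mail product; the two sample messages, the domain names, the blocked-extension list and the quarantine rule are all assumptions for the illustration. A real gateway adds content inspection, sandbox detonation and reputation data on top of rules like these.

```python
"""Triage an inbound message the way a basic mail filter would (added example)."""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment types ransomware and loader campaigns lean on: executables, scripts,
# macro-enabled Office documents and disc images that smuggle them past filters.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk",
                      ".docm", ".xlsm", ".pptm", ".iso", ".img"}
# Authentication-Results verdicts that count as "did not pass".
FAILED_VERDICTS = {"fail", "softfail", "permerror", "temperror"}


def build_sample(filename, auth_results, envelope_sender):
    """Construct a sample message; every address and header here is made up."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <accounts@supplier.example>"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Overdue invoice - action required"
    msg["Return-Path"] = f"<{envelope_sender}>"
    msg["Authentication-Results"] = auth_results
    msg.set_content("Please see the attached invoice and pay today.")
    if filename:
        msg.add_attachment(b"\x00\x01placeholder-bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


MALICIOUS_SAMPLE = build_sample(
    "invoice.docm",
    "mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; "
    "dmarc=fail header.from=supplier.example",
    "bounce@mailer.example.net")

BENIGN_SAMPLE = build_sample(
    None,
    "mx.example.com; spf=pass smtp.mailfrom=supplier.example; "
    "dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example",
    "accounts@supplier.example")


def assess(raw_bytes):
    """Return the filter decision and the reasons behind it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    # 1. Dangerous attachments by extension (a real filter also inspects content).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")

    # 2. Sender authentication results recorded by the receiving MX.
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                               str(msg.get("Authentication-Results", ""))))
    for check in ("spf", "dmarc"):
        verdict = verdicts.get(check, "missing")
        if verdict == "missing" or verdict in FAILED_VERDICTS:
            reasons.append(f"{check} did not pass ({verdict})")

    # 3. Envelope sender domain disagreeing with the From domain the user sees.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if envelope and from_domain and envelope != from_domain:
        reasons.append(f"envelope sender domain {envelope} differs from From domain {from_domain}")

    return {"quarantine": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = assess(raw)
        print(f"{label}: quarantine={verdict['quarantine']}")
        for reason in verdict["reasons"]:
            print(f"  - {reason}")
```

The malicious sample is quarantined on four independent grounds; any one of them would do, which is the point of layering cheap checks. The DMARC verdict only means something if your own domain and your suppliers' domains publish SPF and DKIM records, so reviewing mail filtering also means reviewing what you publish.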
6. Implement robust multi-factor authentication
I attended a large number of incident responses last year in which the initial infection began with the compromise of an Office 365 or similar account. If you are not using multi-factor authentication already, this is simple to turn on technically. Operational acceptance is another matter, but given the potential cost and consequences of a large-scale breach it shouldn’t really be optional.
7. Be prepared if the worst happens
The guidance shared so far has focused on preventative protections. But what if you are past that stage? The advice remains the same as ever when it comes to ransomware outbreaks: take regular backups of all key data, keep them where a compromised domain account cannot reach them and test that you can actually restore from them; reset passwords for known compromised accounts post-breach; and invest in malware protection that offers anti-ransomware measures. Some vendors now offer copy-on-write solutions among other technologies that can help ring-fence important data and combat many common ransomware traits.
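Two of the "common ransomware traits" anti-ransomware products key on are easy to show: files on a share being rewritten with content that looks like ciphertext (near 8 bits of entropy per byte, where documents sit far lower), and a burst of those rewrites that also rename the files to a new extension. The script below is an added example and not code from the article, from Six Degrees or from any vendor; it computes Shannon entropy over a file's bytes and looks for a burst of high-entropy renames in a constructed list of file-share events. The entropy threshold, the window and the file count are assumptions for the illustration, and the "ciphertext" is deterministic chained SHA-256 output standing in for encrypted data.

```python
"""Two cheap ransomware tells on a file share: high-entropy rewrites and a burst
of renames to a new extension (added example)."""
import hashlib
import math
import os
from collections import Counter
from datetime import datetime, timedelta

# Bits of entropy per byte. Documents and source sit well below; ciphertext and
# well-compressed archives sit close to 8, which is why the rename burst matters too.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Entropy in bits per byte of the observed byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, min_size=256):
    """Tiny writes give noisy estimates, so only judge reasonably sized ones."""
    return len(data) >= min_size and shannon_entropy(data) >= ENTROPY_THRESHOLD


def pseudo_random_bytes(n, seed):
    """Deterministic stand-in for ciphertext: chained SHA-256 (constructed data)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


DOCUMENT = b"Quarterly revenue by region for the board pack, with commentary.\n" * 64

# Constructed file-activity events: (timestamp, old_path, new_path, bytes_written).
EVENTS = [
    ("2020-01-10T02:15:01", r"\\FS01\finance\Q3.xlsx", r"\\FS01\finance\Q3.xlsx.locked", pseudo_random_bytes(4096, "a")),
    ("2020-01-10T02:15:03", r"\\FS01\finance\board.docx", r"\\FS01\finance\board.docx.locked", pseudo_random_bytes(4096, "b")),
    ("2020-01-10T02:15:06", r"\\FS01\finance\payroll.csv", r"\\FS01\finance\payroll.csv.locked", pseudo_random_bytes(4096, "c")),
    ("2020-01-10T02:15:12", r"\\FS01\finance\budget.pptx", r"\\FS01\finance\budget.pptx.locked", pseudo_random_bytes(4096, "d")),
    ("2020-01-10T02:15:20", r"\\FS01\finance\forecast.xlsx", r"\\FS01\finance\forecast.xlsx.locked", pseudo_random_bytes(4096, "e")),
    ("2020-01-10T09:12:44", r"\\FS01\finance\notes.txt", r"\\FS01\finance\notes.txt", DOCUMENT),  # ordinary edit
    ("2020-01-10T10:00:00", r"\\FS01\finance\export.csv", r"\\FS01\finance\export.zip", pseudo_random_bytes(4096, "z")),  # one archive: high entropy, but alone
]


def detect_mass_encryption(events, threshold=4, window=timedelta(seconds=60)):
    """Alert when at least `threshold` files are both renamed to a different
    extension and rewritten with encrypted-looking content inside one `window`."""
    suspicious = []
    for ts, old_path, new_path, data in events:
        old_ext = os.path.splitext(old_path)[1].lower()
        new_ext = os.path.splitext(new_path)[1].lower()
        if new_ext != old_ext and looks_encrypted(data):
            suspicious.append((datetime.fromisoformat(ts), new_path, new_ext))
    suspicious.sort()

    alerts = []
    i = 0
    while i < len(suspicious):
        anchor = suspicious[i][0]
        run = [s for s in suspicious[i:] if s[0] - anchor <= window]
        if len(run) >= threshold:
            alerts.append({
                "first_seen": run[0][0].isoformat(),
                "last_seen": run[-1][0].isoformat(),
                "files": [path for _, path, _ in run],
                "extension": Counter(ext for _, _, ext in run).most_common(1)[0][0],
            })
            i += len(run)  # the whole run is one incident
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    print(f"document entropy: {shannon_entropy(DOCUMENT):.2f} bits/byte")
    print(f"ciphertext entropy: {shannon_entropy(EVENTS[0][3]):.2f} bits/byte")
    for alert in detect_mass_encryption(EVENTS):
        print(f"{len(alert['files'])} files renamed to {alert['extension']} and rewritten "
              f"with encrypted-looking data between {alert['first_seen']} and {alert['last_seen']}")
```

On the sample the five `.locked` rewrites in twenty seconds raise one alert, the ordinary edit is ignored because its content is plain text and its name is unchanged, and the single zip export is ignored because one high-entropy file is not a burst. That last case is why products combine the entropy signal with rate and rename heuristics rather than blocking on entropy alone; a response hooked to an alert like this (disconnect the share, disable the account, fall back to the copy-on-write snapshot) is what turns the backups mentioned above from a recovery plan into a containment measure.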
The recent Travelex ransomware saga is testament to the massive financial, operational and reputational damage a successful cyberattack can inflict on an organisation. This isn’t a time for burying your head in the sand and hoping the same fate doesn’t befall you. Taking proactive steps to prevent and reduce the risk of cyberattacks like those shared above may well be the best cybersecurity decisions you make this year.
Andy Swift, Head of Offensive Security, Six Degrees