Responding to Ransomware: A Q&A with David Shear of Vigilante
It’s not enough to acknowledge the threat of ransomware—companies need to be positioned to communicate with threat actors (whether directly or indirectly), contain damage and minimize business interruption associated with this increasingly common form of cyberattack. I talked to David Shear, threat data governance and integration manager of Vigilante, about best practices in preparation and response to ransomware events.
How prevalent are ransomware attacks today, and generally how do they impact an organization?
DS: Ransomware has become an increasingly prevalent threat to organizations globally. While the numbers may not be as high as malware variants like Adware or Trojans, the impact of ransomware is typically much higher due to the control it has over a network, the data accessed, and the downtime caused by attack.
The most obvious impact of ransomware is encryption of the infected system. However, there is an even bigger concern nowadays of ransomware groups not only encrypting victim systems but also exfiltrating data off the network to release or sell as penalty for non-payment.
Another impact that’s worth being more aware of is that even if you pay for the decryption keys and tools, it can take weeks to months to fully decrypt a large network. The decryption tools provided by threat actors are often slow and error-prone, which is made worse by the sudden stopping of services on victim systems.
Say a company has just realized they are the victim of a ransomware attack. What are some of the first things they need to do to respond and recover their data?
DS: Ideally, any compromised organization has an incident response (IR) process, with a third-party vendor or internal IR team available for immediate engagement. Regardless of capabilities or organization size, victims should engage law enforcement (e.g., the local FBI office) in parallel to starting the incident response process.
Unfortunately, encryption of data is the last stage of a ransomware campaign so the focus here is to give investigators as much information to work with, while protecting your network in its current state as best as possible. Removing/blocking the infected machines from your network and the internet are necessary in keeping more data from being exfiltrated and more systems from being infected.
Compromised machines should be imaged for law enforcement and IR teams to investigate the full scope of the infection, including entry point, lateral movement points, and actions carried out by the malware. Many organizations mistakenly immediately wipe infected systems which can hinder incident remediation.
Once the full scope of infection has been established and points of entry are secured, the victim can hopefully restore from backup, work with ransomware experts to possibly decrypt the content, or lastly, pay the threat actors for decryption.
In your work with companies that are victims of ransomware attacks, have you ever come across a situation where the threat actors have lied, or claimed to have things they didn’t?
DS: No, not really. If you are engaging with the ransom group at the point of asking how to decrypt your data, the impact is enough that they don’t need to lie about what they have access to. These modern ransomware groups focus on high-pressure tactics such as releasing your information to the public and informing media outlets of your compromise to get your attention.
Lying, or exaggerating claims were often a tactic of a different group of ransom themed threat actors. In prior years, various groups would compromise an organization, exfiltrate data, then threaten to release the data if a ransom was not paid—often communicating with their victims via email as opposed to the newer automated ransomware processes.
Tell us about the process of verifying the type of data stolen by a threat actor in a ransomware scenario. Why might an organization need outside experts to help them with this?
DS: It should be noted that not every ransomware variant exfiltrates data from victim networks. In either case, however, ransomware groups will clearly lay out steps for an organization to upload/email a sample of encrypted data which will then be decrypted by the threat actors verifying their claims.
The effectiveness of outside experts can vary, but typically they will provide solutions to the victim, and at minimum, much needed control in a situation that requires it. Some of the solutions can involve decrypting tools for various ransomware variants, or techniques that may be leveraged to recover encrypted information to an earlier state. All of this can be hit-or-miss, depending on how many counter-forensics techniques threat actors employed in their campaign.
Lastly, outside experts tend to be more familiar with evidence collection and preservation, which is key to finding the initial point of infection and full scope of what was compromised. Victims who panic and start wiping machines can hinder recovery and follow-on analysis which are critical to the process of remediation.
What is your best advice for organizations to avoid being a victim of ransomware? Is this type of attack inevitable today?
DS: Given the prevalence of ransomware groups, it’s safe to assume that being targeted is inevitable. However, compromise is not a given if organizations take the proper steps to secure themselves.
The two biggest entry points that you’ll read about in any campaign regarding corporate ransomware attacks are email and the Remote Desktop Protocol (RDP). Email security is a challenge for most as it’s often the cornerstone of communication between organizations making it difficult to lock down too much without restricting its core functionality. Email security should be a top priority to businesses, as it’s the easiest entry point for any threat actor.
RDP is an increasingly common entry point for ransomware campaigns. It’s apparent that with the majority of the workforce now at home, organizations must provide access to corporate resources from remote locations. Unfortunately, this greater access also presents an entry way for a potential attacker.
Any sensitive network service such as RDP should first and foremost be located behind a corporate VPN. Having your RDP service exposed directly to the internet makes it a prime target for criminal groups constantly scanning the internet for available services to brute force, or even exploit. Small defenses like strong passwords and changing the default port of RDP could be helpful but these types of protections will at most delay a dedicated threat actor.
The final recommendation is a defense-in-depth approach to your network security. The ideal solution is not just one or two defenses in hopes they prevent the attack, but a multilayered approach that makes it difficult for threat actors and malware to move laterally through a network, giving you more ways of detecting malicious activity. This is especially important for combatting more sophisticated ransomware campaigns which rely on those lateral movements.
We would like to thank Mr. Shear of Vigilante for his commentary and thoughtful advice on ransomware, a morphing threat that can impact any organization. David mentioned developing an IR plan at the outset to guide an organization through a cybersecurity crisis—not only for detailed preparation but to demonstrate readiness to insurers who often require it. Your IR plan needs to be actionable and accessible, so that senior management can instantly consult the plan at any time following a crisis event (and usually we see them on nights and weekends) connecting them with pre-selected external IR experts. For more information on Breach Plan Connect™, please visit us here.