Protecting Your Network from Ransomware Attacks

We may all be targets, but we don’t have to be victims

Introduction

With new cases reported nearly every day, ransomware has become an inescapable part of the security conversation. Attacks are seen in organizations of every size and industry, and victims can suffer a loss of productivity, revenue, and confidence, in addition to the costs of recovery, and the threat of confidential information being leaked or sold.

It doesn’t have to be this way.

Ransomware is a threat that can be handled by adopting recommended defensive and resilience practices and technologies, and leveraging information and advice shared within a community of vigilant protectors.

Rapid7 is proud to be a part of that community. We have some of the foremost thinkers, researchers, and engineers actively engaging in the conversations around ransomware and encourage them to use our platform to help inform as many security professionals as possible.

What is ransomware?

At its core, ransomware is digital extortion. Cyberattackers use a variety of tactics to disrupt an organization’s operations or hold their data hostage so they can then force the organization to pay a ransom to secure a return to standard operations. Often, those same bad actors will steal data and threaten to leak or sell it to other nefarious outfits if a second payment is not made. This is known as a double extortion attack. It is nearly impossible to completely inoculate an organization from ransomware attacks, but it is possible to dramatically improve an organization’s ability to weather an attack, as well as reduce the odds of them being hit, and make it more expensive and inconvenient for cybercriminals to mount attacks.


Groundbreaking Research on Double Extortion

Double extortion ransomware is a relatively new and pernicious component of the overall ransomware problem. From its initial use by the Maze ransomware group just a few short years ago to its adoption by many groups, each employing the practice to devastating effect, double extortion has proven to be a tactic in critical need of analysis. In a first-of-its-kind report, Rapid7 uses proprietary data from the clear, deep, and dark web to analyze the disclosure layer of double extortion ransomware attacks. We’ve done this because knowing your enemy, their tactics, strategies, and eccentricities is the first step toward defeating them. Our analysts have determined what data is most commonly disclosed by attackers, how those disclosures differ from industry to industry, and what data different threat actors prefer to disclose. We look at the double extortion layer of ransomware in a way no one has before.

How does ransomware happen?

In the purest sense, ransomware is a type of malware that uses cryptography to lock data or systems up so they can be held for ransom. It exploits weaknesses within a network or organization, which could be within the network’s architecture, its third-party entry points, or even within its users themselves. It is important to note that in recent times, the term “ransomware” has become a catch-all for any extortion-based attacks, and may not actually include the delivery of malware itself. For example, some reported ransomware attacks actually leverage Distributed Denial of Service (DDoS), which does not involve malware, but rather involves attackers overloading systems with too much traffic until they fail.

For ransomware malware, the most common infiltration methods include spear phishing, stolen credentials, VPN/remote access exploitation, web browser or application exploitation, and removable media. From there, attackers find ways to move through the network and encrypt data in order to extort a ransom from the organization. This lateral movement can happen in a number of ways, including use of the command-line interface or graphical interface, scripting, user execution, and others.

Ultimately, preventing ransomware attacks means defending many points of entry across an entire network from unknown attackers seeking just a single weak spot to enter.

Responding to the ransomware threat

It’s important to remember that there is no silver bullet for preventing ransomware, but there are plenty of silver linings. For instance, a main component of a solid prevention plan is instituting best practices within your workforce that can defend against any number of attacks.

Typically, a robust ransomware prevention and remediation plan has three parts to guide your organization’s actions: before the attack, during the attack, and after the attack.

Before the attack:

The key to prevention is minimizing the attack surface a bad actor has to work within. That means proper workforce training to prevent phishing exploitation, credential theft, or visiting compromised websites.

It is also critical to have a robust backup regime that allows you to restore your data to a point in time before the attack. Finally, make sure you have a full incident response plan in place. This includes asking frank questions about your preparedness, understanding what measures you will take to identify ransomware before encryption takes place, how you will contain those breaches, how you will recover lost data, and how you will eradicate an existing threat. Make sure your incident response plan is available offline.

During the attack:

Once an attack is underway, the single most important goal your team should have is mitigating the impact. This means operationalizing your incident response plan, restoring data from backups, issuing new assets that are clean and free of exposure, and remediating initial access and execution vectors to prevent repeat attacks.

One of the biggest questions businesses face at this point is whether to pay the ransom. It is a complicated question rife with competing interests, viewpoints, and legal ramifications. We explore this question in depth in our Ransomware Playbook and offer alternative solutions to simply paying the ransom.

After the attack:

Once the worst is over, it is critical that your team debrief to determine how well your plan worked and whether there are gaps or weaknesses that need to be addressed. There are also several remediation and mitigation steps to take, including rebuilding systems from a known-good baseline, quarantining endpoints, changing credentials, and locking compromised accounts.
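The "restore to a time before the attack" and "rebuild from a known-good baseline" steps above, as an added example that is not Rapid7's code or part of the original page: a small Python check that picks the newest backup taken before the earliest compromise indicator and accepts it only if its critical files still match a known-good SHA-256 manifest. It also covers the edge case the page's advice implies: a backup that predates the first logged indicator but already contains an altered binary is rejected, and if no candidate survives the function returns None, which is a finding about the backup regime itself. All timestamps, paths and file contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Backup:
    taken_at: datetime  # snapshot time, UTC
    files: dict         # path -> file content (bytes)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Known-good manifest (path -> SHA-256) for files that must not change."""
    return {path: sha256(content) for path, content in files.items()}

def verify_against_baseline(files: dict, baseline: dict) -> list:
    """Paths whose hash differs from the baseline, or that are missing entirely."""
    bad = [p for p, c in files.items() if baseline.get(p) != sha256(c)]
    bad += [p for p in baseline if p not in files]
    return sorted(bad)

def select_restore_point(backups, earliest_compromise, baseline):
    """Newest backup taken strictly before the earliest compromise indicator whose
    critical files still match the baseline. None means no backup can restore a
    pre-attack state, which is itself a finding about the backup regime."""
    pre_attack = sorted((b for b in backups if b.taken_at < earliest_compromise),
                        key=lambda b: b.taken_at, reverse=True)
    for backup in pre_attack:
        if not verify_against_baseline(backup.files, baseline):
            return backup
    return None

# Constructed sample data: two critical files and three nightly snapshots.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
GOOD = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n", "/usr/bin/app": b"\x7fELF good build"}
BASELINE = build_baseline(GOOD)
BACKUPS = [
    Backup(T0 + timedelta(days=1), dict(GOOD)),                                      # clean
    Backup(T0 + timedelta(days=3), {**GOOD, "/usr/bin/app": b"\x7fELF modified"}),   # binary altered before the first logged indicator
    Backup(T0 + timedelta(days=5), {p: b"<encrypted>" for p in GOOD}),               # taken after encryption
]
EARLIEST_COMPROMISE = T0 + timedelta(days=4)  # e.g. first suspicious login seen in logs

def choose_restore_point():
    """The restore point the team should use; None when the regime cannot deliver one."""
    return select_restore_point(BACKUPS, EARLIEST_COMPROMISE, BASELINE)
```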

How can we help?

There’s no single solution to ransomware that can completely inoculate your organization from the threat, and protecting every entry point into your network from ransomware can feel like an uphill climb. But while we may all be targets, we don't have to be victims. There are many internal and external tactics and products that, when used together, can give you the best line of defense available.

Attackers are working together, training each other, spreading their knowledge, and sharing their tactics and technologies. The good news is so are we. At Rapid7, we have industry-leading vulnerability risk management — InsightVM — and incident detection and response — InsightIDR — solutions that can help you understand and reduce your attack surface, identify risks, detect ransomware, and eradicate it within your networks as quickly and cleanly as possible. We are constantly and consistently improving these offerings to evolve alongside the threat of ransomware so you can be assured that our solutions will keep up with your internal efforts. When it comes down to protecting yourself from ransomware, you are not alone.

Even More Resources

There’s no end to the need to educate yourself and your organization on the ransomware threat. It’s crucial to be better informed than the bad guys. That’s why we have some of the foremost thinkers, researchers, and engineers working on the project and encourage them to use our platform to help inform as many security professionals as possible. When the community works together, everyone is safer.

We also have a team of experts ready to help you assess your cybersecurity program maturity. And if you’re just getting started, we’re here to help you hit the ground running.