The FBI reports that as many as 2,048 ransomware complaints were registered in 2021, and the Financial Crimes Enforcement Network noted there were 68 variants of ransomware in that same year, accounting for over $590 million in ransom payments.

Recently, healthcare systems including the CommonSpirit Health system — the fourth largest in the country — and other hospitals in Texas and Seattle were hit with suspected ransomware attacks. New York’s Suffolk County government computer network was also shut down by such an attack in recent months. The list of targets is extensive.

Methods for defending against ransomware attacks

Organizations are not alone in defending against cyberthreats. Here to help is the MITRE ATT&CK framework, a free global resource containing documented information on how to recognize adversarial behaviors, threat models and employed ransomware techniques.

MITRE also offers mitigation tactics based on collected data, including recognition of the eight commonalities that are apparent during such attacks. An understanding of these tactics helps organizations devise better plans to detect and avoid worst-case scenarios.

What do all ransomware attacks have in common?

Encrypts data

All ransomware payloads apply a cryptographic cipher, which means they use an algorithm to encrypt user and system files. Techniques that are commonly used to do so are well documented in the MITRE ATT&CK framework under the “Impact” tactic.

Avoids detection

For payloads to be successful, they need to bypass security controls that are already in place. The “Defense Evasion” tactic lists some of these techniques, such as renaming system utilities, indicator removal, clearing event logs, abusing profile installers and disabling security tools.

Moves laterally

In this scenario, hackers use valid accounts extracted from compromised hosts to interact with a remote network, gaining access to multiple functions. Ransomware can even move from one computer station to another. This category can be found under MITRE ATT&CK tactic “Lateral Movement.”

Disables system defenses and recovery efforts

In this instance, attackers delete system data designed to assist with the recovery of corrupted systems, thereby impeding efforts to get back online.

Escalates privileges

While there are many ways to achieve this, the common ones used by many of these payloads are the abuse of scheduled tasks and the creation of registry keys. These techniques can be found under the MITRE ATT&CK tactic “Privilege Escalation.”

Attempts to persist

Similar to the above, once system defenses are compromised, attempts are made to further infect and disable the systems and users available within the software. These techniques can be found under the MITRE ATT&CK “Persistence” tactic.

Exfiltrates data

Before encrypting the victim’s data, the payload transports business-critical data from the victim’s network to the threat actor using DNS tunnels and Application Layer Protocols HTTP/HTTPS or Alternative Protocols. These actions can be found under the MITRE ATT&CK tactics “Command and Control” and “Exfiltration.”

Demands ransom

Hence the name “ransomware.” Paying the demanded ransoms is illegal according to the FBI, as per its definition of terrorism.

How to improve systems and ward off ransomware attacks

The first step to improve your company’s cybersecurity defense is upgrading or replacing outdated legacy computer systems that are more vulnerable to cyberattacks. What might have worked well for a company or government organization for many years may not be adequate now to prevent malware attacks.

The cost of replacement will pale in comparison to the cost of downtime and the loss of clients and customers once a data breach goes public. Install improved monitoring systems that can detect an attack or a series of attempts to breach the defenses in place, and limit the number of administrative privileges given out.
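The monitoring step above, sketched as an added example (not code from the article or from MITRE): it tags process-creation events with the ATT&CK tactics named earlier and alerts when a single host shows several tactics within a short window. The command-line patterns, host names, sample events and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# (tactic, behaviour, pattern). Tactic names follow the article; deletion of
# recovery data falls under ATT&CK "Impact". Patterns are illustrative only.
RULES = [
    ("Defense Evasion", "event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("Impact", "recovery data deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("Privilege Escalation", "scheduled task created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("Privilege Escalation", "autorun registry key added",
     re.compile(r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
]

# Constructed sample events: (host, epoch seconds, command line).
EVENTS = [
    ("ws-014", 1000, r"schtasks /create /tn Updater /tr C:\ProgramData\job.exe /sc onlogon"),
    ("ws-014", 1090, r"wevtutil cl Security"),
    ("ws-014", 1150, r"vssadmin delete shadows /all"),
    ("srv-02", 1200, r"schtasks /create /tn NightlyBackup /tr C:\Tools\backup.cmd /sc daily"),
    ("ws-031", 1300, r"wevtutil qe System /c:5"),  # read-only query, not a clear
]

def classify(cmdline):
    """Return [(tactic, behaviour)] for every rule the command line matches."""
    return [(t, b) for t, b, rx in RULES if rx.search(cmdline)]

def correlate(events, window=600, min_tactics=2):
    """Map host -> sorted tactics when at least min_tactics distinct tactics
    are seen on that host within `window` seconds of each other."""
    hits = defaultdict(list)
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        for tactic, _ in classify(cmd):
            hits[host].append((ts, tactic))
    alerts = {}
    for host, rows in hits.items():
        for i, (start, _) in enumerate(rows):
            tactics = {t for ts, t in rows[i:] if ts - start <= window}
            if len(tactics) >= min_tactics:
                alerts[host] = sorted(tactics)
                break
    return alerts

if __name__ == "__main__":
    for host, tactics in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(tactics)}")
```

A single scheduled-task creation, as on the constructed host `srv-02`, is routine administration and stays below the threshold; the alert fires on the combination.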

Next, improve employee training to ensure everyone at all levels of a hierarchy understands that for entities which exist substantially in today’s online world, data security is the primary responsibility.

Facilitate this with defined organizational policies to demonstrate that this is the organization’s utmost priority. Consistently remind employees to avoid phishing attacks that start with clicking on links in suspicious emails, as this provides hackers the entryway needed to an entire computer network.

It sounds simplistic, but recognize it may not always be “someone else” or “that won’t happen to us,” as organizations both large and small — including elementary schools and rural government bodies — are targets.

There are cyber insurance policies available, with insurers demanding improved cybersecurity implementation before covering claims for incident response, loss of information and compliance/regulatory costs.

The benefits of cybersecurity preparation

Ransomware attacks do not have to be inevitable. Recognizing the commonalities these attacks share can lead to upgraded operating systems, heightened security monitoring procedures and improved defenses, overseen by employees with constantly evolving skill sets.

With savvy hackers regularly reinventing their own acumen, recognizing the latest cyberattack trends in order to stay one step ahead, protect data and, in some cases, simply keep operating is imperative for an organization, agency or business of any size.

Jayant Kripalani

Jayant Kripalani is a cybersecurity professional with 20 years of experience working for global security companies such as Splunk, Cisco, Rapid7 and Wipro. He holds a bachelor’s degree in computer engineering in addition to multiple industry certifications. He has worked extensively with SOC teams and currently specializes in cybersecurity strategy and consulting.
