DHS has seen a proliferation of ransomware attacks, prompting an alert into how the malware is spreading and ways all organizations can protect the enterprise and contain the virus.
September 09, 2019 – The Department of Homeland Security is once again alerting all sectors to the rapidly increasing threat of ransomware attacks. Officials have shared FireEye research on ways organizations can both protect their enterprise and contain the malware.
According to the DHS Cybersecurity and Infrastructure Security Agency, the US is currently facing a ransomware outbreak that has “rapidly emerged as the most visible cybersecurity risk playing out across US networks, locking up private sector organizations and government agencies alike.”
In the past month in the healthcare sector alone, hackers demanded a $1 million ransom from one healthcare network, and three other providers reported similar ransomware events. Most recently, a ransomware attack on third-party vendor Digital Dental Records and PerCSoft has left hundreds of dental providers locked out of their systems for more than a week.
What’s more, it’s likely there are many more of these cyberattacks: many infections are simply going unreported and ransoms are being paid, according to CISA.
“We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?),” officials wrote. “But we also recognize that there’s no such thing as perfect cybersecurity and ransomware infections can still happen.”
RANSOMWARE BASICS AND RECOMMENDATIONS FROM FIREEYE
Hackers leverage ransomware attacks both manually and through automated propagation, FireEye researchers explained.
In manual attacks, the cybercriminal penetrates a network and uses administrator-level privileges to run encryptors on the targeted systems by hand, through Windows batch files, Microsoft Group Policy Objects, and the software deployment tools the victim organization already uses.
With automated attacks, hackers extract credentials or Windows tokens from disk or memory and use them to establish trust relationships between systems through Windows Management Instrumentation (WMI), SMB, or PsExec. Those relationships let the malware bind to other systems and execute its payload on them.
“While the scope of recommendations contained within this document is not all-encompassing, they represent the most practical controls for endpoint containment and protection from a ransomware outbreak,” FireEye researchers wrote.
“If implemented proactively, the scope of controls outlined within this document can protect an organization from being impacted by a ransomware event that disrupts operations and impacts a large scope of systems,” they added.
The FireEye guidance provides organizations with insights on shoring up vulnerabilities in common entry points, such as unpatched endpoints.
Organizations can find methods to harden endpoints, such as preventing administrative accounts from using internet-facing Remote Desktop Protocol (RDP), requiring Network Level Authentication (NLA), hardening RDP configuration, and other measures.
FireEye also shed light on the threat of credential exposure and ways organizations can harden how credentials are used.
“Local accounts that exist on endpoints are often a common avenue leveraged by attackers to laterally move throughout an environment,” researchers wrote. “This tactic is especially impactful when the password for the built-in local administrator account is configured to the same value across multiple endpoints.”
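The automated propagation described above (one set of extracted credentials replayed over SMB, WMI or PsExec) and the shared local administrator password in the quote both leave a trail in Windows event logs. As an added example that is not from the DHS alert or the FireEye whitepaper, this Python sketch flags both signals over constructed event lines; the pipe-delimited export format, the field names and the window/threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in a hypothetical pipe-delimited export of Windows events:
# time|host|event_id|account|logon_type|source_ip|service_name
# 4624/type 3 = network logon (SMB, WMI, PsExec); 7045 = service installed (PsExec default: PSEXESVC)
SAMPLE_LOG = """\
2019-09-09T02:00:01|WS01|4624|administrator|3|10.0.0.5|
2019-09-09T02:00:02|WS01|7045||||PSEXESVC
2019-09-09T02:00:05|WS02|4624|administrator|3|10.0.0.5|
2019-09-09T02:00:09|WS03|4624|administrator|3|10.0.0.5|
2019-09-09T02:00:10|WS03|7045||||PSEXESVC
2019-09-09T02:00:14|WS04|4624|administrator|3|10.0.0.5|
2019-09-09T02:00:20|WS05|4624|administrator|3|10.0.0.5|
2019-09-09T02:03:00|FS01|4624|jdoe|3|10.0.0.77|
2019-09-09T02:04:00|WS06|7045||||BackupAgent
"""

def parse(text):
    events = []
    for line in text.splitlines():
        t, host, eid, acct, ltype, src, svc = line.split("|")
        events.append({"time": datetime.fromisoformat(t), "host": host, "event_id": int(eid),
                       "account": acct, "logon_type": ltype, "source_ip": src, "service": svc})
    return events

def psexec_service_installs(events):
    """Hosts where a PSEXESVC-named service appeared (a renamed service evades this; pair it with fan_out)."""
    return [(e["host"], e["time"]) for e in events
            if e["event_id"] == 7045 and e["service"].upper().startswith("PSEXESVC")]

def fan_out(events, window=timedelta(minutes=5), threshold=4):
    """(account, source_ip) pairs with network logons to >= threshold distinct hosts inside one
    window: one credential (often a shared local admin password) replayed across the estate."""
    logons = sorted((e for e in events if e["event_id"] == 4624 and e["logon_type"] == "3"),
                    key=lambda e: e["time"])
    by_actor = defaultdict(list)
    for e in logons:
        by_actor[(e["account"], e["source_ip"])].append(e)
    hits = {}
    for actor, evs in by_actor.items():
        start = 0
        for end, e in enumerate(evs):  # sliding time window over this actor's logons
            while e["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= threshold:
                hits.setdefault(actor, set()).update(hosts)
    return hits
```

The single jdoe logon and the BackupAgent service install are left alone; the administrator credential touching five workstations in twenty seconds, with PSEXESVC appearing on two of them, is what gets surfaced.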
“Ransomware poses a serious threat to organizations, as attackers continue to utilize this tactic to monetize breaches,” they added. “This whitepaper should not be considered a comprehensive guide on every tactic and control that can be used for this purpose, but it can serve as a valuable resource for organizations faced with this challenge.”
Echoing what many cybersecurity researchers have stressed, CISA explained that organizations can protect against ransomware by ensuring all data, system images, and configurations are backed up and stored offline. Systems should also be kept updated and patched, and organizations must ensure their security tools are up to date.
Next, organizations should review and exercise their incident response plan. Officials explained they should also take note of outside ransomware events and apply lessons learned.
If infected, CISA officials said organizations should seek assistance from the FBI or contact CISA, along with working with an experienced advisor to help with recovery efforts. The infected systems need to be isolated and the return to operations should be phased.
During recovery, organizations should also review connections to any business relationships that touch the network, such as vendors, customers, and partners. To prioritize recovery, business impact assessment findings should be applied.
ENSURING NETWORK RESILIENCE
Overall, CISA recommended organizations practice good cyber hygiene through backups, updates, application whitelisting, limiting privileges, and multifactor authentication. Microsoft recently reported that MFA stops 99.9 percent of all automated cyberattacks.
Networks should be segmented to make it difficult for a hacker to move around the network and infect multiple systems. Organizations also need to develop containment strategies, which can inhibit a hacker from taking data out of the network.
Lastly, organizations need to understand the system’s baseline for recovery, while reviewing and validating disaster recovery procedures and goals with executives.