The debate over whether or not to pay the ransomware demand has gone on for a while now. The FBI has long urged businesses to refuse all demands for a ransom payment. And while most businesses aren’t exactly excited to shell out a ton of money to criminals, if their backups are corrupted or they are facing extended downtime, paying the ransom may start to feel like the only option. Adding to the debate, last week the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released updated ransomware guidelines, reinforcing the FBI’s stance and possibly opening the door to imposing fines on organizations that pay up.
In the updated guidelines, the OFAC states that the U.S. government “strongly discourages businesses from paying ransom demands,” arguing that these payments may help fund future attacks against the U.S. The OFAC also makes the point that paying the ransom in no way guarantees you will ever see your data again or that the attackers didn’t make a copy of your sensitive information to use against you later.
However, the OFAC is doing more than strongly discouraging payments; it may also start imposing civil fines on those who do pay. “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN list).” And just last month the OFAC added SUEX, a cryptocurrency exchange service, to that list. According to OFAC, over 40% of transactions on SUEX are for illegal purposes, including ransomware payments.
These new guidelines, therefore, give the U.S. government the ability to fine businesses that decide to pay the ransom. However, the Treasury Department is careful to clarify that other, preventative measures businesses take against ransomware may save them from dealing with civil fines. Such mitigating measures include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.
Incident response plans are essential for mitigating the effect of any form of cyber attack. A good plan involves not only having a detailed roadmap for how to respond to various cyber attacks but also bringing in a team of employees who are responsible for carrying out different parts of the plan, running test scenarios with that team, and then making any necessary adjustments based on what didn’t work during the tests. When it comes to incident response, a quick, competent, and efficient response is essential to mitigating risk and limiting damage.
Backups are also critical for dealing with a ransomware attack, potentially allowing you to get your data back without ever having to deal with the attackers. And because these backups are so important, it’s essential to be smart about how you do them. First, use the 3-2-1 approach to backups. You want to have 3 backups on hand so you have multiple options in case one gets corrupted. 2 backups should be kept on-site for easy access, but 1 should be stored off-site and offline, to ensure the attackers can’t get hold of that too. And because ransomware attackers often steal administrative credentials, you should use separate passwords for your backups.
Summer is barely over, but given the myriad of highly publicized ransomware attacks that have taken place this year alone, it’s likely that business leaders everywhere are desperately trying to ensure that no ransomware attackers can get into their systems. And while it’s great that more organizations are starting to take cybersecurity more seriously, if you are placing all your emphasis on defending against outside threats you’re ignoring a very important question: what happens if attackers do make it inside? Then what? You may think that if hackers make it into your system it’s already too late, but that is far from the truth. Between gaining access and executing the ransomware, there is a middle phase of the attack in which attackers move around the network, gain access to administrative credentials, and locate the data they are going to encrypt and/or steal. Attackers can spend months moving throughout a network before actually launching the attack. Defending the middle is therefore essential to protect against suffering a ransomware attack.
In fact, according to a recent report by Coveware, it may be a lot more important to focus on defending the middle than just trying to keep the bad guys out. After analyzing data from multiple ransomware attacks, Coveware discovered that while attackers use a variety of means to gain access to a victim’s system, what the hackers do once they are inside is always the same. “As our data shows, 100% of the cases where we were able to collect triage observations found privilege escalation and lateral movement tactics employed.” And the tactics used in the middle phases are actually pretty limited. Once inside, if only one of the attacker’s tactics fails, it becomes a lot more difficult to pull off the attack. According to Coveware, “inhibiting a threat actor from escalating privilege or moving laterally is equally if not more important than preventing initial [entry].”
Because the tactics used to move around a victim’s network are pretty limited, that also means just a few protective measures could be the thing that stops the hackers from launching their ransomware. Here are 3 things businesses can do right now to defend the middle:
Multi-Factor Authentication For Domain Controller
A system’s domain controller is the part of your network that allows or denies access requests to your network. It’s essentially the seat of your access controls. That means if hackers gain access to your domain controller they can give themselves access to pretty much anything they want. To prevent this, it’s essential to set up multi-factor authentication for your domain controller. What’s more, it’s vital to use mobile authentication code-based MFA rather than hard MFA tokens. According to Coveware, “100% of ransomware attack victims LACK true multi-factor authentication for the domain administrator accounts.” So setting up MFA for your domain controller could be the thing that saves you from a ransomware attack.
Disable the Command Line
The command line is a back-end tool that allows IT administrators to build scripts that run automatically and perform complex tasks on a system’s network. It’s also an essential part of how ransomware attackers make changes to your system and move around your network. Coveware found that ransomware hackers rely heavily on the use of command lines to automate various parts of the ransomware attack. Disabling command line and scripting capabilities means hackers can’t rely on automatic processes to carry out their attack, making their efforts that much more time-consuming and costly.
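The Windows policy behind this recommendation is the Group Policy setting “Prevent access to the command prompt”, which writes the registry value DisableCMD under Software\Policies\Microsoft\Windows\System. The script below is an added example, not code from the original post or from Coveware: it audits whether that policy is in place for the current user and provides a function to apply it; the use of the HKCU hive and the choice of mode are assumptions, and in a domain this value is normally delivered by a GPO scoped to standard-user accounts rather than set by hand.

```powershell
# Added example (not from the original post). Audits and optionally applies the
# Windows "Prevent access to the command prompt" policy, whose registry value is
#   DisableCMD = 1  -> cmd.exe AND batch-file (.bat/.cmd) processing blocked
#   DisableCMD = 2  -> interactive cmd.exe blocked, batch files still run
# The policy is user-scoped, so it lives under HKCU (assumption: current user).
$PolicyKey = 'Software\Policies\Microsoft\Windows\System'

function Get-CmdRestriction {
    # Returns a short description of the current policy state.
    $path  = "HKCU:\$PolicyKey"
    $value = (Get-ItemProperty -Path $path -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    switch ($value) {
        1       { return 'cmd.exe and batch scripts blocked' }
        2       { return 'interactive cmd.exe blocked, batch scripts allowed' }
        default { return 'no restriction (DisableCMD not set)' }
    }
}

function Set-CmdRestriction {
    # Applies the policy for the current user. Mode 1 is the strict setting
    # the post recommends (command line and scripting both disabled).
    param([ValidateSet(1, 2)][int]$Mode = 1)
    $path = "HKCU:\$PolicyKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name DisableCMD -PropertyType DWord -Value $Mode -Force | Out-Null
}

# Read-only audit; uncomment the last line to apply the strict mode.
'Current user: {0}' -f (Get-CmdRestriction)
# Set-CmdRestriction -Mode 1
```

This restricts cmd.exe only for the accounts the policy applies to, so it belongs on standard-user and service-account scopes, with administrators doing their work from dedicated, MFA-protected accounts; it does not stop an attacker who already runs code as a different user or who brings their own tooling, which is why the post pairs it with MFA and segmentation.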
Segment Your Network
Imagine taking everything you have and putting it in a single locked room. If someone breaks in, everything you have is now gone. That’s exactly what having an unsegmented network is like. In order to make things harder for the bad guys and keep your data as safe as possible, it’s essential to separate different parts of your network from each other. That way, even if an attacker gains access to one part of your network, they aren’t able to get anywhere else.
In the past few years, new approaches to cybersecurity such as defense-in-depth and cyber resilience have become increasingly popular among cyber experts. In essence, both of these approaches argue that just protecting your systems from the outside is not enough. It’s vital not just to hope no one breaches your defenses, but to have protections and plans in place for when someone does make it inside. Defending the middle is one strategy for taking a defense-in-depth approach to cybersecurity, and it could be the thing that stands between you and a full-blown ransomware attack.