LINEARSTACK
March 23, 2023

5 Ways to Prevent and Recover from Ransomware Attacks

Ransomware is a threat all organisations face; however, it is preventable. Read what you can do to prevent

A successful ransomware attack that encrypts a user's most important files or renders them unreadable isn’t a novel threat in the realm of cybersecurity. These destructive, financially motivated attacks where cybercriminals blackmail victims into paying them to decrypt their data have been studied and documented since the 1990s. These attacks have become more pervasive.

Stopping ransomware infections entirely is near impossible for any organisation. Systems will always have some vulnerability on a host, mobile device, or piece of networking equipment, and hackers scan for known and unknown vulnerabilities before launching ransomware malware.

The majority of ransomware attacks arrive through the email channel. Many market-leading email security gateway solutions offer extensive inbound security protection focused on preventing ransomware delivered through various phishing methods, including:

●      Spear phishing.

●      Whaling phishing.

●      Trap phishing.

●      Plaintext attack phishing.

Understanding the kill chain of ransomware

Ransomware attacks vital infrastructure such as healthcare or fuel distribution, leaving many organisations looking for ways to protect themselves better. Legacy systems are particularly at risk from ransomware attacks because they tend to be outdated and under-maintained. OT/IoT/ODM devices deployed in municipal water districts and utility grids are rarely updated with the latest firmware, and these devices have recently become a target for hackers. Many water control systems have enabled their devices to communicate with external networks for better control and data analysis.

These devices have seen a considerable uptick in business disruptions and cybersecurity incidents, costing millions in damages. The Colonial Pipeline attack in 2021 resulted from a multi-threaded ransomware attack; the pipeline owners paid a $5 million ransom to regain access to their data.

What are ways to prevent and recover from a ransomware outbreak?

Ransomware, unlike viruses, is a multi-threaded attack vector. The initial attack could be a phishing email sent to a specific individual in an organisation requesting that they change their password or download an attachment. Once the unsuspecting end-user clicks on the URL or attachment, the ransomware malware begins to install on the device. The malware attaches itself to the exploited vulnerability of the system. The ransomware then initiates an outbound connection to the rogue command and control system to receive any additional instructions before starting its lateral propagation within the victim's networks. As each host is affected by ransomware, the data on the device is encrypted (unless the attack is a ruse), and the hackers will most likely begin their extortion communication with a list of financial demands.

Organisations need to address all the layers of the ransomware kill chain, not just one specific attack vector.

LinearStack recommends organisations enable updated processes and adaptive controls to prevent ransomware including:

●      Security awareness training - execute weekly attack simulations; quarterly security awareness newsletters positively impact the user community. Using creative ways to inform users helps them retain more information and reduces human error when phishing and social media messages arrive in their inboxes.

●      Network segmentation strategy - Ransomware propagates laterally in the victim's network. Once the malware is attached to a host, ransomware will use known Windows communication protocols like Server Message Block (SMB) to achieve machine-to-machine propagation within the same VLAN. A network containment strategy blocks lateral propagation by forcing all hosts to communicate through the network default gateway before any host-to-host communication. The network can also restrict any port or protocol within a VLAN. This segmentation strategy is proven to stop east-west propagation within the network; however, setting up and managing the network segments is challenging and costly.

●      Backing up data has proven to be an effective way to recover from a ransomware attack. By leveraging timely backups and snapshots, users can retrieve their files from a backup taken before the encryption phase of the attack. Hackers are known to have altered their techniques and have begun targeting backup and recovery solutions.

●      Enabling more comprehensive email security solutions - Stopping the initial attack vector is essential to blocking the rest of the kill chain from executing. However, even with the most efficient email security solutions, some phishing emails make it through to the victims, and for a large percentage of those messages the users click on things they should not have.

●      Sandboxing, detonation and scanning - Security sandboxing is a potent tool that most organisations use only selectively to stop the initial ransomware infection. Many email security vendors offer a Docker-type container in the cloud or a virtual machine for on-premises deployments to scan, detonate, and open all URLs and malicious email attachments within the email channel before the end-user accesses the content. This capability opens embedded URLs within the email and checks them for malware downloads, ransomware, or account takeover attempts.

Users voice their concerns if they cannot open a time-sensitive email due to security controls. SecOps will initially use sandboxing for corporate executives and for attachments from untrusted sources. Organisations will also consider implementing email encryption and multi-factor authentication as a possible safeguard against rogue messages.
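The backup item in the list above makes two points that are easy to lose in practice: restore from a snapshot taken before the encryption phase, and expect attackers to tamper with the backups themselves. The following is an added example written for this article, not LinearStack's code or any vendor's product logic. It assumes (constructed for the demo) that a snapshot is a dict of relative path to file bytes, and that the manifest signing key is kept somewhere the backup host cannot read, so an attacker who rewrites or encrypts the stored backups cannot re-sign the manifest. With that in place, the restore procedure can walk the snapshot history newest-first and stop at the first one that still verifies.

```python
"""Tamper-evident backup manifest: pick the newest snapshot that is still intact.

Added example, not LinearStack code. Assumptions (all constructed for the demo):
- a snapshot is a dict of relative path -> file bytes;
- the manifest key lives off the backup host (e.g. an offline vault), so an
  attacker who rewrites the backups cannot produce a valid manifest tag.
"""
import hashlib
import hmac
import json


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(entries: dict, key: bytes) -> str:
    # Canonical JSON so identical entries always produce the same tag.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(snapshot: dict, key: bytes) -> dict:
    """Record one digest per file and sign the list with the off-host key."""
    entries = {path: file_digest(data) for path, data in snapshot.items()}
    return {"entries": entries, "tag": _sign(entries, key)}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """True only if the manifest was signed with our key (constant-time compare)."""
    return hmac.compare_digest(_sign(manifest["entries"], key), manifest["tag"])


def check_snapshot(snapshot: dict, manifest: dict, key: bytes) -> dict:
    """Compare a stored snapshot against its manifest before trusting it for restore."""
    report = {"manifest_ok": verify_manifest(manifest, key),
              "modified": [], "missing": [], "unexpected": []}
    if not report["manifest_ok"]:
        return report  # signature failed: nothing in the manifest can be trusted
    for path, digest in sorted(manifest["entries"].items()):
        if path not in snapshot:
            report["missing"].append(path)
        elif file_digest(snapshot[path]) != digest:
            report["modified"].append(path)
    report["unexpected"] = sorted(set(snapshot) - set(manifest["entries"]))
    return report


def is_clean(report: dict) -> bool:
    return report["manifest_ok"] and not (
        report["modified"] or report["missing"] or report["unexpected"])


def latest_clean_snapshot(history: list, key: bytes):
    """history: list of (label, snapshot, manifest), oldest first.
    Returns the label of the newest snapshot that passes every check, else None."""
    for label, snapshot, manifest in reversed(history):
        if is_clean(check_snapshot(snapshot, manifest, key)):
            return label
    return None


# --- constructed demo data ---------------------------------------------------
KEY = b"constructed-demo-key-kept-off-the-backup-host"

DOCS_V1 = {"finance/q1.xlsx": b"q1 numbers, version 1", "hr/policy.docx": b"policy text"}
DOCS_V2 = {"finance/q1.xlsx": b"q1 numbers, version 2", "hr/policy.docx": b"policy text"}
MANIFEST_V1 = build_manifest(DOCS_V1, KEY)
MANIFEST_V2 = build_manifest(DOCS_V2, KEY)

# Snapshot 2 as found on the backup server: one file overwritten, manifest untouched.
DOCS_V2_TAMPERED = {**DOCS_V2, "finance/q1.xlsx": b"overwritten content"}

# Snapshot 3: every file replaced by ciphertext under a new extension, and the
# manifest rebuilt by the attacker, who does not hold the off-host key.
DOCS_V3_ENCRYPTED = {"finance/q1.xlsx.locked": bytes(range(32)),
                     "hr/policy.docx.locked": bytes(range(32, 64))}
MANIFEST_V3_FORGED = build_manifest(DOCS_V3_ENCRYPTED, b"attacker-guessed-key")

HISTORY = [("snap-1", DOCS_V1, MANIFEST_V1),
           ("snap-2", DOCS_V2_TAMPERED, MANIFEST_V2),
           ("snap-3", DOCS_V3_ENCRYPTED, MANIFEST_V3_FORGED)]

if __name__ == "__main__":
    for label, snap, manifest in HISTORY:
        print(label, check_snapshot(snap, manifest, KEY))
    print("restore from:", latest_clean_snapshot(HISTORY, KEY))  # snap-1
```

The two failure modes map to the two halves of the article's point: snap-2 has a valid manifest but a modified file (tampered backup, caught by the per-file digest), and snap-3 has a manifest that does not verify at all (the attacker re-signed without the key), so the restore falls back to snap-1. The digest and HMAC work is cheap enough to run as a scheduled restore-readiness check rather than only during an incident.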

Additional layers within the network become a more significant target

Most storage networks are isolated at layer two from other data centre assets. Legacy VLANs and ACLs provide rudimentary segmentation; however, during a security outbreak they offer minimal containment capability beyond what additional adaptive security controls provide. Ransomware and other forms of malware continue to wreak havoc across storage networks.
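The segmentation bullet earlier and the paragraph above both come down to the same observable: a host that starts opening SMB (TCP/445) sessions to many peers in its own VLAN is propagating, not doing normal file access, and a flat VLAN with only ACLs will not stop it on its own. The detection below is an added example, not LinearStack's code; it assumes a constructed flow-log format of `timestamp src_ip dst_ip dst_port action`, that each VLAN is a /24, and a fan-out threshold and window that a SOC would tune to its own environment.

```python
"""Flag east-west SMB fan-out in flow logs (added example, not LinearStack code).

Assumed, constructed log format, one flow per line:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>
A host that opens TCP/445 to many distinct peers inside its own segment within
a short window behaves like propagating malware, not like a user.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445
FANOUT_THRESHOLD = 5   # distinct same-segment SMB peers before alerting (assumed tuning)
WINDOW_SECONDS = 60
SEGMENT_PREFIX = 24    # assumption for the demo: every VLAN is a /24

# Constructed sample: 10.20.5.17 sweeps its own /24 on 445; 10.20.5.20 does
# ordinary file-server access; one cross-segment flow and one 443 flow are ignored.
SAMPLE_FLOWS = """\
2023-03-23T10:00:01 10.20.5.17 10.20.5.10 445 allow
2023-03-23T10:00:03 10.20.5.17 10.20.5.11 445 allow
2023-03-23T10:00:05 10.20.5.17 10.20.5.12 445 allow
2023-03-23T10:00:06 10.20.5.20 10.20.5.10 445 allow
2023-03-23T10:00:09 10.20.5.17 10.20.5.13 445 allow
2023-03-23T10:00:12 10.20.5.17 10.20.5.14 445 allow
2023-03-23T10:00:15 10.20.5.17 10.30.1.5 445 deny
2023-03-23T10:00:18 10.20.5.20 10.20.5.10 443 allow
2023-03-23T10:00:20 10.20.5.17 10.20.5.15 445 allow
2023-03-23T10:05:00 10.20.5.17 10.20.5.16 445 allow
"""


def parse_flow(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def same_segment(src, dst, prefix=SEGMENT_PREFIX):
    """East-west check: does dst sit inside src's /prefix?"""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return ipaddress.ip_address(dst) in net


def smb_fanout_alerts(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: max distinct same-segment SMB peers in any window}
    for each source that reaches the threshold."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, _action = parse_flow(line)
        if port != SMB_PORT or not same_segment(src, dst):
            continue  # north-south traffic goes through the gateway; handled elsewhere
        events[src].append((ts, dst))

    alerts = {}
    span = timedelta(seconds=window)
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > span:  # slide the window forward
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(len(peers), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for host, peers in smb_fanout_alerts(SAMPLE_FLOWS.splitlines()).items():
        print(f"ALERT {host}: {peers} distinct SMB peers within {WINDOW_SECONDS}s; "
              f"isolate the host and review its other VLAN reachability")
```

Because the rule only counts peers in the source's own segment, it fires on the sweep from 10.20.5.17 and stays quiet for the workstation talking to a single file server; the denied cross-segment attempt is the kind of event a gateway-enforced containment policy produces and is worth correlating separately. On a real network the threshold and window should be derived from a baseline of legitimate SMB fan-out (print servers, backup agents, management hosts) rather than the demo values used here.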

The role of managed security services in combating ransomware

Recognising that the battle against ransomware is well beyond an organisation's SecOps, DevOps, and NetOps capacity is the first step in addressing the attack vector. Organisations receive thousands of phishing emails daily, and a percentage of these begin the kill chain for ransomware. Managed service providers like LinearStack provide the expertise, scale, and capacity for organisations to focus their SecOps resources on adaptive preventive strategies while LinearStack handles the monitoring, prevention, and counter-measures against ransomware attacks.

With its 24x7x365 support model, years of experience in network monitoring and incident response, and expertise in email security, XDR, and network containment, LinearStack helps reduce the impact on organisations while delivering cost-effective managed services solutions to the marketplace.

LinearStack pillars for success with each client

Cybersecurity is all about layers of defense

LinearStack security experts leverage four critical security workflows for protection against ransomware within their managed services offering.

●      We filter what's essential - Our SOC-as-a-Service dials down the noise, so clients only need to see what is an actual attack vector executing in their environment.

●      Staying compliance-ready before, during, and after a ransomware attack - Clients suffering ransomware attacks that lead to data exfiltration, password theft, and the compromise of critical hosts find their ability to stay within compliance mandates affected. LinearStack enables a comprehensive approach with clients to help expedite the resolution while monitoring their compliance status.

●      Helping clients stay resilient - LinearStack partners with its clients on continuous improvement: enabling more proactive measures and critical services assessment of the current adaptive controls, redrafting security policy, and providing training to critical internal SecOps teams as part of LinearStack professional services.

●      LinearStack collaborates with its clients to develop a cyber hygiene culture, anti-ransomware strategy, and ongoing processes to reduce cybersecurity risk in their environment.

Why LinearStack?

Find out why you should trust us and what sets us apart from the competition.

●      A calm and rational response - Our experienced team is extraordinary under fire to provide a measured and carefully thought-out response. They will work quickly and methodically on your behalf in a time-critical situation.

●      Proven systems and processes - ready to deploy at a moment's notice, we're guided by proven techniques and incident response plans. You will know exactly who is doing what when an attack happens.

●      Minimise the cost of downtime - We provide faster detection, response, and containment to minimise any damage to your business, data, reputation, and crown jewels.

About Us

LinearStack is a New Zealand-owned and -operated specialised cyber security services company with a global footprint. We are 100% privately held.

The core focus of our business is to accelerate our customers' cyber security operations with the help of our cyber defence services. We offer a range of managed and professional services to accomplish this goal for our customers. We are a true 24x7 eyes-on-glass and hands-on-keyboard operation.

We augment our clients' teams by acting as a true extension of their team, empowering our clients to prioritise their cyber security strategy and customers while we protect their business from cyber threats 24x7. This is a transition we manage smoothly through tried & tested, robust, and well-defined processes.

How LinearStack can help

At LinearStack, we’ve helped enterprises with complex third-party ecosystems to secure their business against supply-chain attacks. We provide advice and assistance to reduce third-party risk and can also build and manage your security infrastructure to protect you from advanced attacks 24x7x365.

For cyber security services in New Zealand, the United States, or Australia, call us at 0800 008 795 or email at info@linearstack.co.nz.

Contact Us

Get in touch with us today:

Phone: 0800 008 795

Email: info@linearstack.co.nz

Website: https://linearstack.co.nz
