The recent Travelex incident has shown once again that ransomware, far from being in abeyance, continues to evolve into an ever more sophisticated and refined threat.
We have all (hopefully) been taught that clicking on links and running programs from unknown sources is dangerous. Instead of spraying our inboxes with phishing emails and links, a lot of time is now being spent by criminals on finding targets of high value.
They are now willing to invest the time and effort required to probe, access and analyse a target network. All in a bid to identify data (and backups) that could be subjected to a ransomware attack. By targeting commercial and government organisations with high value, critical assets, they maximise their chances of a decent pay day.
The ransomware attributed to the recent Travelex attack is known as Sodinokibi (REvil), a descendant of GandCrab. Doing the rounds since the spring of 2019, it has been deployed against a number of organisations to devastating effect.
McAfee have been following its life cycle and recently published a fantastic series of blog posts here, well worth a read if you are technically minded or just plain curious.
So, besides purchasing some whizz-bang anti-ransomware software, what practical and pragmatic things can we do to reduce the likelihood and impact of an attack?
Train your people – At their induction and don’t just leave it there… You should provide refresher training regularly to keep abreast of new threats. It’s difficult to overstate the importance of the mark 1 human eyeball when protecting your organisation.
Employees capable of recognising a dodgy e-mail link or knowing who to ask should they have concerns are vital.
Strong layered defences – Good firewalls, spam filtering, web filtering and anti-phishing tools are available from a range of vendors. Having a number of tools in place creates layers (and therefore a better chance) of preventing an attack.
Anti-malware – It's almost assumed that an organisation's desktop machines are protected by anti-malware. However, when was the last time you audited your systems to ensure these tools are active, up to date and performing regular scans? Do you also need to look wider to phones, network devices and other items to ensure they are adequately protected as well?
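The audit question above is easy to answer in bulk if your endpoint-management console can export its status view. The script below is an added example, not part of the original post: it takes a constructed CSV export with hypothetical column names (hostname, realtime_protection, definitions_date, last_full_scan) and flags every host whose real-time protection is off, whose definitions are stale, or which has not completed a full scan recently. The thresholds and the sample rows are made up for the example; real consoles use their own field names, so the header mapping will need adapting.

```python
"""Audit an endpoint anti-malware inventory for hosts that are not protected.

Added example, not from the original post. It assumes a CSV export from an
endpoint-management console with the hypothetical columns shown below.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real hosts): hostname, whether real-time
# protection is on, the signature/definition date and the last full scan.
SAMPLE_EXPORT = """\
hostname,realtime_protection,definitions_date,last_full_scan
FIN-PC-01,enabled,2020-01-20,2020-01-19
FIN-PC-02,disabled,2020-01-20,2020-01-19
HR-PC-07,enabled,2019-11-02,2020-01-18
OPS-SRV-03,enabled,2020-01-20,2019-12-01
RECEPTION-01,enabled,,
"""

# Constructed thresholds: definitions older than a week, or a full scan older
# than a fortnight, count as a finding. Tune these to your own policy.
MAX_DEFINITION_AGE = timedelta(days=7)
MAX_SCAN_AGE = timedelta(days=14)


def parse_date(value):
    """Return a date, or None when the field is blank (never seen / unknown)."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def audit_endpoints(csv_text, today_iso):
    """Return {hostname: [finding, ...]} for every host that fails a check.

    today_iso is the audit date as YYYY-MM-DD. Hosts with no findings are
    omitted, so an empty dict means every host passed.
    """
    today = parse_date(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = []
        if row["realtime_protection"].strip().lower() != "enabled":
            problems.append("real-time protection disabled")

        defs = parse_date(row["definitions_date"])
        if defs is None:
            problems.append("no definition date reported")
        elif today - defs > MAX_DEFINITION_AGE:
            problems.append(f"definitions {(today - defs).days} days old")

        scan = parse_date(row["last_full_scan"])
        if scan is None:
            problems.append("no full scan recorded")
        elif today - scan > MAX_SCAN_AGE:
            problems.append(f"last full scan {(today - scan).days} days ago")

        if problems:
            findings[row["hostname"]] = problems
    return findings


if __name__ == "__main__":
    report = audit_endpoints(SAMPLE_EXPORT, "2020-01-21")
    for host, problems in sorted(report.items()):
        print(f"{host}: {'; '.join(problems)}")
```

A blank date is treated as a failure rather than skipped: a host that has never reported a definition date or a scan is exactly the one an audit exists to catch, and silently ignoring it would defeat the point of the check.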
Patch your systems – Patches aren't just about slowing down your computer 😊; they contain lots of security fixes. As with any threat, it's important to keep all your systems up to date. Many attacks are automated and sniff out known weaknesses in operating systems and programs that are not patched.
Stop with the admin privileges! – Ransomware and other threats rely on being able to install themselves and run code on your network. The more systems an affected user has privileges to access, the greater the risk of spread. You can minimise this by carefully controlling:
a) User privileges (e.g. don’t allow users to work with administrative rights and remove local administrator accounts on computers)
b) Resource privileges – Does “everyone” need to access “everything” on the network? Make sure you limit access to systems and folders based upon job role or need to know.
Segment your network – Another significant way of reducing the impact of a ransomware attack is to segment your network to reduce the chance of an attack spreading. It's nice that you can see the other office's file server, but what's the risk of leaving it connected? Are you sure your connected cloud storage is safe?
Maintain comprehensive backups and segregate them from your network – If your backup server is visible on the network could its data also be encrypted during a ransomware attack? Look to restrict access to these systems and maintain isolated “off network” copies of your backups.
Does your backup policy address the risks of a ransomware attack? Are you happy that the backups you hold will work?
Regular testing through restoring backups ensures your staff are familiar with the process (and therefore quick) and that the backups themselves aren’t damaged/corrupt.
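One cheap way to answer "are you happy that the backups you hold will work?" between full restore tests is to record a hash of every file in the backup set when it is written and re-check it from the isolated copy. The script below is an added example, not code from the original post: it builds a SHA-256 manifest for a directory, then verifies a later copy against it and reports files that were modified (which is what a backup share reached by ransomware looks like), deleted, or added. The directory contents are constructed in a temporary folder purely so the example runs on its own.

```python
"""Build a SHA-256 manifest for a backup set and verify it later.

Added example, not part of the original post. Detects files that were
modified, removed or added since the manifest was recorded.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Return {relative_path: sha256} for every file under backup_dir.

    Paths are normalised to forward slashes so a manifest written on one
    platform verifies on another.
    """
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(backup_dir, manifest):
    """Compare the current contents of backup_dir against a saved manifest.

    Returns {relative_path: 'modified' | 'missing' | 'unexpected'}.
    An empty dict means the backup set is exactly as recorded.
    """
    current = build_manifest(backup_dir)
    problems = {}
    for rel, expected in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != expected:
            problems[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def demo():
    """Constructed scenario: write a small backup set, record it, tamper, verify.

    Returns (problems_before_tampering, problems_after_tampering).
    """
    with tempfile.TemporaryDirectory() as backup_dir:
        # Constructed sample files standing in for a nightly backup set.
        files = {
            "payroll/jan.csv": b"employee,amount\nA,100\n",
            "crm/export.sql": b"INSERT INTO customers VALUES (1, 'x');\n",
            "README.txt": b"nightly backup set\n",
        }
        for rel, data in files.items():
            path = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Record the manifest while the set is known good. Store it with the
        # off-network copy, not on the share an attacker could also rewrite.
        manifest = build_manifest(backup_dir)
        before = verify_manifest(backup_dir, manifest)

        # Simulate a tampered backup share: one file overwritten with
        # unrelated bytes, one deleted, one added that was never backed up.
        with open(os.path.join(backup_dir, "payroll", "jan.csv"), "wb") as fh:
            fh.write(b"\x00" * 64)
        os.remove(os.path.join(backup_dir, "README.txt"))
        with open(os.path.join(backup_dir, "crm", "extra.bin"), "wb") as fh:
            fh.write(b"constructed stray file\n")

        after = verify_manifest(backup_dir, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", json.dumps(before))
    print("after tampering:", json.dumps(after, indent=2))
```

A clean manifest check only proves the bytes are the ones you wrote; it does not prove the data is usable. It complements the restore tests the post recommends rather than replacing them, and is most useful run from the isolated copy, where a manifest recorded at backup time cannot have been rewritten along with the files.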
Incident response – Having a well-practised incident response plan allows you to react appropriately and quickly to contain an attack. By considering, documenting and practising for such a scenario, you can reduce recovery time and any potential impact.
Should you need help or advice with your ransomware precautions, please get in touch. Our team of consultants are here to help.