Introduction

Ransomware is one of the types of cyber-attacks that directly targets the infrastructure and information storage of Organizations; it is currently booming but is a well-known tactic in the Cybersecurity world. This page presents a compilation of information on what ransomware is, the steps a typical attack follows, the different types and the consequences it can have. In addition, we will present a prevention scheme that includes a recovery plan, strategies to limit the scope of damage and ways to hinder the spread of this threat.

What is Ransomware?

Ransomware is a type of malicious software (hereafter malware) that encrypts a victim’s files or systems and demands a financial ransom in exchange for providing the decryption key. Attackers often use social engineering techniques, malicious emails or software vulnerabilities to infiltrate systems and encrypt data. Once the files are locked, the victim receives a ransom message that usually requires payment in cryptocurrencies, making it difficult to trace the attacker.

Steps in an attack

Infiltration: Attackers enter the victim’s system, often through malicious emails, software downloads from dubious sources, or by exploiting security vulnerabilities.

Data Encryption: Once inside the Infrastructure, the malware encrypts files, making them inaccessible.

Ransom Message: A ransom message is displayed demanding payment of a sum of money in exchange for the decryption key.

Payment and Decryption: If the victim pays, the attackers can provide the key to unlock the data. However, it is not always guaranteed that the data will be recovered.

Types and consequences

There are several types of ransomware, varying in complexity and approach. The most common include encryption ransomware, screen-locking ransomware and doxware ransomware (which threatens to leak sensitive information).

The consequences of a ransomware attack are far-reaching. In addition to the loss of critical data, companies can face business interruption, reputational damage and significant costs. Individual victims may also suffer the loss of personal data.

A common misconception about ransomware attacks is that it is still limited to attacks that only affect a single computer at a time (also known as the commodity model). Today’s attackers have evolved far beyond this, using tools and affiliate business models that maximize the threat of commercial damage to targets. Access credentials are traded, quickly turning what appear to be low-priority malware infections into significant business risks.

Mitigation Scheme

Based on the scheme provided by the Microsoft community, the following scheme is presented, which includes three important steps:

Prepare a recovery plan

At this stage, it is highly recommended to consider the «worst case scenario»: assuming that the organization has suffered an attack. This exercise is very useful when it comes to limiting the impact of the attack, since both the team and the infrastructure are prepared to take action efficiently if it occurs.

The following recommendations are presented to provide support in this first instance:

a. Encryption and backups:

Encrypt information and back up all critical data on a regular basis, including systems, applications and important files.

Store backups in offline locations or locations inaccessible to attackers.

Perform periodic restore tests to ensure that backups are effective.

b. Develop a disaster recovery plan (Recover from zero):

Create a detailed plan outlining the steps to be taken in the event of a ransomware attack.

Define roles and responsibilities for personnel in the event of an incident.

Establish a process for incident notification.

c. Attack simulation

Conduct drills and incident response exercises to prepare the team.

Limiting the scope of damage

In this instance, the focus should be on reducing the amount of information exposed to attackers in the event that they gain access to the infrastructure. The main preventive action is the principle of least privilege, both for roles (especially accounts with Administrator privileges) and for assets.

As for specific recommendations, the following are available:

a. Network Segmentation:

Divide the network into segments to prevent attackers from moving freely throughout the infrastructure.
Apply access restrictions between segments to minimize the exposure of critical systems.
Isolate infected systems from the Network to prevent further propagation.

b. Access Controls and Privileges:

Implement appropriate access controls to restrict who can access sensitive systems and data.

Reduce unnecessary privileges to prevent attackers from gaining access to critical systems.

c. Early Attack Detection:

Use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and block suspicious activity.

Set up alerts to notify the security team of potential threats.

Making propagation more difficult

This last stage encompasses active prevention of attacks, reducing the attack surface and having a rapid response to suspicious activity in its earliest stages.

The following actions are considered appropriate:

a. Software Maintenance and Upgrades:

Keep all systems and software up to date with the latest security patches.

Consider implementing a patch management system to automate deployments.

b. Email and Web Filtering:

Use email and web filtering solutions to block malicious emails and sites.
Configure rules to inspect and block suspicious attachments or dangerous links.

c. Use of Security Solutions:

Implement advanced security solutions, which may include anti-malware services, SIEM systems, vulnerability management, among others.

Configure firewall solutions to inspect and block malicious traffic.

d. Training and Awareness:

Educate on safe data handling practices and identification of potential ransomware threats.

Conclusions

To counter the threat of ransomware, it is critical to identify, secure and be ready to recover high-value assets, whether data or infrastructure, in the likely event of an attack.

It is important to consider that no security measure guarantees 100% protection against these attacks. Therefore, it is crucial to have a robust prevention strategy and a well-defined incident response plan to minimize the impact. Additionally, it is essential to keep in mind that these processes must be analyzed and updated periodically according to the current reality, which also includes obtaining frequent information on the latest threats.