Most of these successful attacks are only possible if the human firewall fails as the last (or even first) line of defence.
People & Process - We have done continuous phishing campaign exercises to keep everyone vigilant and conducted tabletop exercises taking on the "assumed breach" mindset, so that everyone knows who to call, what to do, how to manage risk and when to make the right call for action. It has thus far gained greater visibility with top management, and they are not spared either. The cybersecurity culture grows and matures. We are going into more scenarios, including dropping "innocent" USB drives to entice the more lax or careless folks. The PAs of senior leadership are targeted for a good reason, as they are the pivot to key personnel.
Technology - it needs more augmentation than just the AV, and yes, it is still new to stakeholders when it comes to getting their buy-in to invest. Support the CISO in their awareness of anti-ransomware, but more importantly, verify, verify and verify that the backup regime is followed through and relevant to the business workflow. That is part of the tabletop exercise. We learnt that assuming data recovery will work gives a false sense of security until it can be proven otherwise. Backups need to be validated to be recoverable, and the BCP needs to be exercised and not just discussed (and put back in the drawer).
There is also a recent step-by-step guide which is useful, as it draws out partners that are savvy in handling such risks.
https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/identify-protect
https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond
If I may also share, EE has relevant articles on ransomware and you should check them out.
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
https://www.experts-exchange.com/articles/21199/Ransomware-Beware.html
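The point above about backups needing to be validated as recoverable is easy to script. The following is an added example, not code from the post or from any product it mentions: it records a hash manifest at backup time, then checks a restored tree against it, flagging files that are missing, files whose content changed, and changed files whose byte entropy is high enough to look like ciphertext. The directory layout, file names and the random bytes standing in for encrypted content are all constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict:
    """Taken at backup time: relative path -> sha256 of every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain documents sit well below 7, ciphertext sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_restore(manifest: dict, restored: Path, entropy_threshold: float = 7.0) -> dict:
    """Compare a restored tree against the backup-time manifest: report files that are
    missing, files whose content changed, and changed files that look encrypted."""
    report = {"missing": [], "modified": [], "suspect_encrypted": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != digest:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()) > entropy_threshold:
                report["suspect_encrypted"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: manifest two documents, then simulate a restore in which
    one file came back as ciphertext and the other did not come back at all."""
    with tempfile.TemporaryDirectory() as d:
        data = Path(d) / "data"
        data.mkdir()
        (data / "report.txt").write_text("quarterly figures " * 50)
        (data / "notes.txt").write_text("meeting notes " * 50)
        manifest = build_manifest(data)
        (data / "report.txt").write_bytes(os.urandom(4096))  # stands in for encrypted content
        (data / "notes.txt").unlink()
        return verify_restore(manifest, data)
```

Run the manifest step on the live data before each backup and the verify step on a scratch restore afterwards; a non-empty report means the backup is not something to rely on.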
Using any form of fully disabling user actions not related to work, in my case my favorite (Software Restriction Policy), I'd say, is at least 95% less worry on your mind.
I added some real-time push message reporting on what users click, and luckily I can smile every time the executable wasn't allowed to run.
The days when users being users (with no admin rights) were safe went out the door when the first cryptoware was released.
And while backups are in place, along with several antivirus packages and mail filters, SRP still caught enough, so it is NOT an unnecessary luxury to have a third or fourth level of protection.
Businesses and individuals will likely continue to fall victim to ransomware because they either fail to exercise good habits of Internet use, or because their anti-malware solutions are out of date or ineffective. The key is to perform frequent data backups. I recommend using good infrastructure and education to deal with it. Take these points into consideration:
• User training and awareness are a must.
• Increase the awareness of cyber-security issues for users.
• Users should exercise good habits of Internet use.
• Deactivate unnecessary components on the main servers.
• Disable unused user accounts on the main servers.
• Implement patch management.
• Restrict server access.
• Restrict shell commands per user or server for least privilege purposes.
• Apply DNS Filtering.
• Your networks should be segmented.
• Make secure offsite backups of your data on a regular basis.
All said, there is a need for pre- and post-infection measures. EnSilo has something for this calling. Most infections bypass AV easily with newer footprints, so a more deliberate agent is needed on the machine to identify anomalies: https://www.ensilo.com/faq/#how-does-ensilo-provide-automated-post-infection-protection-in-real-time
It will help if you educate employees on current events and how not to fall victim to cyber-attacks. Implementing your own phishing campaigns is a great way to evaluate and formulate a security awareness program for your company. Also, routine employee security training will play a vital role in isolating weak points and identifying where employees can make better decisions. All personnel, regardless of cyber-security expertise, should be trained according to their roles.
https://www.experts-exchange.com/articles/33451/Building-a-Robust-Security-Awareness-Program.html
Can you imagine, it takes you 24-72 hours to restore, only to find out, all of your backups are infected.
That makes a lot of assumptions. You'd have to have something running or attached to the OS that would allow for the checking of a timer to explode.
I didn't like what I had heard about the claim of ransomware intentionally being left dormant to back it up, so once you restore it, you are going to end up with encrypted data again. That is pretty much checkmate, and sounds like it could happen.
Prevention - would be the best way to go.
NIST recently released guidance for detecting and responding to the ransomware threat. Quite detailed, and good for going into the issue and use cases that can be architected into a holistic action plan.
Table 5-1 Example Implementation Component List
Product Vendor | Component Name | Function
GreenTec | WORMdisk | Secure, immutable hardware
Hewlett Packard Enterprise (HPE) | ArcSight ESM | Log analysis, correlation, management, and reporting
IBM | Spectrum Protect | File-level, disk-level, and system-level backup and recovery
Tripwire | Enterprise and Log Center | File integrity monitoring and database metadata integrity monitoring
Veeam | Availability Suite | VM backup and restore
This use case is resolved using a combination of several tools. The corruption testing component (Tripwire Enterprise) is used to detect changes in the file systems of various selected machines, specifically when files are modified or overwritten....
The logging component (HPE ArcSight ESM) collects logs from various sources for analysis and reporting.... These two components work together to provide information about the files encrypted by the ransomware tool: the name of the program that encrypted the files, which files were affected, when they were affected, and which user ran the program.
This information aids in removing the ransomware from the system and contributes to the identification of the last known good. However, it does not actually restore the availability of the user’s files. The backup capability component (IBM Spectrum Protect) is used to restore encrypted files.
https://www.nccoe.nist.gov/publication/1800-11/VolB/index.html#example-implementation
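The quoted NIST text describes file-integrity events and process logs being correlated to name the program that encrypted files, which files, when, and under which user. The block below is an added illustration of that correlation on constructed records; it is not code from the post, from NIST, or from Tripwire or ArcSight. It assumes both sources have been normalised to one line per event, and it credits each change to the most recent process started on the same host within a time window, which is a deliberate simplification of what a real SIEM rule would join on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real product output): file changes and process starts on one host.
FIM_EVENTS = [
    "2017-06-01T08:40:10 host1 MODIFIED C:\\Users\\alice\\Docs\\todo.txt",
    "2017-06-01T09:15:02 host1 MODIFIED C:\\Users\\alice\\Docs\\q1.xlsx",
    "2017-06-01T09:15:05 host1 MODIFIED C:\\Shares\\finance\\budget.docx",
    "2017-06-01T09:15:06 host1 MODIFIED C:\\Shares\\finance\\forecast.docx",
]
PROC_EVENTS = [
    "2017-06-01T08:35:00 host1 alice pid=4120 image=C:\\Windows\\explorer.exe",
    "2017-06-01T09:14:55 host1 alice pid=5508 image=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
]

def parse_fim(line: str) -> dict:
    ts, host, change, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "change": change, "path": path}

def parse_proc(line: str) -> dict:
    ts, host, user, pid, image = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "pid": int(pid[len("pid="):]), "image": image[len("image="):]}

def attribute_changes(fim: list, procs: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Credit each file change to the most recent process started on the same host
    within the window. Returns image -> {user, files, first, last}."""
    procs = sorted(procs, key=lambda p: p["ts"])
    hits = defaultdict(lambda: {"user": None, "files": [], "first": None, "last": None})
    for ev in sorted(fim, key=lambda e: e["ts"]):
        recent = [p for p in procs if p["host"] == ev["host"] and ev["ts"] - window <= p["ts"] <= ev["ts"]]
        if not recent:
            continue
        h = hits[recent[-1]["image"]]
        h["user"] = recent[-1]["user"]
        h["files"].append(ev["path"])
        h["first"] = h["first"] or ev["ts"]  # earliest change: the last known good lies before it
        h["last"] = ev["ts"]
    return dict(hits)

def likely_encryptor(hits: dict, min_files: int = 3):
    """Image credited with the most changes, if it touched at least min_files files
    (a burst across user and share paths is the signal to act on)."""
    if not hits:
        return None
    image, h = max(hits.items(), key=lambda kv: len(kv[1]["files"]))
    return (image, h) if len(h["files"]) >= min_files else None

def demo():
    return likely_encryptor(attribute_changes([parse_fim(l) for l in FIM_EVENTS], [parse_proc(l) for l in PROC_EVENTS]))
```

The "first" timestamp is what feeds the last-known-good decision for the backup component; everything before it is a restore candidate, everything after it is suspect.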
It costs a company $$$, so I would rather avoid having to recover if we can.
Education is key.
Inform all your staff of the importance of not clicking on random links, not opening unknown attachments, only going to websites that are for your business, not allowing USB, etc. etc. etc.
Regards
Alex