Ransomware attacks can devastate an organization. Worse, there have been instances where organizations experience repeat attacks. Targeted ransomware attacks generally take place over a longer period of time, with sophisticated attackers learning the ins-and-outs of a victim's environment to increase the likelihood of a payout.
In the event that post-incident analysis and remediation are not thorough enough, attackers often leverage the knowledge they gained and the tools they left behind from the initial intrusion to execute a repeat attack, or to sell access to a new set of attackers. Therefore, it’s imperative to understand how these threat actors operate across all stages of the attack, identify root cause, and address any existing gaps and vulnerabilities to avoid falling victim to a repeat attack.
As cybercriminals become more sophisticated and attack techniques evolve, threat actors are flying under the radar, lying low across the networks of numerous victims waiting to make their next move. By following best practices and deploying the right solutions, enterprises can prevent repeat ransomware attacks.
Don’t underestimate education and preparation
Now more than ever, organizations must prioritize employee education to increase awareness of ransomware attack techniques and infiltration methods, such as phishing campaigns and drive-by downloads. It’s especially true if the organization has been a victim of ransomware in the past, to reduce the likelihood of a repeat attack.
Organizations should also ensure that all vulnerabilities and external-facing services are up-to-date with the latest patches, and to secure remote access. Vulnerabilities leave organizations exposed to compromise, and it’s essential to deploy patches as soon as they are issued to help keep the organization secure. The effects of Log4j has been a fitting example of the importance of staying up to date to avoid potential infiltration, as we saw first-hand the impact such vulnerabilities can have.
Finally, organizations should have a well-thought-out incident response and crisis communications plan with defined roles and responsibilities mapped out to limit the overall impact should the worst occur. This includes preparing internal teams and external incident response service providers in steps to take, and actually exercising the plan end to end regularly.
Conduct thorough investigations
Companies must do a thorough investigation post-breach to identify root cause and prevent future compromise.
Attackers can spread through the network quickly by gaining administrative access to an important system, and exploiting that access to distribute across the network. In fact, most attacks that make headlines (think DarkSide, Kaseya) are deployed manually and spread to multiple systems, maintaining access until they are removed. We can’t stress enough the importance of retracing the attacker’s every move – identifying how the attacker gained entry and how they set up the ransomware distribution and execution – to ensure they no longer have access to the network.
It’s important to first determine the type of ransomware that has attacked the organization. Identifying the ransomware executable and initial infection vector can help security teams connect the missing pieces. Security teams can discover the ransomware executable via timeline analysis and looking for the creation of executables surrounding the first encrypted files. Identifying the initial infection takes more time, requiring a series of steps. However, it’s worth security teams making the investment to do so – as the organization can’t prevent a future attack if it doesn’t know how the ransomware threat actor got in.
Security teams should focus on identifying the accounts used by the ransomware threat actors to access servers. From there, it’s important to follow the trail back and investigate the workstations and servers the ransomware threat actor leveraged and infiltrated, to better understand the method of exploitation the attackers used to gain initial access.
It’s also often helpful to analyze the tactics, techniques and procedures (TTPs) used at the initial point of entry, to arm security teams with the knowledge to search for and prevent additional entries. Once security teams have identified the initial access point, they can be more effective in reviewing event logs and detecting any additional lateral movement. By identifying every account, system, and credential compromised, as well as the method of exploitation, security teams can feel confident they understand the extent of the compromise and can completely remove the attacker’s access.
The overwhelming volume of alerts security teams face often discourage thorough investigations, especially across complex cloud environments – where getting the data required for an in-depth investigation can be very manual and time consuming -- or in some cases, impossible. Contrary to what people may think, ransomware isn’t immediate. Attackers spend up to two weeks performing recon and gaining persistence inside a network before executing an attack, so it’s important to thoroughly investigate alerts, such as the use of Cobalt Strike, to understand the true scope of the incident early-on. Without a thorough investigation to better understand and block an attacker’s movement across the network, security teams risk letting attackers lurk in the background.
Repeat ransomware isn’t coming – it’s here, and organizations need to defend themselves. It’s time for the security team to ask: are we prepared?
James Campbell, co-founder and CEO, Cado Security