The Silver Bullet Defense to Ransomware – by Andy Cottrell

In an era of cost-cutting, downsizing and generally insufficient budgets for everything, we are often asked, what is the one, main thing to do to protect against a ransomware attack? 

According to Statista, in 2022, there were 493.33 million ransomware attempts detected worldwide, indicating a persistent and growing threat. The 2022 Verizon Data Breach Investigation Report noted a 13% year-over-year increase in ransomware attacks, more than the previous five years combined. 

Education, government, and healthcare sectors were the top three most targeted by ransomware in 2022. Small businesses are particularly vulnerable, with 832 incidents of data breaches reported in 2022. Nearly 80% of these attacks were due to ransomware. 

The threat of ransomware has significantly evolved in recent years, becoming more sophisticated and damaging. Initially, ransomware attacks were primarily focused on encrypting victims' files and demanding payment for the decryption key. However, recent trends show a shift towards more aggressive and complex extortion tactics. 

Double Extortion: Attackers not only encrypt data but also steal it, threatening to release it publicly if the ransom is not paid. 

Triple and Quadruple Extortion: Beyond data encryption and theft, attackers now use additional pressure tactics such as launching DDoS attacks or contacting the victim's customers or partners to inform them of the breach. 

Ransomware-as-a-Service (RaaS): Cybercriminals offer ransomware tools and services to other attackers, enabling even those with limited technical skills to launch ransomware campaigns. Notable RaaS groups include Conti, which captured over $180 million in cryptocurrency payments in 2021. 

Targeting Critical Infrastructure: Ransomware groups are increasingly targeting essential services and infrastructure, such as healthcare, government, and education, causing widespread disruption. 

Automation: Ransomware groups are using automation to scale their operations, streamline system penetration, and reduce human error. 

Artificial intelligence: Many if not most ransomware attacks breach the attack surface using some form of social engineering such as phishing. A.I. gives the attacker the ability to automatically generate plausible content and spear-phish specific users by using publicly available data (OSINT). 

So how do we defend against such attacks? Well, let’s look at each of the phases. 

Attack surface Penetration 

Many people will tell you that the first step in defense is security awareness training. To train your staff ‘not to click on the link’. We used to promote training as the most important thing you should do, but based on experience I now believe that this is a lost cause. Training humans to do better needs to be your last line of defense – not your primary plan. Humans generally have two major flaws when it comes to cybersecurity – people are nice, and people like to be helpful. These are the attributes that the attackers know how to leverage, and as it turns out - no amount of training will train the niceness out of your staff. So instead, your defenses here are: 

• Intercept malware and links to malware before they ever enter a user’s inbox 
• Harden your perimeter using strong configuration, with vulnerability and patch management 

But also do the training – because the last line of defense is still a defense. 

Propagation 

• Use segmentation to isolate areas of different trust levels. Separate your servers from your users, IoT, VPN users and cloud workloads.  
• Use a zero-trust philosophy to restrict all connections to only those that are needed, authorized, and authenticated. 

Privilege Escalation 

• Use strong identity management built around least privilege for your user credentials including MFA, certificates, and password controls.  Manage onboarding and offboarding. Employ authorization before issuing credentials and permissions. Perform continuous auditing to validate current levels of access. 
• Take the same approach with service accounts. These are highly privileged accounts that are often overlooked concerning oversight and supervision. Passwords might remain unchanged for years and some such credentials have admin access throughout the entire organization. They need to be risk-reduced and then monitored and audited just like user accounts. No service account needs to be a global super admin – it just needs specific permissions that work for specific tasks. So, lock it down. 

Exfiltration 

• Not every endpoint needs unfettered access to the Internet. For example, is it imperative to your business that your IOT thermostat can move gigabytes of data to any IP address in Russia or China? Lock it down at the perimeter. When your perimeter is a laptop, lock it down on the local firewall. 
• Use a proxy to inspect all outbound connections and block those without an approved business purpose.  

Encryption 

• Backups are often touted as the panacea here. However, there are a few major concerns. Firstly, attackers know that this is your plan and will either attempt to encrypt your backups at rest, or even attach to the backup processes so that they encrypt everything as it is getting backed up.  
• Secondly, backups are notorious for failing when you try to restore your environment from them. Just because you regularly test that you can read the data in the backups.
• Have you tested recovery and redeployment on an entire environment? 

Horizontal controls 

Horizontals are a set of controls that mitigate risks at various phases of a lateral attack. 

1) End-point configuration hardening and EDR (Endpoint Detection and Response) 

Configuration hardening is the process of minimizing the attack surface of a computer system. CIS benchmarks are a great way of measuring this, and their CIS CAT tool makes it easier. 

EDR is software that uses real-time analytics and AI-driven automation to protect an organization's end users, endpoint devices and IT assets against threats that get past antivirus software and other traditional endpoint security tools. It analyzes data in real-time for evidence of known or suspected threats and can respond automatically to prevent or minimize damage. 

2) Penetration testing 

Pen Testing is often confused with Vulnerability Management (VM), which is used to scan and patch known vulnerabilities in your environment. VM is essential but it is not the same thing. 

A Pen Test requires human cunning. It is there to find the things that you didn’t think of. It can leverage a set of seemingly insignificant things and turn them into a big thing. By doing so, it demonstrates the viability of attack techniques that you assumed were not possible.  

“In 2023, 74% of breaches involved a human element.” – Verizon 2023 Data Breach Investigations Report 

Pen Testing results can help harden the attack surface and show ways to defend against lateral movement in your connected systems. 

3) Surveillance 

Once considered a ‘nice-to-have’, a SOC (Security Operations Center) is an essential tool for every organization. You should assume that attackers will break into your environment and that you will need to detect them. That’s the job of your SOC. Outsource it if you need to (you’ll be surprised how cost-effective it can be with the right vendor), but make sure they are up to the job by running Red Team tests. 

Read Penetration Testing – Stories from the Field by William Suthers

4) Readiness 

After all this is done and in place, it is still likely that you will suffer an attack. So be ready. Have your BCP (Business Continuity Plan), your DR (Disaster Recovery), and your IR (Incident Response) plans in place. Train everybody, test them and update them. When you are prepared, a ransomware attack is just another day at the office and not a material breach that you need to report to shareholders and clients. 

So basically, there is no silver bullet that will save you from becoming a ransomware victim. No such tool or technique exists. It all comes down to a comprehensive, risk-based cybersecurity program. To achieve that, I am sorry – but you are going to have to invest in funding such a program. 

“Success is stumbling from failure to failure with no loss of enthusiasm.” —attributed to Sir Winston Churchill 

About Truvantis  

Truvantis is a security, privacy and compliance consulting firm providing best-in-class services to secure your organization's infrastructure, data, operations and products. 

We specialize in helping our clients improve their business resilience and manage their risk by implementing, testing, auditing and operating information security programs. 

Our world-class services include security testing and a wide range of flexible compliance and vCISO programs. Truvantis is also an authorized PCI DSS Qualified Security Assessor (QSA) Company. 

Andy Cottrell, CEO Truvantis

CISA, MIET

Andy Cottrell is the founder and CEO of Truvantis and was the co-
founder and President of eRISC, a nonprofit supporting a US and UK community of banks, e-commerce sites and other financial services companies to combat online fraud.