Ransomware risk surging as holidays approach
Review your cybersecurity advisory and recommendations for mitigation as soon as possible.
The risk of experiencing ransomware is rising as we near the end of the year. Within the last ten days, Beazley Breach Response (BBR) Services has seen a significant increase in the number of ransomware incidents reported by policyholders. Last year at this time, we saw an escalation in the number of incidents and size of ransom demands that continued until the end of the year. To avoid experiencing a damaging cyber extortion event that shuts down your operations, it’s essential to maintain vigilance.
In October, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned about a potential widespread attack against the healthcare industry using the Ryuk variant of ransomware. More recently, BBR Services has seen policyholders report infections by a whole range of variants, including Ryuk, Egregor, Conti, DoppelPaymer, and Sodinokibi. Organizations across a range of industries have been targeted.
Several factors lead to a higher risk as the holidays approach. Employees distracted by personal commitments may be more vulnerable to phishing emails. With IT and other staff taking more time off, consistently monitoring for and responding to potential malware becomes more challenging. And as threat actors increasingly pursue cyber extortion as a business model, they may try to maximize their take before year end and their own holidays.
Prepare in case you experience an incident
CISA and the FBI recommend the following measures:
- Establish and practice out-of-band, non-VoIP communications
- Rehearse IT lockdown protocol and process, including practicing backups
- Prepare to maintain continuity of operations if attacked
- Within the next 24 hours, review your plans for what to do should you be hit
- Check that your anti-virus and endpoint detection and response (EDR) are running; a stopped state may indicate compromise
- Power down IT where not used
- Consider limiting use of personal email
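The check on anti-virus and EDR status above is easy to automate. The script below is an added example, not code from the advisory or from CISA: it parses the service listing that `sc query state= all` prints on Windows and flags any watched protection service that is absent or not in the RUNNING state. The listing embedded here is constructed and abbreviated; the Microsoft Defender service names are real, while `ExampleEdrAgent` is a placeholder for whatever third-party EDR agent an organization actually runs.

```python
"""Flag anti-virus / EDR services that are not running, from `sc query` output.

Added example, not the advisory's own code. The service listing below is
constructed in the format `sc query state= all` prints on Windows; feed the
real output (saved to a file) to parse_sc_query on a live host."""
import re

# Services expected to be running. The Microsoft Defender service names are real;
# the last entry is a placeholder for whichever third-party EDR agent is deployed.
WATCHLIST = {
    "WinDefend": "Microsoft Defender Antivirus",
    "Sense": "Microsoft Defender for Endpoint sensor",
    "ExampleEdrAgent": "third-party EDR agent (placeholder name)",
}

# Constructed listing: Defender AV is up, the Defender for Endpoint sensor is stopped.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: WinDefend
DISPLAY_NAME: Microsoft Defender Antivirus Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Sense
DISPLAY_NAME: Windows Defender Advanced Threat Protection Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
"""


def parse_sc_query(text):
    """Map each SERVICE_NAME in sc query output to its STATE word (RUNNING, STOPPED, ...)."""
    states, current = {}, None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            states[current] = m.group(1)
    return states


def protection_findings(states, watchlist=WATCHLIST):
    """One finding per watched service that is absent or not RUNNING.
    A finding with no known maintenance reason is the "stopped state" the
    advisory warns about and should be investigated."""
    findings = []
    for name, desc in watchlist.items():
        state = states.get(name)
        if state is None:
            findings.append(f"{name} ({desc}): not present in service list")
        elif state != "RUNNING":
            findings.append(f"{name} ({desc}): {state}")
    return findings


if __name__ == "__main__":
    for finding in protection_findings(parse_sc_query(SAMPLE_SC_QUERY)):
        print("ALERT:", finding)
```

Run it centrally against listings collected from each host rather than on the host alone; a stopped sensor is exactly the condition under which a host-local check is least trustworthy.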
Reduce your ransomware risk
The main infection vectors for ransomware are internet-facing vulnerabilities, phishing, and precursor malware infections. Organizations of all types should review the updated Joint Cybersecurity Advisory; CISA and the FBI significantly expanded the recommendations about mitigation, and you should review them with your IT department or provider.
Here are some steps you can take to protect your organization:
- Secure remote access: Do not expose Remote Desktop Protocol (RDP) directly to the Internet. Use Remote Desktop Gateway (RDG) or secure RDP behind a multi-factor authentication-enabled virtual private network (VPN).
- Educate your users: Alert your users about the increased risk at this time. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Train your users to identify phishing emails with malicious links or attachments. Regular phishing exercises are a great way to do this. Make sure users know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.
- Clean up email content and delivery: Enforce strict Sender Policy Framework (SPF) checks for all inbound email messages, verifying the validity of sending organizations. Filter all inbound messages for malicious content including executables, macro-enabled documents and links to malicious sites.
- Manage access effectively: Ransomware doesn’t have to go viral in your organization. Put in place appropriate measures for general user and system access across the organization: privileged access for critical assets (servers, end-points, applications, databases, etc.), audit user accounts, and enforce multi-factor authentication (MFA) where appropriate (remote access/VPN, externally facing applications, etc.).
- Patch systems and applications: Conduct regular vulnerability scans and rapidly patch critical vulnerabilities across endpoints and servers – especially externally facing systems.
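The "clean up email content and delivery" item above combines two controls: a strict SPF check on the sending host and content filtering of attachments. The script below is an added example, not code from the advisory or from any mail product, showing both in working form. The SPF records, sender addresses and attachments are all constructed inline so it runs offline; the `SPF_RECORDS` dictionary stands in for DNS TXT lookups, and the evaluator handles only the `ip4`, `ip6`, `include` and `all` mechanisms, so a production gateway would use a full RFC 7208 implementation instead.

```python
"""Inbound mail checks: strict SPF evaluation and attachment screening.

Added example, not the advisory's own code. The SPF records and attachments
are constructed inline so the check runs offline; a production gateway
resolves the real TXT records and uses a full RFC 7208 implementation."""
import io
import ipaddress
import zipfile

# Constructed SPF records keyed by domain (assumption: stands in for DNS TXT lookups).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns pass, fail, softfail, neutral, or none (no record / too many includes).
    Only the ip4, ip6, include and all mechanisms are handled here."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across v4/v6
        elif name == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False                  # unsupported mechanism: treat as no match
        if matched:
            return QUALIFIER[qual]
    return "neutral"


def accept_sender(domain, sender_ip):
    """Strict policy as the advisory describes it: only an SPF pass is accepted."""
    return spf_check(domain, sender_ip) == "pass"


# Executable and script types the advisory says to filter, matched by extension.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}


def attachment_verdict(filename, data):
    """Return 'allow' or a 'block: ...' reason for one attachment.

    Checks the extension, then the content, so a renamed executable or a
    macro-enabled document saved under a harmless-looking name is still caught."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block: executable or script extension"
    if data[:2] == b"MZ":                    # Windows PE header, whatever the name says
        return "block: PE executable content"
    if data[:2] == b"PK":                    # Office OOXML documents are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "block: unreadable archive"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "block: macro-enabled document"
    return "allow"


def make_office_sample(with_macros):
    """Build a minimal constructed OOXML-style zip, optionally carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for dom, ip in [("example.com", "203.0.113.5"), ("example.com", "192.0.2.1")]:
        print(dom, ip, spf_check(dom, ip), "accept" if accept_sender(dom, ip) else "reject")
    print(attachment_verdict("invoice.docx", make_office_sample(with_macros=True)))
```

Two points the code makes that the list item only implies: a softfail (`~all`) is not a pass, so under a strict policy it is rejected just like a hard fail, and the attachment filter must look at content, not only the filename, because a `.docx` can still carry a `vbaProject.bin` and a `.txt` can still begin with a PE header.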
Make sure backups are working
Threat actors often target backups as a way to turn up the pressure on a cyber extortion demand. The Joint Advisory also contains these useful recommendations about backups:
- It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.
- Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.
- Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
- Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images. Ensure all backup hardware is properly patched.
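The 3-2-1 rule and the "regularly test your backups" recommendation above can be checked mechanically against a backup catalogue. The script below is an added example, not code from the advisory or the Joint Advisory: it audits a constructed inventory for three copies, two media types and one offline copy, checks that the offline copy is current, and performs a restore-verification step by recomputing each copy's digest against the one recorded at backup time. The inventory, the seven-day freshness threshold and the `stored` field (which stands in for the bytes a test restore reads back) are all assumptions made for the example.

```python
"""3-2-1 backup check with a restore-verification step.

Added example, not the advisory's own code. The inventory below is constructed
and stands in for a backup catalogue; `stored` stands in for the bytes a test
restore actually reads back, so a damaged copy can be shown."""
import hashlib
from datetime import date, timedelta


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entry(media, offline, taken, content, stored=None):
    """One catalogue record: where the copy lives, when it was taken, and the
    digest recorded at backup time. `stored` defaults to the intact content."""
    return {"media": media, "offline": offline, "taken": taken,
            "catalog_sha256": sha256(content),
            "stored": content if stored is None else stored}


TODAY = date(2020, 12, 1)   # constructed reference date for the age check

# Constructed inventory: one list of copies per dataset.
INVENTORY = {
    "finance-db": [
        entry("disk", False, date(2020, 11, 30), b"ledger v42"),
        entry("tape", True, date(2020, 11, 29), b"ledger v42"),
        entry("object-store", False, date(2020, 11, 30), b"ledger v42"),
    ],
    "file-share": [   # two disk copies on the same network, one of them damaged
        entry("disk", False, date(2020, 11, 30), b"share v7"),
        entry("disk", False, date(2020, 11, 30), b"share v7", stored=b"share v7 (truncated"),
    ],
    "erp": [          # offline copy exists but has not been refreshed for two months
        entry("disk", False, date(2020, 11, 30), b"erp v3"),
        entry("tape", True, date(2020, 10, 1), b"erp v2"),
        entry("object-store", False, date(2020, 11, 30), b"erp v3"),
    ],
}


def check_321(copies, today, max_offline_age_days=7):
    """Return findings for one dataset; an empty list means 3-2-1 is met and
    every copy restores to the digest the catalogue recorded.
    The seven-day offline freshness limit is an assumption for this example."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        findings.append("copies are on fewer than two media types")
    offline = [c for c in copies if c["offline"]]
    if not offline:
        findings.append("no offline copy")
    else:
        age = today - max(c["taken"] for c in offline)
        if age > timedelta(days=max_offline_age_days):
            findings.append(f"newest offline copy is {age.days} days old")
    # Restore test: what comes back must hash to what the catalogue recorded.
    for i, c in enumerate(copies, 1):
        if sha256(c["stored"]) != c["catalog_sha256"]:
            findings.append(f"copy {i} ({c['media']}) fails restore verification")
    return findings


def audit(inventory=INVENTORY, today=TODAY):
    """Run the check across the whole inventory."""
    return {name: check_321(copies, today) for name, copies in inventory.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The `file-share` dataset illustrates why copy count alone is not enough: two copies on the same kind of media, both reachable from the network, are exactly what a ransomware variant that hunts for accessible backups would encrypt together, and one of them would not restore anyway.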