The city of Baltimore has been hit with a ransomware attack that forced the shutdown of most city servers as officials investigate the origin and severity of the attack. This marks the second time ransomware has hit Baltimore: In March 2018, a cyberattack infected the city’s 911 dispatch system and took down automated dispatches for 911 and 311 calls.
The ransomware variant in that case was identified as RobbinHood, a new form about which little is known. The ransom message on Baltimore’s computer system said RobbinHood used a file-locking virus that encrypts files to take them hostage. The note demanded payment of 3 Bitcoins (equivalent to about $17,600 at current prices) per system, or 13 Bitcoins (worth about $76,280) in exchange for freeing all the city’s systems. Baltimore has declined to pay and is in the process of restoring systems from available backups.
Baltimore is just another victim in a litany of ransomware attacks that have ravaged organizations of all types and sizes. Unfortunately, this result has become the new normal. With new ransomware infections reported seemingly every day, our alert fatigue has kicked into high gear. This particular story didn’t even hit most of the national news websites, whereas a few years ago it would have been the lead.
But we don’t have to accept ransomware as an inevitability. There are simple things that any organization can do to dramatically reduce its likelihood of joining Baltimore in this inauspicious condition.
First, understand how most ransomware enters an organization’s environment. It’s helpful to think of this in terms of “push” and “pull.” In the former, an attacker directly accesses an organization’s resources to “push” the malware in. Phishing attacks are frequently designed to capture unsuspecting users’ credentials, and those credentials are then used by the attacker to access the organization’s network (typically via Remote Desktop or remote-access VPN). People also tend to reuse their passwords on different websites, and if one of those sites were to be compromised, the captured credentials could similarly be used to obtain unauthorized access. Bonus points for the attacker if the credentials have administrator privileges. And then there’s the old-fashioned exploitation of vulnerabilities on an organization’s public-facing servers in order to plant the malware. These are just a few examples.
And in the “pull” method, attackers try to trick employees into unknowingly pulling the malware in. Malicious attachments to e-mail messages, hyperlinks embedded in phishing messages, and drive-by downloads (e.g., unintentional retrieval of malware as a result of visiting an infected website) are the biggest culprits here.
Regardless of delivery mechanism, once the malware enters the environment, the organization obviously has a challenge on its hands. So, what can be done to prevent this from happening in the first place? It’s important to understand that there’s no magic bullet, but by incorporating a combination of controls, both individuals and organizations can make it exponentially more difficult for ransomware to take hold:
- Security awareness training and testing. Condition employees to be on the lookout for suspicious e-mail messages. When they know they’re being tested and that failure has consequences, behavior should dramatically improve.
- Limit account privileges. The privileges assigned to an employee’s account should include those necessary for his or her job role, but nothing more. If these credentials are stolen, extra privileges mean extra damage that can be inflicted by an attacker.
- Use a password manager. The problem with passwords isn’t necessarily that they’re weak, it’s that they tend to be reused. When this happens, the likelihood of credential theft increases exponentially. Using a password manager like 1Password for your personal passwords allows you to maintain a strong, unique password for every app and website on which you have an account.
- Use multifactor authentication. If an attacker steals your password, it no longer matters how long or complex it is. Coupling strong, unique passwords with multifactor authentication is a surefire way to keep from being low-hanging fruit in the metaphorical attack orchard.
- Prevent malicious DNS lookups. Before it can take hold, most ransomware requires the ability to resolve malicious DNS names. But by using Cisco Umbrella to remove this capability, an organization can dramatically stack the deck in its favor.
- Deploy web and email security. Prevent onsite and remote users from communicating with malicious IP addresses or URLs. Sandbox all attachments to incoming e-mail messages and inspect all embedded hyperlinks.
- Protect endpoints. Attackers have become adept at disguising malware to evade detection by antivirus software and other traditional mechanisms. But by protecting its workstations, servers, and mobile devices with Cisco Advanced Malware Protection (AMP) for Endpoints, an organization can leverage the world’s most advanced threat intelligence in real time to keep malware in check and proactively hunt for threats within its environment.
- Patch operating systems and applications. Many variants of ransomware spread by exploiting vulnerabilities for which patches are already available. By keeping systems and applications up to date, an organization can severely inhibit ransomware’s ability to take hold and spread.
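To make the DNS-layer control concrete, here is a small added example that is not from the original post and is not how Cisco Umbrella works internally. It models the policy a filtering resolver applies: every queried name is checked against a blocklist, matching both the exact name and any parent domain, and lookups that hit the list are refused. Run over a few constructed resolver log lines, it also shows the detection value of that control: a client that keeps attempting blocked lookups is a host worth triaging, because something on it is trying to reach infrastructure the organization has already decided is malicious. All domain names, client addresses and log lines below are constructed for the example.

```python
"""
Added example (not from the original post, not Cisco Umbrella's code): a minimal
DNS-layer policy check. It parses constructed DNS query log lines, matches each
queried name against a blocklist (exact name or any parent domain), and
summarizes which clients attempted blocked lookups. Every domain, IP address
and log line here is made up.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed blocklist: names the resolver policy refuses to answer.
BLOCKLIST = {
    "malware-c2.example",
    "payload-host.example",
    "bad.cdn.example",
}

# Constructed resolver log, one query per line: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2019-05-07T09:14:02Z 10.0.5.21 www.example.com A
2019-05-07T09:14:05Z 10.0.5.21 update.Malware-C2.example. A
2019-05-07T09:14:06Z 10.0.5.21 malware-c2.example A
2019-05-07T09:15:11Z 10.0.7.44 mail.example.org MX
2019-05-07T09:15:40Z 10.0.7.44 static.bad.cdn.example AAAA
2019-05-07T09:16:03Z 10.0.9.10 cdn.example TXT
"""


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.rstrip(".").lower()


def blocked_by(name: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers `name`, or None if it is allowed.

    A listed domain covers itself and every subdomain: 'update.malware-c2.example'
    is covered by 'malware-c2.example'. The reverse is not true: 'cdn.example' is
    not blocked just because 'bad.cdn.example' is listed.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname, qtype


def evaluate_log(log: str, blocklist=BLOCKLIST) -> List[dict]:
    """Produce one verdict per query: 'allow', or 'block' with the matching entry."""
    verdicts = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, client, qname, qtype = parse_line(raw)
        entry = blocked_by(qname, blocklist)
        verdicts.append({
            "ts": ts,
            "client": client,
            "qname": normalize(qname),
            "qtype": qtype,
            "action": "block" if entry else "allow",
            "matched": entry,
        })
    return verdicts


def blocked_lookups_per_client(verdicts: List[dict]) -> Dict[str, int]:
    """Count blocked lookups per client; repeated hits point at a host to investigate."""
    counts: Dict[str, int] = defaultdict(int)
    for v in verdicts:
        if v["action"] == "block":
            counts[v["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = evaluate_log(SAMPLE_LOG)
    for v in results:
        matched = f' (matched {v["matched"]})' if v["matched"] else ""
        print(f'{v["ts"]} {v["client"]:<10} {v["action"]:<5} {v["qname"]}{matched}')
    print("blocked lookups per client:", blocked_lookups_per_client(results))
```

The parent-domain walk is the part worth copying: blocklists are usually maintained at the registrable-domain level, so a check that only compares exact strings lets `update.malware-c2.example` through even when `malware-c2.example` is listed. Feeding the per-client counts into the SOC queue turns the same control from pure prevention into an early infection indicator.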
To learn how Symplexity’s managed security services can help your organization accomplish these things and more, reach out to us at firstname.lastname@example.org or call (260) 432-1364.