Working in information security often means meeting organizations in their worst possible moments. Times when mistakes and missteps are laid bare. While Asylas is always available to help in times of crisis, we prefer to help our customers implement best practices ahead of a disaster, rather than on the heels of an event. We recently worked with a municipal customer that suffered a devastating ransomware attack. Their story is a cautionary tale. We follow it with 12 steps to take now to prevent or survive a future ransomware event at your organization.
One City, Two Outcomes
The incident was first detected by an employee who came in early and viewed the ransom notice on her computer. She immediately contacted the IT department. They instructed her to turn off the machine and leave it off until they could assist.
The first department targeted was fortunate. They had separate backups that the attacker was unable to access. The majority of city functions were only down for a couple of days while IT wiped and restored all of their machines.
The police department did not fare so well. They had their backups stored on a local file share that was encrypted during the attack. Every workstation and server on the network was compromised and there were no backups available. The IT department wiped and reimaged their machines over the course of a long week, but the entirety of their data was lost. The data included incident reports, digital notes, and evidence.
We began our investigation on a machine that was encrypted by the ransomware. Based on the machine we received, Asylas was unable to determine the initial point of entry into the network. However, we did determine that the workstation under investigation was compromised using the department’s outsourced IT administrative account.
Asylas determined that the strain of ransomware was REvil/Sodinokibi. This ransomware has recently been known to exfiltrate data before encrypting it. This allows attackers to demand a second ransom or to sell the data on a dark web auction site.
Unfortunately, the municipality did not have any network or system logs left to review by the time Asylas was pulled in. Without logs, we could not determine whether data had been exfiltrated.
The municipality is currently in the process of determining how to notify individuals of the incident. It is difficult to know whom to contact because they have no way to determine what data was on the compromised machines.
How To Stop Ransomware Before It Happens to You
Here are Asylas’ top 12 steps to give organizations a fighting chance at stopping ransomware attacks before they happen.
- Maintain a backup solution that is not accessible without separate authentication. Attackers are using the access they already have to encrypt backups that are attached to the network.
- Install patches and updates. Most malware is able to take advantage of vulnerabilities in systems because systems have not been updated in a timely manner. If your machines have critical vulnerabilities that are more than a couple weeks old, you are leaving the door wide open for attackers.
- Scan for vulnerabilities. Even if you are regularly patching your systems, there may be machines that are missed or insecure configurations that are in place. Perform periodic vulnerability scanning to ensure you have full visibility into your environment.
- Disable unnecessary or outdated external services. Double check or scan your perimeter and see what’s open to the internet. Any ports/protocols that are not necessary should be closed/disabled. Any outdated services should be retired in favor of industry standard solutions (e.g., a VPN rather than internet-exposed RDP). RDP has been used in many ransomware attacks.
- Disable PowerShell internally. For machines where PowerShell is not required, disable it. Many current hacker tools rely on PowerShell. Don’t make it easy on them.
- Use an Endpoint Detection and Response tool (not just legacy anti-virus). Legacy AV looks for specific, known bad files to block. Next generation AV or Endpoint Detection and Response tools look for attacker tactics, techniques, and procedures to identify malicious activities.
- Use email filters. Block all file types that your organization does not need to receive by email. Make sure you are filtering as much as you can before the email reaches the end user. No solution is perfect, but a layered security strategy gives you the best chance at stopping an attack.
- Educate end users. Ransomware often (but not always) comes from a user clicking a link in an email. These emails no longer appear to be from a prince in a foreign country. They look like they’re coming from your boss and are pretty convincing. Email filters help, but they don’t prevent 100% of bad emails from reaching your users. Teach your staff what current attacks look like and what to be on guard for.
- Enable two-factor authentication for all remote access. If you can access it from the internet, it needs to have two-factor authentication enabled. Typing in a code after entering your password seems like an annoying additional step. Your users will get used to it quickly, and it makes a huge difference in your security posture.
- Implement web filtering. Make sure your users can’t go to known bad or suspicious-looking sites.
- Evaluate your vendors. Starting in 2019, attackers began to see value in compromising outsourced IT companies. If compromised, an attacker can have access to thousands of machines that are managed by the IT firm.
- Keep the logs! In the event your organization does fall prey to a ransomware attack, it is vital to have digital evidence that can be used to determine the details of the incident (the initial point of compromise, which machines were compromised, whether data was taken, and so on). Keep the logs!