Ransomware for business
What Is Ransomware?
According to the FTC, ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data "hostage" until the victim pays a ransom, frequently demanding payment in Bitcoin. According to the FBI, after the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, and data may be deleted or leaked online as a form of extortion.
How Is Ransomware Delivered?
According to the FTC, ransomware often arrives through email phishing campaigns, which typically require the user to take an action such as clicking on a link or downloading a malicious attachment. Other campaigns use drive-by downloads, where a user visits a malicious website or a site that has been compromised, and the act of loading the site causes the ransomware to automatically download onto the user's computer. In addition, ransomware is delivered through "malvertising" campaigns, where malicious code is hidden in an online ad that infects the user's computer. These attacks can occur even on trusted websites through third-party ad networks that redirect the user to an infected server.
- Scam emails with links and attachments that put your data and network at risk. These phishing emails make up most ransomware attacks.
- Server vulnerabilities that can be exploited by hackers.
- Infected websites that automatically download malicious software onto your computer.
- Online ads that contain malicious code — even on websites you know and trust.
Responding to Ransomware
It is recommended that organizations do the following to respond to ransomware.
- Determine which systems were impacted and isolate them immediately: remove infected systems from the network as soon as possible to prevent the ransomware from spreading to the network or shared drives.
- If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
- If taking the network temporarily offline is not immediately possible, locate the network (e.g., Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
- After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand whether their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access—already a common tactic—or deploy ransomware widely before networks are taken offline. Only if you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection. Please note: powering off a device prevents you from preserving ransomware infection artifacts and potential evidence stored in volatile memory, so it should be done only when it is not possible to temporarily shut down the network or disconnect affected hosts from the network by other means.
- Identify and prioritize critical systems for restoration and confirm the nature of data housed on impacted systems.
- Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on.
- Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.
- Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
- Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.
- Share the information you have at your disposal to receive the most timely and relevant assistance. Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, shareholders, investors, suppliers, and departmental or elected leaders.
- Immediately secure backup data or systems by taking them offline, and ensure backups are free of malware.
- Contact law enforcement immediately.
- Collect and secure any partial copies of the ransomed data that may still exist.
- Change all online account passwords and network passwords after removing the system from the network if possible, and change all system passwords once the malware is removed from the system.
- Delete registry values and files to stop the program from loading.
- Implement security incident response and business continuity plans.
- Conduct a post-incident review of the response to the incident, and assess the strengths and weaknesses of the incident response plan.
How Should You Report Ransomware to Law Enforcement?
The FBI is requesting that victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center with the following ransomware infection details (as applicable).
- Date of infection
- Ransomware variant (identified on the ransom page or by the encrypted file extension)
- Victim company information (industry type, business size, etc.)
- How the infection occurred (link in email, browsing the Internet, etc.)
- Requested ransom amount
- Actor's Bitcoin wallet address (may be listed on the ransom page)
- Ransom amount paid (if any)
- Overall losses associated with a ransomware infection (including the ransom amount)
- Victim impact statement
Containment and Eradication
If no initial mitigation actions appear possible:
- Take a system image and memory capture of a sample of affected devices (e.g., workstations and servers). Additionally, collect any relevant logs as well as samples of any “precursor” malware binaries and associated observables or indicators of compromise (e.g., suspected command and control IP addresses, suspicious registry entries, or other relevant files detected).
- Take care to preserve evidence that is highly volatile in nature - or limited in retention - to prevent loss or tampering (e.g., system memory, Windows Security logs, data in firewall log buffers).
- Consult federal law enforcement regarding decryptors that may be available. In addition, here are two sites that will analyze your ransomware and provide a link to download a decryption solution if one is available.
Should Organizations Pay the Ransom?
The FBI does not support paying a ransom to the adversary because it does not guarantee the victim will regain access to their data. In fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit and could provide an incentive for other criminals to engage in similar illicit activities for financial gain. Although the FBI does not support paying a ransom, it recognizes that executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.
There are serious risks to consider before paying the ransom. The US government (USG) does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:
- Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
- Some victims who paid the demand were targeted again by cyber actors.
- After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
- Paying could inadvertently encourage this criminal business model.
What Prevention and Continuity Measures Exist?
- Invest in resiliency. Participate in ransomware exercises to build the muscle memory in your organization to respond quickly and consider common decisions associated with a ransomware attack. Upskill your teams (not just security, but everyone who needs to be involved in case of an attack) to be able to anticipate, communicate, respond, and identify any gaps in your process or communications.
- Vault your data. Savvy ransomware attackers go into your system and delete your backup before sending ransom notes and encrypting data. Make sure your critical data is archived in an offline vault that is detached from the rest of your systems. If your backups remain online, ensure segregation from production systems, and use unique credentials for access.
- Protect your endpoints. Since ransomware targets endpoints, focusing on them reduces the likelihood of initial compromise, promotes early detection, and minimizes spread.
- Deploy agent-based disk and process/execution scanning (EDR) to identify and block known malicious software and behaviors.
- Implement network-based IPS that can identify and drop malicious network traffic, as well as block known malicious domains and IPs.
- Use DNS Filtering to prevent access to newly registered and unverified domains.
- Limit remote administrative access (RDP) and enforce MFA.
- Require signed executables and scripts to avoid unsanctioned or malicious executables running in your environment.
- Perform ongoing patch management prioritizing remediation of public, remote, and crown jewel systems.
Focus on email security. Most ransomware starts as phishing/spear phishing to the inbox. Intercepting malicious mail before your users have an opportunity to click is key.
- Enable attachment scanning, URL rewriting, and IP reputation filtering.
- Enforce SPF/DKIM/DMARC policies.
- Use external sender banners.
- Support programmatic removal of mail that is determined as malicious post-delivery.
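As an added illustration of the SPF/DKIM/DMARC item above (this code is not part of the original guidance), the following Python checks whether a domain's SPF and DMARC records actually enforce anything: an SPF record ending in +all or without an all mechanism, more than the 10 DNS lookups RFC 7208 allows, a DMARC policy of none, a partial pct, or no reporting address. It parses record text rather than querying DNS so it runs offline; the domain names and sample records are constructed, and in practice you would pass in the TXT records returned by a resolver. DKIM is verified per message by the receiving server and has no single policy record, so it is not evaluated here.

```python
"""Check whether SPF and DMARC records enforce a policy (added example, not from the page)."""
from dataclasses import dataclass, field
from typing import Optional

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class PolicyFinding:
    domain: str
    spf_ok: bool = False
    dmarc_ok: bool = False
    issues: list = field(default_factory=list)


def parse_spf(record: str) -> dict:
    """Return the qualifier on 'all' and the number of lookup-costing terms."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    result = {"valid": True, "all": None, "lookups": 0}
    for term in terms[1:]:
        t = term.lower()
        qual = "+"                      # a bare mechanism means "+" (pass)
        if t[0] in "+-~?":
            qual, t = t[0], t[1:]
        if t == "all":
            result["all"] = qual
        elif t.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0] in LOOKUP_TERMS:
            result["lookups"] += 1
    return result


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; the record must carry v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    tags["valid"] = tags.get("v", "").upper() == "DMARC1"
    return tags


def evaluate(domain: str, spf_txt: Optional[str], dmarc_txt: Optional[str]) -> PolicyFinding:
    f = PolicyFinding(domain)
    if spf_txt is None:
        f.issues.append("no SPF record: any host may claim to send for this domain")
    else:
        spf = parse_spf(spf_txt)
        if not spf["valid"]:
            f.issues.append("SPF record does not start with v=spf1")
        else:
            if spf["all"] == "+":
                f.issues.append("SPF ends with +all: every sender passes, so the record protects nothing")
            elif spf["all"] in (None, "?"):
                f.issues.append("SPF has no -all/~all: unlisted senders are neutral, not rejected")
            if spf["lookups"] > 10:
                f.issues.append(f"SPF needs {spf['lookups']} DNS lookups (limit 10): receivers return permerror")
            f.spf_ok = spf["all"] in ("-", "~") and spf["lookups"] <= 10
    if dmarc_txt is None:
        f.issues.append("no DMARC record: SPF/DKIM failures carry no policy and generate no reports")
    else:
        d = parse_dmarc(dmarc_txt)
        if not d["valid"]:
            f.issues.append("DMARC record does not carry v=DMARC1")
        else:
            policy = d.get("p", "").lower()
            raw_pct = d.get("pct", "100")
            pct = int(raw_pct) if raw_pct.isdigit() else 0
            if policy not in ("quarantine", "reject"):
                f.issues.append(f"DMARC p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
            if pct < 100:
                f.issues.append(f"DMARC pct={raw_pct}: policy applied to only part of failing mail")
            if "rua" not in d:
                f.issues.append("DMARC has no rua tag: aggregate reports are not being collected")
            f.dmarc_ok = policy in ("quarantine", "reject") and pct == 100
    return f


# Constructed sample records (not real domains)
SAMPLE_RECORDS = {
    "good.example": ("v=spf1 mx include:_spf.mailer.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"),
    "weak.example": ("v=spf1 a mx +all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "none.example": (None, None),
}


def evaluate_all(records=SAMPLE_RECORDS) -> dict:
    return {dom: evaluate(dom, spf, dmarc) for dom, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for dom, finding in evaluate_all().items():
        print(dom, "SPF ok" if finding.spf_ok else "SPF weak", "| DMARC ok" if finding.dmarc_ok else "| DMARC weak")
        for issue in finding.issues:
            print("   -", issue)
```

A DMARC p=none record is worth flagging explicitly: it is the normal starting point for a rollout, but it never blocks spoofed mail, and organizations often forget to move on to quarantine or reject.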
Secure the network. Segmenting the environment forces threat actors to work harder to move laterally within your systems.
- Require MFA to access privileged networks (802.1x, VPN, bastion strategy).
- Implement segmentation strategies to isolate data and systems.
- Monitor across segments and networks (east-west traffic) in addition to ingress/egress traffic.
Incorporate threat analysis & detection into decision-making.
- Collect security and endpoint logs in a SIEM.
- Integrate threat intelligence feeds into security tooling.
- Establish alerting and notifications for security operations.
- Use threat intelligence to scope red teaming and penetration testing activities.
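To show what the SIEM alerting in the list above can look like in practice, here is an added Python example (not from the original page) that runs two behavioural rules over endpoint file-event telemetry: a process rewriting many distinct files and changing their extensions inside a sliding time window, and a process dropping a ransom-note-like file. The event format (ts|host|process|pid|op|path|newpath), the process names and the sample events are constructed for the example, and the note-name pattern is an assumption to tune for your environment. A backup agent that only reads files and a build job that writes many files without changing extensions are included to show the rules do not fire on them.

```python
"""Behavioural ransomware detection over endpoint file events (added example, not from the page).

Event format ts|host|process|pid|op|path|newpath and all sample events are constructed;
map your EDR/SIEM fields onto parse_event() for real data. Events are assumed to be in time order.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Optional

# Names ransomware commonly gives the note it leaves beside encrypted data (assumption; tune locally)
NOTE_RE = re.compile(r"(readme|decrypt|restore|recover|how[_ -]?to).*\.(txt|html|hta)$", re.I)


@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    pid: int
    op: str
    path: str
    newpath: Optional[str]


def parse_event(line: str) -> Event:
    parts = line.rstrip("\n").split("|")
    if len(parts) != 7:
        raise ValueError(f"malformed event: {line!r}")
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, parts[1], parts[2], int(parts[3]), parts[4], parts[5], parts[6] or None)


def ext_of(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def detect(lines, window_seconds=60, file_threshold=10):
    """Alert on a process that rewrites many files while changing their extensions
    within one sliding window, and on a process that creates a ransom-note-like file."""
    windows = defaultdict(deque)      # (host, process, pid) -> recent WRITE/RENAME/CREATE events
    alerts, fired = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev.op not in ("WRITE", "RENAME", "CREATE"):
            continue                  # reads (backup agents, indexers, AV scans) are not counted
        key = (ev.host, ev.process, ev.pid)
        win = windows[key]
        win.append(ev)
        while (ev.ts - win[0].ts).total_seconds() > window_seconds:
            win.popleft()             # slide the window forward
        touched = {e.path for e in win}
        ext_changes = sum(1 for e in win if e.op == "RENAME" and e.newpath
                          and ext_of(e.newpath) != ext_of(e.path))
        base = {"host": ev.host, "process": ev.process, "pid": ev.pid, "ts": ev.ts.isoformat()}
        # Rule 1: many distinct files rewritten AND a large share of them get a new extension
        if (len(touched) >= file_threshold and ext_changes >= file_threshold // 2
                and (key, "mass") not in fired):
            fired.add((key, "mass"))
            alerts.append({**base, "rule": "mass_file_modification",
                           "files": len(touched), "ext_changes": ext_changes})
        # Rule 2: a ransom-note-like file is created
        if (ev.op in ("WRITE", "CREATE") and NOTE_RE.search(PureWindowsPath(ev.path).name)
                and (key, "note") not in fired):
            fired.add((key, "note"))
            alerts.append({**base, "rule": "ransom_note_dropped", "note": ev.path})
    return alerts


def build_sample_events():
    """Constructed telemetry: office work, a backup agent, a build job, then a ransomware-like process."""
    lines = [
        "2024-05-01T09:00:01Z|ws-17|winword.exe|4120|WRITE|C:\\Users\\amy\\Documents\\q2-plan.docx|",
        "2024-05-01T09:00:02Z|ws-17|explorer.exe|1188|RENAME|C:\\Users\\amy\\Desktop\\old.txt|C:\\Users\\amy\\Desktop\\notes.txt",
    ]
    for i in range(30):   # backup agent reads many files: READ is ignored
        lines.append(f"2024-05-01T09:00:{10 + i:02d}Z|ws-17|backup.exe|2200|READ|C:\\Users\\amy\\Documents\\f{i}.xlsx|")
    for i in range(15):   # build job writes many files but never changes extensions: no alert
        lines.append(f"2024-05-01T09:00:{40 + i:02d}Z|ws-17|msbuild.exe|3100|WRITE|C:\\src\\out\\m{i}.obj|")
    for i in range(12):   # "updater.exe" rewrites documents and renames each one to .lockd
        ts, src = f"2024-05-01T09:01:{2 * i:02d}Z", f"C:\\Users\\amy\\Documents\\report{i}.xlsx"
        lines.append(f"{ts}|ws-17|updater.exe|5588|WRITE|{src}|")
        lines.append(f"{ts}|ws-17|updater.exe|5588|RENAME|{src}|{src}.lockd")
    lines.append("2024-05-01T09:01:30Z|ws-17|updater.exe|5588|CREATE|C:\\Users\\amy\\Documents\\HOW_TO_RESTORE_FILES.txt|")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The mass-modification rule fires on the tenth distinct file, well before the note is written, which is the point of behavioural detection: an isolation action keyed to this alert limits how much of the share is encrypted. The thresholds are per-environment tuning values, not fixed constants.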
Regularly educate and train employees to maintain situational awareness and report any potential issues immediately. Provide real-world examples and repercussions of successful ransomware exploits.
- Use Spot the Phish awareness campaigns & integrate phish reporting in an email client.
- Provide document management guidance to users aligned with the backup strategy.
- Brief the Board and/or Board Committees on ransomware-related security posture.
Maintain a rigorous third-party risk assessment program, using a zero-trust mindset, and have a communications plan with third-party suppliers in case of an attack. Ensure your third parties are considered when conducting internal red teaming and penetration testing.
Understand that law enforcement agencies often work with the private sector to develop decryption tools quickly after ransomware attacks occur. These tools can be used to decrypt infected machines. Law enforcement can also help properly gather evidence when incidents occur.
- Ensure your incident response and business continuity plan includes ransomware response protocols such as:
- Details for employees about who to call if a ransomware ploy is successful.
- Ability to isolate the infected system from the network.
- Steps to isolate or power-off affected devices that have not yet been completely corrupted.
- Way to immediately secure backup data or systems by taking them offline and ensuring backups are free of malware.
- Tools to change all online account passwords and network passwords after removing the system from the network.
- How to work with law enforcement as appropriate.
- Review your prevention and identification processes.
- Review hardening guidance from your local CERT or government cyber security agency, such as US CISA's Ransomware Guide.
The FBI recommends organizations consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack.
- Regularly back up data, and verify the integrity of the backups.
- Secure backups, and ensure backups are not connected to the computers and networks they are backing up.
- Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
- Only download software, especially free software, from known and trusted sites, and verify the integrity of the software through a digital signature before execution when possible.
- Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
- Ensure antivirus and antimalware solutions are set to automatically update and regular scans are conducted.
- Disable macro scripts from files transmitted via email, and consider using Office viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
- Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including those located in the AppData/LocalAppData folder.
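The items above ask you to verify the integrity of backups, and the containment section earlier asks you to preserve collected evidence; both come down to knowing that a set of files has not been altered since it was captured. As an added Python example, not from the original guidance, the following builds a SHA-256 manifest of a backup set, seals it with an HMAC so that an intruder who overwrites the backup cannot silently rewrite the manifest as well, and reports files that went missing, changed, or appeared. The directory, file contents and key are constructed inside a temporary folder; the key is assumed to be held off the backup host.

```python
"""Backup (and evidence) integrity manifest with an HMAC seal (added example, not from the page).

Directory, contents and key are constructed; the real key is assumed to live off the
backup host, e.g. on the vault or verification system."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, streamed so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative POSIX path) to its digest and size."""
    return {p.relative_to(root).as_posix(): {"sha256": hash_file(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(entries: dict) -> bytes:
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(entries: dict, key: bytes) -> str:
    """Attach an HMAC-SHA256 over the canonical manifest so edits to the manifest are detectable."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}, sort_keys=True)


def open_manifest(sealed: str, key: bytes) -> dict:
    doc = json.loads(sealed)
    expected = hmac.new(key, _canonical(doc["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: the manifest itself has been altered")
    return doc["entries"]


def verify_backup(root: Path, entries: dict) -> dict:
    """Compare the backup set on disk with the sealed manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(entries) - set(current)),
        "unexpected": sorted(set(current) - set(entries)),
        "modified": sorted(k for k in entries if k in current
                           and current[k]["sha256"] != entries[k]["sha256"]),
    }


def demo():
    """Build a small constructed backup set, seal it, then simulate an intruder's changes."""
    key = b"constructed-demo-key"    # assumption: the real key is stored off the backup host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n" * 100)
        (root / "payroll.csv").write_bytes(b"id,name,amount\n1,amy,100\n")
        (root / "notes.txt").write_bytes(b"rotation schedule\n")
        sealed = seal_manifest(build_manifest(root), key)

        # What an intruder who reached an online backup share might do:
        (root / "payroll.csv").write_bytes(b"\x00\xff" * 32)       # overwritten with stand-in ciphertext
        (root / "notes.txt").rename(root / "notes.txt.locked")    # renamed with a new extension
        (root / "HOW_TO_RESTORE.txt").write_bytes(b"pay us")      # ransom note dropped
        report = verify_backup(root, open_manifest(sealed, key))

        # Forging the manifest to match the tampered file fails without the key
        forged = json.loads(sealed)
        forged["entries"]["payroll.csv"]["sha256"] = hash_file(root / "payroll.csv")
        try:
            open_manifest(json.dumps(forged), key)
            forgery_rejected = False
        except ValueError:
            forgery_rejected = True
    return report, forgery_rejected


if __name__ == "__main__":
    report, rejected = demo()
    print(json.dumps(report, indent=2))
    print("forged manifest rejected:", rejected)
```

Run the verification from the vault or a separate verification host, not from the backup server itself: a manifest and key that sit next to the backups give an intruder with that access everything needed to forge both.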
The FBI also recommends that organizations do the following.
- Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats, and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
- Consider disabling Remote Desktop Protocol if it is not being used.
- Conduct an annual penetration test and vulnerability assessment. (See the FBI's brochure, Ransomware Prevention and Response for CISOs.)
The following are additional considerations for businesses.
- Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and be trained on information security principles and techniques.
- Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered.
- Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary, and they should operate with standard user accounts at all other times.
- Configure access controls with least privilege in mind.
- Use virtual environments to execute operating system environments or specific programs.
- Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.
- Require user interaction for end-user applications communicating with Websites uncategorized by the network proxy or firewall.
- Implement application white-listing. Only allow systems to execute programs known and permitted by the security policy. (See the FBI public service announcement from September 15, 2016, "Ransomware Victims Urged To Report Infections to Federal Law Enforcement.")
- Organizations also should conduct a cyber-security risk analysis of the organization and have and test an incident response plan.
- Finally, organizations should take into account insurance coverage, including cyber-liability/cyber-extortion coverage.
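As an added model of the software-restriction item (blocking execution from temporary and AppData folders) and the application allowlisting item above, this Python example, which is not an export of a Windows SRP or AppLocker policy, evaluates process-start events against a default-deny path policy: installed-software locations are allowed, user-writable locations such as AppData, Temp and Downloads are denied, and a constructed publisher exception shows how a signed per-user application would be handled. The paths, publisher names and events are constructed; paths are normalized with ntpath so that ".." traversal and forward slashes cannot slip past the rules.

```python
"""Default-deny execution-location policy, modelled in Python (added example, not from the page).

Not an SRP/AppLocker export: real policies also use hash and publisher rules and cover
DLLs and scripts. Paths, publisher names and events below are constructed. ntpath is used
so the Windows path handling runs on any platform."""
import ntpath
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Locations where unsigned code should never start (policy assumption; tune per environment)
DENY_LOCATIONS = [
    r"c:\users\*\appdata\*",      # covers Roaming, Local, Local\Temp and browser caches
    r"c:\users\*\downloads\*",
    r"c:\windows\temp\*",
    r"c:\programdata\*",
]
# Locations where installed software legitimately lives
ALLOW_LOCATIONS = [r"c:\windows\*", r"c:\program files\*", r"c:\program files (x86)\*"]
# Publishers whose signed binaries may run from a denied location (per-user installs); constructed name
PUBLISHER_EXCEPTIONS = {"vendor software inc"}


def normalize(path: str) -> str:
    """Collapse '..' and '.', unify separators and lower-case (Windows paths are case-insensitive)."""
    return ntpath.normpath(path).lower()


def matches(path: str, patterns) -> bool:
    # fnmatch has no escape character, so the backslashes in the patterns are literal
    return any(fnmatchcase(path, p) for p in patterns)


def decide(path: str, signer: Optional[str] = None) -> Tuple[str, str]:
    """Return (decision, reason). Deny rules win over allow rules; anything unmatched is denied."""
    p = normalize(path)
    if matches(p, DENY_LOCATIONS):
        if signer and signer.lower() in PUBLISHER_EXCEPTIONS:
            return "allow", f"signed by exception publisher {signer!r} in a user-writable location"
        return "deny", "user-writable location (AppData/Temp/Downloads/ProgramData)"
    if matches(p, ALLOW_LOCATIONS):
        return "allow", "installed-software location"
    return "deny", "not in any allowed location (default deny)"


# Constructed process-start events: (image path, Authenticode signer or None)
SAMPLE_PROCESS_STARTS = [
    (r"C:\Windows\System32\cmd.exe", "Microsoft Windows"),
    (r"C:\Program Files\Office\WINWORD.EXE", "Microsoft Corporation"),
    (r"C:\Users\amy\AppData\Local\Temp\invoice_2024.pdf.exe", None),      # double-extension lure
    (r"C:\Users\amy\AppData\Roaming\svc\updater.exe", None),
    (r"C:\Program Files\..\Users\amy\AppData\Local\Temp\x.exe", None),     # traversal back into Temp
    (r"C:/Users/amy/Downloads/setup.exe", None),                           # forward slashes
    (r"C:\Users\amy\AppData\Local\VendorApp\VendorApp.exe", "Vendor Software Inc"),
    (r"D:\share\tools\archiver.exe", None),                                # unknown location
]


def evaluate_all(events=SAMPLE_PROCESS_STARTS):
    """Return [(path, decision, reason), ...] for a batch of process-start events."""
    return [(path, *decide(path, signer)) for path, signer in events]


if __name__ == "__main__":
    for path, decision, reason in evaluate_all():
        print(f"{decision:5}  {path}  ({reason})")
```

The traversal case is why the policy normalizes before matching: a check such as `path.startswith("C:\\Program Files")` would have allowed `C:\Program Files\..\Users\amy\AppData\Local\Temp\x.exe`. Publisher exceptions are the escape hatch for legitimate per-user installers; keep that set short and review it, since a broad exception turns the deny rule back into an allow rule.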
Is There an Example of a Recovery Plan Specific to a Ransomware Attack?
The National Institute of Standards and Technology Guide for Cybersecurity Event Recovery includes an example of a recovery plan in the form of a playbook for a ransomware attack. (See the NIST's special publication, Guide for Cybersecurity Event Recovery.) While the guide applies to US federal agencies, it should be useful to any organization.
Could a Ransomware Attack Result in a Breach under HIPAA?
The Department of Health and Human Services (HHS) provided guidance in Fact Sheet: Ransomware and HIPAA that states:
- A breach under the HIPAA Rules is defined as, "… the acquisition, access, use, or disclosure of [protected health information] PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." See 45 C.F.R. 164.402.6.
- When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule.
- Unless the covered entity or business associate can demonstrate that there is a "… low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.