As Ransomware Attacks Increase, DHS Alerts to Cybersecurity Insights
September 09, 2019 - The Department of Homeland Security is once again alerting all sectors to the rapidly increasing threat of ransomware attacks. Officials have shared FireEye research on ways organizations can both protect their enterprise and contain the malware.
According to the DHS Cybersecurity and Infrastructure Security Agency, the US is currently facing a ransomware outbreak that has “rapidly emerged as the most visible cybersecurity risk playing out across US networks, locking up private sector organizations and government agencies alike.”
For the past month in healthcare sector alone, hackers demanded a $1 million ransomware from one healthcare network and three other providers reported similar ransomware events. Most recently, a ransomware attack on third-party vendor Digital Dental Records and PerCSoft has left hundreds of dental providers locked out of their systems for more than a week.
What’s more, it’s also likely there are many more of these cyberattacks, but many more infections are simply going unreported and ransoms are being paid, according to CISA.
“We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?,” officials wrote. “But we also recognize that there’s no such thing as perfect cybersecurity and ransomware infections can still happen.”
Ransomware Basics and Recommendations from FireEye
READ MORE: Ransomware Attacks Double in 2019, Brute-Force Attempts Increase
Hackers leverage ransomware attacks both manually and through automated propagation, FireEye researchers explained.
In manual attacks, the cybercriminal will penetrate a network and use administer-level privileges to manually run encryptors on the targeted system through Windows batch files, Microsoft Group Policy Objects, and existing software deployment tools used by the victim’s organization.
With automated attacks, hackers leverage credential or Windows token extraction from disk or memory to build trust relationships between systems through Windows Management Instrumentation, SMB, or PsExec. This binds systems and executes payloads.
Hackers also automate brute-force attacks on unpatched exploitation methods, such as BlueKeep and EternalBlue.
“While the scope of recommendations contained within this document are not all encompassing, they represent the most practical controls for endpoint containment and protection from a ransomware outbreak,” FireEye researchers wrote.
READ MORE: Ransomware Attack on Digital Dental Records Impacts Many Providers
“If implemented proactively, the scope of controls outlined within this document can protect an organization from being impacted by a ransomware event that disrupts operations and impacts a large scope of systems,” they added.
The FireEye guidance provides organizations with insights on shoring up vulnerabilities in common entry points, such as unpatched endpoints.
Organizations can find methods to harden endpoints by restricting administrative accounts from leveraging internet-facing remote desktop protocol, leveraging network level authentication, RDP hardening, and other methods.
FireEye also shed light on the threat of credential exposure and ways organizations can harden usage.
“Local accounts that exist on endpoints are often a common avenue leveraged by attackers to laterally move throughout an environment,” researchers wrote. “This tactic is especially impactful when the password for the built-in local administrator account is configured to the same value across multiple endpoints.”
READ MORE: Ransomware Costs on the Rise, Causes Nearly 10 Days of Downtime
“Ransomware poses a serious threat to organizations, as attackers continue to utilize this tactic to monetize breaches,” they added. “This whitepaper should not be considered a comprehensive guide on every tactic and control that can be used for this purpose, but it can serve as a valuable resource for organizations faced with this challenge.”
Preventative Measures
As many cybersecurity researchers have stressed, CISA explained that organizations can protect against ransomware by ensuring all data, system images, and configurations are backed up and stored offline. Systems should also be updated and patched, while organizations must ensure security tools are up to date.
Next, organizations should review and exercise their incident response plan. Officials explained they should also take note of outside ransomware events and apply lessons learned.
Ransomware Response
If infected, CISA officials said organizations should seek assistance from the FBI or contact CISA, along with working with an experienced advisor to help with recovery efforts. The infected systems need to be isolated and the return to operations should be phased.
During recovery, organizations should also review connections to any business relationships that touch the network, such as vendors, customers, and partners. To prioritize recovery, business impact assessment findings should be applied.
Ensuring Network Resilience
Overall, CISA recommended organizations practice good cyber hygiene through backups, updates, whitelisting apps, limiting privileges, and use multifactor authentication. Microsoft recently reported that MFA stops 99.9 percent of all automated cyberattacks.
Networks should be segmented to ensure it’s difficult for a hacker to move around the network an infect multiple systems. Organizations also need to develop containment strategies, which can inhibit a hacker from taking data out of the network.
Lastly, organizations need to understand the system’s baseline for recovery, while reviewing and validating disaster recovery procedures and goals with executives.
Gloss