Ransomware: A Problem of Excesses (Access, Privileges, Vulnerabilities)

Nov 21, 2019
Author:
Julissa
Julissa Caraballo
Product Marketing Manager

Over the years, ransomware has escalated from a curiosity and fringe occurrence to a full-blown crisis that induces cold sweats and panic amongst security and IT workers, especially those working with stretched IT resources. At its core, ransomware is simply a form of malware that cyber threat actors use to infect computers or networks, then encrypt files and data, to make them inaccessible until the owner has paid a ransom. Of course, even paying the ransom is no guarantee that access will be restored by the perpetrators.

Recent Ransomware Trends and Targets

According to a tally by the threat intelligence firm Recorded Future, just this year alone, 230 ransomware attacks targeting public, state, and local governments and healthcare providers have been reported. Another recent study reports that over 500 schools incurred ransomware attacks this year through October. Additionally, a recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).

The Global Ransomware Marketplace Report ranked RDP as the #1 ransomware attack vector, with phishing in the #2 spot. As the report states, “the ability to proliferate ransomware across partitioned networks and backups has made RDP a favorite target.” Interestingly, most of the organizations hit by ransomware had outsourced IT, and, of the organizations that paid the ransom, 64% had outsourced IT.

In recent years, governments, schools, and hospitals have stood out as some of the industries most prominently victimized by ransomware. Often, these organizations are targets of opportunity due to aging systems, lack of funding, limited personnel resources, and poor basic cybersecurity practices. They often rely heavily on outsourcing to vendors for the day-to-day management, patching, and updating of their systems. Additionally, a number of schools and other organizations, or their insurers, have paid the ransom, which only improves the ROI part of the equation for attackers.

A recent Vanderbilt study has also demonstrated the cost to human life as a result of ransomware attacks. As many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined that experienced ransomware attacks. From downtime and economic devastation, to loss of life, today’s ransomware is clearly beyond the scope of mere nuisance—it’s a deadly serious matter. So, what are we getting wrong, and what changes can we make to get it right when it comes to ransomware defenses?

Proven Ransomware Mitigation Strategies

There’s no silver bullet cyber defense to repel all varieties of ransomware, but there are strategic IT security practices and key technologies that will eliminate many types of ransomware outright and dramatically reduce your overall risk of suffering a devastating ransomware attack, or any other malware attack for that matter.

So, how can your organization significantly improve its chances at avoiding predation by ransomware?

1. Bolster your security around remote access pathways into your environment.

Remote access, particularly by third-party vendors, is often the weakest link in network security. Many factors contribute to the unique difficulties of securing third-party access. Vendors authorized to access the network and applications might not adhere to the organization’s same level of security protocols. Perhaps they use weak, or worse yet, default passwords, or share a single set of credentials amongst numerous people.

Last year, the FBI issued a public service announcement regarding the increased use of remote desktop protocol (RDP) by cyber threat actors, including using it to inject ransomware into compromised remote systems. In fact, according to research by Avast, some ransomware strains spread almost exclusively via RDP.

Another risky practice is the use of VPN to extend “secure” access to vendors. Hackers often target VPNs to compromise the supply chain and then steal sensitive company data. VPNs generally provide broad, often excessive, access to network resources. Not only does this create a potential surface for mischief, but it also gives even the legitimate third-party user access to far more than the one or two applications they might really need.

The steps you need to take to better control remote access should begin with eliminating “all or nothing” remote access for vendors—that means ditching those VPNs. Require all connections to be brokered through a single access pathway, to reduce the attack surface. Implement granular, role-based access to specific systems and defined session parameters. Vendors or internal users should only be permitted access to specific systems, for a specific allotted time, for specific applications or purposes. Administrators should also be able to approve or deny access requests.
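RDP password guessing is the entry point the FBI notice and the Avast research above describe, and it leaves a recognizable trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10) from one source, followed by a success (event 4624). The following Python snippet is an added example, not code from the original post; the event records are constructed sample data and the function name is my own.

```python
"""Flag RDP password guessing that ends in a successful logon, using
Windows Security event fields (constructed sample data, not real logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security events:
# (timestamp, EventID, LogonType, TargetUserName, IpAddress)
# 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2019-11-20T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-11-20T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2019-11-20T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2019-11-20T02:00:08", 4625, 10, "vendor", "203.0.113.7"),
    ("2019-11-20T02:00:10", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-11-20T02:00:12", 4624, 10, "vendor", "203.0.113.7"),
    ("2019-11-20T09:15:00", 4625, 10, "jsmith", "198.51.100.20"),
    ("2019-11-20T09:15:30", 4624, 10, "jsmith", "198.51.100.20"),
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, user, first_failure, success_time) tuples for every
    source with at least `threshold` failed RDP logons inside `window` that
    are followed by a successful RDP logon from the same source."""
    failures = defaultdict(list)  # source ip -> timestamps of failed logons
    hits = []
    for ts, event_id, logon_type, user, ip in sorted(events):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append(t)
        elif event_id == 4624:
            recent = [f for f in failures[ip] if t - f <= window]
            if len(recent) >= threshold:
                hits.append((ip, user, recent[0].isoformat(), ts))
            failures[ip].clear()  # one alert per guessing episode
    return hits


if __name__ == "__main__":
    for ip, user, first, success in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT: {ip} failed RDP logons from {first}, "
              f"then succeeded as {user} at {success}")
```

A lone failure followed by a success (the second source in the sample) stays below the threshold and is treated as an ordinary typo rather than an attack.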

BeyondTrust secure remote access solutions are built just for these use cases and more. With the BeyondTrust solution, you can manage and audit vendor and internal remote privileged access without the need for a dedicated VPN solution. Every privileged remote session is tightly controlled, monitored, managed, and audited. No vendor or remote access session should go below your radar.

2. Manage and secure privileged credentials

Compromised credentials are a well-known ingredient of almost all IT security incidents—ransomware is no exception. To execute, ransomware wants privilege. That’s why it’s critical to secure privileged credentials with an enterprise privileged password management solution—a core component of privileged access management (PAM) platforms—that will consistently discover, onboard, manage, rotate, and audit these powerful credentials. Once used, the credential can either be kept as is or immediately rotated. The best of these tools will even be able to eliminate embedded credentials and manage credentials for service accounts. Automated rotation of credentials and consistent enforcement of a strong password policy protect your organization from password re-use attacks and other password exploits.

3. Enforce least privilege

As G. Mark Hardy, CISSP, CISA, President, National Security Corporation noted, “Ransomware is not magic – it can only run with the privileges of the user or the application that launches it. Therein lies its weakness, and our chance to leverage tools to contain it before it starts.”

Sure, removing local admin privileges and applying least privilege access across all users, applications, and systems won’t prevent EVERY ransomware attack, but it will stop many of them. It will also mitigate the impact of those ransomware payloads that do gain a foothold in your environment by closing down lateral pathways and reducing the ability to elevate privilege. Least privilege can even mitigate the impact of stolen credentials. If the credentials are for a user, endpoint, or application with limited or no privileges/privileged access, then the damage will also likely be diminished.

The best way to enforce wholesale least privilege across your environment is with endpoint privilege management solutions, which are also a key component of PAM platforms. Segmenting systems and networks is another way to broadly ensure that any ransomware contagion is contained.

4. Patching & Vulnerability Management (VM)

Of course, one of the most fundamental ways to reduce ransomware and other exploits is simply staying up-to-date with patching and remediating known, published vulnerabilities. This condenses the attack surface, reducing the potential footholds in your environment available to attackers.

Most ransomware attacks do not leverage zero-days—if you’re effective at patching, that’s good news for you. And if a ransomware attack does happen to leverage a zero-day exploit, following strategies 1 – 3 above gives you favorable odds of avoiding the worst-case fallout, if not of escaping it altogether.

No single approach will defeat all types of ransomware. However, adhering to the four best practices outlined in this blog will drastically lower your risk of incurring a ransomware outbreak.

BeyondTrust can help you achieve each of the four best practices—and in an integrated fashion. With BeyondTrust on your side, you can increase end-user productivity, while vastly lowering your enterprise’s cyber risk. Contact us today to learn more.


Additional Reading

The Simple Ugly Truth of Ransomware (blog)

RDP: The Risk of Remote Desktop Protocol is far from “Remote” (blog)

Privileged Remote Access (demo video)

Privileged Access Management (PAM) Buyer’s Guide & Checklist (whitepaper)
