This week the NCSC issued a warning of the evolving risks posed by Ransomware, with increasingly sophisticated techniques being used to extort money from businesses around the world.
What is Ransomware?
Ransomware is a type of malware which uses extortion to obtain money from its victims. Ransomware locks the files and data on a computer system, usually by encrypting the files, and the criminals behind the attack demand a payment in return for unlocking the files.
How Ransomware is evolving
According to the advisory, ransomware threat actors demonstrated increasing technological sophistication through 2021.
The top three initial infection vectors used for ransomware in 2021 were:
- Phishing emails
- Remote Desktop Protocol (RDP) abuse through stolen or brute forcing credentials
- Exploiting software vulnerabilities
There was a move to a more organised ransomware marketplace last year in what the report calls the ‘professionalisation’ of ransomware with the increased use of Ransomware-as-a-Service (RaaS). The RaaS services evolved to be more than simply providing ready to use software tools, the NCSC reports that RaaS services now include ‘independent services’ to assist with the negotiation of payments, help for victims to make payments and even dispute arbitration and the provision of 24*7 helpdesks to expedite payment and system recovery once decryption keys have been provided.
After encrypting their victim’s network, threat actors are more often using ‘triple extortion’ threats in order to motivate their victims to pay: threatening to publicly release stolen information, disrupt the victim’s internet access and inform the victims shareholders and partners about the attack.
The increased adoption of cloud infrastructures has resulted in ransomware developers creating tools designed to attack cloud service providers, API platforms and cloud storage. Attack vectors include exploiting vulnerabilities in cloud platforms and compromising on-premise networks and then using their trusted connections to access cloud infrastructures.
Managed Service Providers (MSP) are being increasingly targeted because the threat actors know that compromising one MSP will yield trusted access into the heart of all their client’s networks (think Kaseya for one example). Similarly the software supply chain came under increasing attack, again because threat actors understand that compromising one supplier can result in their code being transported into the networks of all of that supplier’s customers. (Think Solarwinds for example).
Finally, ransomware actors are more frequently launching their attacks on weekends and public holidays in order to exploit lower staffing levels in the victim’s IT teams during these times.
How to defend your network against Ransomware
Strengthen your network protections to defend against the tactics and techniques used by ransomware operators:
Keep all operating systems and software up to date
Ransomware authors use known software vulnerabilities to gain access to their victims networks and to enable lateral movement within the network. Establish a regular monthly patching cycle to ensure systems are kept up to date. Do not forget to patch virtual machines and cloud systems as this is usually the customer’s responsibility. The CISA maintains a useful list of known exploited software vulnerabilities which will help you to prioritise patching if you know your systems are not up to date.
Automated vulnerability scanning is recommended to identify systems that need patching, especially on larger networks with many devices.
Secure and monitor RDP and risky connections
Remote Desktop access and other similarly risky remote access services need particular attention both to keep them secure and to monitor them for abuse.
Prevent credential theft and re-use by requiring multi-factor authentication for RDP connections.
Ensure systems are securely configured, applying proven security baselines where they are available. If RDP is not used then block it at the firewall to prevent ingress (on port 3389).
SMB file sharing (Server Message Block and Samba) is often used to propagate malware across a network – if you do not need it in your network, disable it on your servers.
Review the security posture of external networks you connect to – supplier and client systems for example. Ensure those network interconnects are placed on isolated LAN segments to protect your network from a breach in a connected network.
Raise Awareness through training
Technical controls will never successfully block all incoming phishing emails and spam, so use Security Awareness Training to help you staff spot fraudulent emails and phishing attempts.
Require MFA for all external services
Require multi-factor authentication for all services published to the internet. This includes webmail, VPNs and Office 365 environments (Sharepoint and Outlook webmail).
Set unique passwords
Ensure all accounts on your network have unique and strong passwords set. The same password should not be reused across multiple accounts and passwords used by system admins should not be stored on the network where an attacker could find them – use a password manager that employs strong encryption to protect login information.
Protect your backups
Protect cloud storage by backing up to multiple locations that are protected by MFA for access and ensure the backups are encrypted.
Segment your network
Network segmentation can help prevent the spread of ransomware across your network. This is especially important where your organisation has international operations and VPN links or interconnections with the networks of suppliers or customers. Internal and external penetration tests are essential to ensure your network segmentation is actually working.
Use Intrusion Detection Systems
Automated tools that monitor network activity for indicators of ransomware activity can help detect a network breach quickly.
The full security advisory contains more details and advice that security managers can use to protect their networks from the evolving risks posed by ransomware.
Further information for UK organisations can be found on the NCSC Ransomware hub.