GandCrab, SamSam, WannaCry, NotPetya—they’re all different types of ransomware and they’re hitting businesses hard. Cybercriminals recognize big business translates to big payoffs, targeting hospitals, government agencies, and commercial institutions. All told, the average cost of a data breach, including remediation, penalties, and ransomware payouts, works out to $3.86 million.

Ransomware was one of the biggest malware threats of 2018, and it continues to disrupt the operations of businesses and the daily lives of individuals all over the world in 2019.
The 2019 ransomware landscape is quite diverse – security researchers track over 1,100 different ransomware variants preying on innocent web users. As this number is constantly growing and ransomware is becoming more sophisticated, we had a great discussion with Matthew McWhirt (Senior Manager, FireEye Mandiant) about the strategies to safeguard your organization, and how you can fight against it. Below are the excerpts:


Ransomware, one of the fastest-growing malware hazards of the 21st century, continues to threaten businesses and public institutions around the world. What is the best backup strategy to protect against ransomware and who is at risk in a ransomware attack?

Having a tested and practiced backup strategy is key to successfully restoring and reconstituting an environment following a ransomware attack.  Common challenges that companies face with backup and recovery efforts include:

  • The backups are encrypted, and therefore, cannot be used for recovery and reconstitution efforts
  • Production data that was encrypted was never backed up
  • Restoration processes and procedures have never been tested and vetted
  • Systems that support identity and authentication services are encrypted, and a recent point-in-time snapshot is not available

Organizations must first ensure that key data is backed up and either stored offline, or resident in an isolated enclave within the network – which cannot be accessed using privileged credentials that may be exposed within the environment. Secondly, organizations should practice recovery and reconstitution efforts, to ensure that backup and recovery processes function as intended. Lastly, organizations should verify that if an identity and authentication platform (e.g., Active Directory Domain Controllers) is impacted, a recent (24 hour) point-in-time snapshot is available for reconstitution.
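The four failure modes listed above (encrypted backup copies, production data that was never backed up, an untested restore path, and a stale identity snapshot) can each be turned into a routine check. The script below is an added example written for this page, not code from FireEye Mandiant or from the interview: it records a SHA-256 manifest when a backup is taken, later flags backup files whose content no longer matches (the fingerprint of a backup set that was encrypted or deleted), lists production files absent from the manifest, performs a trial restore into a scratch directory and re-verifies it there, and checks a snapshot timestamp against the 24-hour window the interview mentions. The directory layout, file names and the 30-hour-old snapshot time in `run_demo()` are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MAX_SNAPSHOT_AGE = timedelta(hours=24)  # the 24-hour window from the interview


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its digest at backup time.
    Store this manifest somewhere the backup share cannot overwrite it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def find_tampered(manifest, root):
    """Backup files that are missing or whose content no longer matches the manifest:
    the signature of a backup set that was encrypted or deleted after it was taken."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or sha256_file(full) != digest:
            bad.append(rel)
    return sorted(bad)


def find_unbacked(production_root, manifest):
    """Production files with no entry in the backup manifest (never backed up)."""
    missing = []
    for dirpath, _, files in os.walk(production_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), production_root)
            if rel not in manifest:
                missing.append(rel)
    return sorted(missing)


def snapshot_is_recent(snapshot_time, now, max_age=MAX_SNAPSHOT_AGE):
    """True if a point-in-time snapshot (e.g. of a domain controller) is within max_age."""
    return (now - snapshot_time) <= max_age


def trial_restore(backup_root, manifest, restore_root):
    """Restore every file in the manifest to a scratch location and re-verify it there,
    so the restore path itself is exercised rather than assumed to work."""
    for rel in manifest:
        dst = os.path.join(restore_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_root, rel), dst)
    return find_tampered(manifest, restore_root) == []


def run_demo():
    """Constructed scenario: three production files, a backup taken of only two of them,
    then one backup copy overwritten with junk bytes the way encryption would."""
    work = tempfile.mkdtemp()
    prod, backup, restore = (os.path.join(work, d) for d in ("prod", "backup", "restore"))
    os.makedirs(os.path.join(prod, "finance"))
    for rel, data in [("finance/ledger.csv", b"acct,amount\n1001,250\n"),
                      ("notes.txt", b"quarterly notes\n"),
                      ("never_backed_up.db", b"\x00\x01\x02")]:
        with open(os.path.join(prod, rel), "wb") as f:
            f.write(data)
    for rel in ("finance/ledger.csv", "notes.txt"):  # back up two of the three files
        dst = os.path.join(backup, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(prod, rel), dst)
    manifest = build_manifest(backup)
    restore_ok = trial_restore(backup, manifest, restore)
    with open(os.path.join(backup, "notes.txt"), "wb") as f:  # simulate the backup share being hit
        f.write(os.urandom(32))
    now = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
    results = {
        "tampered": find_tampered(manifest, backup),
        "unbacked": find_unbacked(prod, manifest),
        "restore_ok": restore_ok,
        "dc_snapshot_recent": snapshot_is_recent(now - timedelta(hours=30), now),
    }
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The manifest is the piece that makes the tamper check meaningful: if it lives on the same share as the backups, an attacker with the share's credentials can rewrite both, which is the reason the interview stresses storage that privileged credentials in the environment cannot reach.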

What would be a good backup strategy for small-medium sized practices, against the threat of ransomware?

Small and medium-sized enterprises face the same threats as large enterprises; however, they are often more vulnerable. This is because such businesses typically lack the advanced and sophisticated security technologies necessary to effectively block this malware. Without the help of experienced cyber security partners, these mid-market organizations simply don’t stand a chance against advanced attackers that are used to targeting government bodies and some of the world’s largest enterprises.

What are the criteria for choosing a cybersecurity defense against ransomware?

A successful ransomware deployment requires that three factors be exploited:

  • Access
  • Credentials
  • Connectivity

With access, if an attacker is able to successfully gain initial access to an environment (e.g., phishing), an attacker has a foothold that they leverage for reconnaissance and further exploitation. With credentials, if an attacker is able to obtain valid credentials for an account that has access to a large scope of systems within an environment (e.g., local administrator, domain administrator account), an attacker will leverage this for lateral movement. With connectivity, if an environment has a relatively flat network, where little to no segmentation exists between systems, an attacker will abuse this configuration to further exploit systems, maintain access, and deploy ransomware.

Defenses should cover security controls and protections that harden initial access vectors, minimize the exposure of privileged credentials within an environment, and those that enforce segmentation between endpoints within an environment.  If an organization is able to harden controls that take away one of these factors from an attacker, the organization will be better prepared to defend against a large-scale ransomware outbreak within their environment.

What are the major challenges of ransomware faced by the IT/ITES industry? Does a typical ransomware only ‘attack’ certain folders/file types?

Exploiting the trusted nature of connectivity and credentials that can be shared and leveraged between systems is a common tactic that attackers use when staging and deploying ransomware. Many organizations are not fully aware of the scope of privileged accounts that exist, are not enforcing restrictions for how privileged accounts can be utilized on common endpoints, and are not creating segmentation between systems (even if just workstation to workstation communications). Once an attacker is able to establish a foothold, gather credentials, and then pivot between systems, it’s game over.

If an organization is able to harden their environment so that privileged credentials are not exposed (on disk or in memory) on common endpoints, in addition to creating a tiered architecture which yields segmentation at both the endpoint and account layers – this can go a long way to successfully reducing the risk of a successful ransomware attack impacting the environment. While this strategy alone may not stop an initial event from occurring, what it will do is prevent an initial event from cascading into a large-scale incident.
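A tiered account model is only as good as its enforcement, and the quickest way to find out whether privileged credentials are landing on common endpoints is to look at successful logon events. The detection below is an added example for this page, not code from the interview or from FireEye Mandiant. It runs over a constructed, simplified CSV rendering of Windows logon events (timestamp, event ID, account, host, logon type; real Security log records are XML with many more fields) and flags any account in an assumed "Tier 0" set (`TIER0_ACCOUNTS`) that successfully logs on (event 4624) to a host matching an assumed workstation naming convention (`WS-`). Logon types that leave a reusable credential on the target (2 interactive, 4 batch, 5 service, 10 remote interactive, 11 cached interactive) are rated high, because those are the sessions whose credential material can be harvested from disk or memory; a network logon (type 3) is still a tiering violation but is rated medium.

```python
from typing import Dict, Iterable, List, Set

# Logon types for which Windows keeps a reusable credential on the target host.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

# Assumption: the organization's own list of Tier 0 (domain-wide) accounts.
TIER0_ACCOUNTS: Set[str] = {r"CORP\da-admin", r"CORP\svc-backup"}


def is_workstation(host: str) -> bool:
    """Assumed naming convention: workstations are named WS-<number>; anything else is a server."""
    return host.upper().startswith("WS-")


def parse_event(line: str) -> Dict:
    """Parse one constructed CSV record: time,event_id,account,host,logon_type."""
    ts, event_id, account, host, logon_type = [p.strip() for p in line.split(",")]
    return {"time": ts, "event_id": int(event_id), "account": account,
            "host": host, "logon_type": int(logon_type)}


def find_tier_violations(lines: Iterable[str], tier0: Set[str] = TIER0_ACCOUNTS) -> List[Dict]:
    """Return every successful logon of a Tier 0 account to a workstation,
    rated high when the logon type caches a credential on that workstation."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event_id"] != 4624:            # only successful logons
            continue
        if ev["account"] not in tier0 or not is_workstation(ev["host"]):
            continue
        severity = "high" if ev["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES else "medium"
        findings.append({**ev, "severity": severity,
                         "reason": "Tier 0 account used on a workstation"})
    return findings


# Constructed sample records: a normal user logon, a domain admin RDP session to a
# workstation, the same admin on a domain controller (expected), a backup service
# account running as a service on a workstation, a network logon, and a failed logon.
SAMPLE_LOG = """
2019-05-14T08:02:11Z,4624,CORP\\jsmith,WS-0142,2
2019-05-14T08:05:40Z,4624,CORP\\da-admin,WS-0142,10
2019-05-14T08:06:02Z,4624,CORP\\da-admin,DC01,2
2019-05-14T08:09:19Z,4624,CORP\\svc-backup,WS-0201,5
2019-05-14T08:11:47Z,4624,CORP\\da-admin,WS-0201,3
2019-05-14T08:12:03Z,4625,CORP\\da-admin,WS-0203,3
"""


def run_demo() -> List[Dict]:
    return find_tier_violations(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['time']} {f['severity']:6} {f['account']} -> {f['host']} (type {f['logon_type']})")
```

Each high finding here corresponds to a credential that a foothold on that workstation could harvest; the same account set can be turned into a preventive control by denying those accounts the interactive, service, batch and remote-interactive logon rights on the workstation tier, which is the "restrictions for how privileged accounts can be utilized on common endpoints" the answer describes.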

Why is a simple backup strategy not enough to tackle a ransomware attack? What are your views on this?

While having backups is key to positioning for a successful recovery and reconstitution approach, just having a restoration strategy defined won’t protect against an attacker’s ability to potentially gain initial access to an environment, obtain credentials, and laterally pivot to deploy ransomware.

Without a defensive game plan that is practiced and adjusted to account for weaknesses and identified gaps, an organization won’t be positioned to successfully defend against an attacker that is focused on deploying ransomware. 

Based upon the previously mentioned steps for hardening against access, credentials, and connectivity – an organization needs to be focused on implementing practical controls and defenses which take away the game plan leveraged by most attackers when their goal is to deploy ransomware and disrupt operations.

Email remains the most common vector for ransomware infection. What is your take on that and measures to reduce the threat?

Ransomware often uses weaponized email messages as an initial exploit method to reach victim systems. Email-based ransomware is generally used in targeted attacks, and relies on a variety of methods to exploit an endpoint, including malicious attachments and emails that contain links to malicious external URLs. Most reported ransomware infections have been introduced via email attachments or embedded links. In fact, one in every 101 emails contains a malicious link or attachment, according to the recent Gartner report titled ‘Fighting Phishing- 2020 Foresight’. The report also mentions that ransomware damages reached $5B in 2017.

Thus, it is important to ensure this vector is protected, and organizations are able to protect themselves against email-borne attacks. The important components of such email security are given below:

  • Detection of and protection from targeted threats such as ransomware to safeguard business assets
  • Real-time, automated protection from spear-phishing and other socially engineered attacks to minimize imposter calls-to-action
  • Flexible deployment models to support on-premises, cloud and hybrid email environments
  • Comprehensive, contextual threat intelligence to provide the security teams the information they need to respond to threats
  • Protection from hard-to-detect multi-stage and multi-flow attacks

What are the responses of the companies who have used the Mandiant services? 

Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage. So far in 2019, we’ve already responded to 2X the number of ransomware attacks that we responded to in 2018.

We recently published a playbook of recommendations that we’ve used with clients when responding to ransomware attacks. The practical hardening guidelines that we published in a detailed whitepaper are the same ones that clients are required to implement to both contain and harden their environment during or after a ransomware event. These same steps, if done proactively, can prevent a single event from cascading into a large-scale ransomware incident within an environment.
