The President of the United States of America, Mr Joseph R. Biden, and Indian Prime Minister Shri Narendra Modi had their first in-person meeting and issued a joint statement covering all facets of the Indo-US relationship, including cybercrime. The only cybercrime subject singled out was ransomware, which marks it as the most serious emerging threat in cyberspace.
The challenge of ransomware is here and now. The latest major victim is the Public Department of the Tamil Nadu government. Of course, the Public Department is at fault too: it is still running Windows 7, which is out of support, and it has no credible anti-malware.
This is a two-part series on ransomware. The first part covers recommendations for fortifying and preparing your organisation against ransomware attacks. The second part covers what you can do if you become a victim of a ransomware attack.
Ransomware is a form of malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decryption. Ransomware is challenging because criminals make money directly from it, sometimes in excess of Rs 100 crore (INR 1 billion), so they keep adapting their tricks and their code. The exploitation is a mix of human follies and computer follies. Once inside the system, instead of locking just one end device or the devices in a single VLAN, the malicious actors move laterally to target critical data and propagate the ransomware across entire networks. They also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for the impacted organisation.
Sometimes the ransom is demanded in return for not exposing the data, generally personal data, in the public domain, lest that bring the wrath of customers, the personal data supervisory authority and, in some cases, law enforcement agencies.
The problem is not merely that some personal data will be exposed, which may draw a fine from the GDPR (or similar) authorities, but that the personal data may have been collected beyond lawful requirements, and the company may be in no position to explain why such data was collected in the first place. Fines in such cases can be very steep. Criminals know this, and so they try to exploit your vulnerability. Lesson one, therefore: do not store or process personal data beyond lawful requirements, and have your personal data policies in place stating why any personal data is being processed. This removes the criminal's bargaining chips.
The second most important tip is to align your cybersecurity policies and processes with any one standard, such as ISO/IEC 27001 and/or the NIST standards. Even if your company is not certified, if its policies and practices are aligned with a standard, then in the eyes of regulators and supervisors your company has made appropriate efforts to protect the data from cyber-attack. Everyone understands that a cyber-attack can still succeed, so the fear of the wrath of the legal authorities is that much less if data is exposed or the matter is reported to the authorities and they investigate your systems to help you. In the US, the FBI has stated categorically that while investigating any ransomware case, it will NOT report to any regulator, even if a flaw is found in your cybersecurity or anything else. The same is not true in India. The criminals know this and use it as leverage to exploit victims.
Now let's look at the issue from a technical perspective.
Access Control
Use an effective password policy, and enforce it without exceptions. Senior managers tend to demand exceptions for themselves on the grounds of age or lack of technical skill. Remember, for a good deal of ransomware they are the primary targets: they hold, interact with and process most of the business-critical information, and criminals can demand a larger sum if they manage to encrypt the laptops of senior functionaries.
Plan a shift to a passwordless approach, or use password management software.
Use two-factor or multi-factor authentication, especially for access to critical systems such as webmail, virtual private networks, and accounts that access critical systems.
Do not use a common password or shared credentials for all system administrators. Every person should have his or her own access credentials, with admin rights granted only as required for his or her role. Apply the principle of least privilege to all systems and services so that users have only the access they need to perform their jobs.
Limit local administrator accounts to local interactive logon (e.g., apply "Deny access to this computer from the network") and prevent them from logging in over an RDP session.
Deny users the ability to install and run software. If a user needs a piece of software, test it, where possible, in a sandbox or virtual environment and scan it with anti-malware before installing it on the user's system.
Make use of the Protected Users Active Directory group in Windows domains to further secure privileged user accounts against pass-the-hash attacks.
Follow the principle of least privilege: remove unnecessary accounts and groups, restrict root access, and, as noted above, limit local administrator accounts to local interactive logon.
Maintain close liaison with the Human Resources department so that when an employee leaves the organisation, her account is disabled immediately. Policy should state how long after a person leaves the job the account is to be retained; in any case, change the access controls immediately. In large organisations, automate this to avoid gaps between the IT and HR teams.
The HR department must also inform the IT department about any change in a person's role, so that the role-based access system is updated. Have a policy on how long access to old data is permitted after a role change.
Hold a weekly internal audit within the IT team to ensure that the data received from the HR department has been implemented according to policy. The CIO or Head of IT should undertake a sample audit, and the CISO or Head of IT Security should undertake a quarterly audit of access-control implementation. These audits are in addition to the compliance audits required by law, regulation or standard. Pay special attention to Remote Monitoring and Management accounts that are publicly accessible; this includes auditing third-party access given to MSPs.
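As an added example (not from the article), the following PowerShell script performs the kind of weekly access-control audit described above against an Active Directory domain: enabled accounts that have gone stale after a leaver or role change, password-policy exceptions, and privileged accounts missing from Protected Users. It assumes the RSAT ActiveDirectory module; the 45-day threshold, group list and report path are assumptions to be set from your own policy.

```powershell
# Added example, not part of the article. Weekly AD access-control audit.
# Assumes the RSAT ActiveDirectory module and an account that can read the domain.
# $StaleDays, $PrivGroups and $Report are assumptions; take them from your own policy.
Import-Module ActiveDirectory

$StaleDays  = 45                                   # HR leaver / role-change grace period
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'
$Report     = "C:\Audit\access-audit-$(Get-Date -Format yyyyMMdd).csv"

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Account, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Account = $Account; Detail = $Detail })
}

# 1. Enabled user accounts with no logon for $StaleDays days: likely leavers or
#    role changes that HR reported but nobody disabled.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Add-Finding 'StaleEnabledAccount' $_.SamAccountName "LastLogon=$($_.LastLogonDate)" }

# 2. Password-policy exceptions: accounts exempted from password expiry, the
#    classic "senior manager" carve-out the article warns against.
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties Title |
    ForEach-Object { Add-Finding 'PasswordNeverExpires' $_.SamAccountName $_.Title }

# 3. Privileged accounts not in Protected Users (which removes NTLM, credential
#    caching and delegation for its members, so a stolen hash is worth far less).
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
             Select-Object -ExpandProperty SamAccountName
$privileged = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Sam = $_.SamAccountName; Group = $g } }
}
$privileged | Where-Object { $protected -notcontains $_.Sam } |
    ForEach-Object { Add-Finding 'PrivilegedNotProtected' $_.Sam $_.Group }

# 4. Audit trail: persist the findings so the CIO/CISO sample audits can compare week to week.
New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null
$findings | Export-Csv -Path $Report -NoTypeInformation
$findings | Group-Object Check | Select-Object Name, Count | Format-Table -AutoSize
```

Every row in the CSV should map to an HR record (leaver, role change) or an approved exception; anything that does not is the finding to chase.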
Asset Management
Create an IT asset management policy.
Consolidate, preferably in automated form, an IT asset inventory covering logical assets (software, databases, applications) as well as hardware assets.
Undertake an ABC analysis of the assets after classifying them. Consolidate and restructure the distribution of assets where possible, so that enhanced security measures can be applied to Class A assets. This also gives you the priority list for recovery and helps negotiators decide how far they can push. Alarms and trip-wires can also be set up to protect critical assets. You may find the CIS Hardware and Software Asset Tracking Spreadsheet useful. Here is the link.
Create a backup policy. Class A assets should be backed up more frequently, while backup of Class C assets can be handled according to the organisation's ability to bear the cost and effort.
Backups of Class A logical assets should not only be automated but also kept OFFLINE. Ransomware criminals routinely attempt to obliterate or render useless any online backup.
Enhance Network Security
Disable Remote Desktop Protocol (RDP) services on all systems. RDP may be activated only for specific and recorded reasons, and deactivated again on completion of the session. Prevent RDP access through Group Policy, creating exceptions only for short durations. If a remote-access application such as AnyDesk is installed for a specific reason, its access code must be changed after every session.
Host the Domain Controller on a dedicated server with no other application. Each authorised user accessing the DC should use two different accounts: one for routine activities and one for administering the DC. The administrative account should have MFA enforced. Whenever anyone uses administrative services on the DC, a third person should be alerted automatically and should validate that use over a non-network channel.
Keep the network diagram updated at regular intervals. Clearly mark the physical and logical segmentation of the network and the IP schema used for each segment. Prepare a physical isolation plan for each segment so that it can be implemented at any moment with minimum loss of time. The access granted to work-from-home employees and to vendors for each segment must be clearly recorded. Data flow diagrams, especially for personal data, will help to stop an attack from spreading and to assess the damage.
Keep the PowerShell instance updated. Restrict the use of PowerShell, through Group Policy, to specific users on a case-by-case basis, and apply a very strict logging regime to those authorised users. Versions below 5.0 cannot have effective transcription logging enabled. The two logs that record PowerShell activity, the "Windows PowerShell" event log and the "PowerShell Operational" log, should be preserved for at least 6 months, or from one internal audit to the next. Auditors must check both logs for any unusual activity. If a SIEM or SOC is in place, copying both logs to it should be automated for daily review. Protect these logs from tampering.
Instituting a SIEM and log analysis can provide early warning and may stop criminals before they execute the final step of encryption. If a Security Operations Centre (SOC) is not possible, then at least a simple Security Information and Event Management (SIEM)
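As an added example (not from the article), here is a PowerShell script for the "RDP off by default, on only for a recorded reason" posture described above: it reports whether RDP is allowed, whether Network Level Authentication is required, which firewall rules are open and who has logged on over RDP in the last week, and it can switch RDP off or on while writing the justification to a ledger. The ledger path is an assumption; on a domain, enforce the same setting via Group Policy.

```powershell
# Added example, not part of the article. Reports the RDP posture of a Windows host and,
# with -Disable or -Enable, switches it for a recorded exception window. Run elevated.
# $Ledger is an assumption; on a domain, enforce the same state via Group Policy.
param(
    [switch]$Disable,
    [switch]$Enable,
    [string]$Reason,                               # required with -Enable: the recorded justification
    [string]$Ledger = 'C:\Audit\rdp-exceptions.log'
)
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    $fw   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    # Security event 4624 with logon type 10 (RemoteInteractive) is an RDP logon;
    # Properties[5] is the account, Properties[18] the source address.
    $rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
                 Where-Object { $_.Properties[8].Value -eq 10 } |
                 ForEach-Object { "$($_.Properties[5].Value)@$($_.Properties[18].Value)" } |
                 Sort-Object -Unique
    [pscustomobject]@{
        RdpAllowed      = ($deny -eq 0)            # 0 = connections allowed, 1 = denied
        NlaRequired     = ($nla -eq 1)
        FirewallRulesOn = @($fw | Where-Object { $_.Enabled -eq 'True' }).Count
        RecentRdpLogons = ($rdpLogons -join ', ')
    }
}

New-Item -ItemType Directory -Path (Split-Path $Ledger) -Force | Out-Null
if ($Enable) {
    if (-not $Reason) { throw 'Re-enabling RDP requires -Reason for the exception ledger.' }
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1   # require NLA while open
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    "$(Get-Date -Format o) ENABLE  $env:USERNAME $Reason" | Add-Content -Path $Ledger
} elseif ($Disable) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    "$(Get-Date -Format o) DISABLE $env:USERNAME" | Add-Content -Path $Ledger
}
Get-RdpPosture
```

Run it with no switches from a scheduled task and compare the ledger with the reported state: an `RdpAllowed = True` host with no matching ENABLE entry is an unrecorded exception.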
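As an added example (not from the article), this PowerShell script enforces and verifies the logging regime described above on a single host: it checks the 5.0 version floor, writes the same policy registry values that the Group Policy settings for script block logging, module logging and transcription write, sizes the two logs for retention, and produces the daily per-user summary the auditors or SIEM would consume. The transcript share and log sizes are assumptions; on a domain, set the same values via GPO.

```powershell
# Added example, not part of the article. Enforces and checks the PowerShell logging regime.
# Run elevated in Windows PowerShell 5.1. $TranscriptDir and the log sizes are assumptions.
$base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = '\\logserver\pstranscripts$'   # write-only for users, readable by auditors

if ($PSVersionTable.PSVersion.Major -lt 5) {
    Write-Warning 'PowerShell below 5.0: script block logging and the transcription policy are unavailable.'
}

# The policy keys that the GPO settings "Turn on PowerShell Script Block Logging",
# "Turn on Module Logging" and "Turn on PowerShell Transcription" write.
$policy = @{
    "$base\ScriptBlockLogging" = @{ EnableScriptBlockLogging = 1 }
    "$base\ModuleLogging"      = @{ EnableModuleLogging = 1 }
    "$base\Transcription"      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $TranscriptDir }
}
foreach ($key in $policy.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $policy[$key].Keys) {
        $value = $policy[$key][$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        Set-ItemProperty -Path $key -Name $name -Value $value -Type $type
    }
}
# Module logging also needs a ModuleNames subkey; the value '*' = '*' logs every module.
$mn = "$base\ModuleLogging\ModuleNames"
if (-not (Test-Path $mn)) { New-Item -Path $mn -Force | Out-Null }
New-ItemProperty -Path $mn -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Retention: both logs large enough to span an audit cycle; forward them to the SIEM
# as well, since a local ring buffer alone can be rolled over or cleared by an intruder.
Limit-EventLog -LogName 'Windows PowerShell' -MaximumSize 256MB -OverflowAction OverwriteAsNeeded
wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824

# Daily audit view: who ran script blocks in the last 24 hours, and how many.
# Event 4104 carries the de-obfuscated script text; the record's UserId is the runner.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object { $_.UserId } |
    ForEach-Object {
        $grp  = $_
        $acct = try { $grp.Group[0].UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { $grp.Name }
        [pscustomobject]@{ User = $acct; ScriptBlocks = $grp.Count }
    } | Sort-Object ScriptBlocks -Descending | Format-Table -AutoSize
```

Any account in the daily table that is not on the Group Policy allow-list for PowerShell is the unusual activity the auditors are asked to look for.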
Reporting
In Indian cyberspace, a ransomware attack can be reported to the central agency at cybercrime.gov.in or on phone number 155260 from anywhere in India. You may also report it to the local cyber crime police station, or to the local police, though the latter may not be of much help beyond keeping the matter on record.
Ransomware threats can jeopardise the very survival of a company. Paying the ransom is not a solution; it only empowers the criminals to return with more vengeance and motivation. It is therefore necessary to take every possible measure to prevent such an attack. In the next part, we will see what steps can be taken if the criminals succeed in encrypting your systems.
(Part 2 will cover how to handle a ransomware attack that has already occurred.)
Image Source : https://www.securitymagazine.com/articles/95487-nist-publishes-draft-cybersecurity-framework-for-ransomware-risk-management