You may have seen recent news articles about large organizations, such as manufacturing giant Norsk Hydro, Garfield County, Utah, and the City of Albany, New York, falling victim to ransomware attacks. What you probably don’t know, because it typically doesn’t make the news, is that these cyber-extortionists are also actively targeting small manufacturers and other businesses, and hundreds of these organizations are falling victim.
Small business victims typically find out about that they’ve been attacked when they come into work in the morning and find all of the files on their PCs, servers and network drives encrypted. Next to the encrypted files they find a notice from the attacker with a demand for payment in exchange for decryption keys to unlock the files. The payment demands can range from tens of thousands to hundreds of thousands of dollars.
Attackers are finding that small businesses, especially manufacturers, are perfect targets for these types of attacks for several reasons:
- The businesses allow employees remote access with just a user ID and password.
- Employees that aren’t significantly tech savvy are prone to use bad password practices.
- Servers and networks are configured with default security settings and aren’t actively monitored for signs of attacks.
- Backups are inconsistent and may not be adequately protected from destruction.
- Users tend to store critical information on desktops and laptops rather than network shares.
- Even short periods of downtime can have significant financial costs.
Business that identify themselves as fitting some of the criteria above are likely at a high level of risk for ransomware attacks. However, there are fairly straightforward steps that your organization can take to reduce its risk. The following is an outline on how a ransomware or cyber extortion attack typically proceeds that includes steps a business can take to help block the attack at each phase.
- Much of the time, attackers performing this type of cyber extortion gain access to the network by guessing employee passwords for remote access (VPN, remote desktop or virtual desktop protocols). Your organization should:
- Enforce multi-factor authentication for all remote access.
- Limit user accounts that have remote access to those employees with a business need.
- Consider switching from passwords to 15+ character passphrases to protect against a variety of password theft attacks.
- Make sure vulnerable network services are not exposed to the Internet by having periodic external vulnerability scanning performed.
- If not via remote access, attackers gain initial access through email phishing attacks leading to malware installation. Your organization should:
- Make certain all workstations have up-to-date anti-virus.
- Use a web filter to block access to malicious websites.
- Default deny outbound traffic through the firewall to block malware command-and-control channels.
- Once they have a foothold, attackers use a myriad of tricks to gain administrative access to the Active Directory domain. Your organization should:
- Discontinue use of default or shared administrator accounts, instead using named user accounts for each domain administrator.
- Separate domain administrator accounts from users’ daily-use accounts and only use domain administrator accounts for administrative tasks.
- Remove any accounts not requiring domain administrator access from the Domain Admins group.
- Attackers often use PowerShell scripting to automate deployment of their ransomware across a Windows network. Your organization should:
- Configure PowerShell to run in “Constrained Language Mode.”
- Enable PowerShell “Script Block Logging.”
- Logs set with Windows default settings only hold one to two days’ of authentication log data and are often insufficient to determine the origin and extent of the attack. Your organization should:
- Configure Windows systems to retain at least six months of security event log data.
- Backups are often insufficient to recover the encrypted data. Your organization should:
- Configure all servers with working backups.
- Require employees to store critical files on servers rather than laptops.
- Protect backups offline or in the cloud in a way that they can’t be destroyed by an attacker with control of the network and servers.
Should your organization require assistance assessing its risk or determining its level of preparedness for ransomware and other cyber extortion attacks, reach out to Sikich’s team of cybersecurity experts. Sikich is able to partner with you to improve your security posture, including offering virtual Chief Information Security Officer (CISO) consulting or performing any number of security services such as risk assessments, network security assessments, penetration testing, and vulnerability scanning.