Ransomware is the most common cyber threat that Canadians face and it is on the rise. During a ransomware attack, cybercriminals use malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it.
Ransomware can have severe impacts including core business downtime, permanent data loss, intellectual property theft, privacy breaches, reputational damage and expensive recovery costs.
In an open letter from the Canadian Centre for Cyber Security (CCCS), they wrote, “Fellow Canadians, Since the beginning of the COVID-19 pandemic, we have all been reminded of how crucial the internet is to our way of life. More and more of us have been working and studying from home and conducting business online, and it is therefore more important than ever that we take steps to remain cyber safe.
Across the world, we have seen a marked rise in the volume and range of cyber threats – and Canada is no exception. This includes a surge in ransomware incidents – a tactic wherein threat actors deny access to an organization’s most important informational or vital systems until organizations pay the threat actor, usually in digital currency. This year, we have seen a growing number of ransomware threats targeting Canadian small and medium-sized businesses, health care organizations, utility organizations, and municipalities.
There is, however, good news. By adopting basic but appropriate cyber security practices, we can all help stop the vast majority of cyber incidents targeting Canadians.
You, and your organization, are not alone.
The Communications Security Establishment’s Canadian Centre for Cyber Security (the Cyber Centre) and the Royal Canadian Mounted Police (RCMP) urge all Canadian organizations and businesses to take steps to review and strengthen the cyber security of your networks, systems, and information – and we are here to help.
Together with law enforcement agencies, and other federal and international partners, we are working hard to make threat information more publicly available and provide you with specific advice and guidance to help you stay safe from the impacts of ransomware. Canada is also working closely with our allies to pursue cyber threat actors and disrupt their capabilities. We are also assisting in the recovery of organizations compromised by ransomware, and helping them to be more resilient going forward.
To keep yourselves and all Canadians safe, we’re asking you to take action. Our national cyber security must involve efforts from industry partners, small and medium sized businesses, and all Canadians. Our message is clear: taking basic steps to ensure your organization’s cyber security will pay swift dividends.
Taking action is worth it.
To assist your organization, the Cyber Centre has published best practice guidelines. As Canada’s national technical authority for cyber security, the Cyber Centre provides extensive advice and recommended IT actions to organizations to help mitigate the threat of ransomware. Canadian organizations should invest in these inexpensive but effective baseline cybersecurity controls to limit their exposure to cyber attacks. You can refer to the Ransomware Playbook for specific advice. Once you have implemented these practices, we encourage you to register with the CyberSecure Canada program, thus attesting to your cyber security status and certifying that protective measures are in place.
If your organization is threatened with or falls victim to ransomware, you should implement your recovery plan, seek professional cyber security assistance, and immediately report the incident to the Cyber Centre’s online portal as well as your local police. Timely reporting is critical to help us identify the threat vector and update our guidance, make linkages across separate incidents, launch law enforcement investigations and take action against cybercriminals, and ultimately reduce the risk to other Canadians.
It’s time to think seriously about cyber security. We urge you to take stock of your organization’s online operations, protect your important information and technologies with the latest cyber security measures, build a response plan, and ensure that your designated IT security personnel are well-prepared to respond to incidents.
Your government is here to help. Together, we can make Canada the most cyber secure place to conduct business and other activities online.”
Ransomware Case Study: the Conti Group
In a separate article by CCCS, they wrote, “This case study describes the typical methods of the Conti ransomware group, one of the most prolific cybercriminal groups in operation.
Even by ransomware standards, Conti is regarded as one of the most ruthless and damaging gangs, frequently targeting hospitals, medical networks and other critical services.
In a typical attack Conti actors steal, encrypt and/or delete files. They also threaten to leak sensitive data if the ransom is not paid, a tactic known as “double extortion.”
A typical Conti ransomware attack takes place in four stages: reconnaissance, intrusion, infection and impact.
Stage 1: Reconnaissance
Conti actors gather information to identify high-value targets such as hospitals and other organizations that provide essential services or hold sensitive data. They use Internet searches, system scans and information shared on the Dark Web, such as stolen passwords or login credentials. Conti actors continue to gather information throughout the attack cycle to leverage greater ransoms and to ensure payment is not withheld.
Stage 2: Intrusion
Conti actors typically gain illicit access to the victim’s system either through stolen credentials or through spear phishing emails containing malicious attachments or links. Unlike generic phishing attempts, spear phishing emails are personalized to the recipient, making them more convincing.
Often the malicious attachment appears to be a regular file type, such as Word, Excel or PDF, but when the victim opens it, malware, such as TrickBot, IcedID, or BazarLoader, downloads and executes on their device.
Stage 3: Infection
Once the first device is infected with malware, Conti actors will often install Cobalt Strike software as a command and control (C2) mechanism to coordinate the next phase of the attack.
They exploit unpatched vulnerabilities and often use tools already available on the victim network to gain persistent access.
They use remote execution software (such as PSExec and Remote Desktop Protocol) to move laterally across the victim network, obtaining credentials and escalating privileges without triggering anti-virus software.
This process allows them to spread the infection to all connected devices on the network.
Stage 4: Impact
At this point, the Conti actors deploy the ransomware, exfiltrating (stealing), deleting or encrypting the victim’s sensitive data.
They employ a double extortion technique in which they demand a ransom to restore the encrypted data, while threatening to leak it publicly if the ransom is not paid. They may in fact have already deleted the data, but the victim does not know that.
Since January 2020 Conti leaked several hundred gigabytes of data stolen in over 450 cyber attacks against Canadian and international organisations. This is based on information from Conti’s own “Ransomware Leak Site”. We assume that many more victims have paid ransom without having their data published online.
Conti has publicly claimed to have compromised and stolen data from at least 24 Canadian victims by September of 2021. More than half of those belonged to the machinery, professional services, real estate, and specialty retail sectors.
As of September 2021, the Conti group’s average ransom payment is $373,902 USD.
Case Study Conclusion:
The Conti group is one of the most sophisticated ransomware groups in operation. However, at every step of this process, there are cyber security tools and practices that can prevent or mitigate the impact of ransomware attacks.
You can find further resources on ransomware, including how to defend against it, on the Cyber Centre’s dedicated ransomware page.”
Ransomware: How to Prevent and Recover
In an additional article by the CCCS, they wrote, “Ransomware is a type of malware that ultimately denies a user’s access to files or systems until a sum of money is paid. Ransomware can use your network to spread to all connected devices. There are two prominent types of ransomware:
- Crypto ransomware removes access to your files by replacing them with encrypted data.
- Locker ransomware blocks the login access on your device.
Devices are often infected with ransomware by clicking on links or downloading attachments placed in unsecure websites, phishing emails, and social media applications. Threat actors often scout your networks for information they can exfiltrate and monitor your communication methods prior to deploying the ransomware.
If your device is infected with ransomware, you will receive a ransom notice on your screen indicating your files have been encrypted and are inaccessible until the ransom is paid. Threat actors will often threaten to destroy your data permanently, or release your data publicly, if you do not pay the ransom in the time limit requested. Payment is often requested in the form of digital currency, like bitcoin, since the transfer would be difficult to trace. Prepaid credit cards or gift cards may also be requested.
How can I prepare my organization?
There are several ways you can minimize your risk and prepare your organization if a ransomware attack occurs.
Plan ahead. Develop an incident response plan to address how your organization will monitor, detect and respond to an incident, such as a ransomware attack. Your plan should also include a backup, recovery, and communication plan. Your incident response plan should designate roles for your employees and provide them with detailed instructions in the event of an incident.
Provide security awareness training for employees. Provide employees with tailored cyber security and device management training to ensure they don’t fall victim to malicious activities such as phishing emails and infected downloads.
Practice recovering. Test your incident response and recovery plan by conducting simulations or walk-through exercises. The scenario should test the effectiveness of your response and highlight areas requiring improvement.
Consider cyber insurance. Research cyber insurance providers and policy details to determine whether it would benefit your organization.
How can I protect my organization?
Back up your data. Implement a backup plan for your organization. A backup is a copy of your data and systems that can be restored and provide you with access to your critical systems in the event of an incident. Backups should occur frequently to ensure your data is as close to real time as possible. Create many security barriers between your production systems and your backups and ensure your backups are stored offline without connection to the internet or local networks. Threat actors can infect your backups with ransomware if they are connected to your networks, which will hinder your efforts to recover. Testing your backup process is also crucial to a quick and effective recovery.
Practice the principle of least privilege. Manage and monitor user accounts and access by applying the principle of least privilege, which advises on providing employees with access to only those functions and privileges necessary to complete their tasks. Restrict administrative privileges and require confirmation for any actions that need elevated access rights and permissions.
Update and patch systems. Check for updates and patches to repair known bugs and vulnerabilities in your software, firmware, and operating systems. Threat actors can exploit unpatched or unsupported systems and devices easily.
Disable macros. Ensure you disable macros as your default to reduce the risk of ransomware being spread through Microsoft Office attachments.
Segment Networks. Divide your network into several smaller components, which makes it more difficult for ransomware to spread across the entire network.
Set up security tools. Install anti-malware and anti-virus software on your devices to detect malicious activity and secure your network with a firewall to protect connected devices. Consider installing Domain Name System (DNS) filtering on your mobile devices to block out malicious websites and filter harmful content. You can also implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication and reporting system that helps to protect your organization’s domains from spoofing, phishing, and other malicious activities.
Seek professional cyber security assistance. Engaging with a cyber security professional early on may enable you to recover your systems and data more quickly than relying on your internal IT staff when facing a cyber incident.
How do I recover from an attack?
Consider the following steps to help remove and reduce the spread of ransomware.
1. Isolate the device immediately. Take your devices offline to stop the ransomware from spreading to other connected devices. Some strains of ransomware are designed to stay dormant on a device and quietly spread to other network connected devices before encrypting the files. In these cases, you may not be able to stop the ransomware from spreading.
2. Identify the type of ransomware. Use the information in the ransom note (e.g. listed URLs) and the new file extensions your encrypted files inherited, to research possible reoccurring attacks and identify the ransomware. If you locate a decryption tool online, proceed to Step 3.
3. Remove the ransomware. Use the online decryption tool to remove the ransomware from your devices, which should decrypt your files and make them accessible.
4. Reset the device and wipe all the data. If there is no decryption tool available online for your strain of ransomware, safely wipe your device and reinstall the operating system.
5. Restore from your backup. Analyze your backup files and ensure they are free of the ransomware or any other malware. Store your backups offline to mitigate the chance of the ransomware infecting your backup files. Once you are confident, restore your systems and devices from your secure backup.
6. Update and patch. Apply any available updates to your devices, hardware, and software. Patch your operating system and ensure all anti-virus, anti-malware, and firewall software are up to date.
7. Change passwords. Reset credentials including passwords on all systems, devices, and accounts. Threat actors often save this information for future attacks. Consider using passphrases on your devices as they are more secure and easier to remember.
8. Provide training. Train users on cyber security to help reduce the risk of future attacks. Training should address preventative actions against ransomware attacks, such as learning how to identify suspicious emails and attachments. Use common threat examples and past occurrences to keep up to date and prepared for the future.
Should I report it?
Although it may not feel essential in the moment, reporting the ransomware incident to law enforcement, the Canadian Centre for Cyber Security and the Canadian Anti-Fraud Centre is important. If you are the first to be targeted by this strain of ransomware, then law enforcement will be aware and can monitor for subsequent occurrences. These organizations can also help your mitigation and recovery efforts.
Risks of paying the ransom
The decision to pay a cyber threat actor to release your files or devices is difficult and you may feel pressured to give in to the demands of the threat actor. Before you pay, contact your local police department and report the cybercrime. Paying the ransom is not usually advised, due to the following:
- The ransom will not guarantee access to your files. Threat actors may demand more money despite receiving the first ransom payment.
- It encourages threat actors to continue infecting your devices or those of other organizations with ransomware as they assume you will continue to pay with each attack.
- Threat actors can use wiper malware that masquerades as ransomware. In this case, your files are not recoverable as the malware alters or permanently deletes them once the ransom is paid.
- Your data has likely been copied and can be leaked by the threat actor for profit. They may also continue to extort you with the copied data.
- Your payment may be used to support other ransomware attacks or terrorist organizations.”
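The recovery steps above ask you to confirm that backup files are free of ransomware before restoring, and note that encrypted files take on new extensions. The following is an added example, not part of the CCCS guidance or this article: it records SHA-256 hashes of a known-clean backup and later reports files that went missing, gained an extension, changed, or appeared with near-random content. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: content at or above this many bits per byte is treated as possibly
# encrypted. Compressed formats (zip, jpg) also score high, so review each finding.
ENTROPY_THRESHOLD = 7.5

def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Map relative path -> SHA-256, taken while the backup is known to be clean.
    Reads whole files for brevity; hash in chunks for large backups."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit_backup(root, manifest):
    """Return {relative path: finding} for everything that differs from the manifest."""
    current = build_manifest(root)
    findings = {}
    for rel, digest in manifest.items():
        if rel not in current:
            # The original is gone; look for a copy with an appended extension.
            renamed = sorted(c for c in current if c.startswith(rel + "."))
            findings[rel] = f"renamed to {renamed[0]}" if renamed else "missing"
        elif current[rel] != digest:
            findings[rel] = "modified"
    for rel in current.keys() - manifest.keys():
        sample = (Path(root) / rel).read_bytes()[:65536]
        high = shannon_entropy(sample) >= ENTROPY_THRESHOLD
        findings[rel] = "new high-entropy file" if high else "new file"
    return findings

def demo():
    """Constructed sample: two clean files, then one replaced by random-looking bytes."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.txt", "notes.txt"):
            (Path(root) / name).write_bytes(b"quarterly figures\n" * 50)
        manifest = build_manifest(root)
        # Stand-in for encrypted content: 4096 deterministic pseudo-random bytes.
        noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        (Path(root) / "report.txt").unlink()
        (Path(root) / "report.txt.locked").write_bytes(noise)
        return audit_backup(root, manifest)
```

Keep the manifest with the offline backup rather than on the production network, so it cannot be altered along with the files it describes.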
In short, ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.
At Adaptive Office Solutions, cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime.
To schedule your Cyber Security Risk Review, call the Adaptive Office Solutions service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca.