CompuCom, a top-50 ranked US managed service provider (MSP), declared in late-March 2021 that it experienced a significant ransomware attack that disrupted its service delivery capabilities for 16 days. The company estimates it will spend up to $20 million and lose up to $8 million in revenue due to the attack.
This event is yet another reminder that no company is immune to cyberthreats and that cybersecurity must be at the top of every CIOs priority list; even for those working alongside CISOs. It also puts the spotlight on third party risk, but that’s a topic for a different article.
Today we’ll share six tips from one of TechSafe’s security pros on typical ransomware attacks and baseline actions to mitigate risk:
- The use of a RaaS provider
- Limited skill is required to start the operation, but the type of ransomware that is used is likely to be well known.
- Any off-the-rack anti-ransomware solution should detect most RaaS threats, but outdated “virus-only” solutions may not provide full ransomware protection.
Action: Utilize an advanced endpoint protection solution that stops online extortion.
- Data gathered through public information storage
- Many ransomware attacks make historical user information (like usernames and passwords from large breaches) readily available over the Dark Web, either freely or for a small fee. However, this information may not always be fresh.
- Therefore, it’s important to change passwords regularly, and to monitor for breached accounts that may be for sale.
Action: Implement Dark Web Monitoring to ensure compromised user credentials are found quickly and action is taken.
3. Attempts to infect targets using a “scattergun” approach, usually through phishing
- Most commonly, this is achieved using an infected PDF or another type of document, or an infected webpage accessed through a link.
Action: Reduce the likelihood of phishing breaches by implementing a next-generation endpoint solution with threat intelligence to scan and block malicious attachments. Additionally, ensure users undergo regular phishing training via simulations with in-the-moment training.
- If the PC is infected, the malware will probably attempt to exfiltrate its data
- Exfiltrated data could be credit cards, social security numbers, or simply lists of email addresses that could be used for future attacks.
Action: Know your data and protect it accordingly. Data classification enables organizations to know where sensitive data resides and implement the necessary controls.
- Data will become encrypted and held for ransom
- Ransoms typically average $100,000 but this varies based on how many devices have been encrypted – the attacker wants to maximize the chance of payment.
- If your systems become encrypted it’s almost always impossible to decrypt these files. Instead, you’ll need to restore lost files from backups.
Action: Ensure you have a backup strategy for recovery. If you rely on the Microsoft 365, ensure your data is backed up outside of the Microsoft Cloud.
- The ransom is paid (or not) but the threat doesn’t go away
- Generally, the attacker will retain some form of foothold into the organization, though not always to re-ransom the network but to gather more data/passwords.
Action: A SIEM provides deep visibility into security events and allows organizations to connect the dots following a ransomware attack for future risk mitigation.
At TechSafe Systems we deliver advanced security solutions from next-gen endpoint protection to managed SIEM + 24×7 SOC so reach out if you’d like to talk with one of our vCISOs.