As ransomware threats become increasingly sophisticated – and the cost of cyberattacks continues to mount – authorities in the U.S. have updated guidance on preventing attacks.
In May, a number of U.S. agencies published an updated #StopRansomware Guide, adding several new recommendations for preventing and responding to attacks as ransomware actors around the globe adopt new techniques to exploit vulnerabilities and exfiltrate sensitive data.
In this blog, we’ll outline what’s new in the #StopRansomware Guide and offer tips for shoring up your cyber defences as hackers adopt insidious new means of gaining access to networks.
Advanced social engineering
Social engineering scams – in which hackers dupe victims into clicking links by pretending to be someone they aren’t – have only become harder to spot in recent years.
Bad actors are now using search engine optimization (SEO) poisoning to increase the likelihood of victims clicking dangerous links. Hackers use SEO poisoning to boost the search results for malicious websites so they appear at the top of the page, adding an air of legitimacy to websites of ill intent.
There are also drive-by downloads, which trick users into thinking they’re downloading content from a legitimate website when they’re in fact downloading malware. People often fall victim to drive-by downloads after opening a malicious email or clicking on a pop-up window.
And let’s not forget malvertising – these online ads appear on both malicious and legitimate websites, seducing users into clicking on links they shouldn’t.
To prevent social engineering attacks, the #StopRansomware Guide recommends:
- Offering cybersecurity awareness training to your personnel
- Using a protective domain name system service to block access to malicious sites
- Using “sandboxed” web browsers to isolate host machines from malicious code
Preventing compromised credentials
One of the most common root causes of ransomware attacks is compromised credentials. The #StopRansomware Guide has many recommendations to prevent compromised credentials, including:
- Using phishing-resistant multi-factor authentication (MFA), and using an MFA that does not require a password – such as fingerprints or facial recognition – where possible
- Subscribing to a credential-monitoring service to monitor the dark web for compromised credentials
- Using identity and access management (IAM) systems to monitor and manage access privileges on your network
- Using a zero-trust access control to restrict user-to-resource access and resource-to-resource access
- Locking users out of your network after a prescribed number of failed log-in attempts
- Educating personnel on password security through annual training
Backing up the cloud
As organizations in all sectors undergo digital transformations and gravitate toward a cloud-based environment, it’s important to consider what happens if your cloud is compromised. The #StopRansomware Guide recommends:
- Backing up your data often, either offline or using cloud-to-cloud backups
- Using multiple cloud service providers in case one vendor is compromised
- Setting alerts for abnormal cloud usage
- Using object locks and delete protection to prevent data from being overwritten or deleted
- Using version control to recover more easily from malicious activity
Zero-trust architecture
A zero-trust architecture (ZTA) assumes a network may already be compromised and continuously validates users’ connections. A ZTA requires a new authentication and authorization for each connection. User access will time out periodically, requiring you to verify your device and identity at regular intervals. Implementing a ZTA can reduce your risk of a breach.
What happens after a breach?
The updated #StopRansomware Guide also contains tips for threat-hunting activities when you’re responding to a breach. For enterprise environments, recommendations include looking for:
- Newly created active directory accounts or accounts with escalated privileges
- Anomalous log-ins to your VPN
- Endpoint modifications that may impair your backups
- Signs that Cobalt Strike has been used on your network
- Signs of unusual endpoint-to-endpoint communications
- Potential signs of data exfiltration
- Newly installed software, newly created services and unexpected scheduled tasks
For cloud-based environments, the guide recommends:
- Using tools to prevent and detect modifications to IAM systems, network security and data protection services
- Using automation to take action as soon as common issues (such as disabled network features or new firewall rules) are detected
These are only some of the recommendations contained in the revised #StopRansomware Guide (you can read the full guide here). If you’re interested in learning more about preventing and responding to ransomware attacks, the lawyers in our Privacy, Data Protection & Cybersecurity group have wide-ranging experience helping a variety of organizations combat cyber threats. Contact us to learn more.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.