Ransomware Attack Scenarios
One reason ransomware is so damaging is that attacks can occur in multiple ways. As an MSP, protecting your clients’ businesses from ransomware requires being familiar with all of the ransomware attack scenarios and taking steps to defend against each of them.
With that need in mind, this article describes common ransomware attack scenarios and what to do if one of these attacks affects your clients.
Types of Ransomware Attacks
Phishing is a type of exploit where an attacker convinces someone inside an organization to take an action (such as clicking a link inside an email or revealing login credentials) that allows the organization’s systems to be compromised. If attackers can gain this access, they can encrypt the organization’s data and hold it to ransom.
Email is the most common vector for executing phishing attacks, but it’s not the only one. Phone calls, SMS messages and even physical documents can be distributed to employees inside an organization in an attempt to trick them into revealing sensitive information.
When phishing, attackers often make a message appear to come from someone legitimate by, for example, creating a fake email account pretending to belong to a person from the same organization or to a vendor you partner with. These strategies can make it easier to convince someone inside the organization to fall for the phishing attack, even if anti-phishing systems mark the message as coming from outside their own organization.
Further reading: Types of Phishing Attacks
Remote Desktop Protocol
Remote Desktop Protocol, or RDP, is a widely used protocol for accessing computers from remote locations. Because RDP gives remote users the same level of access to a system that they would have if they were sitting in front of it and logged in, compromising RDP is a ransomware attacker’s dream scenario.
Although RDP is secure when configured properly, there are several ways in which poorly secured RDP connections could be used to install ransomware inside an organization:
- Weak user credentials: Attackers could gain access by taking advantage of weak RDP passwords that they can guess or brute-force. The absence of multi-factor authentication, and the use of the same account for multiple types of applications, makes weak user credentials easier to exploit.
- RDP open to the Internet: If RDP ports are accessible from the public Internet, they are very easy for attackers to find and scan for vulnerabilities. It’s best to keep RDP connections behind a firewall so that they are available only to users who are in a physical location (such as their office) or (if they are working remotely) logged into a company’s VPN.
- Outdated RDP tools or protocols: If RDP applications, or RDP itself, are not kept up-to-date, they may contain known security flaws that attackers can exploit to break in and install ransomware.
- Privileged RDP account: A compromised RDP connection is bad. It’s even worse if the account that was compromised has admin permissions. That’s why it’s a best practice to follow the principle of least privilege, which means that the minimum privileges necessary should be assigned to each account. Unless there is a specific reason for an admin account to require RDP access, this configuration should be avoided.
Further reading: 4 Ways to Improve Your Remote Desktop Security
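An added example, not part of the original article: a read-only PowerShell audit of the four RDP weaknesses listed above, meant to be run in an elevated session on the Windows host under review. The 45-day patch-age threshold and the English 'Remote Desktop' firewall group name are assumptions.

```powershell
# Added example: read-only audit of local RDP settings (run elevated).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$maxPatchAgeDays = 45   # assumed threshold, adjust to the client's patch policy
$findings = [System.Collections.Generic.List[string]]::new()

# fDenyTSConnections = 0 means the host accepts RDP connections.
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

if ($rdpEnabled) {
    # Weak credentials: Network Level Authentication (UserAuthentication = 1)
    # makes the client authenticate before a desktop session is created.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    if ($nla -ne 1) { $findings.Add('NLA is not required for RDP connections') }

    # RDP open to the Internet: enabled inbound rules should be limited to
    # known addresses (office or VPN ranges), not "Any".
    # 'Remote Desktop' is the English display name of the built-in rule group.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                $findings.Add("Firewall rule '$($_.DisplayName)' allows any remote address")
            }
        }

    # Outdated software: age of the newest installed update as a rough proxy.
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn | Select-Object -Last 1
    if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$maxPatchAgeDays)) {
        $findings.Add("No update installed in the last $maxPatchAgeDays days")
    }

    # Privileged RDP account: by default, members of the built-in Administrators
    # group (SID S-1-5-32-544) may log on over RDP; list them for review.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        $findings.Add("Review: admin account allowed RDP logon by default: $($_.Name)")
    }
}

if (-not $rdpEnabled) { 'RDP is disabled on this host.' } else { $findings }
```

The script only inspects the host's own firewall and registry; perimeter firewall exposure and multi-factor authentication have to be verified separately.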
Any application -- even one as simple as Windows Calculator -- can potentially be exploited by an attacker to gain unauthorized access to a system and install ransomware.
That is true no matter how up-to-date applications are, or which version of an operating system a user is running. However, there are a few practices in particular that can lead to application exploits:
- Modified settings: Applications that are configured in ways they were not designed for could open up vulnerabilities. Before changing settings in an application, review its documentation to make sure you are not configuring it improperly.
- Saved passwords: Applications may save passwords from previous logins, giving attackers easy access. It's best practice to disable saved passwords. (Check other password management best practices.)
- Compromised websites: Websites that host malicious software may attempt to install that software on users’ computers. Web browsers should be configured to mitigate this risk. In especially sensitive environments, you could even consider running user applications inside a virtual machine that is restored to a previous “clean” state automatically after every session; that way, any malware installed during a session will be erased when the user logs out.
It’s easy to overlook the risk of an attacker gaining physical access to systems, but it’s a real scenario. Organizations with poor physical security have little to protect them from someone simply walking into an office, sitting down at a workstation and deploying ransomware.
This is true even at organizations that take basic steps to address the needs of physical security. For example, keeping doors locked is no guarantee that an intruder won't sneak in behind someone else, or break a lock after hours.
Responding to Ransomware Attacks
It's important for MSPs to be prepared with a response plan in case their clients' systems (or even their own systems) are attacked with ransomware.
The basic steps to follow when responding to a ransomware attack include:
- Analysis: Perform a full analysis of the attack to identify which devices were infected, and ensure that the attack vector is no longer active.
- Antivirus run: Scan all affected systems with antivirus software to identify any known exploits that were introduced with the ransomware. It's important to make sure that all malware has been removed before restoring operations; otherwise, data could be re-compromised after the restore. (Choose an MSP antivirus that suits your needs.)
- Recovery: Once systems have been confirmed to be free of ransomware, you can recover data from backups, and allow customers to resume normal operations. (Check our guide with data recovery best practices.)
- Harden operations: With operations restored, you can now take steps to harden systems to prevent another ransomware attack. Make sure software is up-to-date, address weaknesses in your firewall configuration, enforce multi-factor authentication, and so on. You may also consider deploying pre-installed anti-ransomware tools like Malware and Ransomware protection in Office 365.
Further reading: OS Hardening Checklist
Recovering from Ransomware if Backups Were Infected
The steps above assume that you have a ransomware-free backup copy of data that you can use for the restore. Unfortunately, that is not always the case. Your data retention policy might not have saved data long enough to ensure that a copy from before the attack is preserved. Or your backups themselves could have been compromised during the attack. Storing at least one copy of your backups in an offline location prevents this, but it is a step that is easy to forget.
Further reading: Steps for Keeping Backup Data Safe from Ransomware
In these situations, recovery is harder, but all hope is not necessarily lost. You may still be able to recover through the following strategies:
- Reconstruct data from other sources: In attacks of limited scope, you may be able to find sources of data that weren't compromised during the attack, and use them to recover. For example, perhaps you can find an employee who was on vacation and whose laptop was turned off during the attack. In that case, you could use data from the laptop as the basis for recovery. This approach will require more effort, and might not preserve all of the data, but it's preferable to paying a ransom.
- Look for a decryption key online: In some cases, resolving ransomware may be as simple as obtaining a publicly available decryption key or following another known procedure for decrypting the affected data. So, although it may seem obvious, make sure you Google or ask in relevant forums for a solution.
- Pay the ransom: As a last resort, you can always pay the ransom (and hope the attackers actually provide a decryption key in response). Of course, if you back up your data, you avoid this embarrassing and risky outcome.
Ransomware comes in many forms, and there is no way to guarantee immunity against it. But there are steps you can take to minimize the risk of your clients' systems (or your own systems) falling victim to ransomware in the first place. And by keeping data backed up, storing at least one copy of the backups in an offline location, and having the right retention policies in place, you place yourself in a position to recover from a ransomware attack without having to pay the ransom.