Experts Call for Ransomware Resilience as Crisis Escalates
It’s been a busy few months for ransomware. At the end of August, multiple US cybersecurity organisations warned of a pernicious ransomware-as-a-service group called RansomHub. This criminal outfit, formerly known as Cyclops and Knight, has been active since February this year and has been gathering affiliates from other groups such as LockBit.
RansomHub has encrypted and stolen data from at least 210 victims, according to an advisory from the US Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Multi-State Information Sharing and Analysis Center, and the Department of Health and Human Services. They spanned many sectors the US government considers part of its critical national infrastructure, including water and wastewater, IT, public sector services, healthcare, emergency services, food and agriculture, and financial services.
An evolving threat
RansomHub is evolving. It recently integrated a tool called EDRKillShifter that disables endpoint detection software, enabling it to infect systems more successfully. Ransomware affiliates using the tool then spread laterally through the target network, infecting systems and both exfiltrating and encrypting data in a double-extortion attack.
With threats like this continuing to plague critical national infrastructure, it’s no wonder that the US government is making more noise than ever about the ransomware threat. This month, National Cyber Director Harry Coker warned about the increasing threat of ransomware attacks. The White House also hosted its fourth International Counter Ransomware Initiative summit, in which 68 countries (including 18 new additions) participated to try and stamp out ransomware.
The latest summit established a counter-ransomware fund to help member organisations strengthen their capabilities against ransomware, along with guidance for victims on how to cope with a ransomware attack. Anne Neuberger, the deputy national security advisor for cyber and emerging technology, once again warned insurers against funding ransom payments.
Laura Payne, CEO of Canadian cybersecurity consultancy White Tuque, says avoiding payments is a solid policy. “You don’t know who that money is going to, and most likely, it is going to something that will have a connection to terrorism activity. That puts you in a dangerous spot from a legal perspective,” she says.
Neuberger stopped short of recommending policies such as an outright ban on funding ransom payments. However, that may be unnecessary as insurers face increased financial pressure from ransomware claims. A report by cyber insurer Coalition found that while claim numbers were down for the first half of this year compared to 1H 2023, losses increased by 14% overall. It said the average ransomware loss was up 68% at $353,000.
“In Canada a couple of years back, I heard one of the insurers talk about it, and they said the only thing that was a less profitable insurance business was hail damage, which tells you how bad things are,” said Payne.
Prevention is better than cure
Of course, prevention is better than cure. How can organisations protect themselves against ransomware attacks? The RansomHub advisory recommends several steps, beginning with a recovery plan and multi-factor authentication. It adds that it’s also critical to keep all software and firmware updated, which will help block ransomware that relies on known vulnerabilities.
Because ransomware intruders operate by spreading laterally in an organisation, the advisory also recommends segmenting networks to prevent attackers from easily accessing other parts of the infrastructure.
The advisory also recommends passwords between eight and 64 characters, which aligns with NIST recommendations. “Long is strong,” agrees Payne. She also has several other pieces of cyber-hygiene advice.
“Have good basic protection and a high-quality anti-malware service,” she adds. “Make sure your networks are set up with the current wireless standard, which would be WPA2 or WPA3 with a password. Don’t use public Wi-Fi, and back up your stuff.”
The advisory authors recommend that those backups be encrypted and immutable so that attackers cannot tamper with them. Maintaining offline backups is a good strategy here, but several storage systems on the market render backup data immutable at the operating system level. Organisations can also use write-once-read-many (WORM) hardware for such backups for hardware-level protection.
The advisory recommends other protections, including carefully managing internal permissions. For example, disabling many command-line scripting tools can help prevent attackers from ‘living off the land’, that is, using the tools already present on a system to move laterally and steal data without raising the alarm.
The document also recommends auditing accounts to ensure least-privilege access and time-limiting access for administrative accounts to close the attack window. It also warns administrators to disable unused ports and use network monitoring tools to spot and track unusual activity.
The organisations behind the advisory also recommend protecting email – a common delivery system for ransomware – by putting banners on emails that come from outside the organisation and disabling hyperlinks in all emails received.
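One way to implement the email recommendation above, as an added example that is not code from the advisory or the article (the internal domain list, the banner text and the sample message are constructed assumptions):

```python
"""Tag mail from outside the organisation and neutralise its hyperlinks.
Added illustration of the advisory's email advice, not code from the advisory
or the article; the domain list, banner and sample message are assumptions."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = ("example.org",)  # assumption: the domains we mail from
BANNER = "[EXTERNAL] This message came from outside the organisation."
SCHEME_RE = re.compile(r"(https?)://", re.IGNORECASE)

def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From header, lower-cased; empty if unparseable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_external(msg: EmailMessage) -> bool:
    """True unless the sender is one of our domains or a subdomain of one;
    an empty or malformed sender is treated as external (fail closed)."""
    domain = sender_domain(msg)
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def defang(text: str) -> str:
    """Rewrite http:// as hxxp[:]// so mail clients stop rendering the URL as a
    clickable link while the destination stays readable to the recipient."""
    def repl(m: re.Match) -> str:
        scheme = m.group(1)  # "http" or "https", any letter case
        return scheme[0] + "xx" + scheme[3:] + "[:]//"
    return SCHEME_RE.sub(repl, text)

def tag_external(raw: bytes) -> EmailMessage:
    """Parse a raw message; if it is external, prefix the subject with
    [EXTERNAL], prepend the banner to the text body and defang its URLs."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "")
    del msg["Subject"]  # no error if the header was absent
    msg["Subject"] = "[EXTERNAL] " + subject
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:  # non-text mail still gets the subject tag
        body.set_content(BANNER + "\n\n" + defang(body.get_content()))
    return msg

# Constructed sample message (not real mail) to run the filter on.
SAMPLE = (b"From: Accounts <billing@mail.example.net>\r\nTo: alice@example.org\r\n"
          b"Subject: Invoice overdue\r\nContent-Type: text/plain; charset=utf-8\r\n"
          b"\r\nPlease pay at https://invoice.example.net/pay today.\r\n")
```

Running `tag_external(SAMPLE)` returns the message with the tagged subject and the defanged body; a mail gateway would apply the same step to each inbound message before delivery.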
These recommendations reflect basic cybersecurity hygiene, and like the ransomware discussion itself, they have been circulating for years. “I don’t mind repeating them,” says Payne. She has to, as do government agencies, because so many companies are not listening. Until they do, the crisis will continue.