There’s one unhappy holiday tradition to commemorate again this year: time for your cybersecurity teams to be on high alert for ransomware attack attempts.
Holiday periods are viewed by cyber attackers as prime time for targeting businesses, since reduced IT staffing profiles result in decreased chances of detection and an increased time to respond.
Last year’s holiday ransomware traffic volumes even prompted a Cybersecurity & Infrastructure Security Agency alert, with the 2022 ransomware season commencing when Lapsus$ successfully targeted Portugal’s largest media consortium on New Year’s Eve weekend.
One ransomware gang element has changed since the late-2021 holiday period, though — the maturity level of user exploitation is increasing. Today, the threat actors are:
- Continuing to evolve their attack attempts
- Compromising the environment
- Studying the victims before direct engagement
- Injecting themselves (possibly with fake domains) into existing email threads (for Business Email Compromise) or internal chat groups/channels (for the ransom of stolen data)
From Mitiga’s conversations with CISOs in these last 2 years, there has been a noted shift in the organizational mindset regarding ransomware. Two years ago, we heard one CISO note:
We don’t need to overly prepare for it, we have insurance.
However, within the last year we have heard CISOs grapple with some of the obstacles involved in successfully warding off the ransomware gang:
I don’t have full visibility or control over our dev environment. And when we do have an incident, the developers just blow away the environment and start again.
I need help understanding our 1,500 accounts. I have responsibility without authority, resources, or visibility.
We acquired a company, and their environment has a lot of challenges.
Unfortunately, for CISOs and others involved in organizational cloud and cybersecurity services, addressing ransomware isn’t as simple as “beefing up” security.
At a high level, for ransomware threats to diminish:
- Misconfigurations and vulnerabilities have to end
- Poor instantiation of security controls has to end
- Users attacked over their expected trusted communication systems has to end
With those thoughts in mind, here are several recommendations to make it through the upcoming holiday seasons with reduced ransomware visitors.
Back to Basics 1: Misconfigurations
Misconfigurations are interesting because:
- They don’t get old
- They don’t get patched
- They can go unnoticed for a long time
Yet, misconfigurations are still an open door into your environment — because of the rapid shift to the cloud in the past two years, misconfigurations are continually found. This makes misconfiguration exploitation of interest to cyber attackers, because these entry points into your environments are likely to remain in place and go undetected longer than a high CVSS vulnerability.
Get your configurations reviewed by security architects and pen-testers alike.
Back to Basics 2: Apply Security Patches
Patching processes can be nuanced, representing a never-ending cycle for IT teams. Then, the nature of security patches must be considered — not every patch that is needed:
- Is available in time
- Functions properly
- Doesn’t disrupt operations
However, when it comes to covering the basics to prevent a successful holiday visit from the ransomware gang, immediately applying security patches upon their issuance is a good place to start.
Maintain a Cloud Incident Response Plan
Operating with the premise that your organization will be targeted by cyber attackers or ransomware gangs, you should have an established, well-defined, well-practiced Incident Response plan.
Beyond that in-house Cloud IR plan, you should have an established contract and Service Level Agreement with an Incident Response partner.
With these baseline IR programs, organizations are less apt to find themselves holding panicked negotiations in the immediate aftermath of a nasty holiday breach.
Advice for the C-Suite
CFOs, CIOs, and CEOs are stakeholders in preventing ransomware attackers from succeeding at their organization, but this leadership team is frequently focused on a myriad of other tactical and strategic responsibilities.
Based on our conversations with these C-Suite members, some words of advice when it comes to limiting the impact and success of ransomware attackers:
- For CFOs: Ransomware today involves encrypting, extortion, access, and denial of access. With encryption, the recommendation here is for CFOs to focus on the financial systems being resilient from a breach that corrupts all your data at the worst possible time — such as the holiday buying season or year-end financial close.
In terms of extortion, our recommendation is to ensure data security at all points in the life cycle, including:
- Removable drives
- Enterprise chat messages
- Data inside an email
Access is the sale of access to other cyber attackers that have an interest in invading and remaining inside of your environment. External counsel and an incident response provider are going to be key guests to the event if this happens. The end-result is a long process that results in evicting the attackers.
Denial of Service (DoS) is coming back as a fourth option when dealing with ransomware. Having commercial solutions in place where possible is the best- practice, and testing them early will help ensure a better holiday season.
- For CIOs: If it can be locked down, lock it down. Don’t let security, like multi-factor authentication, be “easy” for the organization. As many companies are learning about MFA bypass attacks, “easy is not secure.”
- For CEOs: Actively participate in exercises and briefings for both crisis response and business continuity and disaster recovery.