The rapid growth of targeted ransomware attacks on state and local governments and educational institutions calls for security teams to adopt a new mindset in order to protect vital information and assets. No longer can technology and information security (InfoSec) teams rely solely on erecting defensive walls around their perimeter networks to keep out the bad guys, as the bad guys are likely already in their networks.
Recent research indicates cyber criminals and hackers stealthily move through networks about 190 days before detection. Cyber security teams must go on the hunt to track them down and prevent them from doing damage. Moving from a defensive mindset to a more aggressive, hunter approach is a radical change of thinking for many government and education InfoSec professionals, but must be adopted to stem the tide of targeted ransomware and other cyber threats.
Over the past two years, the number of organizations being hit with targeted ransomware attacks has multiplied as the number of gangs carrying out these attacks has proliferated, according to Symantec’s white paper, Targeted Ransomware: An ISTR Special Report.
Attackers deploying ransomware generally attempt to encrypt as many machines as possible, targeting servers as well as ordinary computers, and will often try to encrypt or destroy backup data. The affected organization could have its operations severely disrupted, losing access to vital data and services, unless a ransom is paid to unlock the affected computers and servers.
Ransomware on the Rise
Attacks appear to be happening every month. In fact, 23 local government entities across Texas were recently hit by a coordinated ransomware attack, the state's Department of Information Resources (DIR) reported. The Texas DIR indicated that the attacks started Friday morning, Aug. 16, and though the locations were not named, “the majority of these entities were smaller local governments.”
In June, three local Florida municipalities were all struck by ransomware – all three cases started with a city employee clicking on an attachment in email and unleashing malware. In 2018, ransomware incidents ranged from public libraries and school districts to major cities like Atlanta, as well as places like Akron, Ohio; Albany, New York; and Jackson County, Georgia.
In most of these cases, cyber criminals are looking to do the least amount of work for the biggest return on investment. The number one threat vector still is and probably always will be humans, who are being targeted via email phishing attacks. What’s more, the fact that city and local government officials publicly report they are paying ransoms provides an incentive for attackers to target them. Attackers say, “here is a business cycle that works.”
State and local governments and educational institutions have talented and skilled people working on the frontlines of cyber protection, but a big challenge – especially for smaller organizations – is the lack of resources. Not only are budget constraints a real issue, but the ability to recruit and retain talent is also a hindrance. Add in the consideration that government agencies and educational institutions are embracing cloud and mobile-enabled environments to streamline IT operations and deliver more digital services, and the ability to fight ransomware becomes even more of a challenge.
Solving for Ransomware
As the Symantec ransomware report points out, “attackers behind the ransomware are skilled and knowledgeable enough to penetrate the victim’s network. They deploy a range of tools to move across and map the network while using a variety of techniques to evade detection, before simultaneously encrypting as many machines as possible.”
There are some options state and local government organizations and educational institutions should consider, however, including:
- Two-factor authentication: Deploying two-factor authentication, which adds a second level of authentication to account log-ins, is increasingly a must for securing access to the devices and systems where data resides.
- Managed security services: To address resource and workforce constraints, more organizations are turning to managed security services, which offer a subscription-based cost structure to provide continual, real-time monitoring across an organization’s security environment.
- Data loss prevention (DLP): Stop unauthorized data exfiltration by insiders, while providing visibility into external threats. DLP tools can become threat-aware to safeguard data from both insider and outsider threats.
- Defense-in-depth: Place multiple layers of security controls throughout the IT infrastructure to defend against emerging, sophisticated threats and to protect data irrespective of where it is and how it is accessed.
- Threat hunting: Organizations, either internally or via their managed security services provider, should deploy threat hunting tools and techniques to actively detect threats that would otherwise go unnoticed.
Overall, state and local governments and educational institutions need to keep building their defense-in-depth strategy and prepare for the hunt in order to keep a step ahead of their adversaries.