As the world of technology continues to evolve, so have the types of ransomware attacks that can impact organizations. For most businesses, data is their most valuable asset, and without protections against ransomware in place, employees can put themselves and their organization at risk of losing critical information. Having a ransomware protection strategy that incorporates cyber-hygiene best practices should be top of mind for businesses and their employees. We’re joined by Aamir Lakhani, Global Security Strategist and Researcher at FortiGuard Labs, to discuss the different types of ransomware attacks along with some ransomware best practices to protect yourself and your business from an attack.
Can you briefly discuss your role at FortiGuard Labs?
Aamir: My responsibilities as a senior security strategist at Fortinet’s FortiGuard Labs include hunting for the latest attack techniques and making sure we can defend against not only specific attacks using those techniques but any new attacks that may be using the same logic.
To do my job effectively, I need to understand networking, reverse engineering, digital forensics, and incident response. Moreover, I need to understand our customers’ business risks and goals. Security should enable organizations to work more efficiently, not impede their existing business goals.
As a FortiGuard Labs senior researcher, I work with customers to assess the best options for providing IT security solutions to major enterprises and government organizations based on their unique needs. I have over 22 years of experience in the cybersecurity industry.
What are the different types of ransomware attacks?
Aamir: There are certainly a variety of different ransomware strains, but they can be broken down into five primary ransomware attacks by types:
- Crypto Ransomware or Encryptors: Probably one of the most well-known variants, this malware encrypts various files and data within a system, making the infected content inaccessible without a decryption key. This can also include lockers.
- Lockers: Similar to encryptors, but they lock the user out of their system entirely. Generally, the lock screen will display the ransom and demands, and in severe cases, will include a countdown clock to pressure victims into paying.
- Scareware: A fake software that claims to have detected a virus or similar issue with your system and directs the user to pay to solve the issue. Some variants will lock the user from other functionalities of the system, while others will flood the screen with pop-up alerts without causing any damage.
- Doxware/Leakware: As the name suggests, leakware threatens to distribute sensitive information or company files online and pressures the user into paying a fee to prevent data from being entered into the public domain.
- Ransomware-as-a-Service (RaaS): Malware that is carried out and managed by a professional hacker. The service is paid for by an individual, and all aspects of the attack—from the distribution of the malware to payment collection and access restore—are carried out by hired professionals.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or private individuals?
Aamir: Ransomware is getting more sophisticated and more destructive. As a cybersecurity researcher, ransomware, to most people’s surprise, is not always the most exciting attack to look at. Attacks targeting artificial intelligence brains, industrial control systems, and automobiles are cutting-edge attacks. However, ransomware has an immediate and visible impact across all industries and many times individuals. If a business is attacked by ransomware and cannot recover, it is possible that the business may be at risk. This has real-world consequences, such as people not being able to work or provide for their families.
Cyber-attacks are non-discriminate in who they target. Private individuals, businesses, and anyone with an internet connection is at risk. While certain types of ransomware may be better suited for specific targets, all individuals need to make sure systems on their network are sufficiently covered.
If a business is attacked by ransomware and they cannot recover, it is possible that the business may be at risk. This has real world consequences such as people not being able to work or provide for their families.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
Aamir: The first step should be notifying your cybersecurity management team, whether that is the CIO or security manager for an internal security operations center (SOC) team or the platform that an individual uses for their personal computer. Depending on the severity and nature of the attack, the security professional will be able to guide you from there on next steps. The top priority should be bringing the attack to the attention of a trained security expert so that the issue can be resolved as quickly as possible.
Individual organizations may have their own legal or internal notification requirements that must be followed, but it’s important to remember a cyberattack is an attack and can be as deadly as a physical attack. You need to minimize your exposure and understand the problem before reacting.
What are the most common mistakes you have seen companies make that leave them vulnerable to ransomware attacks?
Aamir: One of the most common mistakes made by companies is not having complete coverage of all aspects of a system. With the prevalence of remote work and email being one of the most common vectors for ransomware, organizations must ensure there are no loose ends in the system for hackers to exploit. For example lack of integration can mean too many point products and poor visibility. It can also mean less effective cybersecurity overall. Maintaining proper security measures puts an enterprise in the best position possible for protecting against ransomware. Consolidation and integration are key to maintaining visibility but also mitigation and remediation for example.
What would you recommend CISOs do to help limit the frequency and severity of these attacks?
Aamir: First and foremost, equip all systems with the latest in cybersecurity defense and detection solutions. Advanced endpoint detection and response (EDR) technology is a great example because it can detect and mitigate evolving threats. This is very relevant given the WFA reality organizations face today. In addition, ensuring employees are properly trained on threat trends is paramount for prevention, as employees within the network will then be apt to avoid suspicious activity and report it properly. In many cases, keeping systems updated and patched, limiting administrator access, and running common security defensive tools configured correctly are good starting points. Training users to be on the lookout for cybercriminals and raising awareness can exponentially increase your defensive posture to mitigate attacks. These basic tasks are commonly referred to as good cyber hygiene. The Fortinet Training Institute is a good example of how training can make a difference.
What are some ransomware best practices to protect yourself or your business from an attack and why?
Equipping all aspects of the network, from databases to Bluetooth devices, with the latest security measures is essential for preventing ransomware. Deflecting attacks entirely or detecting them as soon as there is a breach is the best thing a business can do to protect its assets. You need to think about the endpoint and all the way to the Linux kernel. Also you need to be thinking about maximizing AI/ML technologies to detect abnormalities, etc. Segmentation and also services such as a digital risk protection service can help proactively find vulnerable issues to address.
Train members in the network on proper security practices
Educating employees on best security practices and proper reporting procedure is key for the shift to telework and will allow security teams to be informed immediately when there is a potential threat.
Report early to prevent malware from lingering
Notify your service provider and security team as soon as a threat begins to emerge. Allowing malware to live within a system will give it the opportunity to spread to other entities within the network and further the damage that can be done.
Gather as much information on the potential threat as possible
When a threat emerges, gather as much information on the source and nature of the attack to patch the system for future prevention. Learning how the ransomware was able to access the network will expose the holes hackers were able to exploit. Reporting details to law enforcement will also aid in tracking down threat actors to prevent repeat attacks.