Five Questions Your Organization Must Ask to Prepare For a Ransomware Attack

Since last week, I’ve been speaking with Splunk customers and our own team about the cyberattacks impacting the Kaseya software platform. While Splunk was not impacted by the ransomware attack, as a security leader we want to help the industry by providing tools, guidance and support. It’s critical that we work together as a community to counter cybersecurity threats and share information about events like these. 

Here’s what we know about the attack so far: 
On July 2, reports of a "supply chain ransomware" attack began circulating on Reddit. Those rumors were later confirmed by Kaseya VSA —  developers of remote monitoring management software. 

The software maker said in a statement they believed the cyberattack was carried out by a ransomware criminal group known as REvil. The hacking collective reportedly used Kaseya's software to distribute ransomware to its on-premises customers. 

It’s important to understand the alleged hackers and the unique nature of this attack. The REvil payload is a notorious ransomware-as-a-service (RaaS) attack. In a RaaS attack, malicious actors partner with affiliates to extend their botnets and reap profits from new additions and attacks brought to them by affiliates. The profit is shared with the affiliates, which encourages them to infect more victims. For those interested in a deeper technical dive on the attack and how to protect your organization, read "REvil Ransomware Threat Research Update and Detections," a blog post recently written by the Splunk Threat Research Team.

This attack is the latest example of how security vulnerabilities continue to come from the most unexpected places. And with the pace of ransomware only accelerating, this trend will doubtless continue. Over the past two years, 84% of organizations suffered a major security incident, according to findings from Splunk’s own State of Security report. More than 30% of those incidents were ransomware attacks. 

So what questions should organizations be asking themselves and what steps should they take to prevent or mitigate the next ransomware threat? I’ve put together a quick set of questions we’re asking at Splunk that can help you.

1. Can We Defend Against a Ransomware Attack? 

Organizations need to start with a threat hunting exercise to evaluate the various avenues of ransomware compromise and the strength of their defenses. Like all attacks, hackers need an entry point to carry out a ransomware campaign. Whether it’s through unpatched systems, compromised credentials, spear phishing or a compromised vendor, the attacker has to get an initial foothold into your systems. As the interconnected cloud services that organizations rely on daily have grown increasingly diverse and complex, their attack surfaces have also grown. 

Increasingly, a key part of defending against ransomware involves proactively assessing your software supply chain and technology vendors for ransomware mitigations, and remediating vulnerabilities on your systems before they are exploited. There are early indications the Kaseya attack had elements of a supply chain attack like the SolarWinds attacks we saw late last year. We shouldn’t be surprised. The State of Security report found that 78% of companies expect another SolarWinds-style supply chain attack, yet only 23% of organizations have reassessed or changed their policies toward vendor risk management.

2. Do We Have a Plan to Detect and Contain a Ransomware Attack? 

The next step to tackling the threat of a ransomware attack is to spell out the plan to not only to detect and respond to ransomware, but also procedures to confirm resiliency against ransomware attacks that have made the news or shared by your threat intelligence partners.  

Building your response plan starts with understanding the reality of your network and assets. What does it actually look like and where does your organization have blind spots? 

Your ransomware runbooks need to proactively confirm whether your organization has been exposed to an attack and whether it’s protected against new ransomware strains or supply chain ransomware attacks as they become public. 

Your response plan also needs to address considerations beyond technical containment. In fact, ransomware response cuts across multiple processes, management layers and functions within your organization, such as restoration of operations, internal and external communications, decisions on paying the ransom, specialized professional services firms and more. Lastly, your plan needs to be tested through cross-functional tabletop exercises that simulate a ransomware attack before a real one occurs. 

As for detecting ransomware in your network, it’s usually not that hard because your users will tell you. Perhaps more critical is finding how the adversary got the ransomware onto the endpoint or server to start with. The good news is, many ransomware attacks look just like any other attack. Adversaries usually use spear phishing, second-stage malware downloaders, and remote desktop sharing tools to install and propagate ransomware, according to the 2021 Verizon DBIR report. 

The above actions are left of the ransomware "boom" event of encrypting your critical data. Using traditional techniques, you can detect the adversary before they begin installing, encrypting and exfiltrating your data. You should focus your detections on the highest value: Preventing the ransomware installation from happening in the first place.

3. Do We Have Access to the Data We Need to Understand the Impact of a Ransomware Attack?

The key resource in countering ransomware attacks is having access to the right data. The fingerprints of an attack are recorded in data, as Splunk CEO Doug Merritt talked about in his recent RSA keynote. Organizations need the ability to systematically contact-trace their data during a ransomware attack to understand how and how far an attacker penetrated their networks. Then, they need to work out whether any related systems in their supply chains, customers and partner networks have also been compromised through lateral movement.

4. What Processes Do We Have in Place to Ensure We Are Constantly Evolving Our Approach?  

Ransomware attacks in 2021 are not the same as they were five years ago. While the motivations may broadly remain the same, tactics will continue to evolve. Adversaries have a variety of methods for encrypting and publicly shaming victims into paying. It’s also worth noting that some insurance companies are increasingly reluctant to pay ransomware demands, and there are broader industry calls for both victims and insurance companies not to pay ransoms. 

All of these changes will inevitably change how organizations respond to ransomware threats and attacks, so organizations need to be prepared for constant evolution, and maintain an updated framework on how to prevent, detect, and respond to ransomware by introducing improvements based on threat intelligence and high-profile attacks, such as the one impacting Kaseya VSA.

5. Are We Moving Fast Enough?

To effectively respond to ransomware, organizations need to move fast to understand the scope of the compromise and contain the incident. Your mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) are key. Tools like Splunk SOAR allow you to act faster than a human can double-click. From isolating networks to sinkholing malicious domains, it’s vital to have the right level of security automation to effectively counter a ransomware attack.  

Preparing For the Inevitable Next Attack

The threat of ransomware isn’t going away. Organizations need to ask hard questions about just how prepared they are to respond. Acknowledging the threat ransomware poses and building an approach around data to detect and respond to it’s the best chance we have of navigating this constantly evolving threat. 

Attacks like Kaseya and SolarWinds remind us to make sure our own organizations are prepared for an attack. The Splunk Threat Research Team continually monitors and evaluates security risks reported by the industry and in the news. When news of a major attack hits, we take immediate action to confirm the safety of our systems and code. We did this after the SolarWinds attacks and again during this attack. We also work to constantly confirm all of our patches and security protocols are up to date. 

Unfortunately, ransomware and supply chain attacks are here to stay — which is why all of us at Splunk remain vigilant and committed to identifying ways we can better help our customers, partners and industry organizations prepare for them. 

----------------------------------------------------
Thanks!
Yassir Abousselham