On November 30, 2021, the Canadian Centre for Cyber Security released its Ransomware playbook (ITSM.00.099). The document can help organizations understand their business and security requirements and implement relevant policies and procedures related to cybercrime. It provides a helpful explanation of ransomware and practical tips for defending against cyber threats and recovering from ransomware.
What is ransomware?
Ransomware is a type of malware that denies a user's access to files or systems until a sum of money is paid. It has the potential to devastate organizations by disrupting business processes and critical functions that rely on network and system connectivity. More specifically, the impacts can be considerable, including privacy and data breaches, reputational damage, productivity loss, legal repercussions, recovery expenses, and damage to infrastructure and operations.
Ransomware’s main goal is to either lock the screen or encrypt the files, preventing access to the information and systems on devices. Additionally, threat actors can use a compromised network to spread the ransomware to other connected systems and devices.
There are several ways that this can occur, some of which include phishing, drive-by download, malvertising, and supply chain attacks. Users may visit an unsafe website, open certain emails, click on links in emails or social media, insert an infected USB flash drive, or neglect to use multi-factor authentication—the end result will be that they receive a notice on the screen saying that their files are encrypted and inaccessible until the ransom is paid. The message comes with instructions on how to pay and unlock the device to retrieve the files. Payment options typically involve digital currency like bitcoin and prepaid credit cards or gift cards. The message also states that if the ransom is not paid by the time limit, the ransom amount may increase, the files may be deleted permanently, the data may be leaked, or the data may be released to the public.
It is common for these attacks to work in combination; for instance, there could be a phishing email sent to the organization and a simultaneous brute force attack that uses extensive login attempts or password guessing to gain access to systems and networks. In fact, the three main access vectors are brute force, exploiting vulnerabilities in the software, and executing phishing attacks.
Figure 1 of the document sets out an excellent visual of the threat actor gaining access, taking control, and impacting organizations. The Canadian Centre for Cyber Security suggests that ransomware victims will likely continue to give in to ransom demands due to the severe costs of not paying—such as losing business and rebuilding networks—but it also points out that paying the ransom does not guarantee access to the encrypted data or systems. Organizations need to decide whether to pay after considering the risks involved. Some of these risks could include situations where threat actors:
- use wiper malware (altering or permanently deleting the files) once the ransom is paid
- use the ransom payment to fund and support other illicit activities
- demand more money
- continue to infect the devices
- re-target the organization with a new attack
- copy, leak, or sell the data
Ultimately, ransomware is one of the most common types of malware and can be one of the most damaging to organizations—it is critical that organizations focus on defence against cyber threats.
How can organizations defend against ransomware?
It is recommended that a defence-in-depth strategy be used, whereby a multi-layer approach protects devices, systems, and networks from ransomware as well as from other types of malware and cyber attacks. In particular, it is important to include many layers of defence, with a number of mitigation measures or security controls at each layer, so that no single control has to stop an attack on its own.
In order to effectively enhance an organization’s cybersecurity posture, these main security controls can be implemented:
- develop and implement a backup plan for the organization
- develop an incident response plan
- develop a recovery plan
- manage user and administrator accounts
When using a defence-in-depth model, there are several cybersecurity controls that can be used to protect the security, confidentiality, integrity, and availability of networks, devices, and information:
- establish perimeter defences
- implement logging and alerting
- conduct penetration testing
- segment the networks
- constrain scripting environments and disable macros
- patch and update
- create an application allow list
- use a protective domain name system (DNS)
- apply password management
- use email domain protection
There are helpful explanations of each of these concepts in the document, and Figure 6 provides a useful visual showing how these cybersecurity controls are applied during the three stages of a ransomware incident.
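As an added illustration of the "implement logging and alerting" control against the brute-force access vector the playbook names, the script below (example code written for this summary, not code from the Cyber Centre playbook) flags a source address that accumulates repeated failed logins within a short window and notes whether a successful login followed. The log line format, the sample lines, the five-failure threshold and the five-minute window are all constructed assumptions for the example.

```python
"""Alerting on brute-force login attempts from authentication logs.

Added example, not from the Ransomware playbook. The log format below is an
assumption constructed for this example; real systems (Windows Security log,
sshd, a VPN gateway) each have their own format and need their own parser.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: ISO timestamp, "auth", outcome, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source guessing several accounts and then
# succeeding, one source with a couple of ordinary failures, one normal login,
# and one line that does not parse.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth FAIL user=jsmith src=203.0.113.7
2024-03-01T08:00:04 auth FAIL user=jsmith src=203.0.113.7
2024-03-01T08:00:09 auth FAIL user=admin src=203.0.113.7
2024-03-01T08:00:15 auth OK user=mlee src=192.0.2.10
2024-03-01T08:00:20 auth FAIL user=admin src=203.0.113.7
2024-03-01T08:00:26 auth FAIL user=root src=203.0.113.7
2024-03-01T08:01:02 auth FAIL user=mlee src=198.51.100.2
2024-03-01T08:01:40 auth OK user=admin src=203.0.113.7
2024-03-01T08:02:00 auth FAIL user=mlee src=198.51.100.2
this line is malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source that reaches `threshold` failures in `window`.

    Each alert records when the burst started and ended, how many failures
    were in the window when the alert fired, which usernames were tried, and
    (if it happens later) which account a subsequent successful login used.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    users = defaultdict(set)       # src -> distinct usernames attempted
    flagged = {}                   # src -> alert dict, created once per source
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped, not treated as failures
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = failures[src]
            q.append(ev["ts"])
            users[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {
                    "src": src,
                    "first_seen": q[0],
                    "last_seen": ev["ts"],
                    "failures": len(q),
                    "users": sorted(users[src]),
                    "success_after": None,
                }
        elif src in flagged and flagged[src]["success_after"] is None:
            # A success from an already-flagged source is the highest-priority signal.
            flagged[src]["success_after"] = ev["user"]
    return list(flagged.values())


def format_alert(alert):
    """Render an alert as one line suitable for a ticket or SIEM notification."""
    tail = f"; later successful login as {alert['success_after']}" if alert["success_after"] else ""
    return (f"ALERT brute force from {alert['src']}: {alert['failures']} failures "
            f"between {alert['first_seen'].isoformat()} and {alert['last_seen'].isoformat()} "
            f"against {', '.join(alert['users'])}{tail}")


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(format_alert(alert))
```

Running it prints a single alert for 203.0.113.7, listing the three accounts tried and the successful login as `admin` that followed; the two failures from 198.51.100.2 stay under the threshold. The same structure works for any log source once `LINE_RE` and the timestamp parsing are adapted, and the "success after a flagged burst" field is the one to page on, since it means the guessing worked and credentials should be changed.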
How can organizations recover from ransomware?
An advantageous approach is to assume that the organization will encounter some form of malware at some point. Planning on that basis helps when it comes to developing a planned response and speeding up recovery.
There are recommended actions that can be taken to immediately respond, as seen in the checklist in Table 3. The main action items include:
- determine what is infected and isolate
- report to law enforcement
- assemble the Cyber Incident Response Team
- change credentials
- wipe and reinstall
- run security software
Moreover, once these steps are completed and backups and devices are clear of any malware or viruses, it is important to begin the recovery process:
- remediate the point of entry
- implement the backup plan
- restore systems
- engage cybersecurity professional assistance
- inform stakeholders
- analyze the incident
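Two of the recovery steps above, implementing the backup plan and restoring systems, depend on knowing that the backup itself was not altered or encrypted before it is used. The script below is an added example written for this summary (not code from the playbook) of one way to check that: a SHA-256 manifest is recorded when the backup is taken and compared against the backup files before a restore. The directory layout, file names and contents are constructed for the example, and the `demo()` function tampers with its own temporary copy to show what a failed check looks like.

```python
"""Verifying backup integrity with a hash manifest before restoring.

Added example, not from the Ransomware playbook. The manifest would normally be
written at backup time and kept apart from the backup itself (offline or on
write-once storage), so that an intruder who reaches the backup cannot also
rewrite the manifest to match.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the files under `root` with a previously recorded manifest.

    Returns which manifest entries changed, which are missing, and which files
    are present but were never recorded. Any of the three blocks a restore.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo():
    """Build a constructed backup, verify it, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        (root / "notes.txt").write_bytes(b"quarterly report\n")
        manifest = build_manifest(root)       # recorded at backup time
        clean = verify_backup(root, manifest)  # untouched backup passes

        # Simulated damage: one file overwritten with unreadable bytes, one
        # deleted, one added that the manifest never recorded.
        (root / "db" / "customers.sql").write_bytes(b"\x00\xff\x13\x37 not the original\n")
        (root / "notes.txt").unlink()
        (root / "extra.bin").write_bytes(b"not in manifest\n")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("tampered backup:", after)
```

The first check reports `ok: True`; the second reports the overwritten `db/customers.sql` as modified, `notes.txt` as missing and `extra.bin` as unexpected, which is the point at which a restore should stop and an older backup generation be checked instead. Reporting unexpected files matters as much as modified ones, because a backup that has gained files since it was taken is a backup something else has written to.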
What else can organizations do?
Following an incident, organizations should also correct the actions and strategies that did not go as planned; there are opportunities to revise incident response plans based on lessons learned.
Organizations are urged to report ransomware incidents to law enforcement (local police and the Canadian Anti-Fraud Centre) and online via the Cyber Centre’s My Cyber Portal.
Organizations are also recommended to view the Canadian Centre for Cyber Security's related documents: ITSAP.40.002 Tips for backing up your information, ITSAP.40.004 Developing your IT recovery plan, ITSAP.10.094 Managing and Controlling Administrative Privileges, and ITSAP.30.032 Best Practices for Passwords and Passphrases.