With the Travelex ransomware situation in the news, it is important for all information security folks to review ransomware mitigation strategies and be sure that plans are in-place should the worst happen.
Firstly, there is not, and is unlikely to be any further detail on the Travelex situation. Any speculation as to what and how it happened is unhelpful and unnecessary. I have no doubt that Travelex will currently be unpicking their situation, and have all appropriate resources in place to remediate their problems.
For the purposes of this blog, we are going to look at fundamental mitigation techniques for ransomware attacks.
- Employee Training. Most ransomware arrives as an email attachment or through other end-user messaging services. Generally, your staff are the first line of defence. Security awareness training for end-users will help mitigate the risk of this attack vector.
- Anti-Malware. The wonderful game of whack-a-mole which is anti-malware software is a key component of the onion-skin of security to mitigate all kinds of malware including ransomware. Where the staff fail and an end-user clicks a ransomware attachment, the anti-malware could well pick that up and prevent execution. As always, engines and signatures must be maintained up-to-date.
- Patching & Vulnerability Management. Most ransomware exploits common vulnerabilities in operating systems and application software. Ensuring all systems have critical security patches applied greatly reduces the ability of ransomware to infect your systems. As always, trust but verify. Make use of vulnerability assessments to ensure that critical security patches are correctly applied across your estate.
- Network Segmentation. In the event that ransomware does exploit your environment, network segmentation can limit how far it can spread. In the spirit of trust-but-verify, test the segmentation mechanisms regularly to ensure they are appropriate for your business needs.
- Incident Response. Have a plan should the worst occur. If you are unfortunate enough to be infected by ransomware, what are you going to do? The first stage is to understand the scope of the problem, and then contain it. This initial triage function is critical to limit the spread of the infection. Once the ransomware is contained, only then can you look to remediation and root-cause analysis. Ideally, you should have an experienced partner on retainer who can help with the initial triage, make recommendations on the remediation activities and provide an independent assessment of the root cause.
These fundamental recommendations are based upon what we have seen in the past and how our clients have successfully mitigated and recovered from ransomware attacks. They are simple controls which should already be in-place, however the general issue within organisations is about coverage. Most system components have anti-malware software, are well patched and critical systems are reasonably well segmented. This tends not to apply to ALL system components. Any areas without coverage are susceptible to ransomware attack, and once there is a toe-hold within the environment, the likelihood that the attack will spread increases enormously.
As with all forms of malware, you can never fully mitigate the risk, however with a few simple controls, the risk of infection and the cost of remediation can be minimised.