Prevent and detect ransomware attacks: Technologies and processes to consider


As we shared in a recent blog post on insight and trends in recently observed ransomware attacks, organizations continue to hear about new ransomware incidents in the news and receive information from the authorities about ransomware attacks targeting an increased number of companies across the Nordic countries (and in the rest of the world). Last year’s huge increase in remote working has made employee awareness of phishing attempts and secure ways of working more important than ever.

Aon’s Nordic Cyber team is aware of the rapidly rising threat of ransomware attacks and the resultant risks faced by organizations and businesses today. These ransomware attackers often operate with the discipline and approach of a legitimate business, albeit with criminal intent. The ever-increasing sophistication of ransomware attacks demands innovative and specialist solutions to address this rapidly escalating risk.

Fortunately, there are strategies organizations can adopt to increase cyber security and reduce the risk of falling victim to a ransomware attack.

Organizations must act to protect themselves against these cyber-attacks. In the year ahead, strong defenses and a resilient cyber security posture require proactive technical measures and ransomware-relevant business continuity planning. This goes further than the basic notion of simply having backups.

Each of the steps below aligns closely with how attackers create and consummate their criminal activity. While some are costly, proactively implementing these steps can mitigate the costs of business interruption, reputational damage, incident response and/or a ransomware payment.

  1. Phishing Awareness Training, to educate employees and end-users on how to spot phishing emails and know the red flags to drive down clicks on the malicious emails many ransomware attackers use to gain a foothold in a network.
  2. Disabling Accessibility of Remote Desktop Directly from the Internet, to prevent ransomware attackers from brute-forcing Internet-facing RDP services to gain entry into a network.
  3. Properly Configured URL Filtering and E-mail Attachment Sandboxing, to prevent malware contained in ransomware emails from executing or going unnoticed.
  4. An Advanced Endpoint Detection and Response (“EDR”) Solution, to detect and potentially quarantine ransomware and other advanced malware, and also to facilitate enterprise forensics in the event of an attack.
  5. An Advanced Malware Detection Tool that Inspects Network Traffic, to identify ransomware and other malicious packets or network traffic flowing over the wire.
  6. 16+ Character Service Account and Domain Admin Passwords, to prevent ransomware operators and other hackers from cracking weak admin usernames and passwords. Optimally, these strong passwords should be rotated regularly, using a Privileged Access Management (PAM) tool. Ransomware attackers use these cracked credentials to move laterally and deploy their ransomware.
  7. Lateral Movement Detection Tools. After gaining a foothold, ransomware actors typically move laterally using compromised IT credentials. Detecting that anomalous lateral movement normally enables the attack to be shut down before ransomware is deployed.
  8. A Properly Configured Security Information and Event Management (“SIEM”) Platform that aggregates event, security, firewall and other logs. Trying to respond to and recover from a ransomware attack without a SIEM is very difficult, as visibility through local, non-centralized logs is often poor.
  9. A Continuous Security Monitoring Function, which provides continuous monitoring and threat hunting using collected logs and alerts.
  10. Locking Down Software Deployment and Remote Access Tools (such as SCCM, PDQ, and PsExec) to a small set of privileged accounts with multi-factor authentication where possible. Once they have secured elevated privileges, ransomware attackers typically commandeer SCCM/PDQ/PsExec accounts to push the ransomware executable across the network.
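
As an added illustration of steps 2 and 10 (not part of the original post and not Aon tooling), the sketch below runs two detections over constructed, pre-normalized Windows events: repeated failed RDP logons (event 4625, logon type 10) from one source, and PsExec service installs (event 7045, service `PSEXESVC`) by accounts outside an approved deployment list. The field names, hosts, accounts, thresholds and allowlist are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events; field names are assumptions, not a real SIEM schema.
# 4625 = failed logon (logon_type 10 = RemoteInteractive/RDP); 7045 = service installed.
EVENTS = [
    {"ts": "2021-03-01T02:00:%02d" % s, "id": 4625, "host": "srv01",
     "src": "203.0.113.7", "logon_type": 10, "user": "administrator"}
    for s in range(0, 24, 2)
] + [
    {"ts": "2021-03-01T09:15:00", "id": 4625, "host": "srv01",
     "src": "10.0.0.21", "logon_type": 10, "user": "alice"},
    {"ts": "2021-03-01T03:10:00", "id": 7045, "host": "fs02",
     "service": "PSEXESVC", "user": "CORP\\svc-backup"},
    {"ts": "2021-03-01T11:00:00", "id": 7045, "host": "ws11",
     "service": "PSEXESVC", "user": "CORP\\deploy-admin"},
]

DEPLOY_ALLOWLIST = {"corp\\deploy-admin"}  # hypothetical approved deployment account


def rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return (host, src) pairs with >= threshold failed RDP logons inside window."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            times[(e["host"], e["src"])].append(datetime.fromisoformat(e["ts"]))
    hits = set()
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return sorted(hits)


def unapproved_psexec(events, allowlist=DEPLOY_ALLOWLIST):
    """Return (host, user) for PSEXESVC installs by accounts outside the allowlist."""
    return sorted((e["host"], e["user"]) for e in events
                  if e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC"
                  and e["user"].lower() not in allowlist)
```

On the constructed data, the single failed logon by `alice` stays below the threshold, while the burst from `203.0.113.7` and the `PSEXESVC` install by `svc-backup` are both reported.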

Consider These 10 Critical Steps To Prevent And Detect Ransomware Threats


A ransomware attack can threaten an entity’s reputation and goodwill, and the risk of ransomware can never be fully mitigated. Accordingly, in practicing ransomware preparedness, organizations should consider obtaining appropriate cyber insurance coverage. In doing so, organizations should review how coverage addresses indemnification for financial loss, business interruption, fees and expenses associated with the ransom and incident response, as well as considerations for service providers, such as the ability to work with incident response providers of choice.

For further information and consultation, please contact the Aon Nordic cyber team:

Aon Norway
+ 47 67 11 22 00
frederik.fossum@aon.no

Aon Sweden 
+ 46 8 697 40 00
amine.menaa@aon.se

Aon Finland
+358 20 12 66 200
christa.heinonen@aon.fi

Aon Denmark
+45 32 69 70 00
soren.stryger@aon.dk

About Cyber Solutions: Aon’s Cyber Solutions offers holistic cyber security, risk and insurance management, investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

This is for information purposes only. Professional advice should always be sought regarding specific risk issues. 
