As the world of technology continues to evolve, so have the types of ransomware attacks that can impact organizations. For most businesses, data is their most valuable asset, and without protections against ransomware in place, employees can put themselves and their organization at risk of losing critical information. Having a ransomware protection strategy that incorporates cyber-hygiene best practices should be top of mind for businesses and their employees. We’re joined by Aamir Lakhani, Global Security Strategist and Researcher at FortiGuard Labs, to discuss the different types of ransomware attacks along with some ransomware best practices to protect yourself and your business from an attack.
Aamir: My responsibilities as a senior security strategist at Fortinet’s FortiGuard Labs include hunting for the latest attack techniques and making sure we can defend against not only specific attacks using those techniques but any new attacks that may be using the same logic.
To do my job effectively, I need to understand networking, reverse engineering, digital forensics, and incident response. Moreover, I need to understand our customers' business risks and goals. Security should enable organizations to work more efficiently, not impede their existing business goals.
As a FortiGuard Labs senior researcher, I work with customers to assess the best options for providing IT security solutions to major enterprises and government organizations based on their unique needs. I have over 22 years of experience in the cybersecurity industry.
Aamir: There are certainly a variety of different ransomware strains, but they can be broken down into five primary types of ransomware attack:
Aamir: Ransomware is getting more sophisticated and more destructive. As a cybersecurity researcher, I find that ransomware, to most people’s surprise, is not always the most exciting attack to look at. Attacks targeting artificial intelligence brains, industrial control systems, and automobiles are cutting-edge attacks. However, ransomware has an immediate and visible impact across all industries and, many times, on individuals. If a business is attacked by ransomware and cannot recover, it is possible that the business may be at risk. This has real-world consequences, such as people not being able to work or provide for their families.
Cyber-attacks are indiscriminate in who they target. Private individuals, businesses, and anyone with an internet connection are at risk. While certain types of ransomware may be better suited to specific targets, all individuals need to make sure systems on their network are sufficiently covered.
Aamir: The first step should be notifying your cybersecurity management team, whether that is the CIO or security manager for an internal security operations center (SOC) team or the platform that an individual uses for their personal computer. Depending on the severity and nature of the attack, the security professional will be able to guide you from there on next steps. The top priority should be bringing the attack to the attention of a trained security expert so that the issue can be resolved as quickly as possible.
Individual organizations may have their own legal or internal notification requirements that must be followed, but it's important to remember a cyberattack is an attack and can be as deadly as a physical attack. You need to minimize your exposure and understand the problem before reacting.
Aamir: One of the most common mistakes made by companies is not having complete coverage of all aspects of a system. With the prevalence of remote work, and with email being one of the most common vectors for ransomware, organizations must ensure there are no loose ends in the system for hackers to exploit. For example, a lack of integration can mean too many point products and poor visibility. It can also mean less effective cybersecurity overall. Maintaining proper security measures puts an enterprise in the best position possible for protecting against ransomware. Consolidation and integration are key not only to maintaining visibility but also to mitigation and remediation.
Aamir: First and foremost, equip all systems with the latest in cybersecurity defense and detection solutions. Advanced endpoint detection and response (EDR) technology is a great example because it can detect and mitigate evolving threats. This is very relevant given the WFA reality organizations face today. In addition, ensuring employees are properly trained on threat trends is paramount for prevention, as employees within the network will then be apt to avoid suspicious activity and report it properly. In many cases, keeping systems updated and patched, limiting administrator access, and running common security defensive tools configured correctly are good starting points. Training users to be on the lookout for cybercriminals and raising awareness can exponentially increase your defensive posture to mitigate attacks. These basic tasks are commonly referred to as good cyber hygiene. The Fortinet Training Institute is a good example of how training can make a difference.
Equipping all aspects of the network, from databases to Bluetooth devices, with the latest security measures is essential for preventing ransomware. Deflecting attacks entirely, or detecting them as soon as there is a breach, is the best thing a business can do to protect its assets. You need to think about everything from the endpoint all the way to the Linux kernel. You also need to be thinking about maximizing AI/ML technologies to detect abnormalities, etc. Segmentation, and also services such as a digital risk protection service, can help proactively find vulnerable issues to address.
Educating employees on best security practices and proper reporting procedure is key for the shift to telework and will allow security teams to be informed immediately when there is a potential threat.
Notify your service provider and security team as soon as a threat begins to emerge. Allowing malware to live within a system will give it the opportunity to spread to other entities within the network and further the damage that can be done.
When a threat emerges, gather as much information as possible on the source and nature of the attack so the system can be patched for future prevention. Learning how the ransomware was able to access the network will expose the holes hackers were able to exploit. Reporting details to law enforcement will also aid in tracking down threat actors to prevent repeat attacks.