Ransomware is destructive by design: it encrypts the files people need for their everyday job functions, many of which also contain sensitive data. Cybercriminals typically get their first foothold through internet-facing weaknesses, such as exposed or poorly secured Remote Desktop Protocol (RDP) services, or through an employee clicking a malicious link or opening a phishing email. They then spend time inside the network collecting data, and drop the ransomware on their way out. Finally, they demand payment to, allegedly, return everything to normal.
Unfortunately, the encryption is usually just the tip of the iceberg. Since attackers can stay undetected for, on average, between 40 and 200 days, an organization risks both a total shutdown of its systems and a full-scale data breach. The following preventive measures target that initial access and the early stages of the intrusion:
1. Require multi-factor authentication for remote access to OT and IT networks; yes, phishing-resistant MFA such as FIDO2 goes a long way here.
2. Enable strong spam filters to keep phishing emails from reaching users, and block emails that carry executable attachments;
3. Implement a user training program and simulated attacks for phishing to discourage employees from visiting malicious websites or clicking on malicious attachments, as well as reinforce the appropriate user responses to phishing emails;
4. Filter network traffic to prevent ingress and egress communications with malicious IP addresses by implementing URL blocklists and/or allow lists;
5. Update software, including operating systems, applications, and firmware on IT network assets. Consider using a centralized patch management system using a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program;
6. Limit access to resources over networks, particularly by restricting RDP. After assessing the risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication;
7. Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware;
8. Implement unauthorized execution prevention (for example, application allowlisting and disabling macros in Office files received by email).
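Measure 2 above says to keep executable attachments out of users' mailboxes. The following Python script is an added example, not code from the original post; it shows why a gateway filter must look at the content and not only the declared file name: a PE file renamed to `.pdf`, a script inside a ZIP, and a Word document that carries a `vbaProject.bin` macro stream are all caught. The message and attachments it scans are constructed sample data.

```python
"""Flag e-mail attachments that are, or hide, executable content.

Added example for this page (not from the original post). A mail filter that
only checks extensions is bypassed by renaming invoice.exe to invoice.pdf or
zipping it; this checks the declared name, the magic bytes and one level of
archive contents.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly or hand to a script host.
EXEC_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
    ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".jar", ".lnk",
}
# Office formats whose name already announces macro support.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".xlam"}
MAX_ARCHIVE_DEPTH = 2


def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(name, data, depth=0):
    """Return the list of reasons to block this attachment (empty means clean)."""
    reasons = []
    ext = _ext(name)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"{name}: executable extension {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"{name}: macro-enabled Office extension {ext}")
    # A PE file starts with 'MZ' no matter what the file name claims.
    if data[:2] == b"MZ":
        reasons.append(f"{name}: PE executable content (MZ header)")
    # ZIP containers (plain archives and OOXML Office files): look inside.
    if data[:4] == b"PK\x03\x04" and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.filename.lower().endswith("vbaproject.bin"):
                        reasons.append(f"{name}: Office document carries VBA macros ({info.filename})")
                        continue
                    if info.flag_bits & 0x1:  # password-protected member: cannot be inspected
                        reasons.append(f"{name}: encrypted archive member {info.filename}")
                        continue
                    reasons.extend(inspect_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: malformed archive, refuse rather than guess")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message and inspect every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings.extend(inspect_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample_message():
    """Constructed phishing-style message with three attachments (sample data)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    # 1. A PE stub renamed to look like a PDF.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # 2. A ZIP wrapping a JScript loader.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/run.js", "WScript.Echo('stub');")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    # 3. A harmless text attachment that must pass.
    msg.add_attachment("terms and conditions", filename="terms.txt")
    return msg.as_bytes()


def build_macro_doc_sample():
    """Constructed .docx-named OOXML container that hides a VBA project (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK:", finding)
    for finding in inspect_attachment("report.docx", build_macro_doc_sample()):
        print("BLOCK:", finding)
```

The filter errs toward blocking: an archive it cannot open or a password-protected member is reported instead of being waved through, because "we could not inspect it" is exactly the gap phishing campaigns exploit.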
Should your IT/OT organization fall victim to a ransomware attack in the future (and yes, it is only a matter of time), the following mitigations limit how far the damage spreads:
- Implement and ensure robust network segmentation between IT and OT networks to limit the attackers from pivoting to the OT network even if the IT network is compromised, by defining a demilitarized zone that eliminates unregulated communication between the IT and OT networks;
- Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity.
- Identify OT and IT network interdependencies and develop workarounds or manual controls so that ICS networks can be isolated if the safe and reliable operation of OT processes is compromised;
- Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline;
- Implement regular data backup procedures on both the IT and OT networks, keep copies offline where the attacker cannot reach them, and test restores regularly;
- Ensure user and process accounts are limited through account use policies, user account control, and privileged account management.
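The first mitigation in the list above, a DMZ that eliminates unregulated communication between IT and OT, is easy to state and easy to erode as rules accumulate. The script below is an added example, not code from the original post: it lints a constructed firewall rule set against a three-zone model (IT, DMZ, OT, with the assumed address ranges given in the code) and reports every allow rule that bypasses the DMZ, lets OT reach external networks, or is too broad to belong to a single zone.

```python
"""Lint firewall rules against an IT / DMZ / OT zoning policy.

Added example for this page (not from the original post). The zone address
ranges and the rule set are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone addressing (illustrative).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR of the source
    dst: str     # CIDR of the destination
    dport: int   # destination port, 0 means "any"
    action: str  # "allow" or "deny"


def zone_of(cidr):
    """Map a CIDR to one zone, EXTERNAL (outside all zones) or MIXED (spans zones)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    if any(net.overlaps(zone_net) for zone_net in ZONES.values()):
        return "MIXED"
    return "EXTERNAL"


def check_rule(rule):
    """Return why an allow rule violates the zoning policy, or None if it complies."""
    if rule.action != "allow":
        return None
    src, dst = zone_of(rule.src), zone_of(rule.dst)
    if "MIXED" in (src, dst):
        return "address range spans zone boundaries; narrow it to one zone"
    if {src, dst} == {"IT", "OT"}:
        return "direct IT<->OT path; traffic must terminate in the DMZ"
    if "OT" in (src, dst) and "EXTERNAL" in (src, dst):
        return "OT must not communicate with external networks"
    if dst == "OT" and rule.dport == 0:
        return "any-port allow into OT; pin it to the protocol actually needed"
    return None


def lint(rules):
    """Return one finding line per non-compliant rule."""
    findings = []
    for rule in rules:
        why = check_rule(rule)
        if why:
            port = rule.dport or "any"
            findings.append(f"{rule.src} -> {rule.dst}:{port} {rule.action}: {why}")
    return findings


# Constructed rule set: the first two are how it should look, the rest are the
# kind of exceptions that creep in over time.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "10.20.0.0/24", 443, "allow"),    # IT -> DMZ historian web UI
    Rule("10.20.0.10/32", "10.30.1.0/24", 4840, "allow"),  # DMZ -> OT, OPC UA only
    Rule("10.10.5.0/24", "10.30.1.20/32", 3389, "allow"),  # IT -> OT RDP, bypasses DMZ
    Rule("0.0.0.0/0", "10.30.1.0/24", 502, "allow"),       # "anyone" -> OT Modbus
    Rule("10.30.0.0/16", "0.0.0.0/0", 0, "allow"),         # OT -> anywhere
    Rule("10.20.0.0/24", "10.30.0.0/16", 0, "allow"),      # DMZ -> OT, any port
    Rule("10.10.0.0/16", "10.30.0.0/16", 0, "deny"),       # the catch-all that should come last
]

if __name__ == "__main__":
    for line in lint(SAMPLE_RULES):
        print("VIOLATION:", line)
```

Run it whenever the rule base changes; a clean run means every IT-to-OT path still terminates in the DMZ and nothing in OT can reach the internet, which is the property that stops a compromised IT network from becoming a compromised plant.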
The rich can pay a ransom for their lives, but the poor won't even get threatened... Anyway, it is up to you to decide whether you want to be protected or not. If you are wondering how to implement such preventive measures, get in touch with cybersecurity experts.