On May 11, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory (Advisory) that encourages critical infrastructure (CI) asset owners and operators (e.g., companies in the communications, energy, defense, and transportation sectors, among others) to “adopt a heightened state of awareness” in light of the recent DarkSide ransomware attack on a U.S. pipeline operator. The Advisory recommends a number of actions that CI entities should consider implementing to prevent and mitigate the effects of ransomware attacks. The Advisory comes days after the ransomware attack led to the shutdown of the operations of a U.S. pipeline operator.
This OnPoint summarizes the mitigation recommendations from CISA and the FBI and provides practical tips for businesses to prepare for and defend against ransomware attacks.
Preventing an Attack: The Advisory includes several recommendations for businesses to mitigate the risk of ransomware attacks. These include: requiring multi-factor authentication (MFA) for remote access to company networks; enabling strong spam filters to block phishing emails; conducting user training on phishing attacks; regularly updating software and conducting security patches; filtering network traffic to block known malicious IP addresses; limiting access to resources over networks, including by restricting and/or securing remote access functionalities; using antivirus and antimalware programs to regularly scan IT network assets; and implementing unauthorized execution prevention though steps such as disabling macro scripts from files transmitted via email, implementing application allow listing, monitoring/blocking inbound connections from anonymization services, and deploying signatures to detect and/or block inbound connection from post exploitation tools such as Cobalt Strike servers.1
Reducing Impact of an Attack: The Advisory also contains mitigation recommendations for CI entities to reduce the risk of severe disruptions in the event of successful ransomware attacks. These recommendations include: implementing and ensuring robust network segmentation between IT and operational technology (OT) networks; organizing OT assets into logical zones; identifying OT and IT network inter-dependencies and developing workarounds or manual controls; regularly testing manual controls; implementing regular data backup procedures; and ensuring user and process accounts have limited access rights.
During an Attack: Finally, the Advisory also recommends that, in the event of a ransomware attack, businesses should isolate affected systems, turn off other computers and devices, and secure backups.
The Advisory also states that CISA and the FBI “do not encourage paying a ransom to criminals,” noting that “paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities.” The decision as to whether to pay a ransom demand is fact- and circumstances-specific and must account for legal considerations, such as whether the threat actor is on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned-entity list.
With the migration to a work from home environment last year, cyberattacks of every kind increased exponentially in 2020 and into 2021, but the headline for 2020 was ransom attacks. Ransom attacks were up 150% in 2020. 2021 has only seen an increase in this activity, with high-profile ransom attacks against critical infrastructure, private companies and municipalities grabbing headlines. The amount of ransom demanded in these attacks also has increased dramatically in 2021, with demands reaching into the tens of millions of dollars. In addition to increasing sophistication and frequency, the methods used by threat actors have changed as well. Along with encrypting company systems with ransomware, threat actors also are gaining access to servers and exfiltrating sensitive and confidential company files—sometimes as much as a terabyte of information—and then contacting the company with an extortion demand, i.e., a cryptocurrency payment to keep the data private.
In addition to the technical recommendations from the Advisory, there are a number of steps that companies should consider taking now to reduce the risk that a ransom attack occurs, and that if it does, the company has reduced the risk of damage. These include:
1) The Advisory notes that the DarkSide threat actors were observed using CobaltStrike.