Month: May 2021

Ransomware Mitigations to Protect Your Business

It has been a particularly bad year for ransomware attacks on businesses. Many of the attacked businesses have been unprepared for a ransomware attack and did not implement sufficient ransomware mitigations. Had proactive steps been taken, many of the attacks could have been prevented.

Recently, the DarkSide ransomware operation attacked a critical infrastructure firm and brought fuel delivery to the Eastern Seaboard in the United States to a halt. The fuel pipelines that delivered 45% of the fuel required by the U.S. East Coast were shut down for 5 days due to the attack. Better preparation and more extensive ransomware mitigations could have prevented the attack or at least hastened recovery. The company could also have avoided the $5 million ransom payment and major losses from disruption to operations.

The DarkSide ransomware gang had also attacked the second largest chemical distribution firm in the United States earlier in May, again causing major disruption to operations. In that case, a ransom of around $4.4 million was paid to the gang for the keys to unlock files and to prevent the release of sensitive business data stolen in the attack. The ransom payment was negotiated down from $7.5 million, and as part of that negotiation and payment process, the attacker provided details about how network access was gained. The attacker had purchased stolen credentials from another threat actor. The DarkSide ransomware affiliate also provided some useful advice: improve your antivirus software and implement multi-factor authentication. These are two important ransomware mitigations that could well have stopped the attack dead.

These are just two examples of recent attacks by one ransomware gang. There are currently more than 17 ransomware gangs that steal data prior to encrypting files, and many more that simply encrypt files and demand a ransom for the keys to unlock the encryption. The threat from ransomware also continues to grow. The Verizon 2021 Data Breach Investigations Report shows ransomware attacks increased by 6% in 2020 and accounted for 10% of all data breaches.

Ransomware gangs, and the affiliates that conduct attacks on their behalf, use a range of methods to get the network access they need. Vulnerabilities in software and operating systems are exploited, and attacks are conducted on Remote Desktop Protocol (RDP) and remote access solutions such as VPNs. Phishing is commonly used to steal credentials that provide access to accounts, malware such as remote access Trojans is used to gain access to networks, and several other tactics are used as well. Consequently, there is no single cybersecurity measure that can block these attacks. Multiple ransomware mitigations are required to block each of the attack vectors.

Ransomware Mitigations to Prevent Attacks and Ensure a Fast Recovery

There are several ransomware mitigations that can be implemented to reduce the risk of ransomware attacks and limit the severity of an attack should a network be compromised.

Implement a robust spam filter – A robust spam filter will block phishing attacks and malware delivered via email. Phishing is one of the most common methods of gaining access to networks.

Implement multi-factor authentication – Stolen credentials, including those obtained in phishing attacks, allow ransomware actors to access networks. Multi-factor authentication is an effective measure for preventing stolen credentials from being used.

Conduct end user security awareness training – Ensure employees know how to identify phishing emails, are taught cybersecurity best practices, and are discouraged from risky behavior.

Filter network traffic with a web filter – Implement a web filter to block access to malicious websites and prevent communications with known malicious IP addresses.

Purchase top-grade AV software – Implement an advanced anti-virus solution, ensure it is set to update automatically, and conduct regular scans of all IT assets for malware.

Patch promptly and update software – Prompt patching is important to prevent the exploitation of vulnerabilities. Prioritize patching to address the most critical vulnerabilities first. Most vulnerabilities exploited in attacks are months old, yet patches were not applied. Also ensure software and operating systems are updated regularly.

Restrict access to network resources – Apply the principle of least privilege and severely limit administrative access and the ability to install and execute programs.

Restrict or block Remote Desktop Protocol (RDP) – Assess whether RDP is required and block it if possible. If it is needed, ensure the originating sources that may connect are restricted and implement multi-factor authentication.

Disable macro scripts in Office files – Disable Office macros on all computers unless there is a business need for allowing them. Open Office files sent via email using Office Viewer software rather than the full Office application.

Use application allowlisting – Only permit the execution of programs that your security policy explicitly allows. Block the execution of programs from locations commonly used by ransomware, such as temporary folders and the LocalAppData folder.
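As an added illustration of what an allowlisting rule set has to get right (this is example code written for this page, not TitanHQ's or any allowlisting product's implementation), the following Python evaluates a constructed path policy: execution is permitted only from approved system directories, the temporary folders and LocalAppData named above are denied, and everything else is denied by default. The directory lists are assumptions for the example. The point it demonstrates is that the path must be canonicalised before matching, and that deny rules must run before allow rules, because C:\Windows\Temp sits inside the otherwise approved C:\Windows tree.

```python
import ntpath
from typing import Callable, List, Tuple

# Constructed policy for illustration; the root lists are assumptions, not a
# vendor's defaults. Paths are matched component-wise after normalisation, so a
# directory called "C:\Program FilesX" does not match the "C:\Program Files" rule.
Parts = Tuple[str, ...]
Rule = Tuple[str, Callable[[Parts], bool]]


def normalize(path: str) -> Parts:
    """Canonicalise a Windows path before matching: collapse '.' and '..',
    unify separators and letter case, then split into components."""
    canon = ntpath.normcase(ntpath.normpath(path))
    drive, rest = ntpath.splitdrive(canon)
    return (drive,) + tuple(p for p in rest.split("\\") if p)


def _under(parts: Parts, prefix: Parts) -> bool:
    return parts[: len(prefix)] == prefix


def _user_profile_subdir(parts: Parts, *sub: str) -> bool:
    """True for C:\\Users\\<any user>\\<sub...>\\..."""
    return (len(parts) >= 3 + len(sub)
            and parts[:2] == ("c:", "users")
            and parts[3:3 + len(sub)] == sub)


# Deny rules are evaluated first: C:\Windows\Temp sits inside the otherwise
# approved C:\Windows tree, so ordering decides the outcome.
DENY_RULES: List[Rule] = [
    ("Windows temp folder", lambda p: _under(p, ("c:", "windows", "temp"))),
    ("LocalAppData (includes Local\\Temp)", lambda p: _user_profile_subdir(p, "appdata", "local")),
    ("Roaming AppData", lambda p: _user_profile_subdir(p, "appdata", "roaming")),
]
ALLOW_RULES: List[Rule] = [
    ("Program Files", lambda p: _under(p, ("c:", "program files"))),
    ("Program Files (x86)", lambda p: _under(p, ("c:", "program files (x86)"))),
    ("Windows", lambda p: _under(p, ("c:", "windows"))),
]


def evaluate(path: str) -> Tuple[str, str]:
    """Return ('allow' | 'deny', matched rule name) for an executable path."""
    parts = normalize(path)
    for name, matches in DENY_RULES:
        if matches(parts):
            return "deny", name
    for name, matches in ALLOW_RULES:
        if matches(parts):
            return "allow", name
    return "deny", "default deny (not an approved location)"


if __name__ == "__main__":
    for sample in [
        r"C:\Program Files\Vendor\app.exe",
        r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
        "C:/Users/bob/AppData/Local/../Local/Temp/invoice.exe",  # traversal and forward slashes
        r"C:\WINDOWS\Temp\update.exe",
        r"D:\downloads\setup.exe",
    ]:
        print(f"{sample:60} -> {evaluate(sample)}")
```

The third sample path reaches the same file as the second by way of forward slashes and a `..` segment; without the `normalize` step a string-prefix rule would let it through. Real allowlisting products add publisher and hash conditions on top of path rules, which this example leaves out.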

Implement a strong backup policy – Ensure backups of critical data are regularly created and tested to ensure file recovery is possible. Store a copy of the backup in a secure offline location.
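The "regularly created and tested" part of the backup advice is where recoveries usually fail, so here is an added Python example (written for this page, not TitanHQ's code) of what testing a backup means in practice: a manifest of SHA-256 hashes is recorded when the copy is made, the copy is verified against it, the live data is then damaged the way an encryptor would damage it (contents overwritten, files renamed), and the restore is verified against the same manifest. The file names and contents are constructed, and everything runs in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed demonstration: a "live" tree is backed up, verified, damaged the
# way an encryptor would damage it, and restored. Names and contents are made up.


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, destination: Path) -> Dict[str, str]:
    """Copy the tree and return the manifest of what was copied. The manifest
    is the reference later verifications compare against, so keep it with the
    offline copy rather than only on the live system."""
    shutil.copytree(source, destination)
    return build_manifest(destination)


def verify(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return the relative paths that are missing or whose content changed."""
    current = build_manifest(root)
    return sorted(p for p, digest in manifest.items() if current.get(p) != digest)


def restore(backup: Path, target: Path, manifest: Dict[str, str]) -> List[str]:
    """Replace target with the backup copy and re-verify; [] means a clean restore."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup, target)
    return verify(target, manifest)


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2021-05-01,100\n")
        (live / "readme.txt").write_text("critical data\n")

        manifest = create_backup(live, backup)
        backup_ok = verify(backup, manifest)  # the "test the backup" step: expect []

        # Simulate the encryptor: contents overwritten, files renamed.
        for victim in (live / "finance" / "ledger.csv", live / "readme.txt"):
            victim.write_bytes(b"\x00encrypted\x00")
            victim.rename(victim.with_name(victim.name + ".locked"))
        damaged = verify(live, manifest)  # both original files reported

        after_restore = restore(backup, live, manifest)  # expect []
        return {"backup_ok": backup_ok, "damaged": damaged, "after_restore": after_restore}


if __name__ == "__main__":
    print(demo())
```

The same `verify` call is what should be run periodically against the offline copy: a backup that a ransomware actor could reach and encrypt along with the live data will fail it, which is exactly the condition the offline copy exists to prevent.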

Implement network segmentation – In the event of an attack, it is important that the attackers cannot access all systems and networks. Use network segmentation to limit the harm that can be caused.

Block inbound connections from Cobalt Strike servers – Also block the use of other post-exploitation tools as far as is possible.

Block inbound connections from anonymization services – Block access from Tor and other anonymization services to IP addresses and ports where external connections are not expected or necessary.
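The two blocking recommendations above only help if you can see which inbound connections the firewall is still accepting. The following added Python example (written for this page, not TitanHQ's code) reviews a handful of constructed firewall log lines in a made-up key=value format against a constructed source blocklist (standing in for Tor exit node and post-exploitation server feeds) and a constructed list of addresses and ports where inbound connections are actually expected. Addresses are RFC 5737 documentation ranges; the log format, feed labels and expected-service list are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed firewall log lines in a made-up key=value format (RFC 5737 test
# addresses; not a real vendor's log format).
LOG_LINES = [
    "2021-05-12T03:14:07Z fw01 action=accept dir=inbound proto=tcp src=198.51.100.23 dst=203.0.113.10 dport=443",
    "2021-05-12T03:14:09Z fw01 action=accept dir=inbound proto=tcp src=192.0.2.77 dst=203.0.113.10 dport=3389",
    "2021-05-12T03:15:02Z fw01 action=accept dir=inbound proto=tcp src=198.51.100.9 dst=203.0.113.10 dport=443",
    "2021-05-12T03:15:30Z fw01 action=drop dir=inbound proto=tcp src=198.51.100.23 dst=203.0.113.10 dport=22",
    "2021-05-12T03:16:11Z fw01 action=accept dir=outbound proto=tcp src=203.0.113.10 dst=198.51.100.50 dport=443",
    "2021-05-12T03:17:45Z fw01 action=accept dir=inbound proto=tcp src=198.51.100.40 dst=203.0.113.11 dport=445",
]

# Constructed blocklist standing in for feeds of Tor exit nodes and known
# post-exploitation infrastructure; the addresses and labels are made up.
SOURCE_BLOCKLIST: Dict[str, str] = {
    "198.51.100.23": "tor-exit",
    "192.0.2.77": "post-exploitation-server",
}

# Where inbound connections are legitimately expected (constructed).
EXPECTED_INBOUND: Set[Tuple[str, int]] = {
    ("203.0.113.10", 443),  # public web server
    ("203.0.113.10", 25),   # mail gateway
}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Split '<timestamp> <firewall> key=value ...' into a dict."""
    timestamp, firewall, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields.update(ts=timestamp, fw=firewall)
    return fields


def review(lines: List[str], blocklist: Dict[str, str],
           expected: Set[Tuple[str, int]]) -> List[Dict[str, str]]:
    """Flag accepted inbound connections that the policy says should not exist."""
    alerts = []
    for line in lines:
        event = parse(line)
        if event.get("dir") != "inbound" or event.get("action") != "accept":
            continue  # outbound traffic and already-dropped packets are out of scope here
        reasons = []
        if event["src"] in blocklist:
            reasons.append(f"source on blocklist ({blocklist[event['src']]})")
        if (event["dst"], int(event["dport"])) not in expected:
            reasons.append(f"no service expected on {event['dst']}:{event['dport']}")
        if reasons:
            alerts.append({"ts": event["ts"], "src": event["src"], "dst": event["dst"],
                           "dport": event["dport"], "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in review(LOG_LINES, SOURCE_BLOCKLIST, EXPECTED_INBOUND):
        print(alert)
```

Run over the sample lines it produces three alerts: a blocklisted source reaching the web server (allowed port, wrong source), a blocklisted source accepted on RDP (wrong source and an unexpected service), and an unknown source accepted on port 445 of a host that should receive no inbound connections at all. Each alert is also a candidate for a new deny rule, which is how the "block inbound connections" advice gets turned into firewall configuration.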

New WebTitan Cloud Release Includes Support for Azure Active Directory and Filtering for Chromebooks

A new version of WebTitan Cloud has been released – WebTitan Cloud 4.16 – that includes support for Azure Active Directory and introduces a new school web filtering solution – WebTitan OTG (on-the-go) for Chromebooks.

The new version of WebTitan Cloud includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory in addition to the existing on-premises Active Directory integration. Further directory services will be added to meet customer needs and ensure customers can enjoy the benefits of per-user filtering with exceptional ease of management. Further information on the Azure AD app is available here.

Existing WebTitan customers need do nothing to get the latest WebTitan Cloud release as the solution will be updated automatically.

WebTitan OTG for Chromebooks

Using WebTitan OTG for Chromebooks provides an effective way to apply filtering policies to your Chromebooks from the cloud.

WebTitan OTG for Chromebooks is a new web filtering solution for the education sector that allows schools to carefully control the websites that can be accessed by students both in the classroom and offsite, including in students’ homes.

Schools can easily devise filtering policies for all pupils or for specific age groups and apply those filtering policies in the cloud. The solution allows schools to enforce the use of Safe Search and prevent access to age-inappropriate web content to keep students safe.

WebTitan OTG for Chromebooks delivers fast and effective user- and device-level web filtering and empowers students to discover the Internet in a safe and secure fashion, while also ensuring compliance with federal and state laws such as the U.S. Children’s Internet Protection Act (CIPA).

The solution is cost effective for schools to implement, setup and management are quick and easy, and administrators can schedule or run usage reports on demand and have full visibility into Chromebook users’ online activities and locations. It is also possible to lock down Chromebooks to prevent students from circumventing the web filtering controls.

As with all WebTitan Cloud solutions, there is no need for any on-premises hardware, no proxies or VPNs are required, and there is no impact on Internet speed, as filtering takes place at the DNS level before any content is downloaded.
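To make concrete what "filtering at the DNS level" and per-group Safe Search enforcement mean, here is an added Python example of the decision a filtering resolver makes before any content is fetched. It is written for this page and is not WebTitan's implementation; the category data, group names, blocked-category sets and block-page address are constructed. The Safe Search part uses the hostnames Google and Bing publish for forcing safe results (forcesafesearch.google.com and strict.bing.com); answering the search engine's query with a CNAME to those hosts is the standard DNS-level enforcement technique.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed category data: in a real deployment this comes from a
# categorisation database, and the domains below are made-up .test names.
CATEGORIES: Dict[str, str] = {
    "example-gambling.test": "gambling",
    "example-social.test": "social",
    "dropper.example-social.test": "malware",   # a more specific entry overrides its parent
    "malware-drop.test": "malware",
}

# Constructed per-group policies: the categories each group may not reach.
BLOCKED_BY_GROUP: Dict[str, Set[str]] = {
    "primary": {"adult", "gambling", "social", "malware"},
    "secondary": {"adult", "gambling", "malware"},
    "staff": {"malware"},
}
DEFAULT_BLOCKED = BLOCKED_BY_GROUP["primary"]   # unknown groups get the strictest policy
SAFE_SEARCH_GROUPS = {"primary", "secondary"}

# Search engines publish hostnames that force safe results; answering the
# query with a CNAME to them is how DNS-level Safe Search enforcement works.
SAFE_SEARCH_CNAME = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
}
SINKHOLE_IP = "203.0.113.250"   # constructed address of the block page


def category_of(qname: str) -> Optional[str]:
    """Most specific matching suffix wins, so subdomains inherit the parent's
    category unless they have an entry of their own."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None


def resolve_policy(group: str, qname: str) -> Tuple[str, Optional[str]]:
    """Decide what the filtering resolver answers before any content is fetched:
    ('A', sinkhole) to block, ('CNAME', host) to force Safe Search, or
    ('FORWARD', None) to hand the query to the upstream resolver unchanged."""
    name = qname.rstrip(".").lower()
    category = category_of(name)
    if category in BLOCKED_BY_GROUP.get(group, DEFAULT_BLOCKED):
        return "A", SINKHOLE_IP
    if group in SAFE_SEARCH_GROUPS and name in SAFE_SEARCH_CNAME:
        return "CNAME", SAFE_SEARCH_CNAME[name]
    return "FORWARD", None


if __name__ == "__main__":
    for group, qname in [("primary", "cdn.example-gambling.test."),
                         ("staff", "example-social.test"),
                         ("secondary", "www.google.com"),
                         ("visitor", "example-social.test")]:
        print(f"{group:10} {qname:32} -> {resolve_policy(group, qname)}")
```

Two details matter for a school deployment: the suffix walk means a newly registered subdomain of a blocked site is blocked without a database update, and an unrecognised group falls through to the strictest policy rather than to no policy, so a device that fails to identify its user is not left unfiltered.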

“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”