Lessons learned from pre-incident Ransomware situations
„We have an up-to-date Antivirus solution implemented. That means we are protected against Ransomware attacks.“
An Antivirus solution is an important security control: it can detect known malicious files and documents as they arrive on the endpoint. It can, however, be circumvented. Attackers routinely exploit the limitations of signature- and heuristic-based scanning by obfuscating, packing or re-encoding their files so that the scanner no longer recognises them as malicious. Each new way of concealing an attack is followed by a delay before the Antivirus vendor ships a detection for it, and that delay is the attacker's window of opportunity.
Another often overlooked risk is that these scanners only look for malicious content; they do not watch what is actually happening on the machine. An attacker who has gained sufficiently high privileges can simply switch the scanner off before dropping the payload. For this reason, behaviour-based endpoint monitoring (EDR) should complement the scanner. It observes the entire endpoint for suspicious activity rather than individual files: if a user account starts executing unexpected commands or high-risk programs, for example disabling real-time protection or deleting volume shadow copies, the monitoring system can block the action and raise an alert on the potential breach. One caveat is that such tooling runs on the same endpoint as the attacker, so its own tamper protection and the forwarding of telemetry off the host matter as much as the rules themselves.
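To make the difference between content scanning and behaviour monitoring concrete, here is a small rule engine, added as an example and not taken from the article, that runs over constructed process-creation events in a Sysmon-like `timestamp|user|parent|image|command line` format (the format and the sample events are assumptions for this illustration). None of the rules look at a file hash; they flag what the process does, such as an Office document spawning a script host, the real-time scanner being switched off, or shadow copies being deleted, which are the steps an intruder typically takes shortly before encryption.

```python
"""Behaviour-based detection over process-creation events (added example).

The sample events are constructed for this illustration; the log format is
an assumption modelled on Sysmon event ID 1 fields, not a product's format.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    rule: str
    severity: str
    cmdline: str


# Command-line rules: the behaviour is the indicator, not the binary's hash.
# Case-insensitive because Windows tooling does not care about case, and
# attackers vary it on purpose.
CMDLINE_RULES = [
    ("av-tamper", "high",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("av-tamper", "high",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\S*(defend|sense)", re.I)),
    ("shadow-copy-deletion", "critical",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow-copy-deletion", "critical",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery-disabled", "high",
     re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("encoded-powershell", "medium",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I)),
]

# Parent/child rule: an Office application should not launch a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Constructed sample: one user opens a macro document, the macro launches an
# encoded PowerShell stage, which turns off Defender's real-time scanning and
# then removes the machine's recovery options. The last line is benign noise.
SAMPLE_EVENTS = """\
2024-03-01T09:12:03|alice|explorer.exe|WINWORD.EXE|"WINWORD.EXE" /n Q1_invoice.docm
2024-03-01T09:12:09|alice|WINWORD.EXE|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAA=
2024-03-01T09:12:15|alice|powershell.exe|powershell.exe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2024-03-01T09:13:40|alice|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-03-01T09:13:41|alice|cmd.exe|bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
2024-03-01T09:30:00|bob|explorer.exe|notepad.exe|notepad.exe notes.txt
"""


def detect(log_text):
    """Return one Finding per rule that fires on each event, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # The command line may itself contain '|', so split at most 4 times.
        ts, user, parent, image, cmdline = line.split("|", 4)
        if parent.lower() in OFFICE_APPS and image.lower() in SCRIPT_HOSTS:
            findings.append(Finding(ts, user, "office-spawns-script-host", "high", cmdline))
        for name, severity, pattern in CMDLINE_RULES:
            if pattern.search(cmdline):
                findings.append(Finding(ts, user, name, severity, cmdline))
    return findings


def highest_severity(findings):
    """Worst severity seen, or None when nothing fired."""
    if not findings:
        return None
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts} {f.user:<6} {f.severity:<8} {f.rule:<28} {f.cmdline}")
    print("worst:", highest_severity(detect(SAMPLE_EVENTS)))
```

The rules above are deliberately simple string patterns, and an attacker who knows them can rename or re-encode the commands (the encoded PowerShell stage in the sample is exactly that kind of evasion). Real products therefore combine many weak signals with process ancestry and timing, and the lesson of the section still applies: the monitoring itself is a target, so its events must leave the host before the attacker gets to them.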
„We have implemented Multi-Factor Authentication (MFA). So, we have a strong protection mechanism against Ransomware attacks.“
„We have (automatic) Software Update Procedures which means we are protected against vulnerabilities that may lead to a Ransomware attack.“
Vulnerabilities in software that allow an attacker to gain access to a corporate network without any authentication are a serious threat and often the initial step of a successful Ransomware attack. For example, an ‘authentication bypass vulnerability’ in an internet-facing VPN endpoint lets the attacker in without ever being challenged by the MFA solution behind it. Naturally, the timely implementation of patches is very important. It is not, however, the full story.
Internal patch processes for mitigating vulnerabilities need to be in place and should also cover the situation where a serious vulnerability is made public but no vendor patch is yet available. Take for instance the “Citrix Vulnerability” of December 2019 (CVE-2019-19781 in Citrix ADC and Gateway): the vendor published a configuration workaround within days, but the actual fixes only followed in January 2020, and the vulnerability was exploited numerous times in between. A company’s internal monitoring and manual mitigation processes are extremely important in situations like this and must not rely solely on the official patch.
Lessons learned from post-incident Ransomware situations
„We have a Backup solution. Hence, we are protected against the consequences of Ransomware attacks.“
A good Backup strategy that is tested on a regular basis is an essential component of every disaster recovery plan and therefore also important for a Ransomware incident. It only helps, however, if the attacker has no way to encrypt the Backup or to plant further malicious content into it. To reduce that risk, the Backup and storage systems should be hardened, kept separate from the corporate network and administered with credentials that are not shared with the corporate domain, and at least one copy should be kept offline or on immutable storage. There is evidence that Ransomware groups actively search for a company’s Backups before starting the encryption, since locking them too improves their negotiating position.
Backups can also be compromised when an attacker plants an additional malicious file, a so-called ‘Time Bomb’, into the Backup, which is then executed after the initial recovery. For this reason, a thorough post-recovery investigation is highly recommended, or alternatively a verification that the Backups have not been altered in any way, for example by comparing the restored files against a file-hash manifest that was written at backup time and kept out of the attacker's reach.
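One way to perform that verification, added here as an example rather than taken from the article or any backup product, is to write a manifest of SHA-256 file hashes when the backup is taken, authenticate the manifest with an HMAC under a key that never lives on the backup host, and diff a restored copy against it before the systems go back into production. The directory layout, file names and the planted `etc/rc.local` script in the demo are constructed for the illustration; the three outcomes it reports (files added, modified or missing, plus a forged manifest) are the ones a ‘Time Bomb’ in a backup would produce.

```python
"""Keyed backup manifest: detect files added, changed or removed after the
backup was written (added example; sample tree is constructed).
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files):
    # Stable serialisation so the HMAC is reproducible regardless of dict order.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key):
    """Hash every file under root and sign the listing with HMAC-SHA256."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): _hash_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "hmac": hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()}


def verify_backup(root, manifest, key):
    """Compare the tree under root with the manifest.

    If the manifest's HMAC does not verify, the manifest itself was edited
    (an attacker covering a planted file) and the per-file result is moot.
    """
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest_tampered": True, "added": [], "modified": [], "missing": []}
    current = build_manifest(root, key)["files"]
    listed = manifest["files"]
    return {
        "manifest_tampered": False,
        "added": sorted(set(current) - set(listed)),
        "modified": sorted(p for p in listed if p in current and current[p] != listed[p]),
        "missing": sorted(set(listed) - set(current)),
    }


def demo():
    """Constructed scenario: a clean backup, then tampering with the stored copy."""
    key = os.urandom(32)  # in practice kept offline, never on the backup host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "data.db").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Attacker with write access to the backup share plants a start-up
        # script (the 'Time Bomb'), edits a config and deletes a database file.
        (root / "etc" / "rc.local").write_text("#!/bin/sh\n/tmp/.cache/agent &\n")
        (root / "etc" / "app.conf").write_text("listen=443\nadmin_token=changeme\n")
        (root / "data.db").unlink()
        drift = verify_backup(root, manifest, key)

        # The attacker also rewrites the manifest to list the planted file.
        # Without the key the HMAC no longer matches, so the cover-up is visible.
        forged_files = dict(manifest["files"])
        forged_files["etc/rc.local"] = _hash_file(root / "etc" / "rc.local")
        forged = {"files": forged_files, "hmac": manifest["hmac"]}
        forged_result = verify_backup(root, forged, key)
    return {"clean": clean, "drift": drift, "forged": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result))
```

Two design points matter here. The manifest is authenticated, not merely stored, because an attacker who can alter the backup can usually alter a plain hash list next to it; and the comparison uses `hmac.compare_digest` so the check does not leak timing information. If the key itself could be present on a compromised host, a detached signature with an offline private key serves the same purpose.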
„We have a Disaster Recovery Plan. So, we are prepared for a Ransomware attack.“
„Paying the ransom will get our data back.“
Paying the ransom may restore access to the encrypted data, but it does not solve the underlying problem. There are many uncertainties involved in paying. For example, there is no guarantee that a victim will receive a fully functioning decryption key after paying the attackers.
In addition, the time taken to decrypt such large amounts of data with the attackers' tooling could keep a business offline for days or even weeks. Worse still, even after all data has been successfully decrypted and data and system synchronisation corrected, the same attackers may be able to launch another attack through unresolved vulnerabilities or back doors they left open in the systems.
These examples highlight that there is no 100% security in digital life, and that even a company’s conscientious action plan can fall prey to a single vulnerability or an overlooked risk. Because every individual control can fail, a risk-based and multi-layered information security architecture is a necessity.
Munich Re’s Cyber division has made significant investments in traditional insurance expertise in underwriting, accumulation and claims management, as well as in dedicated cyber experts with deep technical cyber security knowledge.
With this market-leading expertise we guarantee the best cyber (insurance) solutions, which may be individually tailored for our clients. These solutions range from the development of up-to-date wordings and best-in-class cyber risk assessment and pricing to accumulation modelling. In addition, we also provide access to our top-rated cybersecurity service provider network. By doing this we contribute to a sustainable and growing cyber insurance market, which is essential for a digital future resilient to the ever-changing cyber risks and threats. Get in contact with us to find out more about our holistic approach to tackling cyber risks for each client segment and industry.