A False Sense of Security: Common myths in Ransomware mitigation

There has been a large amount of attention, both in the insurance industry and in wider society, on the increasing frequency and severity of Ransomware attacks experienced by companies around the world. Because we have been dealing with cyber risks since the turn of the century, and thanks to the resulting expertise and continued investment, we can identify "innovations" in Ransomware attacks, derive lessons learned and develop effective risk mitigation steps to reduce exposure.

04.09.2020

In the case of highly complex companies, a considerable underwriting effort is required to understand precisely an insured's ability to prevent, detect and, in a worst-case scenario, recover from Ransomware or other types of attack. We must strive to ask the right questions in order to understand how effectively high-level controls are actually implemented: a thorough exposure assessment cannot be made by evaluating yes/no answers to simple questions about high-level controls. With that in mind, let's examine how some technical protection approaches can still leave hidden perils.

Lessons learned from pre-incident Ransomware situations

A deep understanding of security risks and controls is key to supporting the sustainable growth of the Cyber insurance market. Below are some common statements which do not always provide the effective mitigation they appear to.

We have an up-to-date Antivirus solution implemented. That means we are protected against Ransomware attacks.

While an Antivirus solution is an important security control that can detect malicious files and documents downloaded to the endpoint, it can be circumvented. Limitations in Antivirus scanning techniques are routinely exploited by attackers, who obfuscate or repack their files so that the scanner does not recognise them as malicious. Each time an attack is concealed in a new way there is a delay before the Antivirus signatures or heuristics are updated to detect it, giving attackers a window of opportunity.

Another often overlooked risk is that these scanners only look for malicious content; they do not watch what the system is actually doing. An attacker who has gained high enough privileges can simply disable the scanner before deploying the Ransomware. For this reason, Antivirus should be complemented by behaviour-based endpoint monitoring (often sold as EDR) that watches the entire endpoint for suspicious activity rather than for known-bad files. For example, if a user account starts executing unexpected commands, tampering with security tooling or running abnormal high-risk programs, the monitoring system can block these actions and draw attention to the potential breach.
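The following is an added illustration of what "behaviour-based" means in practice; it is example code written for this article, not Munich Re's or any vendor's product logic. The event format, host names and user names are constructed, and the rule set is an assumption: the command lines it looks for mirror widely documented Ransomware tradecraft (switching off real-time protection, deleting volume shadow copies, stopping backup services, disabling the recovery environment) rather than any specific incident. Note that none of the rules inspect a file hash or signature, which is exactly why repacking the malware does not help the attacker here.

```python
"""Behaviour-based detection over endpoint process-creation events.

Added illustration for this article, not Munich Re code or any vendor's
product logic. Event format, hosts, users and the rule set are assumptions
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str    # image name of the parent process
    image: str     # image name of the newly created process
    cmdline: str   # full command line


# Rules fire on what the process does, not on a file signature.
RULES = [
    ("av_realtime_disabled", "high",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("shadow_copy_deletion", "critical",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_service_stopped", "high",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(backup|veeam|sql)\S*", re.I)),
    ("recovery_env_disabled", "high",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]

# Document readers have no business spawning command shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}


def evaluate(event: ProcEvent) -> List[Tuple[str, str]]:
    """Return (rule_name, severity) for every rule that fires on one event."""
    hits = [(name, sev) for name, sev, rx in RULES if rx.search(event.cmdline)]
    if event.parent.lower() in OFFICE_APPS and event.image.lower() in SHELLS:
        hits.append(("office_spawned_shell", "medium"))
    return hits


def triage(events: List[ProcEvent]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group hits per host as (rule, severity, user). Several distinct rules
    firing on one host in a short window is the strongest signal."""
    per_host: Dict[str, List[Tuple[str, str, str]]] = {}
    for ev in events:
        for name, sev in evaluate(ev):
            per_host.setdefault(ev.host, []).append((name, sev, ev.user))
    return per_host


def hosts_to_isolate(per_host: Dict[str, List[Tuple[str, str, str]]],
                     min_rules: int = 2) -> List[str]:
    """Hosts with at least one critical hit or `min_rules` distinct rules."""
    out = []
    for host, hits in per_host.items():
        distinct = {rule for rule, _, _ in hits}
        if any(sev == "critical" for _, sev, _ in hits) or len(distinct) >= min_rules:
            out.append(host)
    return sorted(out)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("WS-042", "jdoe", "winword.exe", "powershell.exe",
              'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent("WS-042", "jdoe", "cmd.exe", "vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("SRV-FILE01", "svc_backup", "services.exe", "backup-agent.exe",
              "backup-agent.exe --nightly"),            # benign scheduled job
    ProcEvent("SRV-FILE01", "jdoe", "cmd.exe", "net.exe",
              "net stop VeeamBackupSvc"),
    ProcEvent("WS-017", "asmith", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for host, hits in report.items():
        print(host, hits)
    print("isolate:", hosts_to_isolate(report))
```

On the constructed events, WS-042 trips three distinct rules (an Office document spawning PowerShell, real-time protection being switched off, shadow copies being deleted) and is flagged for isolation, while the legitimate backup agent on SRV-FILE01 produces no hit at all. A real deployment would of course draw its events from the endpoint agent rather than a list, and tune the thresholds to its own environment.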

We have implemented Multi-Factor Authentication (MFA). So, we have a strong protection mechanism against Ransomware attacks.

The use of Two-factor or Multi-factor authentication provides a higher level of security than username and password alone and is highly recommended, since it makes it much harder for attackers to use stolen credentials. However, to be fully effective, it needs to be enforced on every relevant access path: VPN and remote access gateways, remotely reachable e-mail and administrative consoles, and privileged accounts inside the network. It may seem obvious, but companies with complex IT landscapes that are supported by diverse IT teams, often with differing standards and security guidelines, can find it a challenge to achieve uniform implementation of MFA on all systems. A single externally reachable system that was forgotten, or a legacy protocol on which MFA cannot be enforced, is enough: with one compromised entry point an attacker has the potential to gain access to the entire network.

We have (automatic) Software Update Procedures which means we are protected against vulnerabilities that may lead to a Ransomware attack.

Vulnerabilities in software that allow an attacker to gain access to a corporate network without any authentication are a serious threat and are often the initial step of a successful Ransomware attack. For example, an 'authentication bypass vulnerability' in a VPN gateway lets an attacker in without ever being challenged by the MFA solution in front of it. Naturally, the timely implementation of patches is very important. It is not, however, the full story.

Internal patch processes for mitigating vulnerabilities need to be in place and should also cover situations where a serious vulnerability is made public but a patch from the vendor is not yet available. Take for instance the Citrix ADC/Gateway vulnerability of December 2019 (CVE-2019-19781): it was exploited numerous times after it was reported but before patches were available, and in the meantime only the vendor's interim workaround stood between exposed appliances and the attackers. A company's internal monitoring and manual mitigation processes (applying vendor workarounds, restricting or temporarily disconnecting the affected service, watching for exploitation attempts) are extremely important in situations like this and should not rely solely on the official patch.

Lessons learned from post-incident Ransomware situations

We have a Backup solution. Hence, we are protected against the consequences of Ransomware attacks.

A good Backup strategy that is tested on a regular basis is an essential component of every disaster recovery plan and therefore also important for a Ransomware incident. However, it remains crucial that an attacker has no possibility to encrypt or delete the Backup, or to plant further malicious triggers into it. To reduce this risk, the Backup and storage systems should be hardened, should use credentials that are not shared with the corporate domain, and should keep at least one copy offline or in immutable storage, separate from the corporate network. There is evidence that Ransomware groups actively search for a company's Backups before starting encryption, since locking or deleting them improves their negotiating position.

Backups can also be compromised when an attacker plants an additional malicious file, a so-called 'Time Bomb', into the Backup, which is then executed after the restore. For this reason, a thorough post-recovery investigation is highly recommended or, better, a verification that the restored Backup contains exactly the files that were backed up and nothing more: the integrity of each file, and of the file list itself, has to be checked against a record that the attacker could not have altered.
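One way to perform that verification is an integrity manifest taken at backup time: a list of every file with its SHA-256, authenticated with an HMAC whose key is kept away from the backup host. The code below is an added example written for this article, not Munich Re's or any backup product's code; the directory layout, file names and the "planted" file are constructed for the demonstration, and the handling of the key (passed in as bytes) is an assumption. An attacker who can write to the backup store but does not hold the key cannot produce a valid manifest that covers a modified or planted file, so both the 'Time Bomb' and any altered file show up at verification time.

```python
"""Integrity manifest for a backup set: detect files altered or planted
after the backup was taken.

Added illustration for this article, not Munich Re code. Directory layout,
file contents and key handling are assumptions constructed for the example.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Dict[str, str]]:
    """Relative path -> SHA-256 for every regular file under root."""
    files = {p.relative_to(root).as_posix(): _sha256(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files}


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def verify_backup(root: Path, signed: bytes, key: bytes) -> Dict[str, object]:
    """Check the manifest's HMAC, then diff the store against the manifest."""
    doc = json.loads(signed)
    expected = hmac.new(key, _canonical(doc["manifest"]), hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, doc["hmac"])
    recorded = doc["manifest"]["files"]
    current = build_manifest(root)["files"]
    return {
        "authentic": authentic,   # False => manifest itself was tampered with or re-signed
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "added": sorted(p for p in current if p not in recorded),       # planted files
        "missing": sorted(p for p in recorded if p not in current),     # deleted files
    }


def demo() -> Dict[str, object]:
    """Constructed scenario: take a backup, let an attacker tamper with the
    store, then verify. Returns the verification report."""
    key = os.urandom(32)  # assumption: in practice kept offline, never on the backup host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);\n")
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        signed = sign_manifest(build_manifest(root), key)

        # Attacker with write access to the store: alter one file, plant one.
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\nrun=restore-hook.ps1\n")
        (root / "restore-hook.ps1").write_bytes(b"# constructed 'time bomb' placeholder\n")
        report = verify_backup(root, signed, key)

        # Attacker also tries to replace the manifest with one covering the
        # tampered store, but has to sign it with a key of their own.
        forged = sign_manifest(build_manifest(root), b"attacker-chosen-key")
        report["forged_manifest_authentic"] = verify_backup(root, forged, key)["authentic"]
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be written to a second location the attacker cannot reach (together with the Backup's offline copy), since a manifest that only lives next to the Backup can simply be deleted; a missing or unauthentic manifest is then itself the finding, and the restore must not be trusted until the cause is understood.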

We have a Disaster Recovery Plan. So, we are prepared for a Ransomware attack.

Of course, every company should have implemented its own Disaster Recovery Plan. Yet it is of utmost importance to test it on a regular basis and as realistically as possible. This ensures the relevant parties understand their roles and surfaces unforeseen issues, such as which areas of the business to restore first. It also should not be a purely technical drill. For example, involving a PR department (or provider) in the simulation can reduce the negative fallout of an attack and promote a speedier recovery. Early involvement of insurance partners or external responders can also be a smart move, as they can provide insights from other incidents.

Paying the ransom will get our data back.

The payment of a ransom demand may restore access to encrypted data, but it does not resolve the underlying problem. There are many uncertainties involved when paying a ransom. For example, there is no guarantee that a victim will receive a 'fully functioning' key after paying the attackers.

In addition, decrypting such large amounts of data takes time and could keep a business offline for days or even weeks, not least because the decryptors supplied by attackers are often slow and unreliable. What's worse, even after all data has been successfully decrypted and systems brought back into a consistent state, the same attackers may be able to launch another attack due to unresolved vulnerabilities or back doors left in the system.

Conclusion

These examples highlight that there is no 100% security in digital life, and that even a company's conscientious action plan can fall prey to a vulnerability or an overlooked risk. The fallibility of individual controls means that the implementation of a risk-based and multi-layered information security architecture is a necessity.

Munich Re’s Cyber division has made significant investments in traditional insurance expertise in underwriting, accumulation and claims management, as well as in dedicated cyber experts with deep technical cyber security knowledge.

With this market-leading expertise we provide cyber (insurance) solutions that can be individually tailored for our clients. These range from the development of up-to-date wordings, best-in-class cyber risk assessment and pricing, to accumulation modelling. In addition, we provide access to our top-rated cybersecurity service provider network. By doing this we contribute to a sustainable and growing cyber insurance market, which is essential for a digital future resilient to ever-changing cyber risks and threats. Get in contact with us to find out more about our holistic approach to tackling cyber risks for each client segment and branch.
