Ransomware protection: the 5 basic security tools every business should have
Posted by: GuidePoint Security
Tristan Morris and Victor Wieczorek, published January 28, 2022 10:00am
Unless you’ve been hiding under a rock (or live in an off-the-grid cabin with no internet access in rural Alaska) you probably already know that 2021 was a whopper of a year for ransomware attacks. Major attacks on US-based organizations that made the news in 2021 include:
- Colonial Pipeline
- JBS Foods
- Kaseya
- Agricultural supply chain cooperatives, Crystal Valley and New Cooperative
- Large US-based financial and insurance corporation
- Several major US media companies
- A slew of school districts, universities, hospitals, health care centers, police departments, and municipalities
And beyond the attacks themselves, the ransomware gangs behind them also dominated headlines with names taken straight from the depths of cyberpunk fanfiction, including BlackMatter, REvil, DarkSide, LockBit, Babuk, Clop, Conti, and Netwalker.
In the last blog we wrote covering this, we didn’t pull any punches about the risks that ransomware poses to every organization, no matter how large or small. We made it clear that it can happen to you, too. But we also ended that blog on a positive note: ransomware is becoming so common and commodified that we’re getting better and better at stopping it as an industry, much like a human immune system that sees the same virus repeatedly, each time with slight variations in its genetic code. Whenever a new one pops up, we know better how to fight it, or even cut it off before it can spread to the whole system.
I could write a book on the various minute complexities that differentiate each ransomware strain and the tactics, techniques, and procedures (TTPs) of the gangs behind them, but a quick search on your engine of choice can tell you the same thing. And the truth is that you don’t need every last detail about each unique form of ransomware in order to build out good defenses.
Instead, what I’d like to focus on is some of the similarities in these attacks and how many of them could’ve been avoided by applying some basic “cybersecurity 101” protection.
According to industry research, and backed up by my experience in attack simulation, the majority of ransomware attacks begin in one of three ways (the 2021 attacks included):
- Stolen credentials/passwords
- Phishing
- Vulnerabilities/exploits
If you want specific examples, consider these: In the Colonial Pipeline attack, the attackers found and weaponized a password for an old VPN account that was no longer in use but was apparently still active. What about the agricultural co-op known as New Cooperative? Security researchers reported that passwords for staff and systems were available in a database of previously stolen credentials, and some of them evidently still worked. In fact, when they searched the database, passwords for New Cooperative came up 653 times, including security nightmares like “chicken1” (which was used at least ten times by New Cooperative staff).
So that covers credential theft and reuse, but what about phishing? As recently as a month ago, the TrickBot botnet was being leveraged to deliver Conti ransomware. It starts with a simple phishing email carrying a tainted attachment that installs TrickBot or BazarBackdoor when it’s opened. TrickBot leads to Cobalt Strike (or any other command-and-control (C2) tooling), and Cobalt Strike leads to Conti, after the operators have crawled the network for lateral movement opportunities and high-value target data, of course.
And finally, let’s not forget the ever-present list of vulnerabilities that seems to grow faster than anyone could hope to keep up with. In late November 2021, industry researchers reported the BlackByte ransomware targeting organizations running Microsoft Exchange servers that were still unpatched against ProxyShell. ProxyShell is a chain of Exchange Server vulnerabilities that yields unauthenticated remote code execution (RCE) on unpatched systems, and from there an attacker is only a few steps away from giving a CISO an absolutely miserable day. Note that this was not a zero-day: patches had been available for months before BlackByte put them to use.
So yes, it can happen to anyone
The perpetrators of ransomware, whether it’s an established gang or a lone wolf, will gladly steal food from a child (which they quite literally do when they attack school districts) if they think there’s a buck to be made. After all, if pulling off a ransomware attack is as easy as firing off a phishing email, or even just hiring a “firm” to do it for you, why do so many victims still seem to get caught with a deer-in-the-headlights look, surprised that their company has been attacked?
What the ransomware story of 2021 tells us, if anything, is that businesses need to quit waiting for government actions and retributions, or a mythical all-in-one tool that halts ransomware in its tracks. Even if someone came out with a one-size-fits-all Ransomware Stopper 5000 tomorrow, not every company would have the budget or staff to turn around and implement it.
We have the tools we need to stop so many of these incidents before they start. We just need to revisit some cybersecurity-101 basics.
The 5 basic security tools every business should have to combat ransomware
Not every company has the budget or staff for an elaborate security infrastructure that includes pentesting, risk assessments, and a security operations center (SOC), and not every business needs to jump to that level of security maturity. But what every business does need is a basic set of tools and processes that minimize the chances that a ransomware attack will succeed.
Email Security
Since Elwood Edwards first uttered the phrase “You’ve got mail!” into a microphone, a reliable email security solution has been a critical piece of any security stack. And sure, there are more technologically advanced solutions out there, but the fact remains that a solid email security tool that inspects attachments and links before they reach the inbox is still one of the best ways to catch the malicious attachment that kicks off a ransomware attack, as the TrickBot-to-Conti chain above shows.
Endpoint Security
You can’t catch everything before it hits your systems, and if the last few decades of cybersecurity have produced a fundamental axiom of the universe, it’s this: If it’s bad and it hits an endpoint, a user will click on it. When that happens, an endpoint detection and response (EDR) solution, with someone actually watching and acting on its alerts, may be the line between “Well… that could have been rough” and “I’d be polishing my résumé if I could access it.”
Access Management & Privileged Access Management
Remember a few paragraphs back when we talked about the attack that involved access to a defunct VPN account? That’s a problem. Removing access when an employee leaves is critical, especially because it’s not unlikely that they’ll reuse familiar passwords at their new job. If their new employer gets hit, LinkedIn has all the info an attacker would need to turn around and test those credentials against your network. An access management process that deprovisions accounts on departure, and periodically audits for accounts that are enabled but idle, makes that stale password worthless; a privileged access management (PAM) solution then puts the administrative credentials an attacker most wants behind vaulting, rotation, and session monitoring. Together they help businesses identify and classify assets, map out user types and access patterns, and manage who can authenticate to what, so incidents involving “weaponized passwords for old VPN accounts” don’t happen.
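The audit described above can be scripted against an account export. The following is an added example, not code from the original post or from GuidePoint: it assumes a constructed record layout, a hypothetical “VPN-Users” group as the thing that grants remote access, a 90-day dormancy threshold, and a small constructed sample of accounts and HR roster. Each of its three checks would have flagged an enabled, unused VPN account with no owner on the payroll.

```python
"""Audit an account export for the 'old VPN account nobody uses' problem.

Added example for this post, not code from the original article or from
GuidePoint. The Account layout, the group name "VPN-Users", the 90-day
dormancy window and the sample records are constructed assumptions; a real
run would load the export from the directory and the roster from HR.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple

REMOTE_ACCESS_GROUPS = {"VPN-Users"}   # assumed group that grants remote access
DORMANT_DAYS = 90                      # assumed policy threshold


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]         # None means the account has never authenticated
    groups: Set[str] = field(default_factory=set)
    mfa_enrolled: bool = False


def audit_accounts(accounts: Iterable[Account], hr_active: Set[str], as_of: date,
                   dormant_days: int = DORMANT_DAYS) -> List[Tuple[str, str]]:
    """Return (account, reason) findings for enabled accounts that should not be able to log in.

    Three checks, each of which catches a stale remote-access account:
      1. enabled but no longer on the active HR roster (leaver never deprovisioned),
      2. remote access that has not been used within dormant_days (or ever),
      3. remote access without MFA enrolment.
    Disabled accounts are skipped: they cannot authenticate, so a stale password is harmless.
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.name not in hr_active:
            findings.append((acct.name, "enabled but not on the active HR roster"))
        if acct.groups & REMOTE_ACCESS_GROUPS:
            if acct.last_logon is None:
                findings.append((acct.name, "remote access granted but never used"))
            elif (as_of - acct.last_logon).days > dormant_days:
                idle = (as_of - acct.last_logon).days
                findings.append((acct.name, f"remote access idle for {idle} days"))
            if not acct.mfa_enrolled:
                findings.append((acct.name, "remote access without MFA"))
    return sorted(findings)


# Constructed sample export; dates are chosen relative to AS_OF below.
AS_OF = date(2022, 1, 28)
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, date(2022, 1, 20), {"Staff", "VPN-Users"}, mfa_enrolled=True),
    Account("rkhan", True, date(2022, 1, 25), {"Staff"}),
    Account("mlee", False, date(2021, 3, 2), {"Staff", "VPN-Users"}),      # properly disabled leaver
    Account("contractor7", True, date(2021, 6, 1), {"VPN-Users"}),         # left in June, still enabled
    Account("svc-legacy-vpn", True, None, {"VPN-Users"}),                  # created, never used
]
SAMPLE_HR_ACTIVE = {"jsmith", "rkhan"}


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR_ACTIVE, AS_OF)


if __name__ == "__main__":
    for name, reason in sample_findings():
        print(f"{name:16} {reason}")
```

On the sample, the two accounts that a leaver process should have disabled (“contractor7” and “svc-legacy-vpn”) each produce three findings, while the properly disabled “mlee” produces none. The roster check is the one that matters most: an idle account with an owner is a cleanup item, an idle account with no owner is an open door.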
Multifactor Authentication & Password Management
Something you know, something you have, and something you are. The Triforce of authentication security. If using stolen usernames and passwords is an attacker’s trip down easy street, MFA implementation is the pop-up spike strip in the road. Of course, you have to balance access and security so you don’t have an angry mob of users chasing you through the office, but a simple one-time code or push notification to a user’s device is usually enough to stop an attacker holding nothing but a pilfered password. One caveat: push approvals can be worn down by repeated prompts, and one-time codes can be relayed through a phishing page in real time, so where the budget allows, prefer number-matching prompts or phishing-resistant hardware (FIDO2) authenticators, starting with remote access and administrative accounts.
But where passwords remain in use, it’s important to have an easy way for your users to create, store, and manage passwords that comply with your policy. Some MFA solutions include those features, or you may choose a separate password manager. Either way, breaking users out of the “cheeseburger1” to “cheeseburger2” cycle is critical, and that means screening new passwords against known-breached lists and trivial variants of the old one, not just counting characters.
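What “screening for trivial variants” looks like in code, as an added example that is not part of the original post or GuidePoint’s tooling: the password is reduced to a root by lowercasing, stripping the leading and trailing digits and symbols users bolt on, and undoing common character substitutions, and that root is compared against a breached list and the user’s previous passwords. The five-entry breached list, the 12-character minimum, and the substitution table are constructed assumptions; a real deployment would look the root up in a full breached-password corpus or a k-anonymity lookup service.

```python
"""Screen a new password against breached lists and trivial variants of the old one.

Added example for this post, not code from the original article or from
GuidePoint. BREACHED_SAMPLE, MIN_LENGTH and LEET are constructed assumptions;
in production the root lookup would run against a full breached-password
corpus (or a k-anonymity lookup service) rather than this five-entry list.
"""
import re
from typing import Iterable, List, Set

MIN_LENGTH = 12   # assumed policy minimum

# Undo the substitutions users reach for when a policy demands a digit or symbol.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to its root so 'cheeseburger1', 'Cheeseburger2' and 'Ch33seburger!' compare equal.

    Order matters: leading/trailing digits and symbols are stripped *before* the
    substitution table is applied, otherwise 'chicken1' would become 'chickeni'.
    """
    root = pw.lower()
    root = re.sub(r"[^a-z]+$", "", root)   # cheeseburger2 -> cheeseburger, Ch1cken!2022 -> ch1cken
    root = re.sub(r"^[^a-z]+", "", root)   # 2022summer -> summer
    return root.translate(LEET)            # ch1cken -> chicken, p@ssw0rd -> password


def build_breached_roots(breached: Iterable[str]) -> Set[str]:
    """Precompute roots of a breached-password list so each lookup is a set membership test."""
    return {normalize(p) for p in breached}


def check_password(candidate: str, previous: Iterable[str], breached_roots: Set[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    reasons: List[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    root = normalize(candidate)
    if root in breached_roots:
        reasons.append("variant of a known breached password")
    if any(normalize(p) == root for p in previous):
        reasons.append("trivial variant of a previous password")
    return reasons


# Constructed stand-in for a breached-credential corpus (a real one has hundreds of millions of entries).
BREACHED_SAMPLE = ["chicken1", "password", "P@ssw0rd", "winter2021", "cheeseburger1"]
BREACHED_ROOTS = build_breached_roots(BREACHED_SAMPLE)

if __name__ == "__main__":
    for pw, history in [("cheeseburger2", ["cheeseburger1"]),
                        ("Ch1cken!2022", []),
                        ("correct horse battery staple", ["cheeseburger1"])]:
        print(f"{pw!r}: {check_password(pw, history, BREACHED_ROOTS) or 'ok'}")
```

With these rules “cheeseburger2” fails twice (its root is both in the breached list and identical to the previous password’s root), “Ch1cken!2022” fails despite satisfying the usual length-and-complexity checkboxes, and a long passphrase with no breached root passes. The normalization is deliberately aggressive: it is better to reject a few unusual passwords than to accept “chicken1” with a different digit on the end.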
Vulnerability Management
The sheer volume of vulnerabilities and zero-days announced almost daily can feel like a nightmare to manage. Ransomware operators will always look for the path of least resistance, and unpatched, internet-facing software is smooth sailing; the ProxyShell case above involved bugs that had been patched months before BlackByte used them. A vulnerability management solution gives you a continuous inventory of what is exposed and what is unpatched, so you can prioritize the fixes that actually shrink the attack surface, starting with anything reachable from the internet and anything being actively exploited, instead of reacting to each headline.
Apply these 5 Basics and Be Prepared
Ransomware may be the current horror waiting to happen, but prevention doesn’t need to involve extravagant security solutions or expensive security architectures. The basic security tools and principles that have been around for decades now still apply today, will apply tomorrow, and will most likely always be a part of our defense strategies.