By Aamir Lakhani, Senior Security Strategist for Fortinet’s FortiGuard Labs
As the world of technology continues to evolve, so do the types of ransomware attacks that can impact organizations. For most businesses, data is their most valuable asset, and without ransomware protection, employees can put themselves and their organization at risk of losing critical information. Having a ransomware protection strategy that incorporates cyber hygiene best practices should be a priority for businesses and their employees. We’re joined by Aamir Lakhani, Global Security Strategist and Researcher at FortiGuard Labs, to discuss the different types of ransomware attacks as well as ransomware best practices to protect you and your business from an attack.
Can you tell us briefly about your role at FortiGuard Labs?
Aamir: My responsibilities as Senior Security Strategist at Fortinet’s FortiGuard Labs include researching the latest attack techniques and ensuring that we can defend against not only specific attacks using those techniques, but also any new attacks that may use the same logic. To do my job effectively, I need to understand networking, reverse engineering, digital forensics and incident response. Additionally, I need to understand the risks and business objectives of our clients. Security should enable organizations to work more efficiently, without hampering their existing business objectives. As a Principal Researcher at FortiGuard Labs, I work with clients to evaluate the best options for delivering IT security solutions to large companies and government organizations based on their unique needs. I have over 22 years of experience in the cybersecurity industry.
What are the different types of ransomware attacks?
Aamir: There are certainly a variety of different ransomware strains, but they can be broken down into five main types of ransomware attack:
- Crypto Ransomware or Encryptors: Probably one of the best known variants, this malware encrypts various files and data within a system, making infected content inaccessible without a decryption key. This may also include lockers.
- Lockers: Similar to encryptors, but they completely lock the user out of their system. Typically the lock screen will display the ransom and demands, and in severe cases will include a countdown timer to pressure victims into paying.
- Scareware: Fake software that claims to have detected a virus or similar problem with your system and asks the user to pay to fix the problem. Some variants will block the user from accessing other system features, while others will flood the screen with pop-up alerts without causing harm.
- Doxware/Leakware: As the name suggests, leakware threatens to spread sensitive information or corporate files online and pressures the user to pay a fee to prevent the data from entering the public domain.
- Ransomware as a Service (RaaS): Malware executed and managed by a professional hacker. The service is privately paid for and all aspects of the attack, from distributing the malware to collecting payment and restoring access, are performed by hired professionals.
Who should be most concerned about a ransomware attack? Are they mainly businesses or individuals?
Aamir: Ransomware is becoming increasingly sophisticated and destructive. As a cybersecurity researcher, ransomware, to most people’s surprise, isn’t always the most exciting attack to watch. Attacks targeting artificial intelligence brains, industrial control systems, and automobiles are high-tech attacks. However, ransomware has an immediate and visible impact on all sectors and often on individuals. If a business is attacked by ransomware and cannot recover, the business may be at risk. This has real-world consequences, such as people unable to work or support their families.
Who should be called first after learning of a ransomware attack? The local police? The FBI? A cybersecurity expert?
Aamir: The first step is to inform your cybersecurity management team, whether it is the CIO or the security manager of an internal security operations center (SOC) team or platform that an individual uses for their personal computer. Depending on the severity and nature of the attack, the security professional will be able to guide you from there on the next steps. The top priority should be to bring the attack to the attention of a qualified security expert so that the problem can be resolved as quickly as possible.
Individual organizations may have their own legal or internal reporting requirements that must be followed, but it is important to remember that a cyberattack is an attack and can be as deadly as a physical attack. You must minimize your exposure and understand the problem before reacting.
What are the most common mistakes you’ve seen businesses make that leave them vulnerable to ransomware attacks?
Aamir: One of the most common mistakes companies make is not having complete coverage of all aspects of a system. With the prevalence of remote work and email being one of the most common vectors for ransomware, organizations need to ensure that there are no details in the system that hackers could exploit. For example, lack of integration can mean too many point products and poor visibility. It can also mean less effective cybersecurity overall. Maintaining proper security measures puts a business in the best possible position to protect against ransomware. Consolidation and integration are essential to maintain visibility, but also mitigation and remediation, for example.
“Maintaining appropriate security measures puts a business in the best possible position to protect against ransomware. Integration and consolidation into a cybersecurity platform is important.”
What would you recommend to CISOs to help limit the frequency and severity of these attacks?
Aamir: First and foremost, equip all systems with the latest cybersecurity defense and detection solutions. Advanced endpoint detection and response (EDR) is a great example because it can detect and mitigate ever-changing threats. This is highly relevant given the reality that WFA organizations face today. Additionally, ensuring that employees are properly trained on threat trends is paramount to prevention, as network employees will then be able to avoid suspicious activity and report it correctly. In many cases, keeping systems up-to-date and patched, limiting administrator access, and running common security defensive tools properly configured are good starting points. Training users to find cybercriminals and raising awareness can exponentially increase your defensive posture to mitigate attacks. These basic tasks are commonly referred to as good cyber hygiene. The Fortinet Training Institute is a good example of how training can make a difference.
What are ransomware best practices to protect yourself or your business from an attack and why?
Equipping all aspects of the network, from databases to Bluetooth devices, with the latest security measures is key to preventing ransomware. Deflecting attacks entirely or detecting them as soon as there is a breach is the best thing a company can do to protect its assets. You need to think about the endpoint and down to the Linux kernel. You should also think about maximizing AI/ML technologies to detect anomalies etc. Segmentation along with services such as a digital risk protection service can help proactively find vulnerable issues to fix.
Train network members in good security practices
Training employees on security best practices and the proper reporting procedure is essential for the transition to remote working and will ensure that security teams are informed immediately in the event of a potential threat.
Report early to prevent malware from lingering
Notify your service provider and security team as soon as a threat begins to appear. Allowing malware to live in a system will give it the ability to spread to other network entities and compound the damage that can be done.
Gather as much information as possible about the potential threat
When a threat emerges, gather as much information about the source and nature of the attack to patch the system for future prevention. Learning how the ransomware gained access to the network will expose vulnerabilities hackers may have exploited. Reporting the details to law enforcement will also help track down threat actors to prevent repeat attacks.
Learn more about FortiGuard Labs, Fortinet’s AI-based global threat research and intelligence organization, and its portfolio of security services. Register to receive our threat research blogs.