Unfortunately the recent uptick in ransomware attacks on cities, counties, and school districts is nothing new. Previous municipal ransomware attacks include Atlanta in March 2018, Baltimore in May and two cities in Florida in June. Security threats to organizations of all types and sizes are now constant, pervasive, and dangerous to varying degrees.

In the attacks on municipalities, we’re seeing variations of the TrickBot/Ryuk one-two punch, most likely delivered through a series of fairly advanced malspam campaigns.

This is your wake up call

Security is a team sport and we always advocate for a layered approach. While an NGIPS can’t prevent the initial execution of ransomware, it can absolutely help in detecting its presence and potentially mitigating the damage.

An NGIPS that operationalizes crucial threat intelligence data is an even more proactive method of threat prevention and acts as an early notification system for communication with Command and Control (C2) servers. In some cases, the NGIPS will block ransomware communications based on either threat intelligence related to the C2 servers or detection of malicious traffic on the wire.

That said, although disrupting ransomware C2 communications can give you just enough time to locate the compromised machine and clean up things on your network, there are several other things you should do before it becomes a problem. They are …

Backups

A comprehensive backup strategy is an absolute must! We recommend an approach that keeps short, medium, and long-term backups separate from each other to mitigate the damage an infected workstation can have on your backups themselves. Don’t forget to test your backup/restore process regularly.

User Education

Ransomware primarily spreads through phishing and drive-by downloads and usually requires some form of user interaction. Don’t forget — your users are your first line of defense, so equip and train them accordingly. Unsolicited email attachments should not be opened, and files requesting unusual things like opening other files or running macros should be a giant, waving red flag. While most people emphasize security awareness training, we also think you should actively test the effectiveness of your training and phishing simulation services.

Technical Migrations

Insight into your endpoints is a critical part of a clean and well-maintained network. We highly recommend some form of endpoint control as well as disabling potentially dangerous features via group policy management including Office macros, Windows script host, and PowerShell execution.

Sound familiar? This is a fresh take on a blog originally posted on 04/26/2017.