How to Stop Ransomware: Flagship Security Framework @ Work

Ransomware is a malicious cyberattack designed to block access to a computer system or data storage until a ransom is paid to the cybercriminals. The Flagship Security Framework [insert link] can stop an attack before the criminal gains a foothold in your infrastructure. The scenario described below is modeled on attacks that Flagship either thwarted or helped the client recover from afterwards.

Here is a typical scenario for how a ransomware attack is initiated and executed.

  1. The attacker starts by sending a malicious email to an employee.
  2. The employee opens the email and clicks the link or attachment, which could be a Microsoft Office document or other file that launches a reverse shell (i.e., a connection opened from the compromised machine back to the attacker’s system).
  3. The attacker gains control of the employee’s machine.
  4. The attacker uses custom scripts and built-in tools to move laterally across the network to gain access to as many other machines and servers as possible.
  5. Once satisfied with their newly gained footprint, they exfiltrate confidential information (e.g., financial data or personal information) and use this data as leverage in the ransom demand.
  6. They proceed to encrypt the compromised systems and demand a payment for the decryption key.
  7. The company must either pay the ransom or engage an IT services company, such as Flagship Networks, to restore the data and regain control of its systems after the attack.

The Flagship Security Framework can stop this chain of events from the moment the email enters the network.

The following shows how the Flagship Security Framework can stop the ransomware attack at each stage.
  • At the beginning, E-Mail Protection software can stop malicious emails from even getting to an employee’s mailbox.
  • Employees can also be protected by providing Security Awareness Training. With proper training, they are more likely to recognize an unexpected attachment and know better than to open it.
  • If the employee’s machine is not known to the IT staff (so-called Shadow IT), it can be identified by a Network Asset Discovery solution. IT then knows to install Anti-Virus software to detect and stop the malicious code from running.
  • IT can also detect the attacker’s traffic on the network with a Security Information and Event Management (SIEM) system that collects logs from every system. A SIEM can detect the abnormal behavior of an attacker moving laterally, and can even stop it without any IT staff interaction. Attacks are often carried out during off hours to give the attackers more time to do harm while most of the IT staff are not working. Proper alerting and escalation chains can play a major part in stopping an attack.
  • In the data exfiltration phase, an Incident Response Plan can stop the exfiltration of data. The plan can require that all affected systems be disconnected from the network as soon as the attack is detected. Having a policy and procedure to follow when an event such as this takes place can be instrumental in minimizing the effects.
  • In the data encryption phase, it is essential that all systems are backed up and that those backups are properly protected. That way, affected workstations and servers can be restored with minimal data loss.
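As an added illustration of the SIEM stage above (example code written for this page, not part of the Flagship Security Framework or any product), the script below applies the kind of rule a SIEM would run over normalized logon events: it flags a source host and account that reach many distinct machines within a short window, and marks whether the activity began during off hours so the alert can be escalated accordingly. The log format, host names, accounts, and thresholds are constructed for the example.

```python
"""Toy SIEM-style lateral-movement rule over constructed logon events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of normalized logon events (hypothetical hosts/accounts):
# timestamp|source host|destination host|account
SAMPLE_LOG = """\
2020-05-12T09:02:10|WS-101|FS-01|jdoe
2020-05-12T09:15:44|WS-101|PRINT-01|jdoe
2020-05-12T23:40:05|WS-117|FS-01|svc_backup
2020-05-12T23:40:09|WS-117|FS-02|svc_backup
2020-05-12T23:40:15|WS-117|DC-01|svc_backup
2020-05-12T23:40:22|WS-117|HR-DB|svc_backup
2020-05-12T23:41:02|WS-117|WS-118|svc_backup"""

def parse_log(text):
    """Yield (timestamp, source, destination, account) tuples from the log text."""
    for line in text.splitlines():
        ts, src, dst, acct = line.strip().split("|")
        yield datetime.fromisoformat(ts), src, dst, acct

def is_off_hours(ts, start_hour=7, end_hour=19):
    """Off hours: a weekend, or outside the assumed 07:00-19:00 business day."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def detect_lateral_movement(log_text, window_seconds=300, threshold=4):
    """Return one alert per (source host, account) that reached at least
    `threshold` distinct destination hosts within `window_seconds`."""
    by_actor = defaultdict(list)
    for ts, src, dst, acct in parse_log(log_text):
        by_actor[(src, acct)].append((ts, dst))
    alerts = []
    for (src, acct), hits in by_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = [d for t, d in hits[i:] if (t - t0).total_seconds() <= window_seconds]
            targets = sorted(set(in_window))
            if len(targets) >= threshold:
                alerts.append({"source": src, "account": acct, "first_seen": t0,
                               "targets": targets, "off_hours": is_off_hours(t0)})
                break  # one alert per actor is enough for escalation
    return alerts

if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_LOG):
        print(alert)
```

In the sample, the normal daytime user touches two hosts and stays silent, while the service account fanning out to five hosts late at night produces a single off-hours alert.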

To find out more about how our complementary assessments enable us to detect risks and determine whether mitigation efforts are warranted, fill out the form below.

© 2020 Flagship Networks, Inc. All rights reserved.