CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

The Aftermath of a Ransomware Attack: How to Recover and Better Prepare

The recent Kaseya VSA ransomware attack compromised approximately 60 MSPs and 1,500 of their respective clients’ systems, resulting in more than one million individual lockups. Even if your organization wasn’t affected by this most recent attack, there is ample reason to be vigilant: With 304 million attacks worldwide in 2020 alone (a 64 percent increase from 2019), the prevalence of ransomware attacks has warranted concern in recent years.

And, they’ll cost you: there was an alarming 171 percent increase in ransomware payouts between 2019 and 2020 with the trend continuing today. While the downstream impact of this attack has been a focal point for many, the uptick in ransomware attacks regardless of the network being targeted or the ransom amount shows a trend in exploiting unsuspecting (and often under-trained) employees for efforts of much larger scale than consumer-level scams. This calls attention to the nascent ways that attackers can exploit security vulnerabilities, as ransomware evolves in severity.

When it comes to the recent Kaseya attack, there are lingering questions that need to be answered: Is it over? What is stopping threat actors from doing it again or something else?

We can agree that these are not ethical humans we are dealing with. They are financially motivated actors that may already have a foothold in your environment. Knowing the likelihood that your system will be compromised a matter of when, not if IT leaders must prepare for a surge in attacks of this nature, while planning for recovery in tandem.

How to Recover and Better Prepare

When remediation is necessary, incident response teams (DFIR) are typically engaged and should provide information on the initial infiltration method and post exploitation techniques used to deploy the ransomware. As you recover and learn more about how the attack unfolded, keep these considerations in mind:

  1. Initial Infiltration: How did the bad actor enter your system? Typically, this happens in the form of phishing or weak remote access controls. Remember, ransomware is the final payload. Before the ransomware is deployed, the attackers need to infiltrate, use tools to move laterally, and exfiltrate network information as reconnaissance and critical data for extortion (in most recent cases). Understanding the moves that have been made will go a long way for your security beyond the initial incident.

    How you can be proactive moving forward: Mitigate risk with foundational capabilities like security awareness, secure email gateways, and multi-factor authentication. Limiting remote access and closely monitoring any remote entry points will also give you solid footing to identify bad actors early for remediation. Deception techniques are also a valid way in identifying potential malicious behavior early.

  2. Post Exploitation: What should you do immediately after the attack? After exploitation, 30-day efforts should focus on hunting for malware that may be sitting dormant that would have been used as a delivery mechanism for the ransomware. This can come in many forms, but recently we’ve sought out modular malware like Dridex, Trickbot, Emotet, Qakbot, and others. If these are not discovered and eradicated, the attacker can once again use them as a backdoor to do more damage. In some cases, we have seen a new ransomware attack six months after the original attack caused by the same backdoor technique. It could be the same group, or even a scenario where compromised devices were sold to the next financially motivated bad guy on the dark web with a “100% guarantee that this victim will pay.” Once some remote access trojan or other attacker is in your environment, there are some things you can put in place to mitigate future damage.

    How you can be proactive moving forward:
    • Antivirus protection provides a basic layer of defense, despite being weaker and more outdated than other methods. Make sure it is updated and always on.
    • Patching is absolutely critical. The current state of patch management programs is pretty bad: Your vulnerable systems will be the first to be targeted, if not actively monitored and updated.
    • Invest in an application audit. Understanding what “normal” looks like for your applications will better alert you to what is deemed suspicious. While application whitelisting may cause reservations for some IT teams, if a company has a handle on what apps are running and required from a business standpoint, it helps security prioritize what is a true threat. Audits increase confidence to ensure there is important context surrounding what is whitelisted and any exceptions.

  3. Monitoring Nefarious Activity: What haven’t you considered? Once the environment is sanitized, it’s time to start taking proactive steps to avoid similar vulnerabilities in the future. By thinking about how an attack is carried out, you can better map the ongoing security you need to prevent and remediate others.

    How you can be proactive moving forward: Technology can only take you so far when protecting against increasingly adaptive, creative, and sophisticated attackers. Learn to think like the bad guys by investing in continuous threat hunting. With a spirit of resourcefulness and deep industry expertise, threat hunters notice patterns, build connections between real-world events, investigate interactions on the dark web, and more to catch things that other alerts and solutions miss.

Latest Trustwave Blogs

The Power of Red and Purple Team Drills in Enhancing Offensive Security Programs

Despite investing in costly security solutions, keeping up with patches, and educating employees about suspicious emails, breaches still occur, leaving many organizations to wonder why they are...

Read More

Balancing Innovation and Security: How Offensive Security Can Help Navigate the Tech Industry’s Dual Challenges

Two of the greatest threats facing technology-focused organizations are their often-quick adoption of new technologies, such as artificial intelligence (AI), without taking security measures into...

Read More

Trustwave Government Solutions (TGS) Salutes New Mexico’s New Cybersecurity Executive Order

New Mexico Governor Michelle Lujan Grisham issued an Executive Order to shore up the state’s cybersecurity readiness and better safeguard sensitive data by conducting a state-wide security assessment...

Read More