#ExpectRansomware
Ransomware events lock users and organizations out of data and infrastructure, and the attackers demand a payment to restore access and to refrain from exposing the affected data. These events can have significant impact – in the worst cases, shutting down operations entirely and risking the loss of critical information.
Due to the pandemic and the overall increase in technology use, successful ransomware attacks have increased significantly over the last year. In recent weeks, this trend has spiked even more after noteworthy breaches netted attackers millions of dollars:
- Colonial Pipeline – approximately $4 million USD
- JBS Food Processing – approximately $11 million USD
- Ransomware demands estimated to have cost hundreds of millions of dollars in Canada in 2020
Strikingly, a larger number of public organizations such as hospitals, universities, and colleges are being targeted and extorted. For example, in June 2020, a U.S. research university paid $1.14 million USD to recover research data.
When organizations pay the ransom, it increases the incentive for attackers. It is critical that University of Toronto units and individuals understand the risk and are well prepared to prevent ransomware attacks and to respond effectively to limit their impact.
How can we proactively reduce the likelihood of a ransomware event?
There is no single approach that will mitigate all risk. Plans must take into account the specific technology, threats, use of data, and ability to enable active protections.
Realistically, it is best to plan equally for protections that prevent a successful ransomware attack and for the response in the unfortunate event of a successful attack.
At a minimum, in priority order:
- Ensure there are ransomware resilient backups. This includes testing your backups.
- Ensure all devices are updated regularly for security vulnerabilities.
- Have a ransomware specific incident response playbook.
- Use anti-virus software, and preferably next-generation endpoint protection.
- Secure user account logins by using MFA.
Guidance for Units
Prepare
- Have a ransomware specific incident response playbook.
- Review the University of Toronto Incident Response Plan.
- Carry out a quick, light-weight ransomware table top exercise to prepare your team to respond quickly and effectively if there is an event.
Protect Data
- Ensure there are ransomware resilient backups. This includes testing your backups.
- Encourage users to use managed data storage, such as Microsoft 365.
- Review data retention policies. Keep data no longer than needed for business requirements.
- Perform information risk assessments of all unit systems, starting with systems with high priority research and administrative data to understand specific gaps.
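As an added example (not code from the page or from the University's own tooling), the following Python script turns "test your backups" into a repeatable check: record a hash manifest when the backup is taken, then verify a test restore against it and flag files whose contents changed, went missing, or appeared that were never backed up. The file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its size and SHA-256 at backup time; store this with the offline copy, not on the backed-up host."""
    return {p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in root.rglob("*") if p.is_file()}

def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a test restore against the manifest; any mismatch means the backup cannot be trusted to bring data back intact."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for p in restored.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)           # present in restore, never backed up
        elif p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            report["modified"].append(rel)             # contents differ from backup time
        else:
            report["ok"].append(rel)
    report["missing"] = list(set(manifest) - set(report["ok"]) - set(report["modified"]))
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then verify a 'restore' in which one file was overwritten, one is gone and one was added."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "data").mkdir(parents=True)
        (src / "grant.docx").write_bytes(b"grant application v3")
        (src / "data" / "results.csv").write_bytes(b"id,value\n1,42\n")
        (src / "notes.txt").write_bytes(b"lab notes")
        manifest = build_manifest(src)
        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        (restored / "grant.docx").write_bytes(b"\x00gibberish\x00")   # contents replaced
        (restored / "notes.txt").unlink()                               # file lost
        (restored / "README.locked").write_bytes(b"not in the backup")  # file that was never backed up
        return verify_restore(restored, manifest)
```

In practice, run `build_manifest` on the source when the backup job completes and `verify_restore` on a scheduled test restore to a scratch location; a non-empty `modified` or `missing` list is the signal that the backup would not have saved you.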
Protect Devices
- Most critically, keep operating systems updated regularly for security vulnerabilities.
- Use anti-virus software, and preferably next-generation endpoint protection.
- Ensure devices are securely configured and “hardened.”
Protect Users
- Promote the use of UTORMFA.
- Identify users to enroll in Microsoft 365 advanced threat protection.
- Provide minimum security awareness training for all, advanced content for expert users, and simulated phishing for high-risk users.
Protect Inter-Connected Systems
- If you run your own Active Directory, ensure it is hardened specifically for ransomware attacks.
- If you run Unix-based systems, ensure you are effectively using and managing SSH keys to prevent pivots.
- Use the least-privileged account for any action, e.g. avoid using administrator credentials for non-administrative work. In Active Directory environments, use a Three Tier approach.
Guidance for Individuals
Especially in these days of remote work, it is important to treat your personal and professional use of technology in comparable ways.
See detailed guidance at Remote Security Matters.
- Protect your data
  - Back up your data!
  - Use managed storage services to store your important documents and cherished items like photographs.
  - If possible, keep an “offline” copy of files.
  - Back up your data!
- Protect your devices
  - Use anti-virus software.
  - Ensure all devices are updated regularly for security vulnerabilities.
- Protect yourself
  - Use MFA for all of your personal accounts. It’s in your hands.
Resources
- Short Incident Response Playbook for Ransomware
- Ransomware Table Top Exercise
- Canadian Centre for Cyber Security: Ransomware: How to Prevent and Recover
- Canadian Centre for Cyber Security: Ransomware playbook
- CISA MS-ISAC Ransomware Guide
- Internal KPE: Protecting Your Data from Ransomware.
- The University has recently published its general Security Incident Response Plan (Incident Security Response Plan | Information Security and Enterprise Architecture (utoronto.ca))