From Encryption Ransomware to Extortion Ransomware Part II

This is part two of my piece on extortion ransomware. The first part is here – you should read it before continuing.

Extortion Ransomware

High-end systems such as the E3 and E5 versions of Microsoft 365 offer many tools to help mitigate the reach and impact of both encryption ransomware and extortion ransomware. They suit corporations, but may be less suitable for smaller organisations.

So what steps can you take to mitigate some of the risk with the tools offered by Microsoft 365? (Although I am using Microsoft 365 as an example, Google Workspace will achieve similar results.)

Document Classification

To start defending against extortion ransomware you need to know exactly which files and information you do not want threat actors to be able to read. You might say “everything”; if so, it is time to think about upgrading your systems to the corporate level. If you can narrow that to “most” or “some”, then we can move forward.

Where to start with document classification?

Let’s look at four of the most commonly used categories across our clients, with a note or two about some of the uses:

  • Internal use only – useful for keeping documents used for creating quotes under control.
  • External – marketing materials, prepared quotes etc – files destined for the public domain.
  • Management – internal use only but confidential from some of your team.
  • Confidential – controlled access needed – the stuff you really do not want any unauthorised people seeing. This includes HR information, company documentation, intellectual property and embarrassing documents. If you are not sure what counts as embarrassing, consider reports on clients that you would rather they did not see, for example.

You can expand on these categories, but do not make them too complicated as they may not get used. Once this exercise is done, exert control over the information by enforcing access control. In SharePoint this may mean having to reorganise the file storage to meet the access control requirements based on the roles of the users logging in. For your CRM or accounts package, say, you may need to create custom profiles to meet the task requirements of your team members with different levels of responsibility. Read more about authentication, accessibility and accountability here:

Why you should care about the TLA AAA!

File level encryption

But suppose the threat actors still get into your system: the credentials of one of your managers were compromised, so the attackers have access to whatever that manager could see, including some management and confidential files. This is where file-level encryption will help (Connolly, Lang, Taylor and Corner, 2021).

The Microsoft apps Word, Excel, PowerPoint and OneNote all offer client-side file encryption; make sure you use it on your most confidential files. For this to be effective you will need to:

  • Decide on those files that are really confidential.
  • Have a system in place for managing the encryption passwords.

Encrypting everything client-side offers the best protection, but it will seriously interfere with your workflow and will probably lead to your team not bothering with it.
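As an added illustration (a constructed example, not code from this post or from Microsoft 365), the following Python model puts the four classification categories, role-based access control and client-side encryption together and answers the question the previous sections raise: if one account is compromised, what can the intruder actually read in plaintext? The role names, the sample file inventory and the `passwords_with_account` flag are assumptions; in Microsoft 365 the real equivalents are SharePoint permissions granted per group and the password-encryption feature of the Office apps.

```python
"""Constructed model of document classification, role-based access and
client-side file encryption. Hypothetical data; not Microsoft 365 code."""
from dataclasses import dataclass
from enum import Enum


class Label(Enum):
    """The four classification categories used in the post."""
    EXTERNAL = "external"
    INTERNAL = "internal"
    MANAGEMENT = "management"
    CONFIDENTIAL = "confidential"


# Which labels each role may read (hypothetical role names). In SharePoint
# this is what library/site permissions per group would enforce.
ROLE_ACCESS = {
    "staff": {Label.EXTERNAL, Label.INTERNAL},
    "manager": {Label.EXTERNAL, Label.INTERNAL, Label.MANAGEMENT},
    "hr": {Label.EXTERNAL, Label.INTERNAL, Label.CONFIDENTIAL},
}


@dataclass(frozen=True)
class Document:
    path: str
    label: Label
    encrypted: bool = False  # Office client-side (password) encryption applied


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset
    # True if the file passwords live with the account (mailbox, notes, a
    # document in the same library), which defeats the encryption as soon
    # as the account itself is compromised. Assumed flag for the model.
    passwords_with_account: bool = False


def can_open(account: Account, doc: Document) -> bool:
    """Access-control check: does any of the account's roles cover the label?"""
    return any(doc.label in ROLE_ACCESS.get(role, set()) for role in account.roles)


def readable_if_compromised(account: Account, docs) -> list:
    """Paths an intruder holding this account's credentials can read in
    plaintext: everything the roles allow, minus client-side encrypted files
    whose password is managed separately from the account."""
    out = []
    for doc in docs:
        if not can_open(account, doc):
            continue
        if doc.encrypted and not account.passwords_with_account:
            continue  # stolen, but unreadable without the password
        out.append(doc.path)
    return out


def unencrypted_confidential(docs) -> list:
    """Policy gap check: Confidential files that are not client-side encrypted."""
    return [d.path for d in docs if d.label is Label.CONFIDENTIAL and not d.encrypted]


# Constructed sample inventory (paths and contents are invented).
INVENTORY = [
    Document("Marketing/brochure.pdf", Label.EXTERNAL),
    Document("Sales/quote-template.docx", Label.INTERNAL),
    Document("Management/board-minutes.docx", Label.MANAGEMENT),
    Document("HR/salaries.xlsx", Label.CONFIDENTIAL, encrypted=True),
    Document("HR/disciplinary-notes.docx", Label.CONFIDENTIAL),  # gap
]

# The post's scenario: a manager whose permissions also reach some
# confidential files, and whose credentials have been stolen.
OVERPRIVILEGED_MANAGER = Account("alice", frozenset({"manager", "hr"}))

if __name__ == "__main__":
    for path in readable_if_compromised(OVERPRIVILEGED_MANAGER, INVENTORY):
        print("readable by intruder:", path)
    for path in unencrypted_confidential(INVENTORY):
        print("policy gap, encrypt this:", path)
```

Two things the model makes visible that the prose only states: tightening `ROLE_ACCESS` (the document classification exercise) shrinks what a stolen account exposes, and an encrypted file only stays unreadable if its password is not sitting next to the stolen credentials, which is why the post asks for a system for managing the encryption passwords.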

Extortion Ransomware – what next?

Once the threat actors are inside with valid credentials, it is hard to stop them stealing your information. You can make it hard for them to read the most sensitive material by using encryption and MFA, but the best course of action is to keep them out in the first place. That is where good cyber security tools and effective cyber security awareness training are essential.


Clive Catton MSc (Cyber Security)

References

Connolly, L. Y., Lang, M., Taylor, P., & Corner, P. J. (2021). The evolving threat of ransomware: From extortion to blackmail.

Further Reading

From Encryption Ransomware To Extortion Ransomware Part I – CyberAwake

Ransomware – A Primer – CyberAwake

Extortion only – no encryption – Smart Thinking Solutions
