Ransomware Mitigation – Texas Shows How It Is Done

We recently wrote about the upsurge in ransomware attacks, and one of the examples in that article was the recent attack on about two dozen governmental and educational networks in the state of Texas.  Texas was initially tight-lipped about what it was doing to mitigate the attack, in an effort to prevent the attackers from learning about its defensive strategies and systems and adapting their attack vectors in response.

The State of Texas Department of Information Resources (DIR) took charge of the situation and was able to provide a central point for coordinating the response.  A large part of its success was the cybersecurity incident response plan (CIRT) that was already in place.  This plan helped first responders know what to do and whom to notify and involve in the process.  Within 4 days all the affected sites had been visited, and 25% of the sites were remediated.  Within a week's time, all of the sites had fully recovered from the attack.

The DIR recently went public with a list of cybersecurity practices that it believes are best suited to heading off crypto-ransomware attacks.

  • Create and maintain a cybersecurity incident response plan and train an IR team.
  • For remotely managed servers in a cloud services environment, only allow authentication to remote access software from inside the cloud service provider's location.
  • Use two-factor authentication on remote administration tools.
  • Use VPNs for remote connections instead of RDP (Remote Desktop Protocol).
  • Block inbound network traffic from Tor exit nodes, which interferes with the exploit's ability to connect and gain traction.
  • Block outbound network traffic to Pastebin, which is a favorite site for storing stolen information.
  • Detect unusual PowerShell processes by using Endpoint Detection and Response (EDR) solutions.
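The last item is the one most often left to the EDR vendor's defaults. As an added illustration that is not part of the DIR's list or this post, the script below shows what "unusual PowerShell" looks like in practice: it runs a handful of detection rules over process-creation records in the shape of Windows Event ID 4688 / Sysmon Event ID 1 (Image, ParentImage, CommandLine). The three sample events are constructed, and the rule set and field names are my own assumptions, not any particular EDR product's.

```python
import ntpath
import re

# Constructed sample events in a Windows 4688 / Sysmon Event ID 1 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUE="},  # constructed argument
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Parents that rarely have a legitimate reason to launch PowerShell on a workstation.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}

# Each rule: (label, compiled regex applied to the command line).
COMMAND_LINE_RULES = [
    ("encoded-command", re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy-bypass", re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)),
    ("download-cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
]

def analyze(event):
    """Return the rule labels an event triggers ([] when nothing looks unusual)."""
    if ntpath.basename(event["Image"]).lower() not in POWERSHELL_IMAGES:
        return []
    hits = [label for label, rx in COMMAND_LINE_RULES if rx.search(event["CommandLine"])]
    if ntpath.basename(event["ParentImage"]).lower() in SUSPICIOUS_PARENTS:
        hits.append("suspicious-parent")
    return hits

def scan(events):
    """Return (command line, reasons) for every event that triggers at least one rule."""
    flagged = []
    for ev in events:
        reasons = analyze(ev)
        if reasons:
            flagged.append((ev["CommandLine"], reasons))
    return flagged

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {reasons}: {cmd}")
```

The scheduled backup script and the plain cmd.exe event pass untouched; only the Office-spawned, hidden, encoded invocation is flagged, which is the kind of triage rule worth tuning against your own baseline before trusting vendor defaults.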

This is good advice for anyone who is responsible for protecting a larger commercial or governmental network.  Considering the increased activity by ransomware groups, security professionals should get busy implementing these concepts.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
