Ransomware is now the most disruptive cyber threat facing global organizations, according to the CEO of the National Cyber Security Centre (NCSC). The scale of the problem is such that leaders at both the recent G7 and NATO conferences called on hostile nations such as Russia to take a harder line on the criminal groups they’re sheltering.
No organization is safe. From hospitals dealing with surges in COVID-19 cases, to critical energy infrastructure in the US, to UK train stations, the only rule businesses must learn is that it’s not a case of “if” but “when.” Attacks surged by 150% in 2020, with the average extortion amount doubling, according to some experts. This is down to three key factors:
- Ransomware-as-a-Service (RaaS) growth has lowered the barrier to entry for various affiliate groups.
- The large number of victim organizations choosing to pay the extortionists.
- Poor corporate cybersecurity.
Organizations must now factor into their risk modeling service disruption that may last days, the theft of sensitive data, and follow-on DDoS attacks. Over three-quarters of attacks directly involve the threat to leak exfiltrated data, and there’s strong evidence that even if a ransom is paid, the data will not be deleted.
With this in mind, prevention or rapid detection and response are the best options for security teams. Here are five key strategies:
- User Awareness Training
Phishing remains one of the top threat vectors for ransomware groups. While endpoint/email anti-malware capabilities are therefore key, so too is staff awareness training. If organizations can train employees on how to spot phishing emails, they create a valuable first line of defense that forces their adversaries to work harder.
- Protect RDP
Remote desktop protocol (RDP) is the other primary vector for ransomware attacks. Threat actors often brute force logins or use previously breached credentials to hijack endpoints. Organizations have several strategies they can take to reduce their risk exposure. These include requiring staff to connect through a VPN before logging in, enforcing strong passwords or multi-factor authentication, and using a firewall to restrict RDP access. They could also change the RDP port so that malicious scans may miss it, and limit RDP to the users who actually need it, reducing the attack surface.
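The brute-force pattern described above is also detectable after the fact. The following is an added example (not code from the original article): it scans a constructed set of Windows Security log events for bursts of failed RDP logons (event 4625 with LogonType 10) from one source, and flags a subsequent successful RDP logon (4624) from the same source as a likely compromised credential. The JSON field names and the sample addresses are assumptions made for the example.

```python
"""Flag RDP brute-force bursts in Windows Security events (constructed sample)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON event per line, modelled on Security log
# 4625 (failed logon) / 4624 (successful logon); LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """
{"time": "2021-06-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"}
{"time": "2021-06-01T02:00:03", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"}
{"time": "2021-06-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"}
{"time": "2021-06-01T02:00:07", "event_id": 4625, "logon_type": 10, "user": "sql", "src_ip": "203.0.113.7"}
{"time": "2021-06-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2021-06-01T02:00:20", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"}
{"time": "2021-06-01T09:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.5"}
{"time": "2021-06-01T09:15:30", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.5"}
{"time": "2021-06-01T10:00:00", "event_id": 4625, "logon_type": 2, "user": "jsmith", "src_ip": "10.0.0.5"}
"""

def parse_events(text):
    """Parse JSON-lines events into dicts with datetime timestamps, sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for sources with >= threshold failed RDP logons
    inside a sliding time window. A successful RDP logon from the same source
    after the burst is reported as 'success_after_burst' (credential likely guessed)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are relevant here
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(e)
    findings = {}
    for ip, fails in failures.items():
        times = [f["time"] for f in fails]  # already sorted by parse_events
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and times[j] - times[i] <= window:
                later = [s for s in successes[ip] if s["time"] > times[j]]
                findings[ip] = {
                    "failed_attempts": len(fails),
                    "users_tried": sorted({f["user"] for f in fails[i:j + 1]}),
                    "success_after_burst": later[0]["user"] if later else None,
                }
                break  # one finding per source is enough
    return findings
```

A single failed logon from an internal address, as in the sample, produces no finding; a tuned threshold and window are what separate a typo from an attack.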
- Prompt Patching Everywhere
A less common but still dangerous route to compromise is via vulnerability exploitation. Last year, bugs in popular VPNs were frequently targeted, along with legacy flaws such as CVE-2012-0158. Wherever there’s an opportunity, cyber-criminals won’t be far away. Although patch volumes have become increasingly difficult for sysadmins to manage, risk-based patching programs can help organizations prioritize their efforts. Virtual patching capabilities also offer a useful option when systems can’t be taken offline to test regular patches.
- Network Segmentation
As a key component of any zero trust approach, network segmentation can help to reduce the impact of ransomware. By controlling traffic flows between segments, organizations can limit the spread of malware, reduce the lateral movement of attackers and shield critical assets.
- XDR
Extended detection and response (XDR) is a relatively new class of cybersecurity tooling which correlates threat information across multiple layers (email, cloud workloads, networks, servers, endpoints) for optimized visibility into ransomware attacks. XDR solutions prioritize alerts, allowing security operations teams to quickly isolate and remediate an attack before it impacts the organization.