Cybersecurity has risen rapidly up the corporate agenda over the past 18 months, with particular methods of attack getting more airtime than others. Ransomware is the most notable, and it’s evolving rapidly to take advantage of the new fluid working landscape.
Cyber-criminals are no longer throwing mud at the wall and seeing what sticks – instead they’re creating bespoke, tailored attacks that can cause maximum damage. Operating higher impact campaigns enables them to charge more for the privilege of releasing a business’ valuable data, which has led to a leap in the average ransom paid by victims.
Everybody knows paying a ransom is never the recommended course of action when hit by an attack, with organizations such as the NCSC in the UK and the FBI in the US actively discouraging businesses from doing so. Not only is there no guarantee the data will be released; buckling to the pressure and paying can also make the business more vulnerable to future attacks.
The US Office of Foreign Assets Control (OFAC) recently took this advice one step further, publishing an advisory instructing victims of ransomware to engage with law enforcement and ensure they abide by economic sanctions and federal guidance.
With many cyber-attacks masterminded by gangs that rely on nation-state backing, payment of a ransom could equate to a violation of OFAC guidelines, meaning businesses would face legal ramifications and possible fines.
Is ransomware winning?
With the evolution of ransomware and the renewed focus on this attack method by government agencies, many people are wondering whether ransomware is winning. With the surge in recent attacks, they could be forgiven for believing this is the case.
With the impact of downtime in today’s work, learning and healthcare environments more detrimental than ever, it’s crucial organizations understand and know how to defend themselves from what is now often a sophisticated, three-stage attack.
Stage 1: infiltration - When looking to conduct a ransomware attack, cyber-criminals will first need to access an organization’s network. Often, hackers infiltrate an environment using social engineering techniques – such as phishing – which are becoming a larger issue now that employees are working remotely.
However, it can also be achieved by exploiting vulnerabilities in a business’ software, credential stuffing or through weaknesses in remote desktop services. This stage is critical, as it is after infiltration that cyber-criminals will begin to locate sensitive data and vital systems to exploit and hold to ransom.
To prevent infiltration, the best bet an organization has is to ensure basic cyber hygiene practices are upheld. This is where continuous vulnerability management and timely patch management come into play to stop attackers accessing the network via a known vulnerability.
Constant cybersecurity education is also key to ensure employees don’t unwittingly allow access via a suspicious email or download link. Back on the IT and security side, teams must closely monitor application control, uphold privileged access management and implement two-factor authentication to further bar cyber-criminals from entering.
Stage 2: exfiltration - If a malicious actor does manage to breach an organization’s outer barricades, their next step will be to collate and exfiltrate the valuable data discovered during their reconnaissance mission. In order to skirt monitoring tools, this is often done by leveraging trusted user accounts and tools.
Building on stage one’s defenses, businesses should look to implement an Endpoint Detection and Response solution. If executed effectively, EDR would enable cybersecurity professionals to continuously monitor for vulnerabilities and active threats on all endpoints across the environment.
Adopting a Zero Trust approach is another rapidly growing strategy – whereby no user or device is implicitly trusted, and each must be authorized every time it connects to the network – which further prevents cyber-criminals from taking advantage of privileged accounts. EDR has to spot threat actors, but it can be thwarted by a cunning adversary who has compromised credentials and can move about as someone you trust, using tools you expect.
As they move to each additional system, Zero Trust Access Control forces the threat actor to take extra steps that allow defenders to better spot malicious activity. Together ZTA and EDR become a robust combination as ZTA creates more opportunities for EDR to detect malicious activity.
Stage 3: encryption - Finally, there is the stage at which the attack often becomes apparent to the organization, and ransomware’s USP – encryption. Once encryption has begun at scale it can be very difficult to stop the attack. Shutting down networks and systems is often the only option left, which is why back-ups are critical.
Backing up and restoring data is critical to mitigate the impact of a ransomware attack – as payment shouldn’t be a consideration. If businesses can detect encryption, isolate it quickly and call on back-up data, they should be able to minimize the impacts of the attack.
There is an emerging set of solutions that move from watching for attack patterns, as EDR does, and instead shift to just watching the data. There is no need to spot a pattern if the files are being monitored. In this case, a threshold of encryption activity is all businesses need to know they are under attack.
It is early yet, but there are one or two solutions coming onto the market that focus on this ‘last line of defense’ mentality to isolate the data much quicker and reduce the amount of recovery that will be needed to get back up and running.
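The data-watching approach described above can be sketched as detection logic: rather than matching an attack pattern, it scores each file write by its byte entropy and alerts once one process produces too many high-entropy writes inside a time window. This is an added illustration, not code from any vendor product mentioned in the article; the event format, process names, thresholds and sample files are all constructed assumptions.

```python
import math
import random
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class EncryptionActivityMonitor:
    """Flags a process whose high-entropy file writes exceed a count per time window."""
    def __init__(self, window_s=60, entropy_threshold=7.0, max_writes=20):
        self.window_s = window_s
        self.entropy_threshold = entropy_threshold
        self.max_writes = max_writes
        self.recent = defaultdict(deque)  # process -> timestamps of high-entropy writes

    def observe(self, ts, process, path, data):
        """Record one file write; return an alert dict when the threshold is crossed."""
        if shannon_entropy(data) < self.entropy_threshold:
            return None
        q = self.recent[process]
        q.append(ts)
        while q and ts - q[0] > self.window_s:  # drop writes that fell out of the window
            q.popleft()
        if len(q) >= self.max_writes:
            return {"process": process, "count": len(q), "last_path": path}
        return None

def run_constructed_sample():
    """Constructed events: ordinary document edits, then a burst of encrypted-looking writes."""
    rng = random.Random(42)
    text = b"quarterly report draft, revision notes\n" * 100
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # stand-in for encrypted output
    monitor = EncryptionActivityMonitor()
    alerts = []
    for i in range(5):  # an editor saving plain-text documents: no alert expected
        alerts.append(monitor.observe(i, "editor", f"docs/report{i}.txt", text))
    for i in range(25):  # hypothetical process rewriting files as high-entropy blobs
        alerts.append(monitor.observe(100 + i, "proc-4711", f"docs/report{i}.txt.locked", ciphertext))
    return [a for a in alerts if a]

if __name__ == "__main__":
    for alert in run_constructed_sample():
        print(alert)
```

In practice the write events would come from a file-system audit feed, and the alert would drive the isolation and restore-from-backup steps the article describes.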
While it may seem like ransomware is winning, there is much that can be done to stop this trend. With a defense in depth approach that includes thorough patch management, employee education, privileged access management and continuous vulnerability management, an attack shouldn’t be able to breach a company’s walls. However, we all know it is still a possibility, which is why it is critical for businesses to expand their purview and ensure they are countering threat actors at all stages of next-generation ransomware.
The bottom line is, if enterprises adopt more effective security strategies, they will be able to thwart this evolving threat.