How to Close the Ransomware Security Gap


It’s hard to believe how far ransomware has come from its origins in the 1980s. Today’s big-game ransomware attacks, which threaten everything from critical infrastructure and large corporations to hospitals and schools, trace back to a British doctor who shocked AIDS researchers with a bootloader virus (delivered on floppy disks) that locked their computers and demanded cash. Since then, attacks and targets have only grown larger and more sophisticated.

In fact, according to recent reports, ransomware attacks increased by 80% in the first half of 2022 compared to the first half of 2021. Today’s attackers break into networks, spend time enumerating the environment and identifying victims, position ransomware on as many devices as possible, and then stage it to execute and encrypt everything at once. The impacts can be devastating and costly, as illustrated by incidents such as the Colonial Pipeline attack.

Bad actors have also moved beyond traditional single extortion attacks to double and triple extortion attacks. In a double extortion attack, hackers not only encrypt data, but steal it and hold it for ransom. In a triple extortion attack, they also steal partner and consumer data or run a DDoS against services.

Many midsize businesses struggle to understand the layers of security needed to mount a formidable defense. Although email remains the most common threat vector, the paths a ransomware attack can take vary widely. To help overcome these challenges, let’s explore what’s needed to bridge the ransomware security gap that many organizations face.

The first layer is simple: patching. Keeping enterprise software up to date, especially on any publicly exposed resource such as a web application or web server, is vital. More often than not, attackers simply exploit old vulnerabilities (there are few true zero-day ransomware vulnerabilities). But for IT admins managing a hybrid environment with strict availability requirements, patching can pose a serious challenge.

Next comes implementing strong password practices. There’s an old saying in cybersecurity: “Hackers don’t break in; they log in.” Most of the time, an attacker uses a stolen credential captured through a phishing email or found on the dark web. This allows the attacker to gain access and escalate privileges throughout an organization. Strong passwords are usually long and random (32 characters). Password managers make life easier for users not only by creating and storing complex passwords, but also by reducing the memory load to a single master password.

However, relying on passwords alone is weak protection. This is where Multi-Factor Authentication (MFA) comes in. MFA is a much stronger way to verify a user’s identity. A password is just one factor, or type of token; a biometric or a certificate can serve as another. Anyone trying to access the corporate network must present two of these factors, so any single factor can be compromised without granting unauthorized access.

Backup is also essential to protect against ransomware. If an organization can recover encrypted files from a backup, it eliminates the threat of a single extortion ransomware attack. This is also good practice for disaster recovery. But there are nuances in how to approach backup as part of a ransomware defense strategy. Attackers often target backup services and disable them before an attack. Therefore, organizations should practice what is known as 3-2-1 backup, which keeps multiple copies on different media or services. It is also wise to keep a copy of critical data backed up offline.

Advanced malware prevention is also essential for a strong defense against ransomware. Over the past few decades, malware detection and prevention has mostly relied on signatures based on specific patterns or files. This approach is reactive. If an attacker releases some kind of new malware, let’s say ransomware, the signature-based antivirus vendor scans it, verifies that it’s bad, and looks for some sort of unique pattern, whether a hash of the file or something else. A rule is then created to match and identify this file in the future. But today’s malware has become highly evasive and polymorphic (WannaCry, for example, can have thousands of variants). In fact, according to recent research, nearly 80% of malware escapes signature-based detection. Advanced malware detection uses machine learning algorithms and behavioral detection to stop zero-day malware (which is often used to gain access to a system and then deploy ransomware).
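The following is an added illustration, not code from the original article: it contrasts a hash-based signature, which a single appended byte defeats, with a behavioral rule that flags a burst of high-entropy writes to renamed files. The payload bytes, the `.locked` extension and the file-write telemetry are all constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample payload and a "polymorphic" variant differing by one byte.
ORIGINAL = b"MZ\x90\x00" + b"fake-ransomware-body" * 8
VARIANT = ORIGINAL + b"\x00"

# Signature database built from the first sample only (constructed).
SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Reactive check: matches only a file whose exact hash is already known."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed file-write telemetry from one process: (seconds, path, content).
HIGH = bytes(range(256)) * 4               # uniform bytes, entropy exactly 8.0
LOW = b"quarterly numbers, plain text " * 30
EVENTS = [
    (0.0, "C:/Users/a/Documents/q1.xlsx", LOW),
    (1.0, "C:/Users/a/Documents/q1.xlsx.locked", HIGH),
    (1.5, "C:/Users/a/Documents/plan.docx.locked", HIGH),
    (2.2, "C:/Users/a/Pictures/team.jpg.locked", HIGH),
    (9.0, "C:/Users/a/notes.txt", LOW),
]


def behavioral_alert(events, window=5.0, threshold=3, min_entropy=7.0) -> bool:
    """Alert when >= threshold files with a renamed extension and near-random
    content are written within `window` seconds, whatever the binary's hash."""
    suspicious = sorted(t for t, path, data in events
                        if path.endswith(".locked") and entropy(data) >= min_entropy)
    for i, start in enumerate(suspicious):
        if sum(1 for t in suspicious[i:] if t - start <= window) >= threshold:
            return True
    return False


if __name__ == "__main__":
    print("hash signature catches original:", signature_match(ORIGINAL))   # True
    print("hash signature catches variant:", signature_match(VARIANT))     # False
    print("behavioral rule fires on telemetry:", behavioral_alert(EVENTS)) # True
```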

Another useful strategy is to use endpoint detection and response (EDR). New “living off the land” techniques hijack legitimate parts of an operating system (like Windows PowerShell) to let attackers run malicious code directly inside a legitimate process without writing malicious files to disk. Catching this type of attack requires monitoring memory and running processes, and looking for things like DLL or process injection. EDR solutions examine post-execution activity and anomalies to identify and help remediate attacks.
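As an added example, not part of the original article, here is the kind of process-lineage rule an EDR applies to catch a living-off-the-land chain: a script host such as PowerShell launched by an Office application, or with an encoded or hidden-window command line. The process records and the base64 placeholder are constructed; the field names are assumptions, not any vendor's schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record as an EDR sensor might report it (constructed fields)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed telemetry: a document reader spawning PowerShell, plus benign noise.
EVENTS = [
    ProcessEvent(400, "explorer.exe", "winword.exe", "winword.exe /n invoice.docx"),
    ProcessEvent(412, "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -EncodedCommand UExBQ0VIT0xERVI="),
    ProcessEvent(420, "explorer.exe", "powershell.exe", "powershell.exe -File Get-Inventory.ps1"),
    ProcessEvent(431, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"-e(nc(odedcommand)?)?\b", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def score_event(ev: ProcessEvent) -> list:
    """Return the human-readable reasons this event looks like a LOLBin abuse."""
    reasons = []
    is_host = ev.image.lower() in SCRIPT_HOSTS
    if is_host and ev.parent_image.lower() in OFFICE_PARENTS:
        reasons.append("script host spawned by an Office application")
    if is_host and ENCODED_FLAG.search(ev.command_line):
        reasons.append("encoded command line")
    if HIDDEN_FLAG.search(ev.command_line):
        reasons.append("hidden window requested")
    return reasons


def detect(events) -> dict:
    """Map pid -> reasons for every event that trips at least one rule."""
    return {ev.pid: r for ev in events if (r := score_event(ev))}


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, "->", "; ".join(reasons))   # only pid 412 is reported
```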

Finally, organizations should not overlook the value of end-user training, because even the most robust security strategy is only as strong as its weakest link. Phishing and spear phishing are common ransomware vectors. Companies should therefore ensure that every user knows the basics of email security and understands how spear phishing works.

The risks posed by ransomware are only part of the increasingly complex cybersecurity landscape. While no single solution can stop ransomware attacks, layered defense (including network perimeter, multi-factor authentication, and endpoints) can ultimately make organizations more secure.

Copyright © 2022 IDG Communications, Inc.
