The scourge of ransomware is still raging: CNIL's latest report, covering 2021, recorded a record number of more than 2,150 notifications relating to ransomware cyberattacks, an increase of over 76% compared to 2020, with attackers expanding into new vertical industries and targeting critical infrastructure. The amounts demanded have also increased. According to IT Governance, the average price of an attacker's decryption keys is $140,000, yet many organizations end up paying much more than that.
Ransomware threats are evolving faster than organizations can keep up with them. A common misconception is that malware is usually delivered through phishing emails. While this is true in many cases, newer forms of ransomware are more likely to be deployed by an intruder who has already compromised the network. The real challenge for companies is therefore to monitor activity within their own environment, in addition to educating users and protecting them from unknown links.
Another entry on the long list of misconceptions is that regular backups are the best recovery strategy. While this may hold for smaller attacks, an attacker already inside a network not only has the ability to compromise the backups themselves, but can also compromise the critical data they are meant to protect.
Backdoors: an important entry point
The most common entry point for attackers is Remote Desktop Protocol (RDP), which allows a user to control a computer remotely over a network. RDP vulnerabilities continue to proliferate, and many are the result of a misconfiguration or a missing patch.
As the recent Lapsus$ attacks have shown, gaining RDP access can be an effective way to obtain that critical initial foothold. Once inside, the ransomware payload itself can arrive hours or days later. Conducting early reconnaissance allows intruders to target their attacks for maximum impact. The increasing precision of attacks is one reason ransom demands are rising, even as organizations take more proactive steps to protect themselves.
Focusing prevention efforts on spotting the ransomware attack itself is like closing the door of the sheepfold when the wolf is already inside. In fact, the attack is often the last stage of the breach.
A three-step approach: segmenting, detecting, and monitoring
As the amount of data transferred to the cloud keeps growing, the cloud becomes an attractive target for cybercriminals seeking to get hold of that data. Under these circumstances, it is essential to provide uniform data protection across user devices, web traffic, and cloud environments.
With a Security Service Edge (SSE) policy that includes Data Loss Prevention (DLP) capabilities, security teams can automatically block data exfiltration, countering the double-extortion threats that are common today.
The principles of a zero-trust architecture build on the basic principle of least privilege: a user is given only the minimum level of access or permissions needed to perform their tasks, without ever exposing the network as a whole. This allows security teams to continuously authenticate users and connect them directly to applications, rather than trusting traffic simply because it comes from an internal network or a corporate device. Segmentation is another basic concept of zero trust. It consists in restricting access to applications and resources so that attackers who break into one cannot affect the others. It also helps counter the traditional "land and expand" techniques that attackers use to jump from an entry point to other targets on the network.
Assessing user activities after the initial login, including user traffic, access to organizational assets, and the context in which they are operating, is fundamental to detecting ransomware threats that develop covertly.
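The two points above (RDP as the usual entry point, and monitoring what an account does after it has logged in) can be turned into concrete detection logic. The following is an added example, not code from the article or from any vendor it mentions: it reads a constructed, simplified export of Windows Security log events, keeps only successful logons (Event ID 4624) of the RemoteInteractive type (LogonType 10, i.e. RDP), and flags sessions that come from outside an assumed jump-host subnet, occur outside business hours, or show one account reaching several hosts in a way that resembles the "land and expand" pattern. The log format, the allowlisted subnet, the business-hours window and the threshold are all assumptions made for the example.

```python
"""Flag suspicious RDP logons in a simplified Windows Security log export.

Added example (not from the article). Each constructed line has the form:
    <ISO timestamp> <event id> <account> <source ip> <target host> LogonType=<n>
Event ID 4624 is a successful logon; LogonType 10 (RemoteInteractive) is an RDP session.
"""
from collections import defaultdict
from datetime import datetime

RDP_LOGON_TYPE = 10
# Assumption for the example: RDP may only originate from this jump-host subnet.
ALLOWED_RDP_SOURCES = ("10.0.5.",)
# Assumption: interactive admin work happens between 07:00 and 19:59 local time.
BUSINESS_HOURS = range(7, 20)
# Assumption: one account opening RDP sessions to three or more hosts is worth a look.
SPREAD_THRESHOLD = 3

# Constructed sample log: two normal admin logons, one service account hopping
# between hosts from an external address at night, and one non-RDP network logon.
SAMPLE_LOG = """\
2024-03-04T09:12:44 4624 alice 10.0.5.12 FS01 LogonType=10
2024-03-04T09:30:02 4624 bob 10.0.5.17 WEB02 LogonType=10
2024-03-04T23:41:10 4624 svc_backup 198.51.100.23 FS01 LogonType=10
2024-03-04T23:43:55 4624 svc_backup 198.51.100.23 DC01 LogonType=10
2024-03-04T23:47:19 4624 svc_backup 198.51.100.23 SQL01 LogonType=10
2024-03-05T08:05:31 4624 carol 10.0.5.12 FS01 LogonType=3
"""


def parse_line(line):
    """Split one export line into a dict with typed fields."""
    ts, event_id, account, src, host, logon = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "src": src,
        "host": host,
        "logon_type": int(logon.split("=", 1)[1]),
    }


def rdp_logons(log_text):
    """Return only successful RemoteInteractive (RDP) logon events."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE]


def find_alerts(log_text):
    """Apply three simple post-login checks and return a list of alert tuples."""
    alerts = []
    hosts_by_account = defaultdict(set)
    for e in rdp_logons(log_text):
        # Check 1: RDP from anywhere other than the allowlisted subnet.
        if not e["src"].startswith(ALLOWED_RDP_SOURCES):
            alerts.append(("unexpected_source", e["account"], e["src"], e["host"]))
        # Check 2: RDP outside the hours when admins normally work.
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", e["account"], e["src"], e["host"]))
        hosts_by_account[e["account"]].add(e["host"])
    # Check 3: one account fanning out to many hosts over RDP.
    for account, hosts in hosts_by_account.items():
        if len(hosts) >= SPREAD_THRESHOLD:
            alerts.append(("lateral_spread", account, len(hosts), sorted(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Run on the constructed log, the two daytime logons from the jump-host subnet produce nothing, the LogonType 3 network logon is ignored, and the service account is flagged by all three checks. In a real deployment the allowlist, hours and threshold come from the organization's own baseline, and the same checks are usually expressed as SIEM rules rather than a script; the value of the script is to make the logic explicit and testable.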
It has been ten years since ransomware first came to mainstream attention, and this scourge has shown no sign of abating. On the contrary, the number of attacks and the size of ransoms are skyrocketing. Although there is no guaranteed protection against ransomware, keeping abreast of trends and preventive measures can help organizations, and especially security teams, reduce the risk of damage.