
Don’t get held to ransom: Cause, prevention, recovery


Ransomware is one of the top earners of the dark economy, lining the coffers of cybercriminals. Expected to generate over $265bn in revenue for bad actors within the next decade, it continues to pose an acute threat to businesses.

It's no wonder, then, that cybercriminals have commoditized their skills as ransomware as a service (RaaS) to maximize their return on investment. They know how to build a successful business: recruiting top talent and creating versatile frameworks with tooling for every stage of an attack, from reconnaissance, lateral movement, data exfiltration and encryption through to the payment and decryption systems that are essential to getting paid.

But the victims on the receiving end of an attack simply can't afford it: either they can't absorb the downtime and lost productivity an incident causes, or they don't have the cash to pay. So what steps can organizations take to reduce the risk of a breach and limit the impact of an attack?

It doesn’t start with ransomware…  

Although 'ransomware' is the term that usually makes the headlines, social engineering, email phishing and malicious email links are the major vectors criminal organizations use to get into environments and deploy their malware. The Verizon 2021 Data Breach Investigations Report found phishing present in 36 percent of the breaches it analyzed.

After clicking a link, the user lands on a site built to harvest their credentials and, potentially, to drop and execute a malicious payload on their device, or to run it purely in memory as fileless malware. As the intruder escalates privileges and moves deeper into the enterprise, they gain control over more sensitive files and more critical infrastructure, and the result can be an incident on the scale of the Colonial Pipeline attack.

Unpatched software vulnerabilities are another common point of entry into an organization's ecosystem. Keeping software up to date is a frequently forgotten or neglected part of cybersecurity hygiene, partly because of the resources needed to patch every vulnerability by hand.

Unpatched vulnerabilities let threat actors exploit known weaknesses to gain a foothold on connected endpoints. From there they move laterally, progressing along the kill chain until they have the persistence and reach of an advanced persistent threat (APT). Such intrusions often go undetected and lie dormant inside a victim's network until the attacker chooses to strike.

Prevention measures  

End users are often the weakest link in cybersecurity. A multi-layered zero-trust strategy takes the onus off end users and IT teams by applying a 'never trust, always verify' approach to every access request.

Within a zero-trust model, the most effective way to control user credentials is to remove passwords from the threat landscape entirely. Failing that, multi-factor authentication (MFA) that uses a device's biometric capabilities is a necessity. Tying a physical attribute of the user to the access-management process helps ensure the user is who they claim to be. Note that the phishing resistance comes from the authenticator being bound to the device and to the legitimate site, as with FIDO2 authenticators, not from the biometric alone: a one-time code typed into a lookalike page can still be relayed to the real one.

As part of a multi-layered zero-trust strategy, organizations also need to improve device hygiene through patch and vulnerability management. Hyper-automation technologies, including deep learning and supervised and unsupervised learning, can let IT teams see in real time what needs patching, drawing on vulnerability and exploit information gathered from a range of online sources.

Combining patch management and privilege management in one solution also lets devices and applications be patched through a cloud component when they are outside the company network, so IT departments stay in control of the process.

Hyper-automation can also help ensure that endpoints, edge devices and data are discovered, managed, secured and serviced. Finally, organizations should couple these device-hygiene and identity measures with an effective detection and response solution that flags questionable behavior and enables threat hunting.
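To make "what needs patching" concrete, the following Python is an added example, not Ivanti's product and not material from the original article. It matches a constructed endpoint inventory against a constructed advisory list (the package names, versions and CVSS scores are invented) and orders the work: flaws known to be exploited first, then by CVSS. It also shows why versions must be compared numerically rather than as strings. Caveat: distributions frequently backport fixes without changing the upstream version string, so a production tool must use the vendor's own fixed-version data rather than upstream numbers.

```python
"""Turn an endpoint inventory plus an advisory feed into a patch order.

Added example with constructed data; not a real feed and not Ivanti's code.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str     # first version carrying the fix
    cvss: float
    exploited: bool   # assumption: the feed flags known-exploited flaws


def version_key(version):
    """'1.2.10-3' -> (1, 2, 10, 3). Numeric comparison is essential:
    as strings, '1.2.10' sorts before '1.2.9', which is backwards."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed_in):
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def patch_plan(inventory, advisories):
    """inventory: {host: {package: installed_version}}.

    Returns one row per (host, vulnerable package), most urgent first:
    known-exploited before everything else, then CVSS descending, then
    host name so the order is stable."""
    rows = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None or not is_vulnerable(installed, adv.fixed_in):
                continue
            rows.append({
                "host": host, "package": adv.package, "installed": installed,
                "fixed_in": adv.fixed_in, "cvss": adv.cvss, "exploited": adv.exploited,
            })
    rows.sort(key=lambda r: (not r["exploited"], -r["cvss"], r["host"]))
    return rows


# Constructed sample data: hypothetical hosts, packages and advisories.
INVENTORY = {
    "ws-01": {"vpn-client": "3.4.9", "pdf-reader": "21.0.1", "browser": "110.0.5481"},
    "ws-02": {"vpn-client": "3.4.10", "pdf-reader": "20.9.7"},
    "srv-01": {"vpn-client": "3.4.2", "browser": "109.0.5414"},
}
ADVISORIES = [
    Advisory("vpn-client", "3.4.10", 9.8, exploited=True),
    Advisory("pdf-reader", "21.1.0", 7.8, exploited=False),
    Advisory("browser", "110.0.5481", 8.8, exploited=False),
]

if __name__ == "__main__":
    for row in patch_plan(INVENTORY, ADVISORIES):
        flag = "EXPLOITED" if row["exploited"] else f"CVSS {row['cvss']}"
        print(f"{row['host']:7} {row['package']:11} {row['installed']} -> {row['fixed_in']}  {flag}")
```

Run as-is it prints five rows: the two hosts still on a vulnerable `vpn-client` first (the only exploited advisory), then the browser at CVSS 8.8, then the two PDF readers. `ws-02` is already on `3.4.10` and is correctly left off the VPN list, which a string comparison would have got wrong.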

Employees are the frontline of defense  

Education also plays a key role in preventing breaches, especially with email phishing. The Verizon report found the "human element" involved in 85 percent of breaches. Mail gateways and similar controls filter out a lot of phishing email as spam, but an unwitting worker can still click a link and give away their credentials. Training sessions that teach employees the warning signs of a malicious email are one way to educate them, but they may not be the most engaging.

Sending fake phishing campaigns to staff has proved effective at Ivanti. They give IT teams a chance to educate staff during the working day, when their guard is most likely to be down. An employee who clicks a phishing link is directed to a page that explains what they did wrong and which signs they missed. Once employees start looking out for emails from their own IT team, they adopt the same vigilance they need against real threats.
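The warning signs that training teaches people to spot can also be checked mechanically, which is what a mail gateway does before a message ever reaches the user. The Python below is an added example, not Ivanti's tooling and not code from the original article. It parses a constructed email and flags three classic tells: a Return-Path domain that does not match the From domain, link text that displays one domain while the href goes to another, and a destination host that imitates a trusted domain (`TRUSTED_DOMAINS` is an assumed configuration value). The registrable-domain logic is a deliberate simplification that takes the last two labels and ignores the public suffix list.

```python
"""Flag common phishing tells in a raw email message.

Added example, heuristics only. A real gateway combines checks like these
with SPF/DKIM/DMARC results, URL reputation and sandbox detonation.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own domains, loaded from config in real use.
TRUSTED_DOMAINS = {"example.com"}

# Link text that looks like a URL or bare domain, e.g. "https://example.com/reset".
_URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: no public suffix list,
    so 'x.example.co.uk' comes back as 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_shown_in(text):
    """Hostname the link text displays, or None if the text is plain words."""
    match = _URLISH.match(text.strip())
    return match.group(1).lower() if match else None


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    bounce_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if (from_domain and bounce_domain
            and registrable_domain(from_domain) != registrable_domain(bounce_domain)):
        findings.append(("sender-mismatch", f"From {from_domain} but Return-Path {bounce_domain}"))

    extractor = _LinkExtractor()
    for part in msg.walk():  # handles both single-part and multipart bodies
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            extractor.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))

    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        if _IPV4.match(host):
            findings.append(("raw-ip-link", href))
        shown = host_shown_in(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(("link-text-mismatch", f"shows {shown} but goes to {host}"))
        target = registrable_domain(host)
        for trusted in TRUSTED_DOMAINS:
            # Subdomains of a trusted domain are fine; a trusted name used as a
            # prefix (example.com.login-verify.net) or a near-miss spelling is not.
            if target != trusted and (trusted in host or edit_distance(target, trusted) <= 2):
                findings.append(("lookalike-domain", f"{host} imitates {trusted}"))
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Service Desk" <helpdesk@example.com>
Return-Path: <bounce@mailer-x7.net>
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://example.com.login-verify.net/reset">https://example.com/reset</a>
within 24 hours or your account will be locked.</p></body></html>
"""

LEGIT = """\
From: "IT Service Desk" <helpdesk@example.com>
Return-Path: <helpdesk@example.com>
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>The VPN will be unavailable 02:00-04:00 UTC. Details are on
<a href="https://intranet.example.com/maintenance">the intranet</a>.</p></body></html>
"""
```

On `PHISH` the function returns three findings (sender mismatch, link-text mismatch, lookalike domain) and on `LEGIT` it returns none; the link to `intranet.example.com` is accepted because it is a genuine subdomain of the trusted domain rather than a prefix trick. Each finding maps to one of the cues a phishing simulation asks employees to notice: who the mail really came from, where the link really goes, and whether the destination is genuinely the company's domain.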

To pay or not to pay?  

Paying a ransom neither guarantees the recovery of your files nor ensures the malicious code has been removed from your systems. For that reason, government cybersecurity authorities such as the UK's National Cyber Security Centre (NCSC) advise against paying. Paying also encourages the criminals to keep going. A ransomware strategy that prioritizes defense and thorough recovery should mean you never need to pay.

An organization without a recovery plan has far less freedom to refuse the ransom. Preparing for ransomware with drills that prove the recovery plan actually works is crucial. Simply restoring data from a backup onto compromised systems is not an option: you need to reimage hundreds or thousands of systems before putting the data back, and you need to confirm that the backups themselves are intact and were never reachable from the compromised network. A blueprint will be needed for what can be a huge operation.

A zero-trust strategy rests on three elements: access, user and device. When choosing tools to protect against ransomware, keep these elements top of mind. The access request is today's critical weakness, and it is the core of zero trust. Bolstering strong authentication with hyper-automation, education and a practiced recovery plan will help organizations avoid a ransomware payout and give them the best security posture against future attacks.

Nigel Seddon, VP of EMEA West, Ivanti