Ransomware’s increased threat to business uptime and critical data has been on the minds of cybersecurity professionals for years now. But who would have predicted that ransomware might become so pervasive that even our non-tech friends became familiar with the term? That odd new reality arrived in the aftermath of recent attacks like the Colonial Pipeline breach that caused gasoline shortages and panic hoarding across the southeastern USA, and the JBS attack that halted operations at Australian and American meat processing plants.
Threaten someone’s post-Covid road trip or backyard barbecue, and suddenly everyone starts talking about it.
The rise in frequency, sophistication and destructiveness of ransomware suggests that businesses have some major gaps in their defense strategies. The question is how do they address the problem?
At a recent Acronis virtual conference, several cybersecurity minds suggested the need for a multi-layered approach that centers on adopting the right tools, improving processes, and preparing people for the worst.
New Tech Weapons Against Ransomware
Ransomware attacks increasingly take on the profile of advanced persistent threats (APTs), where attackers quietly reside inside business networks for weeks, gathering intelligence and secretly exfiltrating data. Nevertheless, many techniques used in the early stages of the attack are simple and familiar, like phishing to steal credentials and download initial malware payloads.
Topher Tebow, senior cybersecurity researcher at Acronis, noted that “94% of successful malware attacks start with phishing, so if you haven’t updated your email security lately or deployed URL filtering, it’s time to take another look at them. Stopping phishing emails from hitting users’ inboxes, and stopping malware payloads when users click backlinks or attachments, is a quick way to cut down a ransomware attack before it starts.”
Another favored attack technique is to exploit known vulnerabilities that have been left unpatched. The obvious response is systematic, ideally automated, patch management. As Dylan Pollock, senior network engineer at NASCAR’s Hendrick Motorsports, noted, “Known vulnerabilities left open in your OSes, apps and hardware are like catnip to cybercriminals. If you’re struggling to keep up with the burden of patching, maybe it’s time to invest in tools to help automate your vulnerability scanning and patch management routines.”
But what about the unknowns? With cybercriminals producing new ransomware variants every day, each fresh sample is effectively invisible to signature-based defenses until a signature for it exists. “That points to the need for more adaptive defenses that detect and stop threats based on their behavior, not a previously-known fingerprint,” recommended Candid Wüest, VP of cyber protection research at Acronis. “Machine intelligence that can learn new patterns of attack behavior and automatically add appropriate responses in real time has become crucial ammunition in the ransomware fight.”
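What “detect based on behavior” looks like in practice is easiest to see in code. The following is an added example written for this article, not code from Acronis or from any of the speakers quoted. It watches per-process file activity and flags a process that, within a short window, writes many high-entropy (encrypted-looking) files and renames them to an extension the host has never seen. The event schema, the thresholds and the sample telemetry are all assumptions constructed for the demo; a real deployment would feed the same logic from a filesystem minifilter, auditd or an EDR agent.

```python
"""Behavior-based ransomware detection over constructed file-activity telemetry.

Added example; not code from this article, from Acronis, or from any speaker
quoted. The event schema (ts, pid, name, op, path, data/new_path) is an
assumption standing in for what a filesystem minifilter or EDR agent emits.
Requires Python 3.9+ for random.Random.randbytes.
"""
import math
import os
import random
from collections import defaultdict

# Thresholds are assumptions chosen for the demo, not values from the article.
WINDOW_SECONDS = 10.0          # per-process sliding window
MIN_HIGH_ENTROPY_WRITES = 5    # encrypted-looking writes needed before alerting
ENTROPY_THRESHOLD = 7.5        # bits/byte; ciphertext and compressed data sit near 8.0
NEW_EXT_RATIO = 0.6            # share of renames that introduce an unknown extension


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_ransomware(events, known_exts):
    """Return one alert dict per process whose recent activity looks like bulk encryption.

    A process is flagged when, inside WINDOW_SECONDS, it has produced at least
    MIN_HIGH_ENTROPY_WRITES high-entropy writes *and* most of its renames put an
    extension on files that the host has never seen. Requiring both signals keeps
    archivers and backup agents (high entropy, familiar extensions) from alerting.
    """
    recent = defaultdict(list)   # pid -> [(ts, op, high_entropy, new_ext)]
    names = {}
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ts = ev["pid"], ev["ts"]
        names[pid] = ev["name"]
        high_entropy = ev["op"] == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD
        new_ext = False
        if ev["op"] == "rename":
            new_ext = os.path.splitext(ev["new_path"])[1].lower() not in known_exts
        window = [e for e in recent[pid] if ts - e[0] <= WINDOW_SECONDS]
        window.append((ts, ev["op"], high_entropy, new_ext))
        recent[pid] = window
        if pid in flagged:
            continue
        hi_writes = sum(1 for e in window if e[1] == "write" and e[2])
        renames = [e for e in window if e[1] == "rename"]
        new_ext_renames = sum(1 for e in renames if e[3])
        if (hi_writes >= MIN_HIGH_ENTROPY_WRITES and renames
                and new_ext_renames / len(renames) >= NEW_EXT_RATIO):
            flagged.add(pid)
            alerts.append({"pid": pid, "name": names[pid], "ts": ts,
                           "high_entropy_writes": hi_writes,
                           "new_extension_renames": new_ext_renames})
    return alerts


def build_sample_events():
    """Constructed telemetry: a text editor, an archiver and a ransomware process."""
    rng = random.Random(7)
    prose = b"Quarterly numbers look fine. " * 150      # low entropy, roughly 4 bits/byte
    events = []
    for i in range(6):                                   # pid 100: editor autosaving one file
        events.append({"ts": 1.0 + i, "pid": 100, "name": "winword.exe", "op": "write",
                       "path": "C:/Users/ann/report.docx", "data": prose})
    for i in range(6):                                   # pid 200: archiver, known extension
        events.append({"ts": 20.0 + i * 0.2, "pid": 200, "name": "7z.exe", "op": "write",
                       "path": f"C:/Backups/part{i}.zip", "data": rng.randbytes(2048)})
    for i in range(6):                                   # pid 300: encrypt in place, then rename
        path = f"C:/Users/ann/Documents/file{i}.xlsx"
        events.append({"ts": 50.0 + i * 0.3, "pid": 300, "name": "svchost.exe", "op": "write",
                       "path": path, "data": rng.randbytes(2048)})
        events.append({"ts": 50.1 + i * 0.3, "pid": 300, "name": "svchost.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".zip", ".txt"}   # assumed host baseline


def run_sample():
    """Run the detector over the constructed events; only pid 300 should alert."""
    return detect_ransomware(build_sample_events(), KNOWN_EXTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The archiver in the sample is the important negative case: it writes high-entropy data just as fast as the ransomware does, so entropy alone would be a false positive. Combining entropy with the extension-churn signal is what makes the rule specific, and the same structure extends to other behavioral markers the speakers allude to, such as deletion of volume shadow copies or a burst of writes across many directories.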
Adjustments to Processes
Throwing new tech at the problem is not enough, especially as experts say that no company can expect to escape ransomware entirely. The prudent working assumption is that an attacker may already be inside the network, quietly staging an attack.
Graham Cluley, cybercrime researcher and host of the Smashing Security podcast, said, “Given that ransomware compromise is inevitable, it cannot be overstated how important a well-thought-out and religiously executed backup program is as a final line of defense. But you have to test it regularly to make sure your backups are secure … You don’t want to end up paying the ransom anyway because your backups were too slow or unreliable.”
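Cluley’s point about testing backups is worth making concrete, because “the backup job reported success” is not the same as “we can restore.” The following is an added example written for this article, not Acronis code or a script from any speaker. It hashes a backup set into a manifest protected by an HMAC whose key is assumed to live off the backup host, then performs a trial restore that checks every file against the manifest and times the restore against a recovery-time objective. It also shows what happens when ransomware reaches the backup share and overwrites a file, and when an attacker tries to regenerate the manifest to match the damaged copies. All paths, the key and the sample files are constructed for the demo.

```python
"""Backup integrity and restore test with a keyed manifest.

Added example; not code from this article, from Acronis, or from any speaker
quoted. The HMAC key is an assumption standing in for a secret kept in a vault or
offline, so that whoever can write to the backup share still cannot forge the manifest.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and seal the listing with an HMAC over its JSON form."""
    files = {str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_restore(backup: Path, manifest: dict, key: bytes,
                   restore_to: Path, rto_seconds: float) -> dict:
    """Trial-restore every file in the manifest and report what would block a real recovery."""
    result = {"ok": False, "manifest_trusted": False, "missing": [], "mismatched": [],
              "restore_seconds": 0.0, "within_rto": False}
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return result            # manifest was altered or regenerated without the key
    result["manifest_trusted"] = True
    start = time.perf_counter()
    for rel, digest in manifest["files"].items():
        src = backup / rel
        if not src.is_file():
            result["missing"].append(rel)
            continue
        dst = restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)   # the restore itself; hashes are taken from the restored copy
        if file_sha256(dst) != digest:
            result["mismatched"].append(rel)
    result["restore_seconds"] = time.perf_counter() - start
    result["within_rto"] = result["restore_seconds"] <= rto_seconds
    result["ok"] = (result["manifest_trusted"] and not result["missing"]
                    and not result["mismatched"] and result["within_rto"])
    return result


def run_demo() -> dict:
    """Constructed scenario: a clean restore, a backup hit by ransomware, and a forged manifest."""
    key = b"constructed-demo-key-kept-off-the-backup-host"   # assumption for the demo
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("Q3 plan: keep one backup copy offline\n")
        (src / "db.sqlite").write_bytes(bytes(range(256)) * 4)
        backup = tmp / "backup"
        shutil.copytree(src, backup)
        manifest = build_manifest(backup, key)
        clean = verify_restore(backup, manifest, key, tmp / "restore1", rto_seconds=60)
        # Ransomware reaches the backup share and overwrites one file with ciphertext.
        (backup / "docs" / "plan.txt").write_bytes(os.urandom(64))
        tampered = verify_restore(backup, manifest, key, tmp / "restore2", rto_seconds=60)
        # The attacker rebuilds the manifest to match the damaged files, but lacks the key.
        forged = verify_restore(backup, build_manifest(backup, b"wrong-key"), key,
                                tmp / "restore3", rto_seconds=60)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r)
```

Run this on a schedule against a real backup set, restore into scratch storage, and treat any result other than a trusted manifest, zero mismatches and a restore inside the RTO as an incident to investigate. The keyed manifest is what turns “the files are still there” into “the files are still what we backed up”; without the key held somewhere the backup host cannot reach, an attacker who can encrypt the backups can also rewrite the hashes that would have caught it.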
“Living off the land is an important new strategy for ransomware attackers,” said Wüest. “They will use common operations tools lying around the target’s environment, like RDP and Mimikatz to steal passwords, escalate privileges and commandeer powerful remote-desktop tools. These make stealing data and spreading the encryption attack much easier. So you need to lock those tools down, enforce rigorous password discipline with multi-factor authentication, and be much less generous with elevated privileges.”
New People Skills
Companies also cannot overlook the people part of their cyber protection operation, from training end-users against social engineering to getting tech operations to think more strategically.
“Security awareness training is as important as endpoint security technology,” said Pollock. “If we could get users to think just two more seconds before they click on a suspicious email, many ransomware attacks would never get a toehold in our businesses.”
Cluley added that while security teams have done a decent job against the fast-evolving ransomware threat, now is no time to rest on laurels. “Keep thinking multiple layers of protection, shoring up security awareness, and fine-tuning and rehearsing your incident response plan, and you’ll have a fighting chance.”
A replay of my extended interview with these expert practitioners and researchers — which formed the centerpiece of the Acronis virtual conference, “See Inside a Live Ransomware Attack, Then Learn How to Prevent All of Them”.