Security Experts:

Defending Against the Latest Ransomware Surge

With Many Employees Working From Home, the Enterprise Attack Surface Has Increased Significantly

To slow the spread of COVID-19, millions of employees have been instructed to work from home which places them outside the secure office network and no longer under the protection of IT professionals. Threat actors are taking full advantage of this exposure by launching a wave of new cyber-attacks, leveraging tactics such as phishing, credential stuffing, and ransomware. Ransomware attacks alone have seen a 900 percent increase this year, according to research by VMware Carbon Black. This led the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to re-issue guidance on cyber readiness and defensive measures for employees and businesses. Given the current uptick in ransomware attacks, let’s consider steps organizations can take to minimize the risk of being victimized.

Holding someone or something for ransom is a simple yet effective strategy that has been used by criminals for thousands of years. Today, cyber criminals are exploiting these ancient techniques using modern technologies. Ransomware is most commonly delivered via spam emails whereby the crimeware is deployed when a victim clicks on a malicious attachment or URL. Upon infection, ransomware often has a devastating impact since encrypting and blocking access to sensitive data can shut down business operations. A good example were the WannaCry and NotPetya attacks in mid-2017 that spread like wildfire across the globe, crippling banks, logistics firms, manufacturing plants, and many other industries. 

While these wide-spread attacks led to the deployment of additional defensive mechanisms, cyber criminals have also created more sophisticated attacks, using spear-phishing emails that target specific individuals and seed legitimate websites with malicious code. Targeted attacks might affect fewer organizations but have a much higher success rate. It’s part of the evolution of ransomware.

Recently, we have seen the emergence of a new trend whereby ransomware attacks not only encrypt an organization’s systems, but also exfiltrate data and threaten to release it publicly if the ransom is not paid.  To date, only a small percentage of ransomware attacks have taken this extra step, likely because it exposes cyber criminals to an increased risk of detection and identification by law enforcement. The threat actors that have gone down this path, as in the case of the Energias de Portugal incident, were likely motivated by the larger payout they would receive if the company acquiesced.

Basic Steps to Increase Cyber Resilience 

The following fundamental measures can help organizations minimize their exposure to ransomware attacks:

• Implement cybersecurity training to educate employees on how ransomware is being deployed and how to recognize and avoid spear-phishing attacks.

• Regularly update anti-virus and anti-malware with the latest signatures and perform regular scans.

• Back up data regularly to a non-connected environment and verify the integrity of those backups regularly.

While these best practices are table stakes, many organizations are aware that they need to look beyond basic cyber hygiene and pursue a more comprehensive cyber defense strategy. Unfortunately, many companies have recently been forced to downsize staff and delay planned IT security projects. As a result, it’s more important than ever to focus on security measures that assure the biggest bang for the buck. While security awareness training, as well as regular anti-malware updates and data back-ups cover the essentials, organizations need to recognize that ransomware is just one form of exploit. It can easily be replaced by another. According to Forrester, an estimated 80 percent of data breaches are tied to privileged access abuse.

Address the Low Hanging Fruit

By implementing identity-centric privileged access management (PAM) based on Zero Trust principles, organizations can kill two birds with one stone. They can defend against the leading source of data breaches — privileged access abuse — while simultaneously containing the impact of a ransomware attack by preventing malware from running or at least limiting its ability to spread across the network. In this context, the combination of PAM and Zero Trust enables an organization to: 

• Isolate its network infrastructure from remote access laptops and workstations that become compromised by viruses or ransomware; 

• Zone off access and enforce multi-factor authentication in order for admin users to reach assets outside the pre-defined zone; 

• Vault shared local accounts to minimize the damage of ransomware attacks that attempt to perform privilege escalation; and

• Apply the concept of least privilege to granularly control what access admin users have and what privileged commands they can run. Without the ability to install files or at least elevate privilege when installation is necessary, ransomware cannot spread undeterred through a network.

With the majority of organizations’ employees working from home, the enterprise attack surface has increased significantly compared to just several months ago. Ransomware is just one of the many tactics, techniques, and procedures (TTPs) that threat actors are using to attack organizations by compromising remote user devices. Nevertheless, by focusing on mitigating the common thread that spans all TTPs ― access credential abuse ― and treating identity as a security perimeter, it is possible to prevent most cyber breaches.

view counter
Torsten George is currently a cyber security evangelist at Centrify, which helps organizations secure privileged access across hybrid and multi-cloud environments. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).