Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Defending Against the Latest Ransomware Surge

With Many Employees Working From Home, the Enterprise Attack Surface Has Increased Significantly

With Many Employees Working From Home, the Enterprise Attack Surface Has Increased Significantly

To slow the spread of COVID-19, millions of employees have been instructed to work from home which places them outside the secure office network and no longer under the protection of IT professionals. Threat actors are taking full advantage of this exposure by launching a wave of new cyber-attacks, leveraging tactics such as phishing, credential stuffing, and ransomware. Ransomware attacks alone have seen a 900 percent increase this year, according to research by VMware Carbon Black. This led the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to re-issue guidance on cyber readiness and defensive measures for employees and businesses. Given the current uptick in ransomware attacks, let’s consider steps organizations can take to minimize the risk of being victimized.

Holding someone or something for ransom is a simple yet effective strategy that has been used by criminals for thousands of years. Today, cyber criminals are exploiting these ancient techniques using modern technologies. Ransomware is most commonly delivered via spam emails whereby the crimeware is deployed when a victim clicks on a malicious attachment or URL. Upon infection, ransomware often has a devastating impact since encrypting and blocking access to sensitive data can shut down business operations. A good example were the WannaCry and NotPetya attacks in mid-2017 that spread like wildfire across the globe, crippling banks, logistics firms, manufacturing plants, and many other industries. 

While these wide-spread attacks led to the deployment of additional defensive mechanisms, cyber criminals have also created more sophisticated attacks, using spear-phishing emails that target specific individuals and seed legitimate websites with malicious code. Targeted attacks might affect fewer organizations but have a much higher success rate. It’s part of the evolution of ransomware.

Recently, we have seen the emergence of a new trend whereby ransomware attacks not only encrypt an organization’s systems, but also exfiltrate data and threaten to release it publicly if the ransom is not paid.  To date, only a small percentage of ransomware attacks have taken this extra step, likely because it exposes cyber criminals to an increased risk of detection and identification by law enforcement. The threat actors that have gone down this path, as in the case of the Energias de Portugal incident, were likely motivated by the larger payout they would receive if the company acquiesced.

Basic Steps to Increase Cyber Resilience 

The following fundamental measures can help organizations minimize their exposure to ransomware attacks:

• Implement cybersecurity training to educate employees on how ransomware is being deployed and how to recognize and avoid spear-phishing attacks.

• Regularly update anti-virus and anti-malware with the latest signatures and perform regular scans.

• Back up data regularly to a non-connected environment and verify the integrity of those backups regularly.

While these best practices are table stakes, many organizations are aware that they need to look beyond basic cyber hygiene and pursue a more comprehensive cyber defense strategy. Unfortunately, many companies have recently been forced to downsize staff and delay planned IT security projects. As a result, it’s more important than ever to focus on security measures that assure the biggest bang for the buck. While security awareness training, as well as regular anti-malware updates and data back-ups cover the essentials, organizations need to recognize that ransomware is just one form of exploit. It can easily be replaced by another. According to Forrester, an estimated 80 percent of data breaches are tied to privileged access abuse.

Address the Low Hanging Fruit

By implementing identity-centric privileged access management (PAM) based on Zero Trust principles, organizations can kill two birds with one stone. They can defend against the leading source of data breaches — privileged access abuse — while simultaneously containing the impact of a ransomware attack by preventing malware from running or at least limiting its ability to spread across the network. In this context, the combination of PAM and Zero Trust enables an organization to: 

• Isolate its network infrastructure from remote access laptops and workstations that become compromised by viruses or ransomware; 

• Zone off access and enforce multi-factor authentication in order for admin users to reach assets outside the pre-defined zone; 

• Vault shared local accounts to minimize the damage of ransomware attacks that attempt to perform privilege escalation; and

• Apply the concept of least privilege to granularly control what access admin users have and what privileged commands they can run. Without the ability to install files or at least elevate privilege when installation is necessary, ransomware cannot spread undeterred through a network.

With the majority of organizations’ employees working from home, the enterprise attack surface has increased significantly compared to just several months ago. Ransomware is just one of the many tactics, techniques, and procedures (TTPs) that threat actors are using to attack organizations by compromising remote user devices. Nevertheless, by focusing on mitigating the common thread that spans all TTPs ― access credential abuse ― and treating identity as a security perimeter, it is possible to prevent most cyber breaches.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.