Ransomware is very difficult to stop, mostly because the attackers are adept at locking up a network long before anybody in an organization even sees a ransom note. In many attacks, the malware combines an encryption payload with automated propagation.
This potent combination can be delivered using various attack techniques which enable threat actors to bypass delivery and execution security measures by leveraging compromised credentials. The ransomware is then able to rapidly encrypt the data of one endpoint after another — until a network is crippled.
Over the past few years, the growing sophistication of the ransomware ‘industry’ has spawned niche players and specialized variants. For example, Hades (a variant of WastedLocker) almost exclusively targets large organizations — a practice known as “big game hunting.”
Given the risk, it is hard to believe that many organizations practically invite attacks by leaving Remote Desktop Protocol (RDP) ports open to the internet. Although RDP uses modern encryption, it lacks multi-factor authentication (MFA) in its default state, thereby exposing organizations to attack.
Another self-inflicted weakness is the widespread failure to apply security patches to protect against Common Vulnerabilities and Exposures (CVEs).
How to Prevent and Contain Ransomware Attacks
The first step is to create a robust cyber defense readiness strategy to stop, or at least contain, an attack from the outset. However, because of the multiplicity of access vectors and the diversity of techniques, there’s no magic bullet. Organizations should consider the following preventative measures:
Deploy Identity and Access Management
To mitigate the spread of ransomware, it is imperative to incorporate Least Privilege and Zero Trust principles using Identity and Access Management (IAM). This should include multi-factor authentication, which helps to minimize risk of ransomware spreading in the event of a compromised account. All of these capabilities reduce the attack surface and limit unauthorized access.
Provide Security Awareness Training
To diminish the effectiveness of phishing, which is the largest attack vector used by ransomware, organizations need to educate their employees about how to identify malicious emails — and to do so on a continuous basis.
Leverage the Power of Continuous Cyber Skills Development
To keep on top of the latest developments in ransomware, cybersecurity professionals need to continuously learn and train so they can be as informed as the attackers.
The most effective way to conduct continuous cyber skills development is to do so in a controlled environment via hands-on, interactive exercises using real IT infrastructure, tools, and malware. This approach enables IT staff to hone their skills and learn how to successfully identify and respond to real-world threats, and stop the criminals from winning the ransomware game.
Security Orchestration Automation and Response (SOAR). This is a stack of compatible software that helps automate Incident Response by collecting security event information and using threat intelligence to identify threats and respond to them rapidly with minimal human assistance.
Next-Generation Firewall (NGFW). Using sophisticated analysis of network traffic and downloaded objects, an NGFW can detect known strains of malware through signatures and heuristics.
Endpoint Detection and Response (EDR). Behavioral and signature-based endpoint detection is fundamental for stopping known malware threats. EDR uses application execution controls to prevent malware from running on a machine.
Adopt Threat Intelligence
A Threat Intelligence Platform (TIP) can play a vital role in enabling security teams to proactively defend against ransomware as it provides real-time information on current threats. An additional benefit of a TIP is its automation and machine learning capabilities, which assist incident response strategies.
Public-facing Asset Protection
Secure Web Gateway (SWG). This provides deep visibility into internet-bound traffic to detect known malware samples and command and control (C2) traffic.
Segment Security Architecture
A great way to contain threats in a given area is to implement network segmentation and micro-segmentation. Such segmentation prevents threats or attacks from moving laterally in data centers, clouds, and campus networks. Ideally, every threat is contained in a segment of the network, thus reducing the impact of the ransomware.
Protecting against ransomware is difficult, but not impossible. Armed with the right cyber defense strategy, tools, and security controls, organizations can defend themselves against these attacks. The key weapon in every organization’s arsenal is, of course, knowledge — which has to be nurtured continuously and extensively via hands-on skills development for IT staff.