This is a high-level assessment of what ransomware is and how organisations can reduce the risk of an attack.
Ransomware is malware used to extort victims into paying a fee. Once the victim’s computer is locked or its files are encrypted, the operators typically display an on-screen ransom note stating that access will not be restored unless the ransom is paid.
Ransomware actors have expanded the scope of their attacks from extorting individual users to disrupting entire businesses and critical infrastructure.
Ransomware is often spread through phishing emails that carry malicious attachments or links, or through drive-by downloads, where a user visits a compromised website and malware is downloaded and installed without their knowledge. Exposed remote-access services (RDP, VPN) reached with weak or stolen credentials are another common entry point.
Ransomware developers have also built worm-like capabilities into their malware so that it spreads automatically across corporate networks. This means an infection can persist even after the computer that was initially compromised has been remediated.
Cyber criminals have shifted their tactics from opportunistic, smash-and-grab attacks to more calculated, advanced persistent threat (APT)-style attacks.
This attack style allows them to exfiltrate sensitive data before encrypting the affected hosts, enabling double (or multi-level) extortion: in addition to charging for decryption, they demand payment to withhold the stolen data from publication. This strategy has yielded them far greater profits, and it works even against victims with good backups.
All ransomware types share the demand for payment, but they differ in how they apply pressure. Here are some of the most common:
- Locker ransomware locks users out of the device or its desktop, rather than encrypting individual files, and demands payment to restore access. Recovery often means rebuilding the system. Paying does not guarantee a clean outcome: some operators also plant credential-stealing malware that remains after the ransom has been paid.
- Crypto ransomware encrypts the victim’s files (and sometimes whole disks) and demands payment for the decryption key, typically in cryptocurrency sent to an anonymous wallet address.
- Leakware (also called doxware) steals information and threatens to publish it unless the victim pays. The tactic is effective because it causes panic and works even when the victim can restore from backup.
- Scareware usually poses as fake security software. Once installed, it reports bogus problems that cost extra money to fix, and sometimes floods the target with so many alerts and pop-ups that the computer is unusable until they act.
- Ransomware as a Service (RaaS) is a business model rather than a malware type: developers lease their ransomware and infrastructure to affiliates, who carry out the intrusions, in exchange for a share of each payment. It lowers the skill needed to run a campaign, so RaaS is used for everything from opportunistic mass attacks to targeting specific organisations or individuals.
How to prevent ransomware
The steps below are best practices for a mature security program. They ensure an organisation has the right policies, processes and procedures in place to reduce the risk of a ransomware attack.
1. Maintain up-to-date systems. Unpatched applications and operating systems, especially internet-facing ones, are a common entry point. Keeping them patched greatly reduces the number of exploitable entry points available to an attacker.
2. Employ a data backup and recovery plan for critical data. Perform regular backups and test restores, to limit the impact of data or system loss and to speed up recovery. Backups that are reachable from the network can be encrypted or deleted along with production data, so critical backups should be kept offline or otherwise immutable, with restore procedures exercised before they are needed.
3. Develop an incident response plan. Create, maintain and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
4. Draft security policies and baselines. Consider developing policies and baselines around specific controls like firewalls, email scanning, application allow-listing and remote access.
5. Implement comprehensive network visibility. Today’s ransomware attackers dwell on victims’ networks to steal sensitive data and maximise the impact of their extortion. They maintain persistence, move laterally, use remote access tools and escalate their privileges. All of these actions generate network traffic that a security team with network visibility can detect and act on.
6. Raise employee awareness. A person who knows what to look for will be more effective at countering potential phishing or social engineering attacks. Implement a security awareness and training program that teaches employees how to assess whether an attachment, link or email is trustworthy.
7. Protect devices with endpoint security software. Good antivirus and endpoint detection and response (EDR) products block known ransomware and alert on suspicious behaviour such as mass file encryption, and can remove an infection before it spreads. Some vendors also publish free decryption tools for families whose encryption was implemented incorrectly, but this is the exception and should not be relied on.
8. Implement a proactive threat-hunting capacity. Threat hunting is the practice of proactively searching for cyber threats lurking undetected in a network. It digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defences.
Threat hunting complements the standard process of incident detection, response and remediation. While security tools analyse raw data to generate alerts, hunters work in parallel on the same data, using queries and automation, to surface leads that did not trigger an alert.
Proactive hunting allows a security team to stop a potential threat before the attacker can deploy ransomware in an environment.
9. Implement a Zero Trust security posture. Zero Trust bases access decisions on verified identity, device state and least privilege rather than on network location. This is apt because most ransomware intrusions begin with a compromised user account or endpoint, typically through phishing or stolen credentials.
Zero Trust reduces the attack surface significantly: users, whether internal or external, can reach only the resources they are explicitly authorised for, and everything else is unreachable to them. It also provides the monitoring, detection and traffic inspection needed to catch lateral movement and the exfiltration of sensitive data.
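As an added example (it is not code from the original article or from any vendor product), the script below implements two of the hunting queries described under items 5 and 8. It runs over a constructed sample of flow records (timestamp, source, destination, destination port) of the kind a visibility fabric or NDR sensor collects, and flags (a) a source reaching many distinct internal hosts on administrative ports (SMB, RDP, WinRM) within a short window, a lateral-movement signature, and (b) near-constant-interval connections to one external host, the beaconing pattern of C2 over an encrypted channel. The internal address ranges, the thresholds and the log format are assumptions for the example.

```python
"""Hunt for ransomware precursors (lateral movement, C2 beaconing) in flow logs.

Added example, not from the original article. Assumptions: the log format
'timestamp src dst dst_port', the internal ranges in INTERNAL_NETS and the
thresholds below are all illustrative and would be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges; documentation addresses (203.0.113.x, 198.51.100.x)
# play the role of external hosts in the constructed sample.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}  # RPC, NetBIOS, SMB, RDP, WinRM

# Constructed sample flow log (not real traffic): 10.0.5.21 fans out to eight
# internal hosts over SMB/RDP, then beacons to 203.0.113.7 roughly every 60 s;
# 10.0.5.41 talks to an external host at irregular intervals (benign).
SAMPLE_FLOWS = """
2024-03-01T02:00:00 10.0.5.21 10.0.5.30 445
2024-03-01T02:00:10 10.0.5.41 198.51.100.5 443
2024-03-01T02:00:30 10.0.5.21 10.0.5.31 445
2024-03-01T02:01:00 10.0.5.21 10.0.5.32 445
2024-03-01T02:01:30 10.0.5.21 10.0.5.33 445
2024-03-01T02:02:00 10.0.5.40 10.0.5.30 445
2024-03-01T02:02:00 10.0.5.21 10.0.5.34 445
2024-03-01T02:02:30 10.0.5.21 10.0.5.35 445
2024-03-01T02:03:40 10.0.5.41 198.51.100.5 443
2024-03-01T02:04:05 10.0.5.41 198.51.100.5 443
2024-03-01T02:05:00 10.0.5.21 10.0.5.40 3389
2024-03-01T02:05:30 10.0.5.21 10.0.5.41 3389
2024-03-01T02:06:00 10.0.5.21 10.0.5.50 80
2024-03-01T02:10:00 10.0.5.21 203.0.113.7 443
2024-03-01T02:11:01 10.0.5.21 203.0.113.7 443
2024-03-01T02:11:59 10.0.5.21 203.0.113.7 443
2024-03-01T02:13:02 10.0.5.21 203.0.113.7 443
2024-03-01T02:14:00 10.0.5.21 203.0.113.7 443
2024-03-01T02:14:58 10.0.5.21 203.0.113.7 443
2024-03-01T02:15:30 10.0.5.41 198.51.100.5 443
2024-03-01T02:16:01 10.0.5.21 203.0.113.7 443
2024-03-01T02:16:02 10.0.5.41 198.51.100.5 443
2024-03-01T02:31:00 10.0.5.41 198.51.100.5 443
"""


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'timestamp src dst dst_port' lines into time-ordered tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)


def find_lateral_movement(flows, window_s=900, min_peers=6):
    """Sources that reach >= min_peers distinct internal hosts on admin ports
    within any window_s-second sliding window. Returns {src: peak peer count}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():  # events are already time-ordered
        start, peers = 0, defaultdict(int)
        for ts, dst in events:
            peers[dst] += 1
            while (ts - events[start][0]).total_seconds() > window_s:
                old = events[start][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                start += 1
            if len(peers) >= min_peers:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits


def find_beaconing(flows, min_conns=6, max_jitter=0.15):
    """(src, dst, port) to external hosts contacted at near-constant intervals:
    coefficient of variation of the gaps <= max_jitter. Returns mean gap (s)."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        if not is_internal(dst):
            times[(src, dst, port)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg, 1)
    return hits


def hunt(text):
    flows = parse_flows(text)
    return {"lateral": find_lateral_movement(flows), "beacons": find_beaconing(flows)}


if __name__ == "__main__":
    for kind, leads in hunt(SAMPLE_FLOWS).items():
        print(kind, leads)
```

On the sample, only 10.0.5.21 is flagged: eight internal peers on admin ports inside the window, and a 60-second beacon to 203.0.113.7 with under 4 % jitter, while 10.0.5.41’s irregular external traffic is ignored. Both queries are cheap enough to run continuously over the same flow data the alerting pipeline consumes, which is the “in parallel, on the same data” arrangement described above; the thresholds are the part a hunter tunes after looking at what is normal for the environment.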
Effective ransomware prevention requires comprehensive network visibility paired with an effective threat detection and incident response capability.
- Hybrid cloud visibility – A hybrid cloud visibility fabric collects and aggregates all data in motion, including east-west, IoT/OT and container-level traffic, to eliminate blind spots
- TLS/SSL decryption – Centralised TLS/SSL decryption from a chosen security vendor provides the visibility needed to expose threats hidden in encrypted channels used for C2 and similar activity
- Network Detection and Response (INSIGHT™) – Guided-SaaS network detection and response closes the SOC visibility gap and provides high-fidelity adversary detection to enable rapid, informed responses