Cyber threats are increasing in scope and magnitude with every passing day. Among the different attacks, ransomware attacks have become very potent.
Ransomware started as a floppy disk-based attack in the 1980s, with a modest ransom demand of $189. Today, enterprises that fall victim to ransomware pay $233,217 to the hackers, on average, and suffer 23 days of downtime following an attack.
The 2017 WannaCry ransomware attack infected 200,000+ PCs worldwide. The attack took the form of a crypto-ransomware worm that infiltrated Windows PCs and encrypted critical files. Victims had to pay a ransom in bitcoin to regain access to their files. The sheer scale of WannaCry brought ransomware to center stage.
Enterprises responded by improving their backup and data recovery processes so they could avoid paying the hackers. Cybercriminals answered with double-extortion, multistage attacks: they encrypted the data and also published it on the dark web if victims did not meet the ransom demands.
Victims paying up emboldened the attackers and attracted more threat actors. Competition among attackers results in innovation, leading to more sophisticated attack methods. Enterprising cybercriminals now even offer ransomware as a service.
Ransomware attacks surged during the COVID-19 pandemic-induced lockdowns. Enterprises forced to set up remote work overnight could not give cybersecurity the attention it deserved, and the growth of online business gave hackers more significant opportunities.
The ransomware attack on Colonial Pipeline, the US fuel transportation company, is the most devastating in history so far. DarkSide, the notorious hacker group, breached the network and launched an attack that lasted from 6 May 2021 to 12 May 2021. The attack caused nationwide panic and a spike in retail gasoline prices. Colonial paid a ransom of about $5 million in cryptocurrency to regain access to its servers.
Of late, attackers have realized what a leak of sensitive customer data means for a company. Many ransomware attackers no longer encrypt data at all: they steal it and threaten to publish it. They especially target healthcare providers, educational institutions, and any enterprise that handles large volumes of customer data.
Here are the strategies to avoid such situations.
1. Get the basics right
Ransomware operators, like all hackers, infiltrate the network to encrypt the files. They use various tactics such as malicious links, social engineering, and email phishing. They also exploit vulnerabilities in unpatched software.
Enterprises that get the basics of network security right often keep ransomware operators at bay.
- Enable multi-factor authentication on company accounts, including service accounts and social media accounts
- Train employees to identify phishing emails and other threats, and make them aware of the threat actors' modus operandi. Without a proper understanding of the latest tactics, even highly aware and cautious users fall prey to phishing attacks.
- Identify and monitor high-risk employees. High-risk profiles include employees with administrative rights who may launch insider attacks.
- Assess the cybersecurity programs and protocols of vendors who access company data.
- Test backup systems. Make sure backups remain segregated from other company systems.
- Develop an enterprise response plan or SOP that details the actions to take in the event of a ransomware attack.
- Conduct periodic security drills to validate the effectiveness of the security deployments.
Powerful tools such as CrowdStrike enable risk-based conditional access. CrowdStrike uses proprietary tools to analyze user behavior and authenticate legitimate traffic. The tool integrates with the existing security architecture and syncs with existing tools with minimal friction.
2. Undertake deep network monitoring
Ransomware operators undertake thorough research and launch orchestrated attacks on their targets. Once they breach the network, they immediately exfiltrate data. Conventional deployments, such as perimeter protection, rarely stop these sophisticated attacks. Only real-time, deep network monitoring detects the hackers’ presence.
The Falcon identity threat detection tool detects identity-based attacks and anomalies in real time. It monitors network traffic in real time and offers deep visibility without ingesting log files. Unified visibility into the enterprise's cloud and on-premises stacks enables complete and comprehensive protection.
The tool's insights:
- Identify shadow administrators, stale accounts, shared credentials, and other attack paths.
- Detect abnormal user behavior and account misuse, to protect against insider threats and lateral movement.
- Detect anomalies to authenticate traffic.
- Enable frictionless remote access with step-up multi-factor authentication.
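The three identity findings listed above (stale accounts, shared credentials, and abnormal account behavior) can be illustrated with a few lines of detection logic over authentication events. The following is an added example written for this article; it is not CrowdStrike's or Falcon's code, and the event records, account list, thresholds (90 idle days, three hosts inside ten minutes) and the `svc-` service-account prefix are all constructed assumptions.

```python
"""Toy identity-anomaly checks over constructed authentication events.

Added example; not the product's code. Event records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source host, result)
EVENTS = [
    ("2024-03-01T09:02:00", "alice", "ws-alice", "success"),
    ("2024-03-01T09:05:00", "bob", "ws-bob", "success"),
    ("2024-03-02T22:41:00", "svc-backup", "backup01", "success"),
    # service account used from a workstation it has no business on
    ("2024-03-03T03:10:00", "svc-backup", "ws-contractor7", "success"),
    ("2024-03-03T09:00:00", "alice", "ws-alice", "success"),
    # same account on two more hosts within two minutes: shared-credential signal
    ("2024-03-03T09:01:00", "alice", "ws-kiosk3", "success"),
    ("2024-03-03T09:02:00", "alice", "ws-lab12", "success"),
]
# Constructed directory listing; "carol" never authenticates and so is stale.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "svc-backup"}


def parse(events):
    """Turn the raw tuples into (datetime, account, host, result)."""
    return [(datetime.fromisoformat(ts), u, h, r) for ts, u, h, r in events]


def stale_accounts(events, accounts, now, max_idle_days=90):
    """Accounts with no successful login in max_idle_days (or never)."""
    last_seen = {}
    for ts, user, _, result in parse(events):
        if result == "success":
            last_seen[user] = max(last_seen.get(user, ts), ts)
    stale = set()
    for acct in accounts:
        seen = last_seen.get(acct)
        if seen is None or now - seen > timedelta(days=max_idle_days):
            stale.add(acct)
    return stale


def shared_credential_candidates(events, window_minutes=10, min_hosts=3):
    """One account authenticating from >= min_hosts distinct hosts inside a window.

    Returns {account: set_of_hosts} for the first window that trips the threshold.
    """
    by_user = defaultdict(list)
    for ts, user, host, result in parse(events):
        if result == "success":
            by_user[user].append((ts, host))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:]
                     if t - start <= timedelta(minutes=window_minutes)}
            if len(hosts) >= min_hosts:
                flagged[user] = hosts
                break
    return flagged


def service_account_from_new_host(events, baseline_hosts, service_prefix="svc-"):
    """Service accounts (by naming convention) seen on hosts outside their baseline."""
    hits = []
    for _, user, host, _ in parse(events):
        if user.startswith(service_prefix) and host not in baseline_hosts.get(user, set()):
            hits.append((user, host))
    return hits


if __name__ == "__main__":
    now = datetime(2024, 3, 4)
    print("stale:", stale_accounts(EVENTS, KNOWN_ACCOUNTS, now))
    print("shared:", shared_credential_candidates(EVENTS))
    print("svc off-baseline:", service_account_from_new_host(EVENTS, {"svc-backup": {"backup01"}}))
```

Each check is a pure function over the event list, so the same logic can be pointed at a real export of sign-in events once the field names are mapped; the thresholds are the part a defender tunes against their own baseline.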
3. Enforce zero-trust security
Effective defense against ransomware requires a zero-trust approach. Enterprises need to verify each asset and transaction before granting network access.
The enterprise may impose various levels of verifications, including:
- Ensuring the systems requiring access have the latest patches installed
- Implementing passwordless multi-factor authentication (MFA)
- Deploying unified endpoint management (UEM).
The success of the zero-trust approach depends on network transparency. Unless the enterprise knows its network endpoints and the connected devices, it cannot apply the zero-trust filters.
About 80% of network infiltrations occur through compromised identities. The CrowdStrike Falcon identity protection tool deploys advanced AI for identity protection and enforces risk-based conditional access based on behavioral analysis. It triggers step-up authentication with MFA only when it detects risky traffic or a change in behavior.
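The zero-trust checks listed in this section (patch level, MFA, managed endpoint) and the risk-based step-up described in the paragraph above fit together as one access decision. Here is that decision as an added example written for this article; it is not CrowdStrike's policy engine, and the request fields, the weights added for an unfamiliar host and a sensitive resource, and the 0.4 step-up threshold are constructed assumptions.

```python
"""Toy zero-trust access decision with risk-based step-up MFA.

Added example; not the product's logic. All weights and thresholds are assumed.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    source_host: str
    baseline_hosts: frozenset      # hosts this user normally authenticates from
    device_patched: bool           # latest patches installed
    device_managed: bool           # enrolled in unified endpoint management
    mfa_satisfied: bool            # a strong factor already presented this session
    behavior_score: float          # 0.0 = matches baseline, 1.0 = maximal deviation
    resource_sensitivity: str = "normal"   # "normal" or "high"


def risk_score(req: AccessRequest) -> float:
    """Combine the behavioral score with simple context signals, capped at 1.0."""
    score = req.behavior_score
    if req.source_host not in req.baseline_hosts:
        score += 0.3        # assumed weight for an unfamiliar host
    if req.resource_sensitivity == "high":
        score += 0.2        # assumed weight for a sensitive resource
    return min(score, 1.0)


def decide(req: AccessRequest, step_up_threshold: float = 0.4) -> str:
    """Return 'allow', 'step-up-mfa', or a 'deny:<reason>' string.

    Device posture is checked before identity risk: an unmanaged or unpatched
    endpoint never reaches the risk evaluation, regardless of who is logging in.
    """
    if not req.device_managed:
        return "deny:unmanaged-device"
    if not req.device_patched:
        return "deny:unpatched"
    if risk_score(req) >= step_up_threshold and not req.mfa_satisfied:
        return "step-up-mfa"
    return "allow"


def baseline_request(**overrides) -> AccessRequest:
    """Constructed low-risk request; tests tweak one field at a time."""
    fields = dict(
        user="alice", source_host="ws-alice", baseline_hosts=frozenset({"ws-alice"}),
        device_patched=True, device_managed=True, mfa_satisfied=False,
        behavior_score=0.0, resource_sensitivity="normal",
    )
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    print(decide(baseline_request()))
    print(decide(baseline_request(source_host="ws-kiosk3", resource_sensitivity="high")))
    print(decide(baseline_request(device_patched=False)))
```

The ordering matters: posture failures are hard denies, while elevated identity risk only adds an MFA prompt, which is what keeps the common case frictionless.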
4. Deploy advanced AI tools
The scale and complexity of today's networks render conventional tools obsolete. AI-based tools powered by machine-learning algorithms rise to the task. AI-based tools:
- Identify and block phishing pages and emails in real time. Cybercriminals need access to the network to siphon off data, so they send phishing emails or messages to trick users into revealing credentials.
- Stop data exfiltration in real time.
- Analyze domains and subdomains to distinguish between legitimate and malicious domains.
- Aggregate and prioritize events based on severity and threats.
- Share threat intelligence. When a compromise is detected in one cloud instance, the tool passes that information to other endpoints, enabling prompt countermeasures.
CrowdStrike leverages industry-leading threat intelligence and telemetry, along with frameworks such as MITRE ATT&CK, to stop ransomware. CrowdStrike's OverWatch team deploys sophisticated techniques to relentlessly hunt down and stop even the stealthiest threats.
Dodging ransomware requires a holistic view, with deep visibility, integrated preventive measures, and proactive counterstrikes. Solutions such as CrowdStrike offer an effective remote access solution for enterprises of all sizes.