The threat of ransomware continues to keep security leaders awake at night. Organizations of all sizes get their data and critical systems held hostage until they send untraceable cryptocurrency payments to malicious actors. The security community is coming around to the fact that ransomware is here to stay regardless of how many security tools are available. But why is the threat not going away and what can you do about it? This article aims to answer those questions.
Relentless Ransomware
Colonial Pipeline, JBS, Kia Motors—the recognizable ransomware victims appearing in news headlines during 2021 were just the tip of the iceberg. An IDC survey found that 37 percent of organizations worldwide experienced a ransomware attack over the previous 12 months.
In a world where tons of prevention-focused security tools are available to organizations, it’s natural to wonder why these tools aren’t able to keep ransomware out. Here are some possible answers for the relentlessness of this threat.
Collaboration Among Threat Actors
A game-changing moment in ransomware history came in 2015 when security researchers discovered the first ransomware-as-a-service (RaaS) tool on the dark web. Known as Tox, the tool’s developers let any threat actor use their ransomware strain in return for a 20% take of the profits.
RaaS is now the norm for many of today’s most high-profile ransomware operations. Smaller groups of threat actors sign up as affiliates and use various strains of ransomware in their attacks. This collaboration among threat actors means organizations are getting hit with far more intrusion attempts than ever before. All it takes is one successful attempt to bypass preventative controls.
To make matters worse, one investigation uncovered evidence of two different well-established cybercrime groups collaborating in the same attack. The incident bore the hallmarks of FIN7’s unique tactics for getting inside a network and establishing a foothold. Then, threat actors installed Ryuk’s ransomware strain in the same network.
Porous Perimeters
Network perimeters are more porous than ever, and opportunistic threat actors will find any gaps. Hybrid workforces and cloud infrastructures make it harder to define and secure the boundary of a network. It’s not that perimeter controls are obsolete, but they don’t provide the level of protection that they once did.
Some security leaders believe that businesses need to treat identity as the new perimeter. This belief calls for the adoption of a zero trust strategy that implements watertight access controls. But zero trust is not something you implement overnight, so it’s not going to rapidly transform the ransomware landscape.
Consider a hypothetical example where a remote employee goes to do some work at a local cafe. The employee connects to an unsecured public Wi-Fi network on which a lurking adversary captures traffic packets and compromises the employee’s login credentials to your corporate VPN. Armed with those login credentials, ransomware attacks can easily occur despite having a perimeter control (VPN) to restrict network access.
User Errors
Practicing good information security hygiene is not something that comes naturally to people. Compounding this issue is that security awareness training is often treated as a box to tick rather than an important and ongoing part of an organization’s activities and mission. Furthermore, today’s ransomware attackers deploy deceiving phishing campaigns that are difficult to spot to the untrained eye.
The margins are narrow when it comes to user errors; one click of a malicious link or one opening of a seemingly trustworthy email attachment could spell disaster. In light of today’s porous perimeters, initial entry points into networks can take advantage of user errors without your business ever knowing about it.
Some of the user errors that provide ransomware attackers with an entry point to your network include:
- Using default passwords that are easy to guess and easy to brute force hack. Even in 2021, the most common passwords include 123123 and 1234567890, both of which take under one second to crack.
- Not backing up sensitive data so that your business can’t rely on backups of files encrypted with ransomware.
- Reusing the same password across multiple accounts so that one data breach can provide an entry point into several different accounts.
- Disabling security tools or not running software updates on personal BYOD laptops and smartphones connected to corporate networks.
The Need for Visibility, Threat Detection and Response
There is a real need for better visibility into what’s happening on your endpoint devices and within your network if you want to get a better handle on ransomware. Relying on prevention with firewalls, demilitarized zones and web filters is not enough because sophisticated actors tend to eventually find a way in if they’re determined enough. Seeing what’s happening inside your environment and acting quickly can deter threat actors from progressing to encrypted files.
Businesses that have 24/7 visibility into their environments and 24/7 ability to detect and respond to attacks are far better equipped to combat ransomware threats. Proactive cybersecurity is the name of the game. Alongside the traditional preventative tools, proactive strategies, such as better security training, strengthening access controls, and monitoring your environment for attacks with the latest threat detection tools give your business the best defense.
Not every business has the resources to stop ransomware attackers in their tracks with ongoing cyber threat detection and rapid incident response. Cyebrsecurity talent shortages make it a daunting task to find enough skilled analysts that bring visibility, threat detection and response capabilities to your business.
Thankfully, the managed security service provider (MSSP) option provides businesses of all sizes with an affordable, scalable way to protect their IT environments. An MSSP serves as an extension of your IT security team and hones in on those critical functions of visibility, threat detection and response that can thwart in-progress ransomware attacks before they lock down key systems or exfiltrate your sensitive data.
