Ransomware is arguably the most devastating threat facing businesses today. It targets known weaknesses and can strike a company before they know what hit them. According to CISA, the most common tactics hackers use to carry out ransomware attacks are email phishing campaigns, RDP vulnerabilities, and software vulnerabilities.
A single attack can paralyze a business; if adequate controls aren’t in place, the results can go far beyond basic service outages. The consequences of falling victim to ransomware range from temporary service disruption and loss of productivity to the theft of proprietary data or even the leakage of protected sensitive customer and employee data.
Ransomware is Expanding Beyond Endpoints
This problem is not one to be ignored. Ransomware attacks are only getting worse as time goes on. In 2021, these attacks increased by 105%, and by 232% globally compared with 2019. This led to a whopping 68% of organizations being infected by ransomware in 2021 alone; 15% of those experienced more than 10 separate ransomware infections.
Ransomware has evolved beyond impacting a single endpoint and now is the harbinger of a more powerful attack. Ransomware allows cybercriminals to launch more complex and invasive attacks to steal data across the organization, expanding to everything within reach of the endpoint. Once the stolen data is in their hands, it can be sold or used for extortion.
Ransomware Creates Backdoors for Attackers
The ransomware attack process is far more complex than when it was first imagined. What started as a single system being compromised and left in an encrypted and unusable state has dramatically evolved. Cybercriminals still demand large sums to restore the system. However, ransomware now implants backdoors during an attack and exfiltrates data as leverage to further those demands.
Once attackers are inside through the backdoors, they are behind standard perimeter security and can attack any adjacent endpoints that are accessible. As internal networks are notoriously insecure, they can scale the attack far and wide, increasing both the number of systems held to ransom and the amount of data stolen. Attackers do not remain cordoned off to end-user endpoints. They target shared resources such as shared drives, servers, and databases using the same level of access as the endpoints they started on.
The stolen data creates a secondary revenue stream where attackers can sell the data on the dark web or use it for secondary extortion. In these attacks, even if the victim paid to unlock their endpoint, the cybercriminals demand additional payout not to release the stolen data publicly. This is especially damaging if the data is of a highly sensitive variety, such as healthcare information or payment information, where additional fines and penalties for non-compliance from regulatory agencies will follow.
The Cloud is Not Immune
The cloud is not a safe haven from attackers. With end-users frequently using cloud solutions as mounted file stores, the cloud has also become a prime target. Attackers use the same approach to push into cloud infrastructure that they use to drive their attacks against internal shared resources. So when a user becomes infected with ransomware, the mounted storage is targeted as well, thereby spreading the infection. When another user sharing the same storage attempts to access data, they are not only blocked from reading it, as the data has been encrypted, but they may also become infected in the process.
The Use Case for Cloud is More Than Dynamic Servers
Cloud solutions are no longer restricted to dynamic servers and automated processes. Cloud systems’ cheap and fast storage has rapidly replaced internal shared storage for end-users. In the past, end-users directly mapped drives to NAS and SAN devices. Now, they map to shared cloud assets. With this approach, organizations can circumvent the regional access challenges of a global and remote workforce. Cloud resources are available to users no matter where they reside and work.
Unfortunately, using cloud solutions for storing data also comes with additional risks. Misconfigurations in how access is set up can lead to the exposure of data with high public visibility. It also places the data stores in a location where attackers can more readily launch direct attacks against them, rather than behind a traditional security perimeter. These attacks lead to data compromises and can set the stage for ransomware infections by compromising and infecting stored data.
Defending against Ransomware with a Layered Approach
Defending against ransomware is not a one-step fix. Instead, organizations must create layers of defense to build an entire cybersecurity lifecycle into their architecture. Creating a strategy and process for a combination of prevention, detection, and recovery forms a holistic data-security solution. It blocks ransomware attacks on multiple levels, ensuring that even if the ransomware bypasses one of the levels, there are still other layers along the way to stop it and to reduce the blast radius.
The first layer that most organizations turn to is anti-malware software. For on-premises ransomware that comes from known sources, this is solid protection. Unfortunately, malware rapidly evolves, with over 68,000 new mobile ransomware varieties alone in a single year, making it challenging for these solutions to keep their definition files current and effectively catch zero-day varieties.
Anti-malware solutions that use behavioral indicators to discover malware are more effective at identifying ransomware, even catching zero-day varieties in many cases. These solutions are more effective at creating a line of defense for on-premises environments, but only the most advanced types can work and scale in cloud environments.
Encryption is the next layer of defense, ensuring that data cannot be stolen in usable form, even if ransomware manages to get into the organization. Encryption keeps data entirely unusable without access to the key, so attackers cannot use data taken during a ransomware attack for extortion.
A complete encryption solution is required to keep data protected throughout its lifecycle, not just when it is at rest. Modern encryption solutions can protect data in transit and in use, even in databases. This allows users to access sensitive data securely without impact on user experience, while ensuring that attackers cannot steal the data they are using.
Anomaly and Threat Detection
One of the first signs of ransomware is a change in how resources are utilized by an endpoint. The malware rapidly accesses files within its grasp, far faster than a typical user. It does this to steal and lock as much information as rapidly as possible. The goal is to do damage before anyone notices and intervenes.
Modern anomaly and threat detection capabilities can identify when behavior changes from standard patterns. These solutions utilize machine learning (ML) to analyze large volumes of data, including performance, data access, and user behavior patterns, to determine an expected baseline of use. With this information, they can detect abnormal usage from ransomware.
Early detection and intervention allow your organization to stop the ransomware threat before it becomes deeply entrenched. Using automated responses, the threat can be eliminated far faster than could be accomplished manually, allowing data to be recovered and limiting the attack’s impact.
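The baseline-and-deviation idea described above, as an added example (not Sotero's product code): per-user file-operation rates are learned from a quiet period, and a later window whose rate exceeds the learned threshold is flagged, with a secondary check for mass renames to an unfamiliar extension. All events, paths, thresholds and the known-extension list are constructed for illustration.

```python
"""Rate-based detection of ransomware-style file-access bursts (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60  # seconds per counting window
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt"}  # constructed allow-list

# Constructed events: (epoch_seconds, user, path, operation).
# Training period: one write every 90 s, i.e. at most one op per window.
BASELINE_EVENTS = [
    (t, "alice", f"/share/docs/report{t % 7}.docx", "WRITE") for t in range(0, 3600, 90)
]
# Live period: two normal writes, then 40 renames to ".locked" within 40 seconds.
LIVE_EVENTS = [
    (3600 + t, "alice", f"/share/docs/q{t}.xlsx", "WRITE") for t in range(0, 120, 60)
] + [
    (3800 + i, "alice", f"/share/docs/file{i}.docx.locked", "RENAME") for i in range(40)
]

def rate_per_window(events, window=WINDOW):
    """Return {(user, window_start): op_count} for every user and window."""
    counts = defaultdict(int)
    for ts, user, _path, _op in events:
        counts[(user, ts - ts % window)] += 1
    return counts

def build_baseline(events, k=3.0):
    """Per-user threshold = mean + k*stdev of ops-per-window during training."""
    per_user = defaultdict(list)
    for (user, _w), n in rate_per_window(events).items():
        per_user[user].append(n)
    # A flat baseline has stdev 0; the +1 floor keeps a second file saved
    # in the same minute from being treated as an anomaly.
    return {u: mean(v) + k * pstdev(v) + 1 for u, v in per_user.items()}

def detect_bursts(events, thresholds, window=WINDOW):
    """Return (user, window_start, count, threshold) for windows above baseline."""
    alerts = []
    for (user, w), n in rate_per_window(events, window).items():
        limit = thresholds.get(user)
        if limit is not None and n > limit:
            alerts.append((user, w, n, limit))
    return sorted(alerts, key=lambda a: a[1])

def new_extension_fraction(events, user, window_start, window=WINDOW):
    """Share of the user's ops in the window that rename files to an unknown extension."""
    ops = [(p, op) for ts, u, p, op in events
           if u == user and window_start <= ts < window_start + window]
    hits = sum(1 for p, op in ops
               if op == "RENAME" and not any(p.endswith(e) for e in KNOWN_EXTS))
    return hits / len(ops) if ops else 0.0
```

A high burst count combined with a rename fraction near 1.0 is the pattern an automated response would act on; either signal alone is more likely to be a bulk copy or a legitimate migration.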
Backups As a Final Layer
If all of the other layers can be bypassed by ransomware, backups from your organization are the last line of defense. Rather than focusing on preventing or stopping the attacks, backups allow recovery from the infection. Keeping essential data reliably backed up on a consistent cadence creates a recovery window that you can step back to if attackers manage to encrypt your data maliciously.
Like all layers, backups are not foolproof, as ransomware can also become embedded in files that are backed up, allowing the infection cycle to begin anew on restoration. Creating numerous backups over time ensures that safe, recoverable data exists for repair, even if some data in the backups was encrypted or infected. Modern solutions also integrate granular forensics that identify which files were altered, drastically shortening recovery downtime by pinpointing the exact known-safe restore point and eliminating the human error involved in choosing one. This problem is reduced further by integrating encryption and anomaly detection for files located in backup or storage, ensuring that backups remain unaltered.
Two capabilities make this possible:
1) Encryption and anomaly detection for files located in backups or storage, which can be paired with any backup or storage vendor’s technology.
2) Granular forensics that drastically shorten downtime and backup and recovery time by pinpointing exactly which files must be restored and from which point in time.
Sotero is a data security solution like no other, creating layers for data defense against ransomware. Being purpose-built in the cloud for the cloud, Sotero defends cloud resources against ransomware, blocking the threat of it spreading to internal resources that are mapped to the cloud. Sotero uses advanced behavior-based anomaly detection rather than only a legacy signature-based approach to form a comprehensive ransomware solution. Detection is based on advanced machine learning that creates access and utilization baselines across your cloud infrastructure to detect, monitor, flag, isolate, and stop suspicious activity in real-time.
Sotero ransomware protection gives your organization the advantage of detecting malware at the earliest stages of the attack. It cuts off access, generates alerts, and creates an entire auditable log trail before malware can take hold. With early prevention, your organization eliminates the risk of sensitive data exfiltration and drastically reduces the blast radius to save you costly downtime and recovery time.
To learn how you can stop ransomware attacks before they can take down your organization, contact a data security specialist today!