Ransomware is a persistent evil for organizations to combat. According to SonicWall, there were 236.1 million ransomware attempts in the first half of 2022 alone, with businesses in the United States seeing over 9 times more volume than in any other country. With this volume of attack attempts, it’s not a question of if an organization will become a target but when.
Organizations must be prepared because ransomware has evolved rapidly over the last few years, bringing in new functionality to steal data and set up widespread compromises throughout an organization. A single ransomware attack can paralyze a business, causing a widespread interruption of productivity as technicians work to contain the spread.
This article explores how ransomware continues to evolve and what steps your organization can take to defend itself against the latest variations.
Ransomware Is Evolving
Ransomware used to be a one-time attack where a single endpoint was compromised, and organizations could pay the ransom or lose the data if backups were unavailable. The attacks are even more attractive to attackers because the cybercriminals running the operations are hard to track down. Payments are made via cryptocurrencies, which help to obfuscate the individuals behind the transaction.
As cybercriminals are greedy, the traditional model was still not profitable enough. Attackers already knew that once they had a level of access to launch their ransomware, they could use that access to escalate to far more lucrative attacks. So they added features and functionality to the malware to conduct more invasive attacks. These attacks focused on data theft and penetrating deep within the organization to compromise numerous endpoints simultaneously, creating a widespread breach rather than a minor incident.
Extortion Attacks
Cybercriminals conduct ransomware attacks to profit. In 2021, these profits were up 64% year over year. Part of what has driven the increase in value is adding an extortion component to the ransomware attack. As the ransomware embeds itself, it either steals data on its own, sending it back to the attackers, or it opens backdoors for cybercriminals to step in and identify valuable data to extract.
Once the attackers have their hands on the data, it no longer matters whether the organization pays to recover from the ransomware: the stage is set for another demand. Cybercriminals can come back at any point in the future to demand payment not to sell or release the stolen data. Organizations may be unaware they were breached during the ransomware attack, which causes additional trouble if the data stolen is highly regulated. In these cases, just the notification that a breach has occurred causes a compliance failure that may come with business disruption, fines, and penalties.
Staging Larger Attacks
A backdoor set up for stealing data also gives attackers a position from which to launch more extensive and complex attacks against an organization. Once they are in the door, they are behind the traditional security perimeter, allowing them to attack accessible adjacent endpoints. Internal networks are notoriously insecure. Cybercriminals leverage this, spreading their attack and planting ransomware and backdoors throughout the IT ecosystem.
The attack becomes even worse when shared storage systems are accessible to the attackers, especially if they connect to cloud infrastructure. Once an attacker has access to an endpoint, they share the same level of access as the user on the endpoint they already compromised. Poorly secured shared storage systems allow widespread access to company data that can be resold, ransomed, or locked with malicious encryption.
Stopping the Threat
Even though ransomware has evolved, there are still ways to restrain it. Using a layered defense, your organization can stop the new tactics used by ransomware. Access controls make it difficult for attackers to reach data and steal it, and anomaly detection prevents the ransomware from propagating throughout the organization. Using these in tandem constrains the ransomware, limiting the blast radius in the event of an infection.
Preventing Extortion
The first step to preventing ransomware extortion is to make it harder for ransomware to reach out and steal data. Using fine-grained permissions assigned through role-based access controls (RBAC), access to information can be granted only to those who need it. This limits the scope of information that attackers can steal.
Augmenting this with preventative encryption at rest, in transit, and in use secures the data, making it entirely unreadable to attackers. So even if an attacker can use an exploit to circumvent RBAC and view data they should not, the encryption guarantees that the information is inaccessible to them. Stopping theft prevents cybercriminals from extorting your organization after the attack or selling the stolen data.
Blocking Escalation
Using anomaly detection powered by machine learning is the next stage of defense against an escalating ransomware threat. Anomaly detection creates a baseline of usage for every individual with access to your resources. It identifies when overuse or access misuse occurs and cuts off access, alerting technicians so they can contain the breach. So even when the attacker is using a hijacked system, the change in utilization will trigger the detection, stopping the attack’s spread.
More advanced versions of anomaly detection scale into the cloud and integrate into a complete anti-ransomware solution. They detect the first signs of ransomware infections by tracking changes in access and hardware utilization. With these solutions, the attacks are stopped cold, protecting valuable cloud infrastructure from the spread of ransomware.
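The per-user baseline idea described above can be sketched as follows. This is an added example, not Sotero's code or any product's implementation: it substitutes a simple median/MAD statistical baseline for the machine-learning model the article refers to, and the user names, hourly file-access counts and thresholds are constructed assumptions.

```python
from statistics import median

MIN_HISTORY = 5   # assumed: windows required before a baseline is trusted
THRESHOLD = 6.0   # assumed: robust z-score above which access is cut off

def build_baseline(history):
    """history: {user: [files touched per hour, ...]} -> {user: (median, MAD)}"""
    baseline = {}
    for user, counts in history.items():
        if len(counts) < MIN_HISTORY:
            continue  # too little data; evaluate() routes these to review
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        baseline[user] = (med, mad)
    return baseline

def score(count, med, mad):
    # 1.4826 * MAD approximates the standard deviation. The floor of 1.0
    # keeps a perfectly steady user (MAD == 0) from dividing by zero.
    scale = max(1.4826 * mad, 1.0)
    return (count - med) / scale

def evaluate(baseline, current):
    """current: {user: count in this window} -> [(user, action, score)]"""
    decisions = []
    for user, count in sorted(current.items()):
        if user not in baseline:
            # No trusted baseline: neither allow silently nor block blindly.
            decisions.append((user, "review", None))
            continue
        z = score(count, *baseline[user])
        action = "suspend" if z > THRESHOLD else "allow"
        decisions.append((user, action, round(z, 1)))
    return decisions

# Constructed sample data: files touched per hour by each account.
HISTORY = {
    "alice": [40, 52, 47, 38, 55, 49, 44, 51],
    "bob": [3, 5, 4, 4, 6, 5, 3, 4],
    "svc-backup": [900, 950, 910, 930, 940, 920],
    "newhire": [12, 9],
}
# bob's account suddenly touches hundreds of files, as mass encryption would.
CURRENT = {"alice": 58, "bob": 412, "svc-backup": 925, "newhire": 300}

if __name__ == "__main__":
    for decision in evaluate(build_baseline(HISTORY), CURRENT):
        print(decision)
```

Because each account is compared with its own history, the backup service's 925 files per hour is allowed while 412 from an account that normally touches about four is suspended; a single global threshold would get one of the two wrong.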
Sotero
Sotero’s data protection platform is designed to combat the evolving threat of ransomware and other threats to your data. Sotero uses advanced behavior-based anomaly detection to identify even zero-day ransomware threats, blocking their spread into your cloud infrastructure. With advanced encryption and data access controls, Sotero rounds out the data defense to block the ability of ransomware-based threats to steal sensitive information and spread it through the organization.