Breaking out of the vicious cycle of ransomware attacks

Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. The cyber criminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale.  In this article, cybersecurity expert Ed Williams of Trustwave SpiderLabs, discusses what happens when ransomware hits the network and how organizations can stop themselves falling victim to ransomware again and again.
Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. The cyber criminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale. 
In this article, cybersecurity expert Ed Williams of Trustwave SpiderLabs, discusses what happens when ransomware hits the network and how organizations can stop themselves falling victim to ransomware again and again.

Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. Unfortunately, the cybercriminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale. 

There were more than 300 million recorded attacks in 2020 – amounting to over 8,000 a day. This staggering figure represents a 64% increase over the previous year, and the trend is set to continue. Even if the vast majority manage to recover without paying the ransom, the threat actors can count on a payday from the minority that do pay up with enough victims.

With so many attacks, every organization on the planet is likely to be targeted multiple times. And being hit by ransomware isn’t a one-off lightning strike. Once a business has been hit once, it will likely be hit again – probably by the same criminals coming back for more. 

So, how can organizations break the cycle and stop themselves from falling victim again and again? 

Starting at the beginning

The first step in reducing the risk of ransomware is understanding how the attacks take place. One of the reasons ransomware is such a formidable threat is that it’s relatively easy to deliver, and most attacks will use the same handful of vectors. 

Firstly, unpatched software vulnerabilities are one of the easiest routes into the system, particularly when it comes to externally facing infrastructure such as a VPN. 

Secondly, hijacking user credentials remains a common weakness as people tend to do a poor job of choosing a strong or random password. Weak passwords may be brute-forced with automated tools, or attackers may first steal them via a phishing attack. 

Ransomware can also be delivered via malicious files sent over in emails. Attackers have adapted their techniques to evade signature-based email security solutions, hiding their malware code with macros or exploiting filesharing tools like SharePoint. 

What happens once the ransomware is inside the network? 

Most ransomware we encounter today is coded with a set of instructions that it will automatically begin carrying out once it is placed within the network and activated. This begins by scoping out options for gaining more network privileges. Once it has gained more system access, the ransomware will begin moving laterally through the system and start wreaking havoc. Most organizations are still not good at segmenting their networks or keeping credentials for privileged accounts such as administrators safe, so the ransomware typically has an easy job. 

Many ransomware variants will seek out assets that contain large amounts of data as a priority, such as SQL databases and CSB files, as these will likely cause the greatest disruption for the victim. More sophisticated threat actors may also directly take control of escalation and lateral movement, waiting to trigger the attack until they have access to the most valuable data and systems. 

What is the impact on the victims? 

Whether the ransomware attack is triggered automatically or placed deliberately within the system, victims often don’t know about it until they suddenly find their files locked down or receive a ransom demand. 

A ransomware outbreak will have three major areas of impact for the target. Most obviously, the organization will suffer from having its critical files and systems locked down. Unless the infection is checked before it can spread too far, this could result in almost every asset the company has been encrypted, including everything in its cloud environments. 

Some variants are designed to prioritize seeking backups, denying the victim the easy route of restoring everything to its pre-infected state. If the network has not been segmented, the ransomware can discover and encrypt backups both on-premises and in the cloud. 

Finally, attacks are also increasingly using a two-pronged approach, coupling encryption with exfiltration. The malware will copy any valuable or sensitive assets it finds and send it back to the attacker’s command and control center. This ensures that even if the victim can restore their systems without caving in to ransom demands, the attackers still have a path to profit by blackmailing them with the stolen data. In many cases, stolen data will still be sold on the dark web regardless of if the victim pays up.

How can victims recover from ransomware? 

Don’t panic. That’s easier said than done when the worst-case scenario occurs but keeping a cool head will go a long way to mitigating the damage. Security teams need to resist the urge to focus entirely on the immediate challenge of getting the company operational again and spare some thought for longer-term activity. 

The first priority should be to locate the source of the attack and ensure this vulnerability is closed, whether it was a compromised user account or an unpatched application. Next, it is essential to track down any remaining malware on the system. Attackers will frequently deploy ransomware through another malware, which remains hidden and can be used again later on. Follow up strikes may occur as much as six months down the line once the victim has lowered their guard. 

Threat hunting is one of the most effective ways of searching out well-hidden modular malware. This approach sees a team of skilled security professionals combine their experience and intuition with automated tools to uncover vulnerabilities and attack paths missed by automated scans. 

How do we stop it happening (again)?

With thousands of attacks every day, most businesses will be hit eventually, but that doesn’t mean each attack needs to be an unadulterated disaster for the victim. With the right precautions, it is possible to reduce the average malware attack to a minor inconvenience.

This means setting up hurdles to make it difficult for the attacker and their ransomware every step of the way.

First, deny them easy access to the system by closing off those common attack paths. A well-managed patching process will ensure that software vulnerabilities are quickly resolved before they can be exploited, with priority placed on high-risk applications. Implementing stronger password processes and credential management solutions will also make it harder for attackers to gain control of user accounts, while more effective email security and awareness training will reduce the chances of email-bound threats. 

Next, the network needs to be configured and secured to stop ransomware from having free reign if it does slip past defences. It is essential to have a good understanding of what is on the network. All too often, when conducting a penetration test, we find assets that the company wasn’t aware of, or that they thought they had disconnected. 

Organizations need to conduct a thorough audit of their entire IT estate to get a clear picture. From here, they can start implementing barriers to slow and stop ransomware and other threats. Network segmentation is useful as it prevents the intruder from easily achieving lateral movement. If an outbreak does occur, it will be contained to a limited area, making it easier to find the source and resolve the threat. 

Implementing a least privilege approach will also mean that all users only have access to systems they need for their job role, greatly reducing the damage that can be wrought by a single compromised account. 

READ MORE:

By taking steps now to fortify their IT infrastructure against attacks and slow down those intruders that make it through, organizations can greatly reduce their chances of falling victim to a ransomware attack, whether it’s a first strike or greedy criminals coming back around for more. 

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Ed Williams

Ed Williams is a seasoned cybersecurity specialist with 10 years directly focused on penetration testing and consultancy for Government and private sector organisations. He heads up penetration testing within Trustwave’s elite team of forensic investigators, researchers and ethical hackers, Spiderlabs, as Director for EMEA.

Britain’s Uplevelling Plan

Amber Coster • 26th April 2022

Remote work could enable over 13 million Brits* to seize the opportunity to live and work outside the major cities, helping to spread economic opportunity across the UK, according to research released today by ClickUp, the all-in-one productivity platform.

The Heroes Of Technology

Steven Johnson • 26th April 2022

We tend to worship great business leaders, but there are thousands of innovators whose ideas — from tiny features to complicated algorithms — have made our lives easier, healthier, safer, and more convenient. Meet Hidden Heroes, a new publication designed to tell their stories and pay them the tribute they deserve.