Breaking out of the vicious cycle of ransomware attacks

Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. The cyber criminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale. In this article, cybersecurity expert Ed Williams of Trustwave SpiderLabs discusses what happens when ransomware hits the network and how organizations can stop themselves falling victim to ransomware again and again.

Ransomware has quickly become one of the most prevalent cyber threats facing organizations today. Unfortunately, the cybercriminal community has latched onto this attack method because infections can quickly cause devastating damage to the victim, and strikes are incredibly easy to launch at scale. 

There were more than 300 million recorded attacks in 2020 – amounting to over 8,000 a day. This staggering figure represents a 64% increase over the previous year, and the trend is set to continue. With enough victims, the threat actors can count on a payday from the minority that do pay up, even if the vast majority manage to recover without paying the ransom.

With so many attacks, every organization on the planet is likely to be targeted multiple times. And being hit by ransomware isn’t a one-off lightning strike. Once a business has been hit once, it will likely be hit again – probably by the same criminals coming back for more. 

So, how can organizations break the cycle and stop themselves from falling victim again and again? 

Starting at the beginning

The first step in reducing the risk of ransomware is understanding how the attacks take place. One of the reasons ransomware is such a formidable threat is that it’s relatively easy to deliver, and most attacks will use the same handful of vectors. 

Firstly, unpatched software vulnerabilities are one of the easiest routes into the system, particularly when it comes to externally facing infrastructure such as a VPN. 

Secondly, hijacking user credentials remains a common weakness as people tend to do a poor job of choosing a strong or random password. Weak passwords may be brute-forced with automated tools, or attackers may first steal them via a phishing attack. 

Ransomware can also be delivered via malicious files sent over in emails. Attackers have adapted their techniques to evade signature-based email security solutions, hiding their malware code with macros or exploiting filesharing tools like SharePoint. 

What happens once the ransomware is inside the network? 

Most ransomware we encounter today is coded with a set of instructions that it will automatically begin carrying out once it is placed within the network and activated. This begins by scoping out options for gaining more network privileges. Once it has gained more system access, the ransomware will begin moving laterally through the system and start wreaking havoc. Most organizations are still not good at segmenting their networks or keeping credentials for privileged accounts such as administrators safe, so the ransomware typically has an easy job. 

Many ransomware variants will seek out assets that contain large amounts of data as a priority, such as SQL databases and CSV files, as these will likely cause the greatest disruption for the victim. More sophisticated threat actors may also directly take control of escalation and lateral movement, waiting to trigger the attack until they have access to the most valuable data and systems. 
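The behaviour described above, a process rewriting large numbers of files in a short time, is also what defenders can look for. The script below is an added example, not code from the original article or from Trustwave: it runs a simple detection over constructed file-activity records (the field names are assumptions, not any product's schema) and flags a process that rewrites many files with a common new extension and high-entropy content inside a short window, which is what encryption of a file share looks like in telemetry.

```python
"""Flag processes that rewrite many files with a new extension in a short window.

Added example, not from the original article. The event records below are
constructed to resemble file-activity telemetry (EDR or file-audit logs);
the field names are assumptions, not a specific product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import os
import random


@dataclass(frozen=True)
class FileEvent:
    ts: float        # epoch seconds of the write/rename
    host: str
    process: str
    path: str        # path after the operation
    data: bytes      # first bytes written (constructed sample content)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=60.0, min_files=20, min_entropy=7.0):
    """Return {(host, process): extension} for every process that, within
    `window` seconds, rewrote at least `min_files` distinct files with the
    same new extension and content whose entropy is at least `min_entropy`."""
    per_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        per_proc[(e.host, e.process)].append(e)

    findings = {}
    for key, evs in per_proc.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most `window` seconds.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_files:
                continue
            by_ext = defaultdict(set)
            for e in win:
                if shannon_entropy(e.data) >= min_entropy:
                    by_ext[os.path.splitext(e.path)[1].lower()].add(e.path)
            for ext, paths in by_ext.items():
                if ext and len(paths) >= min_files:
                    findings[key] = ext
    return findings


def _constructed_events():
    """Constructed sample: one process rewriting a finance share with random-looking
    content and a '.locked' suffix, plus a user saving a few ordinary documents."""
    events = []
    for i in range(25):
        events.append(FileEvent(
            ts=1000.0 + i * 1.5, host="FS01", process="svc_update.exe",
            path=f"C:/Share/Finance/report_{i}.xlsx.locked",
            data=random.Random(i).randbytes(2048)))     # deterministic high-entropy bytes
    for i in range(5):
        events.append(FileEvent(
            ts=1000.0 + i * 10.0, host="FS01", process="winword.exe",
            path=f"C:/Share/Finance/minutes_{i}.docx",
            data=b"Quarterly budget meeting, draft minutes. " * 50))
    return events


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for (host, proc), ext in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {proc} is rewriting files as *{ext}")
```

The thresholds (20 files per minute, entropy 7.0) are starting points, not tuned values; backup agents and compression jobs also produce high-entropy writes, so a real deployment would allowlist known processes and alert on the extension change and rate together rather than on entropy alone.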

What is the impact on the victims? 

Whether the ransomware attack is triggered automatically or placed deliberately within the system, victims often don’t know about it until they suddenly find their files locked down or receive a ransom demand. 

A ransomware outbreak will have three major areas of impact for the target. Most obviously, the organization will suffer from having its critical files and systems locked down. Unless the infection is checked before it can spread too far, this could result in almost every asset the company has been encrypted, including everything in its cloud environments. 

Some variants are designed to prioritize seeking backups, denying the victim the easy route of restoring everything to its pre-infected state. If the network has not been segmented, the ransomware can discover and encrypt backups both on-premises and in the cloud. 

Finally, attacks are also increasingly using a two-pronged approach, coupling encryption with exfiltration. The malware will copy any valuable or sensitive assets it finds and send it back to the attacker’s command and control center. This ensures that even if the victim can restore their systems without caving in to ransom demands, the attackers still have a path to profit by blackmailing them with the stolen data. In many cases, stolen data will still be sold on the dark web regardless of if the victim pays up.

How can victims recover from ransomware? 

Don’t panic. That’s easier said than done when the worst-case scenario occurs but keeping a cool head will go a long way to mitigating the damage. Security teams need to resist the urge to focus entirely on the immediate challenge of getting the company operational again and spare some thought for longer-term activity. 

The first priority should be to locate the source of the attack and ensure this vulnerability is closed, whether it was a compromised user account or an unpatched application. Next, it is essential to track down any remaining malware on the system. Attackers will frequently deploy ransomware through other malware, which remains hidden and can be used again later on. Follow-up strikes may occur as much as six months down the line, once the victim has lowered their guard. 

Threat hunting is one of the most effective ways of searching out well-hidden modular malware. This approach sees a team of skilled security professionals combine their experience and intuition with automated tools to uncover vulnerabilities and attack paths missed by automated scans. 

How do we stop it happening (again)?

With thousands of attacks every day, most businesses will be hit eventually, but that doesn’t mean each attack needs to be an unadulterated disaster for the victim. With the right precautions, it is possible to reduce the average malware attack to a minor inconvenience.

This means setting up hurdles to make it difficult for the attacker and their ransomware every step of the way.

First, deny them easy access to the system by closing off those common attack paths. A well-managed patching process will ensure that software vulnerabilities are quickly resolved before they can be exploited, with priority placed on high-risk applications. Implementing stronger password processes and credential management solutions will also make it harder for attackers to gain control of user accounts, while more effective email security and awareness training will reduce the chances of email-bound threats. 

Next, the network needs to be configured and secured to stop ransomware from having free rein if it does slip past defences. It is essential to have a good understanding of what is on the network. All too often, when conducting a penetration test, we find assets that the company wasn’t aware of, or that they thought they had disconnected. 

Organizations need to conduct a thorough audit of their entire IT estate to get a clear picture. From here, they can start implementing barriers to slow and stop ransomware and other threats. Network segmentation is useful as it prevents the intruder from easily achieving lateral movement. If an outbreak does occur, it will be contained to a limited area, making it easier to find the source and resolve the threat. 

Implementing a least privilege approach will also mean that all users only have access to systems they need for their job role, greatly reducing the damage that can be wrought by a single compromised account. 
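Segmentation only contains an outbreak if the intended boundaries are actually enforced, so the design should be checked against what the network really does. The script below is an added example, not code from the original article or from Trustwave: the segment names, address ranges, allowed paths and flow records are all constructed for illustration, and in practice the flows would come from firewall, NetFlow or cloud flow logs. It reports every cross-segment connection the policy does not permit, and also workstation-to-workstation connections, which are the classic sign of the lateral movement the article describes.

```python
"""Audit observed network flows against an intended segmentation policy.

Added example, not from the original article. Segments, CIDRs, the allowed
paths and the flow records are constructed; real input would be exported
from firewall or NetFlow/VPC flow logs.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segment plan (assumed address ranges).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "backup":       ipaddress.ip_network("10.30.0.0/24"),
    "management":   ipaddress.ip_network("10.40.0.0/24"),
}

# (source segment, destination segment, destination port) triples the design permits.
# Anything crossing a segment boundary that is not listed here is a violation.
ALLOWED = {
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),    # file shares
    ("servers", "backup", 10000),        # backup agent to backup server (assumed port)
    ("management", "servers", 3389),     # admin jump host only
    ("management", "workstations", 3389),
    ("management", "backup", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def audit_flows(flows):
    """Return (flow, src_segment, dst_segment, reason) for each flow the policy
    does not permit. Same-segment traffic is only reported for workstations,
    where peer-to-peer connections are the usual lateral-movement signal."""
    findings = []
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if s == d:
            if s == "workstations":
                findings.append((f, s, d, "workstation-to-workstation"))
            continue
        if (s, d, f.dport) not in ALLOWED:
            findings.append((f, s, d, "not in segmentation policy"))
    return findings


# Constructed flow records: three are within policy, three are not.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.1.10", 445),     # workstation -> file server: allowed
    Flow("10.10.5.23", "10.10.7.41", 445),     # workstation -> workstation SMB: lateral movement
    Flow("10.10.5.23", "10.30.0.5", 445),      # workstation -> backup server: backups exposed
    Flow("10.40.0.2", "10.20.1.10", 3389),     # jump host -> server RDP: allowed
    Flow("10.20.1.10", "10.30.0.5", 10000),    # server -> backup agent port: allowed
    Flow("10.10.5.23", "10.20.1.10", 3389),    # workstation -> server RDP: bypasses jump host
]

if __name__ == "__main__":
    for flow, s, d, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src} ({s}) -> {flow.dst}:{flow.dport} ({d}): {reason}")
```

Run against a day of real flow logs, the output is a worklist: each finding is either a rule that should be added to the plan because the business needs it, or a hole in the segmentation that ransomware would use to reach servers and backups from a single compromised workstation.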

By taking steps now to fortify their IT infrastructure against attacks and slow down those intruders that make it through, organizations can greatly reduce their chances of falling victim to a ransomware attack, whether it’s a first strike or greedy criminals coming back around for more. 

Ed Williams

Ed Williams is a seasoned cybersecurity specialist with 10 years directly focused on penetration testing and consultancy for Government and private sector organisations. He heads up penetration testing within Trustwave’s elite team of forensic investigators, researchers and ethical hackers, SpiderLabs, as Director for EMEA.
