From phishing attempts to DDoS attacks, organisations today are facing wave after wave of security threats.
But, amid an ongoing economic downturn, staffing shortages and seemingly endless cyberattacks, some businesses are struggling against the rising tide of ransomware.
The 2017 WannaCry outbreak is perhaps one of the best-known, most damaging examples of a ransomware attack. With the ability to self-replicate, this ransomware strain went viral, infecting more than 200,000 systems across 150 countries. The attack impacted organisations across many sectors, bringing business operations to a grinding halt.
Years later, the global threat of ransomware remains at peak levels, with half of the organisations across all sizes, regions and industries telling Fortinet that they fell victim in the last year.
This month, Cyber Magazine speaks with David Higgins, Field Technology Office at CyberArk, about the ways organisations can protect themselves against ransomware attacks as well as his thoughts on how the threat landscape will continue to evolve in future.
Ransomware has devastating consequences for businesses
One of the most serious and costly cyber threats facing businesses today, ransomware is a specific type of malware that extorts victims for financial gain.
Ransomware attacks can have devastating consequences for businesses, such as disrupting operations, damaging reputation, exposing sensitive information, and incurring legal liabilities.
“When it executes, it prevents victims – usually by encryption – from interacting with their files, applications or systems,” explains Higgins. “Further, ransomware can also facilitate access to an organisation's internal systems, allowing criminals to look for more machines to encrypt, valuable data to extort, backups to disrupt, shadow copies to delete, and files to be unlocked. This maximises the impact of an attack. Some of the more sophisticated ransomware attacks can even leave backdoors or hidden identities that allow attackers a way in for the future.
“Threat actors often target organisations based on their ability to afford large payouts and aim to hold their files and systems hostage until a ransom is paid. This is usually in the form of an untraceable cryptocurrency like Bitcoin. In some cases, victims are instructed to pay the perpetrator by a set time or risk losing access forever. In other cases, the perpetrator intermittently raises the ransom demands until the victim pays.”
How ransomware infects systems
As Higgins describes, by distributing ransomware in bulk using common “spray and pray” tactics – such as phishing, social engineering and exploit kits – attackers can target many organisations and infect numerous desktops, laptops and servers with minimal effort.
“Attackers can also, however, go to great lengths to understand a victim’s technology stack so they can identify and exploit vulnerabilities while pinpointing the most valuable data to encrypt and hold for ransom,” he says. “They can be extremely patient, escalating privileges to circumvent security systems and evading detection for months – or longer – before deploying the ransomware payload. During this time, attackers often target data backups (if they exist) so the organisation can’t restore files after they’ve been encrypted.”
Whereas traditional anti-virus solutions use signature patterns to identify and block known malware variants, contemporary ransomware continuously morphs and can’t be detected using signature-based methods. As a result, anti-virus vendors can't keep pace with the evolving ransomware landscape.
“Organisations can defend against modern ransomware by taking a multi-layered, defence-in-depth approach to security,” Higgins explains. “This includes robust Identity Security controls to contain breaches and spread. By combining strong Identity and Access Management capabilities – like multi-factor authentication – with comprehensive endpoint privilege manager and privileged access management solutions, organisations can block and limit the extent that ransomware can execute and spread.”
Best practices to prevent ransomware attacks
As Higgins describes, organisations can make it more difficult for cybercriminals by restricting all network users to work under standard accounts with no admin rights. By cutting admin privileges and elevating certain users on an as-needed basis, security teams can shut off the ability for ransomware to run with escalated privileges and disrupt the attack.
“This is just one of countless ways for attackers to launch ransomware attacks, exploit privileged credentials and start moving laterally towards sensitive IT systems to steal confidential data,” Higgins comments. “Additionally, threat actors can often retrieve cached credentials without ever needing admin privileges. Therefore, having the ability to automatically detect and block credential harvesting attempts is a crucial endpoint security layer.”
Additional steps include adding automated secrets and credentials management on critical targets, such as backup servers, to eliminate stolen tokens or keys as an entry method. “You can also use a combination of application performance monitoring and security information and event management solutions to develop an audit trail for compliance reporting, and closely observe any unusual behaviours that may indicate an intruder in your network,” adds Higgins.
The future of ransomware
Ransomware attacks are constantly evolving in complexity, scope and scale and, recently, a new trend has emerged: intermittent encryption.
“Intermittent encryption is when ransomware forgoes encrypting the entirety of every file, instead only encrypting part of each file, often blocks of a fixed size or only the beginning of targeted files,” concludes Higgins.
There are several reasons attackers choose intermittent encryption over full encryption, according to Higgins: “The most obvious is speed: because files are only partially encrypted, intermittent encryption requires less time spent on each file, allowing the ransomware to impact more files in less time. This means that even if the ransomware is stopped before running to completion, more files will be encrypted, creating a more significant impact and making it more likely the ransomware will end up damaging critical files.
“Additionally, some security solutions make use of the amount of content being written to disk by a process in their heuristics to identify ransomware. With intermittent encryption, less content is written, and, therefore, there is a smaller chance that ransomware will trigger such detections.
“Intermittent encryption starts to blur the line between corrupting files and making files truly unusable. However, because the malware can end up leaving a large portion of the files unencrypted, there are – fortunately – tools available that can extract data from the non-encrypted parts of the files and recover some of the unencrypted data.”
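As an added illustration of the recovery point Higgins makes (example code written for this article, not CyberArk's or any vendor's tool): the triage routine below scores each fixed-size block of a damaged file by byte entropy, flags the blocks that look like ciphertext, and carves out the plaintext ranges that intermittent encryption left untouched. The 4 KiB block size, the entropy threshold and the sample file (text blocks with every third block overwritten by seeded random bytes standing in for ciphertext) are all assumptions made for the demonstration.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # assumed block size of the intermittent encryptor (hypothetical)
THRESHOLD = 7.5  # bits/byte; natural text sits around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blocks(blob: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Return (offset, length, looks_encrypted) for every block of the file."""
    return [
        (off, len(blob[off:off + block]), shannon_entropy(blob[off:off + block]) > threshold)
        for off in range(0, len(blob), block)
    ]


def recoverable_ranges(blob: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Merge adjacent plaintext-looking blocks into (start, end) byte ranges."""
    ranges = []
    for off, ln, enc in classify_blocks(blob, block, threshold):
        if enc:
            continue
        if ranges and ranges[-1][1] == off:  # extend the previous run
            ranges[-1] = (ranges[-1][0], off + ln)
        else:
            ranges.append((off, off + ln))
    return ranges


def carve(blob: bytes, block: int = BLOCK, threshold: float = THRESHOLD) -> bytes:
    """Concatenate the recoverable plaintext regions for an analyst to review."""
    return b"".join(blob[s:e] for s, e in recoverable_ranges(blob, block, threshold))


def build_sample(n_blocks: int = 6, every: int = 3, seed: int = 1234) -> bytes:
    """Constructed sample file: log-like text in which every `every`-th block
    (starting at block 0) was overwritten with random bytes to mimic ciphertext."""
    rng = random.Random(seed)
    plain = (b"log: user=alice action=open doc=quarterly-report.xlsx\n" * 100)[:BLOCK]
    return b"".join(rng.randbytes(BLOCK) if i % every == 0 else plain for i in range(n_blocks))


if __name__ == "__main__":
    sample = build_sample()
    for off, _, enc in classify_blocks(sample):
        print(f"offset {off:6d}: {'ciphertext-like' if enc else 'plaintext'}")
    print("recoverable byte ranges:", recoverable_ranges(sample))
```

Because the score is per block rather than per process, it is independent of how many bytes the encryptor wrote, which is exactly the signal that write-volume heuristics lose against intermittent encryption.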