How to Protect Your Data When Ransomware Strikes
Originally published by Lookout here.
Written by Hank Schless, Senior Manager, Security Solutions, Lookout.
Ransomware is not a new attack vector. In fact, the first malware of its kind appeared more than 30 years ago and was distributed via 5.25-inch floppy disks. To pay the ransom, the victim had to mail money to a P.O. Box in Panama.
Fast forward to today, affordable ransomware-as-a-service (RaaS) kits are available on the dark web for anyone to purchase and deploy and attackers have an infinite number of channels available to them to infiltrate organizations as a result of reliance on cloud and mobile technologies.
Initiating a ransomware attack is all about discretely gaining access. And as employees can now access your data from anywhere, you have lost visibility into how they do so. To safeguard against these attacks, you’re not just looking for malware, you need continuous insights into your users, the endpoints they use and the applications and data they access.
I will use this blog to set up 1) the climate that resulted in $20-billion dollars in ransom payments in 2021, and 2) how you can protect your organization from these ongoing threats.
Work from anywhere improves both productivity and attacker infiltration
While the actual malware used to hold your data hostage is called “ransomware,” that’s not what you should focus on. Before anything is deployed, attackers need access to your infrastructure.
Today, users are accessing data using networks you don’t control and devices you don’t manage, rendering whatever on-premises security measures you had obsolete.
This means threat actors can launch phishing attacks to compromise user credentials, or exploit a vulnerable app with little consequence. And once they are inside your infrastructure, they quickly deploy malware to create persistent backdoors that enable them to come and go as they please. If they escalate privileges, it becomes nearly impossible to stop them from moving around laterally and holding your data hostage.
Step-by-step: how to protect against ransomware
There are a number of steps that happen between an attacker accessing your infrastructure and asking for a ransom. These steps are outlined on this anatomy of a ransomware attack infographic and here is a high level rundown of what happens and how you can protect your organization.
1. Block phishing attacks and cloak web-enabled apps
One of the easiest ways attackers gain access is by taking over a user account by compromising credentials with phishing attacks. It’s critical to be able to inspect web traffic on any device to block these attacks from affecting both PC and mobile users. This will ensure that ransomware operators can’t kick off their attack by compromising accounts.
Threat actors will also crawl the web to find vulnerable or exposed internet-facing infrastructure to exploit. Many organizations have apps or servers exposed to the web to enable remote access, but this means attackers can find them and look for vulnerabilities. Cloaking these apps from discovery is a key defense tactic. This helps you move away from the unbridled access provided by VPNs and make sure only authorized users access the data they need.
2. Detect and respond to anomalous behaviors
If attackers manage to enter your infrastructure, they will begin moving laterally to conduct reconnaissance. This is to find additional vulnerabilities with the ultimate goal of uncovering sensitive data. Some of the steps they could take include changing your settings to lower security permissions, exfiltrating data and uploading malware.
Some of these steps may not be outright malicious behavior but can be considered anomalous behavior. This is where an understanding of user and device behavior as well as segmenting access at the application level becomes essential. To stop lateral movement, you need to ensure no users have free roam of your infrastructure and that they aren’t acting in a malicious manner. It’s also crucial to be able to detect excessive or misconfigured privileges so that you can prevent changes to your app and cloud posture.
3. Render data useless for ransom with proactive encryption
The final step of a ransomware attack is to hold your data hostage. In addition to encrypting the data and locking your admins out, the attacker could also exfiltrate some data to use as leverage, then delete or encrypt what’s left in your infrastructure.
Exfiltration and impact are usually when the attacker finally reveals their presence. The changes they make to data, regardless of if it’s at rest or in motion, will set off alarm bells and they will demand payments. However, you can make all their efforts for naught if that data is encrypted proactively by your security platform and renders it absolutely useless to the attacker.
Encryption is a critical part of any data loss prevention (DLP) strategy, and triggering it off of contextual data protection policies can help you protect your most sensitive data from compromise.
Securing against ransomware: point products versus a unified platform
A ransomware attack isn’t just a single event; it’s a persistent threat. To secure your organization, you need a full picture of what is happening with your endpoints, users, apps and data. This ensures that you can block phishing attacks, cloak web apps, detect and respond to lateral movement, and protect your data even if it is exfiltrated and held for ransom.
Historically, organizations have purchased new tools to mitigate against new problems. But this type of approach will not work with threats like ransomware. While you may have some telemetry into your users' access activity, the health of their corporate-owned device and how your data is handled, your security team will have to manage multiple consoles that don’t work with each other.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.