The recent tsunami of ransomware has brought to life the fears of downtime and data loss cybersecurity pros have warned about, as attacks on the energy sector, food supply chain, healthcare industry, and other critical infrastructure have grabbed headlines.
For the industry experts who track the evolution of this threat, the increased frequency, sophistication, and destructiveness of ransomware suggests that businesses still have some major gaps in their defense strategies.
It's no surprise that a new, multi-layered approach to protection is needed to stem the damage caused by ransomware. But what changes should an IT team implement to close those gaps?
During a recent panel, a team of cybersecurity experts outlined a three-step plan to do just that -- centered around embracing new technologies, improving security processes, and ensuring their people know how to help curb the threat.
1 — New Strains Overwhelm Old Defenses
Many new ransomware strains now behave like advanced persistent threats (APTs), lying dormant in the corporate network for weeks while quietly gathering information and stealing data.
This trend is why some analysts predict data exfiltration will overtake encryption as the preferred approach of ransomware attackers.
Despite the change in approach, attackers still rely on familiar techniques early in these attacks, such as phishing to steal credentials and deliver malware. In fact, Topher Tebow, senior cybersecurity researcher at Acronis, says that 94% of successful malware attacks now begin with phishing.
To deny attackers entry, he advises organizations to update their email security and deploy URL filtering if they have not already done so. These defensive layers can block phishing emails before they reach a user's inbox and prevent a malware payload from reaching the system. Simple investments like these, Tebow notes, can be an easy, effective way to end a ransomware attack before it starts.
Dylan Pollock, a senior network engineer at NASCAR's Hendrick Motorsports, adds that attackers also love to exploit known vulnerabilities that remain unpatched in operating systems, applications, and devices. Unpatched vulnerabilities "are like catnip to cybercriminals," which is why he recommends that organizations consider adopting tools that automate vulnerability scanning and patch management.
Organizations cannot continue to rely solely on signature-based defenses to stop cyber threats.
That's because, as Acronis VP of Cyber Protection Research Candid Wüest points out, cybercriminals are creating new versions of ransomware every day. That means each new attack is a zero-day threat that traditional signature-based defenses will miss.
Wüest says what organizations need are more adaptive defenses that use behavior-based detection to identify and stop threats: solutions powered by machine intelligence – the next stage of artificial intelligence and machine learning – that recognize new patterns of attack behavior and respond automatically in real time to mitigate the attack.
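To make the "behavior, not signature" point concrete, here is an added example written for this article (it is not Acronis code and not any product's detection algorithm). It scores what a process does rather than what it is: renaming many files to a new extension and writing high-entropy, ciphertext-looking data across several directories within a short window. The event format, the thresholds, the process names and the sample trace are all constructed for the demonstration; a real deployment would feed it from a file-system minifilter or EDR telemetry and tune the thresholds against its own baseline.

```python
"""Behavioral ransomware detection over a file-event stream (added example).

Illustrative code for this article, not Acronis code and not a product's
algorithm. Event format, thresholds and the sample trace are constructed.
A new ransomware build changes its hash every day; the behavior below does not.
"""
import math
import os
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float            # seconds since start of trace
    pid: int
    process: str
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # rename target
    data: bytes = b""    # first chunk written (enough for an entropy estimate)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits near 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class RansomwareBehaviorDetector:
    def __init__(self, window_s=10.0, ops_threshold=20, entropy_floor=7.5, min_dirs=3):
        self.window_s = window_s            # sliding window per process
        self.ops_threshold = ops_threshold  # suspicious ops needed inside the window
        self.entropy_floor = entropy_floor  # a write above this looks like ciphertext
        self.min_dirs = min_dirs            # spread across directories, not one archive job
        self._recent = defaultdict(deque)   # pid -> suspicious events inside the window
        self._alerted = set()

    def _is_suspicious(self, ev: FileEvent) -> bool:
        if ev.op == "rename":
            # Extension changed, e.g. report.pdf -> report.pdf.locked
            return os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]
        if ev.op == "write":
            return shannon_entropy(ev.data) >= self.entropy_floor
        return False

    def observe(self, ev: FileEvent):
        """Feed one event; return an alert dict the first time a process crosses the bar."""
        if ev.pid in self._alerted or not self._is_suspicious(ev):
            return None
        q = self._recent[ev.pid]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window_s:
            q.popleft()
        dirs = {os.path.dirname(e.path) for e in q}
        if len(q) >= self.ops_threshold and len(dirs) >= self.min_dirs:
            self._alerted.add(ev.pid)
            return {"pid": ev.pid, "process": ev.process, "ts": ev.ts,
                    "ops": len(q), "dirs": len(dirs)}
        return None


def sample_trace() -> list:
    """Constructed trace: a word processor, an archiver, and a ransomware process."""
    rng = random.Random(1)  # seeded so the "ciphertext" is deterministic

    def rand(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    events = []
    for i in range(30):  # benign: many low-entropy text saves in one folder
        events.append(FileEvent(i * 0.5, 1001, "WINWORD.EXE", "write",
                                f"C:/Users/ann/Docs/memo{i}.docx",
                                data=b"Quarterly results look steady. " * 40))
    for i in range(3):   # benign: high-entropy output, but only 3 files in 1 folder
        events.append(FileEvent(2.0 + i, 1002, "7z.exe", "write",
                                f"C:/Users/ann/Archive/backup{i}.7z", data=rand(4096)))
    folders = ["Docs", "Pictures", "Desktop", "Finance"]
    for i in range(40):  # malicious: overwrite then rename, fast, across folders
        path = f"C:/Users/ann/{folders[i % 4]}/file{i}.pdf"
        t = 5.0 + i * 0.05
        events.append(FileEvent(t, 4242, "updater.exe", "write", path, data=rand(4096)))
        events.append(FileEvent(t + 0.01, 4242, "updater.exe", "rename", path,
                                new_path=path + ".locked"))
    return sorted(events, key=lambda e: e.ts)


def run_detector(events=None) -> list:
    """Run the detector over a trace and return the alerts it raised."""
    det = RansomwareBehaviorDetector()
    trace = events if events is not None else sample_trace()
    return [a for a in map(det.observe, trace) if a]


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

Two design choices matter here. The entropy floor alone would flag the archiver, so the detector also requires volume and spread across directories before it alerts, which is what separates a backup job from a process touching everything it can reach. And the alert fires after twenty operations, not after the whole tree is gone; whatever responds to it (suspend the process, snapshot the volume) gets a chance to act while most files are still intact.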
2 — Better Processes Stop Ransomware
While using modern solutions to defeat modern threats is critical, upgraded defenses alone are not enough in a world where ransomware is considered an inevitability by experts. The procedures organizations use to safeguard their data need to address that reality. "It cannot be overstated how important a well-thought-out and religiously executed backup program is as a final line of defense," warns Graham Cluley.
A cybercrime researcher and host of the Smashing Security podcast, Cluley quickly adds that backups alone are not enough. Regular testing of those backups is required to ensure they enable an organization to restore quickly after an attack – otherwise, the company may end up paying the ransom anyway.
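The restore test Cluley calls for can be automated rather than done by hand once a year. The following is an added example for this article (not Acronis code, not any backup product's engine): it backs a directory up with a hash manifest, destroys the live copy the way ransomware would, restores into a clean location and compares every file against the manifest. The paths, file contents and the simulated encryption step are constructed. It also shows the two results a drill should surface: whether the restore matches what was captured, and what was created after the snapshot and is therefore lost.

```python
"""Backup-and-restore drill: prove a backup restores, not just that it exists.

Added example for this article, not a product's backup engine. Paths, file
contents and the "ransomware" step are constructed. Flow: back up with a
manifest kept away from the data, destroy the live copy, restore to a clean
location, compare hashes, and report what was created after the snapshot.
"""
import hashlib
import io
import json
import os
import pathlib
import tarfile
import tempfile


def build_manifest(root: pathlib.Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def backup(root: pathlib.Path, archive: pathlib.Path) -> dict:
    """Write a gzip tar of root (as 'data/') plus its manifest; return the manifest."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname="data")
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse absolute paths, '..' traversal and special files before extracting."""
    for m in tar.getmembers():
        parts = pathlib.PurePosixPath(m.name).parts
        if m.name.startswith("/") or ".." in parts or not (m.isfile() or m.isdir()):
            raise ValueError(f"unsafe archive member: {m.name}")
        yield m


def restore(archive: pathlib.Path, dest: pathlib.Path) -> None:
    """Extract into dest; use the stdlib 'data' filter where this Python has it."""
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, members=_safe_members(tar), **extra)


def verify_restore(restored_root: pathlib.Path, trusted: dict) -> dict:
    """Compare restored files against a manifest that was stored away from the data."""
    actual = build_manifest(restored_root)
    missing = sorted(set(trusted) - set(actual))
    corrupted = sorted(p for p in trusted if p in actual and actual[p] != trusted[p])
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def run_restore_drill() -> dict:
    """End-to-end drill on constructed data; returns what a report should contain."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        live = tmp / "live"
        for rel, text in {"finance/q3.csv": "vendor,amount\nacme,1200\n",
                          "hr/roster.txt": "ann\nbob\n"}.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_text(text)

        archive = tmp / "nightly.tar.gz"
        snapshot_manifest = backup(live, archive)  # keep this copy off the live host

        # Work continues after the backup window; this file exists only on the live host.
        (live / "legal").mkdir()
        (live / "legal" / "nda.txt").write_text("draft\n")
        manifest_at_incident = build_manifest(live)

        # Constructed "ransomware": overwrite every file, then rename it.
        for p in [q for q in live.rglob("*") if q.is_file()]:
            p.write_bytes(os.urandom(64))
            p.rename(p.with_name(p.name + ".locked"))

        restore_dir = tmp / "restore"
        restore(archive, restore_dir)
        restored = restore_dir / "data"
        against_snapshot = verify_restore(restored, snapshot_manifest)
        against_incident = verify_restore(restored, manifest_at_incident)

        # A restore that silently differs from the snapshot must not pass either.
        (restored / "hr" / "roster.txt").write_text("ann\nbob\nmallory\n")
        tampered = verify_restore(restored, snapshot_manifest)

        return {
            "restore_matches_snapshot": against_snapshot["ok"],
            "lost_since_snapshot": against_incident["missing"],
            "tamper_detected": tampered["corrupted"],
        }


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

The manifest is compared from a copy the drill keeps outside the archive; if the only checksum lives inside a backup the attacker could reach, it proves nothing. The `lost_since_snapshot` list is the recovery-point gap in file terms, which is the number to put in front of whoever decides whether paying is "cheaper".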
When it comes to examining processes, Wüest adds that organizations need to lock down all of the operational software used in their environment. That's because ransomware attackers increasingly are using a "living off the land" strategy, where they hijack common tools such as RDP and Mimikatz to steal passwords, escalate privileges, and take control of remote desktop tools.
That makes stealing and encrypting data much easier. He recommends that, in addition to restricting elevated privileges, companies enforce rigorous authentication controls such as multi-factor authentication.
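Locking down operational software also means watching how it is used, since the tools in a "living off the land" attack are legitimate. As an added example for this article (not Acronis code, and not a ruleset from any product), the block below runs a handful of command-line rules over process-creation events of the kind an EDR, Windows Event 4688 or Sysmon Event 1 feed provides. The event shape and the sample events are constructed, though the command lines mirror real tool syntax; the ATT&CK technique IDs are my own mapping, included only to help triage.

```python
"""Flag living-off-the-land credential theft and privilege escalation in
process-creation logs (added example for this article, not Acronis code).

Event shape and sample events are constructed. Rules cover the Mimikatz and
LSASS-dumping tradecraft the text mentions plus the usual follow-on moves:
exporting the SAM hive, adding a local admin, and switching RDP on via the
registry. ATT&CK IDs are an assumed mapping for triage, not an authority.
"""
import re
from collections import Counter

RULES = [
    ("lsass_dump_procdump", "T1003.001",
     r"procdump(64)?(\.exe)?\b.*\s-ma\s.*lsass"),
    ("lsass_dump_comsvcs", "T1003.001",
     r"rundll32.*comsvcs\.dll.*minidump"),
    ("mimikatz_module", "T1003.001",
     r"sekurlsa::|lsadump::|privilege::debug"),
    ("sam_hive_export", "T1003.002",
     r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("local_admin_added", "T1098",
     r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("rdp_enabled_via_registry", "T1021.001",
     r"\breg(\.exe)?\s+add\s+.*terminal server.*fdenytsconnections.*/d\s+0\b"),
]
COMPILED = [(name, tid, re.compile(pat, re.IGNORECASE)) for name, tid, pat in RULES]


def inspect(event: dict) -> list:
    """Return one finding per rule the event's command line matches."""
    cmd = event.get("cmdline", "")
    return [{"rule": name, "technique": tid, "host": event["host"],
             "user": event["user"], "parent": event.get("parent", ""), "cmdline": cmd}
            for name, tid, rx in COMPILED if rx.search(cmd)]


def scan(events) -> list:
    """Run every event through the rules; findings keep their event order."""
    findings = []
    for ev in events:
        findings.extend(inspect(ev))
    return findings


def summarize_by_host(findings) -> dict:
    """Hosts with the most hits are where incident response starts."""
    return dict(Counter(f["host"] for f in findings))


SAMPLE_EVENTS = [  # constructed events; command lines mirror real tool syntax
    {"host": "ws-07", "user": "helpdesk", "parent": "explorer.exe",
     "cmdline": r"procdump64.exe -accepteula -ma notepad.exe C:\temp\np.dmp"},
    {"host": "ws-07", "user": "helpdesk", "parent": "cmd.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"host": "fs-01", "user": "SYSTEM", "parent": "wmiprvse.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"host": "fs-01", "user": "backup_svc", "parent": "powershell.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"host": "fs-01", "user": "backup_svc", "parent": "cmd.exe",
     "cmdline": r"reg.exe save HKLM\SAM C:\temp\sam.hiv"},
    {"host": "dc-01", "user": "backup_svc", "parent": "cmd.exe",
     "cmdline": r'cmd.exe /c "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"'},
    {"host": "dc-01", "user": "backup_svc", "parent": "cmd.exe",
     "cmdline": r"net localgroup administrators backup_svc /add"},
    {"host": "dc-01", "user": "backup_svc", "parent": "cmd.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                r'/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
]


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:6} {h['user']:11} {h['rule']:26} {h['technique']}  {h['cmdline']}")
    print(summarize_by_host(hits))
```

Note what the first two events show: a help-desk dump of notepad and a plain `reg query` produce no findings, because the rules key on the target (lsass, the SAM hive, the Administrators group) and not on the tool. That is the only way to alert on binaries the administrators themselves use every day, and it is also why the remediation the text recommends, restricting who holds elevated privileges and requiring MFA for the accounts that do, matters as much as the detection.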
3 — People Aware of Ransomware Avoid It
Efforts to combat ransomware fall down, though, if people aren't involved in protecting the company. Security awareness training is as vital to endpoint security as defensive technology. Simply training end users to recognize and avoid social engineering attempts could go a long way toward preventing an attack from succeeding, advises Pollock.
"If we could get users to think just two more seconds before they click on a suspicious email, many ransomware attacks would never get a toehold in our businesses," he noted.
Security teams have successfully adapted to combat ransomware, but Cluley cautioned against letting up on the gas. Cybercriminals continue to modify and advance their attacks, so organizations must constantly improve as well – deploying multiple layers of protection, ensuring security awareness, and testing their incident response plan. Then, he said, "you'll have a fighting chance."
Hear these cybersecurity experts' full recommendations in the recording of their Acronis virtual conference panel, "See Inside a Live Ransomware Attack, Then Learn How to Prevent All of Them."