How to Bridge the Ransomware Security Gap

It is hard to believe how far ransomware has evolved since its origins in the early 1980s.  Today’s big game ransomware attacks — which threaten everything from critical infrastructure, major corporations, hospitals, and schools — trace their roots to a UK doctor who shook down AIDS researchers with a bootloader virus (delivered on floppy disks) that locked down their computers and demanded cash. Since then, attacks and targets have only become bigger and more sophisticated.

In fact, according to recent reports, ransomware attacks increased by 80% in the first half of 2022 compared to the first half of 2021. Today’s attackers are breaking into networks, spending time enumerating and reconning victims, positioning ransomware on as many devices as possible, and then staging it to execute and encrypt all at once. The impacts can be devastating and costly, as illustrated by incidents like the Colonial Pipeline episode.

Bad actors have also moved past traditional single extortion attacks and have moved to double and triple extortion attacks. In a double extortion attack, hackers don’t just encrypt data, but steal it and hold it for ransom. In a triple extortion attack, they also steal partner and consumer data or execute a DDoS against services.

Many mid-market organizations struggle to understand the layers of security required to mount a formidable defense. While email is still a common threat vector, the paths of a ransomware attack can vary widely. To help overcome these challenges, let’s explore the elements needed to bridge the ransomware security gap facing many organizations.

The first is simple — patching. Updating corporate software, especially on any publicly available resource, like web applications or web servers, is vital. More often than not, attackers simply exploit old vulnerabilities (there are few true zero-day ransomware vulnerabilities). But for IT admins running a hybrid organization with uptime requirements, patching can pose a serious challenge.  

Next is implementing strong password practices. There is an old saying in cybersecurity: “hackers don’t break in; they log in.” Much of the time, an attacker uses a stolen credential that they capture from a phishing email or find on the dark web. This allows the attacker to get access and elevate to the root of an organization. Strong passwords are generally long and random (32 characters). Password managers make life easier for users by not only creating and storing complex passwords but also reducing the memory burden to just a single master password.

Relying on passwords alone, however, is weak protection. That’s where multi-factor authentication (MFA) comes in. MFA is a much stronger way to validate the trusted identity of users. A password is just one factor or type of token; users can also have a biometric as a token or a certificate as a token image, etc. Anyone trying to access a corporate network is required to provide two of these factors. Any one factor alone can be broken without enabling unauthorized access.

Backup is also critical to protecting against ransomware. If an organization can recover encrypted files from a backup, it eliminates the threat of a single-extortion ransomware attack. It’s also good practice for disaster recovery. But there are nuances to how to approach backup as part of a ransomware defense strategy. Attackers often target backup services and disable them before an attack. Therefore, organizations should practice what’s called 3-to-2 backup, which sends backups to multiple sources or services. It’s also wise to have a copy of critical data backed up offline.

Advanced malware prevention is also essential to a strong ransomware defense. In recent decades, malware detection and prevention has primarily been signature based — or based on patterns and specific files. That approach is reactive. If an attacker releases some sort of new malware — let’s say it’s ransomware — the signature-based antivirus analyzes it, verifies it’s bad, and looks for some sort of unique pattern, whether a hash for the file or something else. A rule is then created to match and identify that file moving forward. But today’s malware has become very evasive and polymorphic (WannaCry, for example, can have thousands of versions). In fact, according to recent research , close to 80% of malware evades signature-based detection. Advanced malware detection uses machine learning algorithms and behavior detection to stop zero-day malware (which is often used to gain access to a system and then drop ransomware).

Another useful strategy is using endpoint detection and response (EDR). New “living off the land” techniques hijack legitimate parts of an operating system (like Windows PowerShell) to give attackers access and launch malware directly into a legitimate process without the need for any malware files. Catching this type of attack requires monitoring memory , running processes, and looking for things like DLL or process injection. EDR solutions look at post-execution activities and anomalies to identify and help remediate attacks.

Finally, organizations must not overlook the value of end-user training, as even the most robust security strategy is only as strong as its weakest link. Phishing and spear phishing are common vectors for ransomware,  so organizations must ensure that every user knows the basics of email security and understands how spear phishing works.

The risks posed by ransomware are just one part of the increasingly complex cybersecurity landscape. While no single solution can stop ransomware attacks, a layered defense (including network perimeter, MFA, and endpoint) can ultimately make organizations safer.

Want to learn more about how advanced endpoint protection can help stop a ransomware attack?