05/08/2023 | Press release | Distributed by Public on 05/08/2023 18:48
The devastating effects of ransomware have continued to grow over the past two decades, which have seen ransomware shift from just being opportunistic "smash-and-grab" style attacks to carefully orchestrated attacks. Individuals and business organizations alike have continued to fall prey to ransomware where, in 2022, victims were forced to pay an average ransom of $925,162, up 71 percent from 2021.[1]
Thankfully, there are measures you can take to stay safe and stop ransomware attacks from affecting your network data security.
Ransomware describes a class of malware used to digitally extort victims into payment of a specific fee. Once the victim's computer is locked or encrypted, ransomware actors will often attempt to extort money from the victim by displaying an on-screen alert. Victims are notified that unless a ransom is paid, access will not be restored.
Ransomware actors know how lucrative their campaigns can be and have expanded the scope of their attacks to not only extort individual users but disrupt entire businesses and critical infrastructure.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website, and then malware is downloaded and installed without the user's knowledge.
Ransomware developers have incorporated capabilities like worms into their malware, so it will spread throughout corporate networks automatically. This ensures their ransomware persists even if the computer that was initially accessed is remediated.
As mentioned earlier, ransomware cybercriminals have shifted their tactics. Starting around 2019, they shifted from opportunistic, smash-and-grab attacks to more calculated, advanced persistent threat (APT)-style attacks. This attack style allows cybercriminals to exfiltrate sensitive data prior to encrypting affected hosts, opening the doors to multi-level extortion. They will move beyond extorting organizations to decrypt the affected hosts to extorting organizations to prevent the release of sensitive data. This strategy has yielded them much greater profits.
These multi-level extortion threats gave attackers more leverage, so their victims were pressured into paying. The demands could be very high, as the initial asking price of $34 million during the Foxconn attack showed, and we expect this trend to grow through the rest of this year and the next.
Ransomware is a general label for a group of different malware types. They all have the common feature of demanding a ransom payment for removal, but they don't all behave the same way. That's why it's important to have a plan to stop ransomware in all its forms.
The following are some of the most common types:
A number of these steps are often considered ransomware prevention and security best practices for a mature security program. These steps ensure your organization has the right policies, processes, and procedures in place to reduce the risk of a ransomware attack. Here are the nine steps you should be taking to stop ransomware attacks.
Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
Your organization should perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum ransomware prevention.
Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
Consider developing policies and baselines around specific controls like firewalls, email scanning, application allow-listing, and remote access.
Modern ransomware attackers are dwelling on victims' networks to steal sensitive data and maximize the impact of their extortion. As a result, they are maintaining persistence, moving laterally, leveraging remote access tools, and escalating their privileges. All of these actions generate network traffic that can be detected and remediated by a security team with network visibility.
A person who knows what to look for will be more effective at countering potential phishing or social engineering attacks. Implement a security awareness and training program that teaches employees how to assess whether an attachment, link, or email is trustworthy.
Good antivirus suites are essential in stopping ransomware. They will alert users as soon as they locate a problem and can also remove the infection easily. Some antivirus applications provide free ransomware decryption tools for malware with low-level encryption.
Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses.
Threat hunting is highly complementary to the standard process of incident detection, response, and remediation. As security technologies analyze the raw data to generate alerts, threat hunting works in parallel, using queries and automation, to extract hunting leads from the same data.
Proactive hunting allows your security team to stop a potential threat before the attacker can deploy ransomware in your environment.
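As an added example (not Gigamon's code or tooling), here is how a team with flow-level network visibility could turn the lateral-movement and exfiltration signals described above, and the query-driven hunting just discussed, into two automated hunting leads. The flow-record format, the internal address range, the admin ports and the thresholds are all assumptions, and the records are constructed.

```python
# Added example, not from the Gigamon release: two hunts over flow records,
# lateral-movement fan-out and bulk egress. Format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")         # assumed corporate range
LATERAL_PORTS = {445, 3389, 5985, 5986}     # SMB, RDP, WinRM
FANOUT_THRESHOLD = 5                        # distinct internal hosts ...
FANOUT_WINDOW = timedelta(minutes=5)        # ... contacted within this window
EGRESS_THRESHOLD = 500_000_000              # bytes sent to one external host

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out)
FLOWS = [
    ("2023-05-08T10:00:00", "10.0.1.25", "10.0.1.30", 445, 2_000),
    ("2023-05-08T10:00:05", "10.0.1.25", "10.0.1.31", 445, 1_800),
    ("2023-05-08T10:00:09", "10.0.1.25", "10.0.1.32", 3389, 5_000),
    ("2023-05-08T10:00:12", "10.0.1.25", "10.0.1.33", 445, 2_100),
    ("2023-05-08T10:00:20", "10.0.1.25", "10.0.1.34", 445, 2_300),
    ("2023-05-08T10:02:00", "10.0.1.40", "10.0.1.50", 443, 900),
    ("2023-05-08T10:30:00", "10.0.1.25", "203.0.113.9", 443, 900_000_000),
    ("2023-05-08T11:00:00", "10.0.1.40", "198.51.100.7", 443, 40_000),
]

def lateral_fanout(flows, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Sources that reached >= threshold distinct internal hosts on admin
    ports within a sliding window: a lateral-movement lead to triage."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port in LATERAL_PORTS and ip_address(dst) in INTERNAL:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits.add(src)
                break
    return hits

def bulk_egress(flows, threshold=EGRESS_THRESHOLD):
    """(src, dst) pairs whose bytes to one external host exceed threshold:
    a possible pre-encryption exfiltration lead."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if ip_address(dst) not in INTERNAL:
            totals[(src, dst)] += nbytes
    return {pair for pair, total in totals.items() if total > threshold}
```

Both hunts fire on the same constructed host here, which is the pattern the text describes: fan-out to internal admin ports followed by a large transfer to an external address.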
Implementing a Zero Trust security posture places ransomware defense on user identity and access management. This is apt since human error is the root cause of most ransomware attacks.
Zero Trust helps reduce the attack surface significantly, as internal and external users only have access to limited resources, and all other resources are completely hidden away. Additionally, Zero Trust provides monitoring, detection, and threat inspection capabilities, which are necessary to prevent ransomware attacks and the exfiltration of sensitive data.
The short answer to this question is yes: Every small- to medium-sized company, enterprise, and organization is fair game, especially in light of recent ransomware attacks.
The long answer is more complicated. Your vulnerability and ability to prevent ransomware can depend on how attractive your data is to cybercriminals, how much visibility you have into your network traffic, how mature your security posture is, and how vigorously you keep employees trained about phishing emails, among other factors.
Fueled by easier access and greater financial payoffs, the number of ransomware attacks will likely continue to grow throughout the rest of 2022 and beyond. We predict that cybercriminals will target large enterprises, critical infrastructure, government, education, and even healthcare.
Effective ransomware prevention requires comprehensive network visibility paired with an effective threat detection and incident response capability.