Sponsored Post: By CrowdStrike
While many ransomware operations rebranded in 2021, the overall number of functioning ransomware and extortion operations continued to increase. More adversaries are after victims’ data, as the CrowdStrike 2022 Global Threat Report illustrates: it recorded an 82% increase in ransomware-related data leaks in 2021 relative to 2020.
As ransomware campaigns grow more prevalent and severe, organizations are rethinking their strategies to defend against adversaries trying to find new and effective ways to carry out their attacks.
Part of the challenge is the rate at which threats evolve. With each passing month, threats become more sophisticated as criminal ecosystems find more efficient ways of putting companies at risk. All of this is happening against a backdrop of businesses grappling with understanding the different components of ransomware attacks and how they fit together. Why is ransomware evolving to become more advanced? What are the different phases that make up a ransomware/extortion operation? What should organizations understand about attackers’ strategies to strengthen their own defenses?
Ransomware’s evolution is partly linked to how attackers organize their operations. Many of the larger eCrime groups have formed a business-like structure. Instead of only hiring attackers with certain skill sets, these groups recruit for a range of responsibilities; they’ll need someone who specializes in gaining access, for example, and someone else who performs malware development. They’ll bring someone on to do administrative work; they may hire a blog writer. The more ransomware groups think like a business, the more efficient their operations become.
Together, these capabilities give adversaries a larger and more capable structure that is harder to defeat using conventional cybersecurity methods. When today’s organizations ask why ransomware is changing in ways they can’t predict, this is a big reason: attackers often evolve faster than defenders can respond.
How do we defend against increasingly capable and dangerous attack groups? Defenders must let go of the belief that autonomous solutions alone will prevent sophisticated threats, including ransomware. In fact, there’s no single tool which, in and of itself, will protect your business without the investment of time and resources to build out your defensive strategy. More companies are looking to adopt Zero Trust, a strategy designed to protect against advanced threats by dropping the assumption that anything already inside the network perimeter can be trusted: every request is authenticated and authorized on its own merits, regardless of where it comes from.
In thinking about Zero Trust, you must work backward from the point of ransomware/extortion deployment and envision the myriad ways an attack could play out. The adversary may exploit a vulnerability, log in with stolen credentials, or in some cases, use a classic phishing attack. Familiarity with how the attacker operates will allow cybersecurity decision-makers to preempt the adversary’s offensive strategies.
Zero Trust is intended to create resilience against attackers who are constantly finding new ways in. One of the core components of Zero Trust is Identity Protection, which enables businesses to monitor and validate that a user and device have the correct privileges and attributes necessary in order to execute a business function. As more criminals target valid identities to carry out ransomware campaigns, we continue to find that continuous identity activity monitoring is a core element of a broader Zero Trust strategy.
Too many organizations believe buying new technology will solve their problems. The key is in how you use the technology you buy—how you implement it as part of a broader strategy—in order to yield its protective benefits. The organizations that will be most resilient against ransomware and data extortion are those that will take this approach to strategic defense seriously.
One of the biggest mistakes organizations can make is believing they can make a defensive decision without understanding the adversary. Many businesses do not use threat intelligence in any form, an oversight that could drastically harm their security posture.
One of the best predictors of what may happen to your business tomorrow is what happened to your peers yesterday. If you are gathering threat intelligence about how adversaries target similar organizations, as well as the behaviors and techniques they apply, then you learn from them and incorporate those lessons into your defensive strategy. This helps create a more robust security posture, with a broader view and more actionable data, without needing to learn from experience—a much harder and more costly way to learn.
Today’s threat intelligence would suggest, for example, that identity is a top attack surface. Most modern breaches involve an identity-related threat, whether it’s credential stuffing, a phishing email to capture credentials, or an access broker selling users’ identities on the dark web. Identity is the new perimeter, especially with more employees working remotely. If you’re not taking appropriate steps to lower your risk, there’s a greater chance an adversary will exploit it.
The same logic applies to other potential attack vectors, such as vulnerability exploitation. All security decisions your organization makes should be based on your understanding of how today’s adversaries may target your organization.
Minimizing the attack surface is crucial in ransomware defense, and good security hygiene provides network transparency and a bird’s eye view of what’s happening in your environment. This visibility is valuable, as unpatched applications and operating systems pose a serious risk. By identifying outdated and unpatched resources, you can proactively address problems that might later have a hefty cost. Account monitoring, another component of good hygiene, lets you see who is working in the environment and ensure they’re not abusing their permissions.
The post-exploitation element of the attack lifecycle (how the adversary moves laterally, elevates privileges, etc.) is also a critical juncture where defenders have a last chance to stop the data breach. Throughout an attack that culminates in ransomware deployment, adversaries will often use multiple living-off-the-land and malware-free techniques. These may include, but are not limited to, PowerShell, cmd.exe, PsExec, RDP brute forcing, or the abuse of legitimate network administration tools. Because these are the same tools administrators use every day, a detection cannot key on the tool alone; it has to look at context such as which account ran it, from which source host, at what time, and what happened next. Adversaries have demonstrated competency in these techniques: CrowdStrike’s Global Threat Report found 62% of cyberattacks were malware-free last year. It is for this reason that defensive capabilities such as threat hunting are critical to stopping attackers during the post-exploitation phase.
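To make the identity-attack and post-exploitation hunting described above concrete, here is an added example (written for this article, not CrowdStrike code or output from any CrowdStrike product) that runs three detections over Windows-style security events: an RDP brute force (one account, many failures from one source), a password spray, which is also what credential stuffing looks like from the target's logs (many accounts, few failures each, from one source), and a PsExec service install (event 7045 registering PSEXESVC). The pipe-delimited log format and all sample lines are constructed for the example; the thresholds and the window are assumptions you would tune to your environment.

```python
"""Hunt for RDP brute force / password spray (4625 bursts) and PsExec service
installs (7045) in a constructed, pipe-delimited flattening of Windows events.
Example code added for this article; not CrowdStrike tooling or output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption): time|event_id|host|src_ip|user|detail
SAMPLE_LOG = r"""
2022-03-01T08:00:01|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:03|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:05|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:07|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:09|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:11|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:13|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:15|4625|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:00:40|4624|HOST1|10.0.0.5|administrator|LogonType=10
2022-03-01T08:05:00|7045|HOST2|-|administrator|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\PSEXESVC.exe
2022-03-01T08:06:00|7045|HOST3|-|svc_deploy|ServiceName=BackupAgent;ImagePath=C:\Program Files\Backup\agent.exe
2022-03-01T08:10:00|4625|HOST1|10.0.0.9|svc_backup|LogonType=10
2022-03-01T08:10:05|4625|HOST1|10.0.0.9|jsmith|LogonType=10
2022-03-01T08:10:10|4625|HOST1|10.0.0.9|ahanks|LogonType=10
2022-03-01T08:10:15|4625|HOST1|10.0.0.9|pdavis|LogonType=10
2022-03-01T08:10:20|4625|HOST1|10.0.0.9|rlee|LogonType=10
2022-03-01T08:10:25|4625|HOST1|10.0.0.9|mchen|LogonType=10
2022-03-01T08:20:00|4625|HOST1|10.0.0.7|jsmith|LogonType=10
2022-03-01T08:21:00|4625|HOST1|10.0.0.7|jsmith|LogonType=10
""".strip()


def parse_events(log_text):
    """Parse the constructed log lines into dicts with a real datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, event_id, host, src_ip, user, detail = line.split("|", 5)
        events.append({"time": datetime.fromisoformat(time), "event_id": event_id,
                       "host": host, "src_ip": src_ip, "user": user.lower(), "detail": detail})
    return events


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Per source IP, find the densest 60 s window of 4625 failures.  One account
    hammered = brute force; many accounts = spray (credential stuffing looks the
    same from the target side).  Also note whether the same source later logged
    on successfully (4624) to one of the attempted accounts: that is the finding
    that needs a response now, not a ticket."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == "4625":
            by_src[e["src_ip"]].append(e)
    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["time"])
        best = None
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            if len(in_window) >= threshold and (best is None or len(in_window) > len(best)):
                best = in_window
        if best is None:
            continue  # below threshold: ordinary typo-level noise
        users = {f["user"] for f in best}
        succeeded = any(e["event_id"] == "4624" and e["src_ip"] == src
                        and e["user"] in users and e["time"] >= best[0]["time"] for e in events)
        findings.append({"technique": "password_spray" if len(users) > 1 else "brute_force",
                         "src_ip": src, "attempts": len(best), "accounts": sorted(users),
                         "hosts": sorted({f["host"] for f in best}), "followed_by_success": succeeded})
    return findings


def detect_psexec(events):
    """Flag 7045 service installs that register PsExec's service.  Caveat: PsExec's
    -r switch renames the service, so a serious hunt also reviews every 7045 whose
    image sits directly under %SystemRoot% and is not on an allowlist."""
    findings = []
    for e in events:
        if e["event_id"] != "7045":
            continue
        fields = dict(kv.split("=", 1) for kv in e["detail"].split(";"))
        name, path = fields.get("ServiceName", ""), fields.get("ImagePath", "")
        if "PSEXESVC" in name.upper() or "PSEXESVC" in path.upper():
            findings.append({"technique": "psexec_service_install", "host": e["host"],
                             "user": e["user"], "image_path": path})
    return findings


def hunt(log_text):
    events = parse_events(log_text)
    return detect_failed_logon_bursts(events) + detect_psexec(events)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run against the sample, this reports the brute force from 10.0.0.5 (eight failures, then a success, so the account is already compromised), the six-account spray from 10.0.0.9, and the PSEXESVC install on HOST2, while staying silent on the two stray failures from 10.0.0.7 and the legitimate backup agent service. The point of the `followed_by_success` flag is the one the article makes: the same event types appear in normal administration, so the hunt has to reason about sequence and context, not just the presence of a tool or an event ID.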
A multi-faceted approach to security is critical to stop today’s ransomware operators before they can do serious damage in your enterprise environment. Organizations must rethink and expand their security strategies to include Zero Trust, threat intelligence and proper security hygiene—all components that can help determine where attackers might strike and stop a breach from happening.