Zscaler, a leader in cloud security, has announced its new Ransomware Report featuring analysis of key ransomware trends and details about the most prolific ransomware actors, their attack tactics and the most vulnerable industries being targeted.
The Zscaler ThreatLabz embedded research team analyzed over 150 billion platform transactions and 36.5 billion blocked attacks between November 2019 and January 2021 to identify emerging ransomware variants, their origins and how to stop them. The report also outlines a growing risk from ‘double-extortion’ attacks, which are being increasingly used by cybercriminals to disrupt businesses and hold data hostage for ransom.
“Over the last few years, the ransomware threat has become increasingly dangerous, with new methods like double extortion and DDoS attacks making it easy for cybercriminals to sabotage organizations and do long-term damage to their reputation,” said Deepen Desai, CISO and VP of Security Research at Zscaler.
“Our team expects ransomware attacks to become increasingly targeted in nature where the cybercriminals hit organizations with a higher likelihood of ransom payout. We analyzed recent ransomware attacks where cybercriminals had the knowledge of things like the victim’s cyber insurance coverage as well as critical supply-chain vendors bringing them in the crosshairs of these attacks.
“As such, it is critical for businesses to better understand the risk ransomware represents and take proper precautions to avoid an attack. Always patch vulnerabilities, educate employees on spotting suspicious emails, back up data regularly, implement data loss prevention strategy and use zero trust architecture to minimize the attack surface and prevent lateral movement.”
According to the World Economic Forum 2020 Global Risk Report, ransomware was the third most common and second most damaging type of malware attack recorded in 2020. With payouts averaging US$1.45M per incident, it’s not difficult to see why cybercriminals are increasingly flocking to this new style of high-tech extortion. As the rewards that result from this type of crime increase, risks to government entities, company bottom lines, reputation, data integrity, customer confidence and Business Continuity also grow. Zscaler’s research supports the narrative recently established by the US federal government, which classifies ransomware as a national security threat; underscoring the need to prioritize mitigation and contingency measures when protecting against these on-going threats.
We heard from a number of industry experts who offer their opinions on the subject.
When it comes to ransomware there are two main things that need to be done to prepare for a ransomware attack. First, you need to have solutions in place to prevent the attack. Secondly, you need to have the ability to quickly recover in the event that prevention fails.
Although many experts agree that it is impossible to prevent all ransomware attacks, there are many things that can be done to vastly reduce the attack footprint of your organization. To get started, you should have a security assessment focus on the network connected devices and software.
The publication SP 800-30 Guide for Conducting Risk Assessments from NIST provides an excellent and organized guideline on how to audit and secure your company’s digital assets. Since most general-purpose security solutions focus on blocking malware and not a determined hacker, it is important to have multiple layers of defense. For smaller corporations or companies with limited security expertise, outsourcing this to a Managed Security Service Provider (MSSP) is recommended to improve the security posture of the company.
Of course, the ideal prevention solution would block all attacks. But there are many reasons why an attack could bypass even the best protection, so it is important to be able to get up and running quickly after a breach. For this you need a way to restore the operating system to a working condition after an attack.
Recovery of the operating system is needed because if the attack bypasses prevention, then it likely cannot be removed in the ordinary way. The best way to recover is to have a solution that can roll the whole operating system back to a previous known good state. For data recovery, backup and restore is traditionally used. However, in the case of ransomware, backup and restore can be time consuming and resource intensive. Therefore, it is recommended that you have a solution that can quickly and easily revert all data to its pre-encrypted state without relying on a remote backup server.
Our advice to customers that are building their ransomware survival kit is that it is critically important to have the strategy, policies and tools in place to both avoid ransomware attacks, as well as to recover – quickly, efficiently, affordably and completely.
One needs only to read today’s news to know that no matter the size, location or industry of your organization the likelihood of getting targeted by bad actors is more likely than not.
This is due to the fact that for those that are not thoroughly armed with both protection and recovery capabilities, ‘the business model works spectacularly for the criminals’ as Joseph Blount, the Colonial Pipeline CEO, explained recently when discussing the cyberattack that would ultimately cost his company tens of millions of dollars.
Indeed, ransomware continues to evolve and become increasingly intelligent and ruthless, employing such capabilities as watching for cloud account credentials, deleting backups and cloud storage, and then encrypting everything and demanding a ransom. The right backup however, can be an organization’s ransomware recovery panacea.
Today, many of the major cloud providers support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users can mark objects as locked for a designated period of time, preventing them from being deleted or altered by any user.
Our advice is to find a backup solution that has been engineered to integrate seamlessly with this new object lock feature to create immutable backups. Users can set a retention period for immutable backups stored on supporting cloud platforms.
Within this immutable retention period, backups cannot be deleted by any user, even if ransomware or a malicious actor acquires the root credentials.
In addition, the backup should provide powerful policy-based scheduling that allows it to predict when those backups will leave the retention policy and protect any files that will no longer be retained, ensuring businesses always have point-in-time backups to restore within the immutable retention policy window.
From the largest enterprises to the local convenience store, everyone has to worry about ransomware these days. Even if you can’t prevent a ransomware attack, you can definitely take steps to help prevent one or at least minimize the impact on your business.
The first step is to get an honest assessment about your IT systems and overall environment. Discover any weaknesses by conducting a vulnerability scan or penetration test. If possible, bring in a neutral third party to probe your environment so you know what to fix. The more you know, the better-even if that learning process feels brutally painful.
Once you have a realistic view of your vulnerabilities, you need to determine what risks are acceptable. This requires a discussion at the highest level of the company because you need a willingness to prioritize cybersecurity from the top down. The good news is that the Colonial Pipeline attack opened-up a lot of business leaders’ eyes and they’re now ready to talk about cybersecurity.
After you have buy-in, it’s time to define your security strategy and what tools you’ll need. There are three critical steps to avoiding significant damage from a ransomware attack: training, threat detection and response.
Security awareness training for all employees is essential. Most ransomware attacks rely on finding a back door into your IT systems through a phishing email. You’re only as safe as the employee who knows well enough not to click on the wrong link in an email.
In terms of detection, you must be able to sort out potential cyberthreats from false flags and anomalies. However, with the sheer amount of IT systems and log data to monitor, you can’t expect to catch everything manually. You’ll need automated tools that leverage Machine Learning and AI to identify valid threats. In other words, your tools should be as sophisticated as the cybercriminals’ tools.
If you do identify a valid threat, response time is often the difference between isolating the threat, minimizing the blast radius or getting infected. You must be able to respond in real time-typically in less than an hour-or the damage will already be done.
That’s a heavy burden for smaller organizations, especially if they have limited cybersecurity expertise or budgets. In that case, the DIY approach simply won’t work. Finding a reliable vendor to outsource cybersecurity management is often the safest and most cost-effective option to avoiding a ransomware attack.
We find ourselves now slowly recovering from a pandemic during which we saw organizations digitizing at warp speed – jumping ahead to year two or three of their five-year plans.
This digitization trend shows no signs of slowing. In fact, most of the executives I speak with advise quite the contrary – they are continuing to accelerate their digitization, many times taking on IT and business strategies they hadn’t even imagined before.
They recognize that if they hope to survive and compete in this post pandemic economy, digitization and all that it enables is their ideal strategy. Unfortunately, as we saw countless times over this past year, this haste can at times open the door to ransomware and other types of malicious software programs (also known as malware), if the appropriate precautions are not taken.
Although there’s a high financial cost for the actual ransom payment, the biggest consequences of ransomware are data loss and downtime. Both of these ransomware outcomes are very costly for businesses, with significant downtime resulting in potentially millions of dollars in lost revenue, in addition to a long term and potentially permanent loss in customer trust and loyalty.
As malware is now also targeting backups, the top precaution we advise our customers to take is to employ an immutable Unbreakable Backup solution so that they never have to worry about their ability to recover from a ransomware attack. Protecting against a cyberattack is absolutely critical. But, today it is not a question of if, but rather when will we be attacked. It is therefore critical that the recovery piece is in place.
We would advise that the ideal immutable Unbreakable Backup solution should be designed around the knowledge that attempts at corruption or deletion can come from anyone, anywhere and at any time.
The solutions should include auditing, integrity checks, unique file fingerprints, serial numbers and self-healing features that protect files from being corrupted in any way including ransomware.
Not only is this great ransomware protection, but it also addresses organizations’ increasingly stringent regulatory compliance requirements for HIPAA, SEC17a-4, Dodd-Frank, FDA 22, Sarbanes Oxley, PCI and more.
To protect against ransomware, it is important to be aware of the leading causes of the attacks. The leading cause last year was spam/phishing emails, user practices that weren’t the best caused by lack of training and weak access management practices.
However, before we get into that part, it is important to point out that protection against ransomware should be the top priority for decision-makers – both for the technical and the business leadership team. There lies huge accountability among business leaders to review the protection strategy and tactics and revisit the vulnerabilities with information security leaders to gauge the standing of the organization.
When it comes to precautions against phishing attacks – the leading cause of ransomware attacks- investing in robust tools and staying on top of the latest phishing attacks strategies is a good preventive measure. There is no better way to prevent attacks than understanding how it is happening. It is like having a thorough understanding of your attacker’s motives and strategies. The more you know the better you are protecting by using the right tools.
The other measures that significantly reduce the probability of a ransomware attack are continuous education and training of users – considering poor user practices and lack of training were the next leading cause. Instead of waiting for an attack and then think of training, it is vital that periodic training on possible threats, vulnerabilities and ways to safeguard become part of the process. Setting up training goals for the year and ensuring there is a follow-through to achieve it could be extremely beneficial in preventing attacks.
Weak access and privilege management tools and practices are the third leading reason for ransomware attacks. Investing in identity and access management solutions that are integrated, and provides complete visibility enables a robust control on access and privileges. Access and identity management tools that are known to fill the gaps that led to attacks in the past are an investment that not only ensures the right access to the right people but also ensures the identity of the users is constantly validated. Additionally, multiple levels of authentication and defense mechanisms solidify the security practices further.
Another very crucial preventive measure that we often see being overlooked is auditing security management vendors. Besides routine vulnerability, patch management, backup, versioning, virus protection steps, assessing vendors and their ability to keep up with the requirements should become a top priority. Setting up periodic audits to assess vendors to understand their processes and steps to counter the latest forms of attacks, comparing their measures against compliance requirements is highly beneficial. It provides a holistic picture of the ability of an organization to safeguard itself against attacks.
The bottom-line is any proactive measure is a good precaution to avoid a ransomware attack. A reactive approach will take care of the current problem, but a proactive step will future-proof your organization and could potentially save you millions of dollars.
Click below to share this article