Ransomware – still going strong and no end in sight
Preventing ransomware attacks is top of mind for everyone from IT admins, CISOs and CEOs to governments. It is not a new problem, but an unrelenting series of successful and devastating attacks has refocused the world’s attention on it. At the same time, threat actors keep growing more sophisticated, making it more critical than ever for enterprises to build a comprehensive prevention and protection strategy before irreparable damage is done.
In March 2021, a ransomware attack on the Buffalo Public School system in New York caused the district to shut down for a week. That same month, a Taiwan-based PC manufacturer was attacked and received a $50 million ransom demand. CNA, one of the largest insurance carriers in the U.S., was hit with ransomware and, according to Bloomberg, paid its attackers $40 million. Ireland’s public health service, the HSE, shut down its IT systems after a ransomware attack, causing major disruption to health services. The trend continued with the Colonial Pipeline attack, which disrupted fuel supply to much of the U.S. East Coast for several days, and the attack on JBS, a major beef processor, which halted operations for a few days. The list goes on.
In response to this unprecedented surge in ransomware attacks, the US Government issued an Executive Order on Improving the Nation’s Cybersecurity, and an interagency task force is being assembled to develop a comprehensive response to the rampant ransomware attacks on US businesses and government. The response includes developing capabilities to identify, deter, protect against, detect, and respond to ransomware attacks. Countermeasures include tactics such as actively disrupting cyber criminal operations responsible for ransomware attacks, addressing the use of cryptocurrency to pay ransom, and mandating better security approaches to thwart attacks, including the adoption of Zero Trust Architecture.
How attackers gain initial access
To prevent a ransomware attack, and most other malware attacks for that matter, defenders must stave off attackers’ attempts to establish a foothold on the network. Endpoint prevention, detection, and remediation is therefore a crucial part of the strategy.
Broadly speaking, attackers typically use one of two tactics to gain initial access to a network:
1) Exploiting a vulnerability in the victim’s environment: finding a software defect that can be abused to run malicious code, or a misconfiguration that hands the attacker an entry point. Examples include an exposed or poorly configured cloud resource, or a compromised third-party dependency that turns into a supply chain attack.
2) Gaining unauthorized access to a valid account: obtaining a legitimate user’s credentials, whether by phishing or other social engineering, by guessing or brute-forcing a weak or reused password, or by reusing credentials leaked in earlier breaches.
Defenders burdened with legacy security suites and yesterday’s strategies are struggling to keep their data safe as ransomware tooling becomes easier to obtain and use. Unless they change their approach, resourceful attackers will keep finding vulnerabilities to exploit and users to fool.
Preventing compromise through a multi-layered approach
Next generation identity and AI-based endpoint protection offer a better defense against ransomware. Earlier generation solutions, such as password-based authentication or endpoint protection built on AV signatures, have serious deficiencies against modern ransomware. Since the point of prevention is to stop the initial infiltration, let us look specifically at how these modern security solutions offer new weapons in the fight against ransomware.
Tactic #1: Deploy attack-resistant user authentication
Many successful ransomware attacks get their initial foothold on the victim’s network by guessing, cracking, or stealing the credentials of a valid account. To prevent this effectively, robust user authentication credentials are needed: credentials that are hard to guess, crack or steal.
In the attack on Colonial Pipeline earlier this year, for example, the initial access was a compromised password for a legacy VPN account that was not protected by MFA. Similarly, the entry point for Maze and other human-operated ransomware is often a stolen password for an internet-facing system reached over RDP, or a login to a Citrix web portal protected only by a weak password.
Traditional multi-factor authentication (MFA) mitigates the weaknesses of passwords, but the password remains one of the factors, so it can still be phished or reused, and phone-based second factors are not foolproof: SMS codes and push approvals can be intercepted, relayed in real time through a phishing proxy, or worn down by repeated push prompts. On top of that, conventional MFA adds licensing and operational cost and a level of friction that users resent.
Passwordless MFA removes the password entirely, so there is no password to guess, crack, phish or replay. It still uses multiple factors; the most common combination is the user’s registered mobile device (something they have) together with a PIN or a fingerprint read by the device’s built-in sensor (something they know or are). The PIN or biometric should only unlock a cryptographic key held on the device and never be transmitted, which is what makes the credential resistant to theft. Removing the password improves security immediately, streamlines the user experience, and contains cost.
Tactic #2. Immediate detection, quarantining, and removal of ransomware
Realistically, having preventative measures in place doesn’t guarantee that attackers won’t ever penetrate the perimeter and gain access to a user’s device. Your next best line of defense is an autonomous, machine-speed protection, detection, and response mechanism that can detect and contain suspicious activity at the endpoint level—before any downstream data loss, financial loss, or time investment is incurred.
Modern Extended Detection & Response (XDR) solutions monitor local processes in real time and analyze their behaviors in detail, making it possible to identify malicious code with very high specificity and take immediate mitigation steps. This way, the attack is stopped the moment it starts —before threat actors can access their desired targets—whether executed from local memory or remotely.
From a technical standpoint, the mitigation options vary: the agent can delete the malicious binary, kill all related processes, quarantine suspicious files, or disconnect the affected endpoint from the network altogether, depending on circumstances and organizational policy.
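The following is an added illustration of the behavioral monitoring just described; it is not SentinelOne’s or any other vendor’s detection logic. It folds a stream of per-process file events into a profile, scores three behaviours that ransomware tends to combine (many files rewritten with a new extension in a short window, high-entropy output, the same note file dropped in every directory touched), and maps the score to one of the mitigation actions listed above. The event stream, thresholds and ransom-note filenames are all constructed assumptions for the demonstration.

```python
"""Behavior-based ransomware detection over endpoint file-event telemetry.

Added example; not any vendor's product code. Events, thresholds and note
filenames are constructed for the demonstration.
"""
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed tuning knobs; a real agent tunes these per fleet.
HIGH_ENTROPY = 7.0        # bits/byte; ciphertext ~7.6+, English text ~4.5
MIN_RENAMES = 10          # re-extensioned files before the signal counts
MIN_RENAME_RATE = 0.5     # ...per second over the process's active span
MIN_WRITES = 5
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.txt", "how_to_restore.txt"}


@dataclass
class FileEvent:
    ts: float                       # seconds on a constructed timeline
    pid: int
    op: str                         # "write" or "rename"
    path: str
    new_path: Optional[str] = None  # for "rename"
    data: bytes = b""               # payload for "write"


@dataclass
class ProcessProfile:
    writes: int = 0
    high_entropy_writes: int = 0
    renames_with_new_ext: int = 0
    note_dirs: Set[str] = field(default_factory=set)
    first_ts: float = math.inf
    last_ts: float = -math.inf


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the written payload."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def profile_events(events: List[FileEvent]) -> Dict[int, ProcessProfile]:
    """Fold the raw event stream into one behavioural profile per PID."""
    profiles: Dict[int, ProcessProfile] = defaultdict(ProcessProfile)
    for ev in sorted(events, key=lambda e: e.ts):
        p = profiles[ev.pid]
        p.first_ts, p.last_ts = min(p.first_ts, ev.ts), max(p.last_ts, ev.ts)
        if ev.op == "write":
            p.writes += 1
            if shannon_entropy(ev.data) >= HIGH_ENTROPY:
                p.high_entropy_writes += 1
            if os.path.basename(ev.path).lower() in RANSOM_NOTE_NAMES:
                p.note_dirs.add(os.path.dirname(ev.path))
        elif ev.op == "rename" and ev.new_path:
            old_ext = os.path.splitext(ev.path)[1]
            new_ext = os.path.splitext(ev.new_path)[1]
            if new_ext and new_ext != old_ext:
                p.renames_with_new_ext += 1
    return dict(profiles)


def verdict(p: ProcessProfile) -> dict:
    """Combine independent signals; escalate only when several agree."""
    reasons = []
    span = max(p.last_ts - p.first_ts, 1e-9)
    if p.renames_with_new_ext >= MIN_RENAMES and p.renames_with_new_ext / span >= MIN_RENAME_RATE:
        reasons.append(f"{p.renames_with_new_ext} files re-extensioned in {span:.1f}s")
    if p.writes >= MIN_WRITES and p.high_entropy_writes / p.writes >= 0.8:
        reasons.append(f"{p.high_entropy_writes}/{p.writes} writes look encrypted")
    if len(p.note_dirs) >= 2:
        reasons.append(f"ransom-note filename dropped in {len(p.note_dirs)} directories")
    score = len(reasons)
    action = ("kill process tree, quarantine files it wrote, isolate host" if score >= 2
              else "alert and collect process timeline" if score == 1 else "none")
    return {"score": score, "reasons": reasons, "action": action}


def analyze(events: List[FileEvent]) -> Dict[int, dict]:
    return {pid: verdict(p) for pid, p in profile_events(events).items()}


def _ciphertext_like(i: int) -> bytes:
    # Deterministic high-entropy stand-in for encrypted output (constructed).
    return b"".join(hashlib.sha256(f"blob{i}:{j}".encode()).digest() for j in range(32))


def constructed_events() -> List[FileEvent]:
    """Constructed telemetry: one ransomware-like PID and one benign editor PID."""
    ev = []
    for i in range(20):  # PID 4242 rewrites 20 documents and re-extensions each
        d = "/home/alice/docs" if i % 2 == 0 else "/home/alice/photos"
        path, t = f"{d}/file{i}.docx", 100.0 + i * 0.2
        ev.append(FileEvent(t, 4242, "write", path, data=_ciphertext_like(i)))
        ev.append(FileEvent(t + 0.05, 4242, "rename", path, new_path=path + ".locked"))
    for d in ("/home/alice/docs", "/home/alice/photos"):
        ev.append(FileEvent(104.5, 4242, "write", f"{d}/README.txt", data=b"Your files are encrypted. Pay to recover them.\n"))
    text = b"Meeting notes: discuss Q3 budget and the hiring plan for next quarter.\n" * 4
    for k in range(3):   # PID 1001 saves plaintext three times, then renames one file
        ev.append(FileEvent(100.0 + k, 1001, "write", "/home/alice/notes.txt", data=text))
    ev.append(FileEvent(103.0, 1001, "rename", "/home/alice/notes.txt", new_path="/home/alice/notes.md"))
    return ev


if __name__ == "__main__":
    for pid, v in analyze(constructed_events()).items():
        print(pid, v)
```

A real agent gets these events from a kernel filter driver or eBPF rather than a Python list, and the thresholds need tuning against backup, compression and disk-encryption tools, which also produce high-entropy writes at speed; that is why the verdict requires several independent signals before it escalates to killing and isolating.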
Stopping an in-progress attack is the most important job of any XDR solution, but its role doesn’t stop there. After taking critical steps to stop an ongoing attack, IT and security teams must get a detailed forensic view that includes a timeline of the malware’s activity, its entry point and attack vector, and a list of all affected files and networks. Administrators can then analyze the attack to better prepare for future threats and provide their superiors, law enforcement, and insurers with all relevant data.
Tactic #3. Rolling back changes from ransomware
The third element in this multi-layered approach, and perhaps the most crucial for those already hit by ransomware, is the ability to turn back the clock and restore all assets and configurations to their state before the attack. This step enables a speedy recovery and supports business continuity even when an attack has spread widely.
Previously unknown malware or new attack tactics might not be caught and blocked automatically by the detection component, so undoing their actions is the remaining safeguard. The damage is also not limited to files being encrypted or deleted: malware can change access permissions and security configurations that are then abused in later attacks.
Such multi-step attacks are commonly employed by hackers targeting corporate networks and public infrastructure, and pose a particularly dangerous threat. In these long-term campaigns, the first stage is often intended only to plant the seeds, so to speak, for easier execution of attacks on specific dates like holidays or around important business events. This way, attackers surprise their victims and capitalize on their lack of preparedness, leaving them no choice but to pay the full ransom amount.
Automatic reversion of every change made by malicious or suspicious code, however small, gives administrators a safety net, protecting them and the entire domain from the dire consequences of a successful attack.
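To make concrete what "reverting every change" has to cover, here is an added example of a minimal change journal and rollback; it is not the rollback engine of any product named on this page. For every path a tracked process touches, it records the file’s content, permission bits and existence before the first change, so that encryption, re-extensioning, deletion, dropped files and the permission tampering described above can all be undone. The victim tree, the simulated attack and the `TrackedFS` wrapper standing in for a filesystem filter are all constructed for the demonstration.

```python
"""Journal-and-rollback of file changes made by a suspect process.

Added example; not any vendor's rollback engine. The victim files, the
simulated attack and the TrackedFS wrapper are constructed for the demo.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    existed: bool
    data: Optional[bytes]
    mode: Optional[int]          # permission bits only (stat.S_IMODE)


class ChangeJournal:
    """Pre-change state of every path, captured once, on first touch."""

    def __init__(self) -> None:
        self._before: Dict[str, Snapshot] = {}

    def record(self, path: str) -> None:
        if path in self._before:
            return                      # keep the oldest (pre-attack) state
        if os.path.lexists(path):
            with open(path, "rb") as f:
                data = f.read()
            self._before[path] = Snapshot(True, data, stat.S_IMODE(os.lstat(path).st_mode))
        else:
            self._before[path] = Snapshot(False, None, None)

    def rollback(self) -> int:
        """Restore content, mode and existence for every journaled path."""
        for path, snap in self._before.items():
            if snap.existed:
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(snap.data or b"")
                os.chmod(path, snap.mode)        # undo permission tampering
            elif os.path.lexists(path):
                os.remove(path)                  # file the attacker created
        n, self._before = len(self._before), {}
        return n


class TrackedFS:
    """Stand-in for a kernel filter driver: journal first, then mutate."""

    def __init__(self, journal: ChangeJournal) -> None:
        self.j = journal

    def write(self, path: str, data: bytes) -> None:
        self.j.record(path)
        with open(path, "wb") as f:
            f.write(data)

    def rename(self, src: str, dst: str) -> None:
        self.j.record(src)
        self.j.record(dst)
        os.replace(src, dst)

    def chmod(self, path: str, mode: int) -> None:
        self.j.record(path)
        os.chmod(path, mode)

    def remove(self, path: str) -> None:
        self.j.record(path)
        os.remove(path)


def tree_state(root: str) -> Dict[str, Tuple[bytes, int]]:
    """relative path -> (content, permission bits) for every file under root."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            with open(p, "rb") as f:
                state[os.path.relpath(p, root)] = (f.read(), stat.S_IMODE(os.stat(p).st_mode))
    return state


def seed_victim_tree(root: str) -> None:
    files = {"docs/plan.txt": b"Q3 plan: hire two engineers.\n",
             "docs/budget.csv": b"item,cost\nlaptops,12000\n",
             "docs/notes.md": b"# scratch\n",
             "etc/app.conf": b"admin_only=true\n"}
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    os.chmod(os.path.join(root, "etc/app.conf"), 0o600)


def simulate_attack(fs: TrackedFS, root: str) -> None:
    """Constructed ransomware behaviour: encrypt, re-extension, note, delete, loosen perms."""
    for rel in ("docs/plan.txt", "docs/budget.csv"):
        p = os.path.join(root, rel)
        with open(p, "rb") as f:
            plain = f.read()
        fs.write(p, bytes(b ^ 0x5A for b in plain))   # toy "encryption"
        fs.rename(p, p + ".locked")
    fs.write(os.path.join(root, "docs/README.txt"), b"Pay to decrypt.\n")
    fs.remove(os.path.join(root, "docs/notes.md"))
    fs.chmod(os.path.join(root, "etc/app.conf"), 0o666)   # seed for a later attack


def run_demo() -> dict:
    root = tempfile.mkdtemp(prefix="rollback-demo-")
    try:
        seed_victim_tree(root)
        before = tree_state(root)
        journal = ChangeJournal()
        simulate_attack(TrackedFS(journal), root)
        during = tree_state(root)
        entries = journal.rollback()
        after = tree_state(root)
        return {"damaged": before != during, "restored": before == after, "entries": entries}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Two things the toy deliberately exposes. First, the journal must be populated by something the malware cannot bypass; here the attack politely calls `TrackedFS`, whereas a real product hooks the kernel so that every write, rename, unlink and chmod is captured regardless of who issues it. Second, restoring only file contents is not enough: the permission bits on `etc/app.conf` are part of the snapshot precisely because loosened permissions are the kind of quiet change that enables the next attack.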
An extensive security stack for ransomware prevention
In summary, the key goal for cybersecurity architects and defenders of enterprise networks is prevention, and when it comes to ransomware, prevention is all about denying attackers initial access to any part of the enterprise. A comprehensive strategy includes making user authentication attack resistant, immediately detecting and removing threats, and lastly, rolling back every action taken by attackers and their malware in attacks that evaded detection. Read about The 7 Common Ways Ransomware Can Infect Your Organization in SentinelOne’s eBook.
It all starts with the endpoint and its intrinsic security capabilities. Lenovo’s ThinkShield incorporates supply chain security and below-OS security capabilities. SentinelOne and Secret Double Octopus have teamed with Lenovo to bring a multi-layered approach to ransomware security and better protect enterprises. SentinelOne’s XDR platform, Singularity™, makes verdicts and acts in real time to stop the delivery of ransomware on end-user and cloud workload endpoints. Double Octopus’ Passwordless Enterprise platform prevents attackers from using brute-forced or stolen credentials to gain a foothold on the network by removing the reliance on passwords, and on users’ memory of them, for authentication. Together they form a joint solution that can strengthen the defense of your organization’s attack surface.