If the growth of ransomware attacks in 2022 indicates what the future holds, security teams everywhere should expect to see this attack vector become even more popular in 2023.
By Aamir Lakhani, global security strategist and researcher at Fortinet
In just the first half of 2022, the number of new ransomware variants we identified increased by nearly 100% compared to the previous six-month period, with our FortiGuard Labs team documenting 10 666 new ransomware variants in 1H 2022 compared to just 5 400 in 2H 2021.
This explosive growth in new ransomware variants is primarily thanks to more attackers taking advantage of ransomware-as-a-service (RaaS) subscriptions on the dark web.
However, even with the increase in ransomware variants, the techniques we see bad actors using to deliver ransomware remain largely the same. This predictability is good news because security teams have a reliable blueprint for protecting against these attacks. Here’s a closer look at ransomware mitigation strategies and how you can implement these in your organisation.
What is ransomware?
Ransomware is malware that holds data hostage in exchange for a ransom. It threatens to publish, block, or corrupt data–or prevent a user from working on or accessing their computer unless they meet the attacker’s demands.
Today, ransomware is often sent through phishing emails. These malicious attachments infect a user’s computer once opened. Ransomware can also be spread through drive-by downloading, which happens when a user visits a website that happens to be infected. The malware on that site is downloaded and installed without the user realizing it.
Social engineering often plays a role in a ransomware attack as well. This is when an attacker tries to manipulate someone into divulging confidential information. One common social engineering tactic is to send emails or text messages to scare the target into sharing sensitive information, opening a malicious file, or clicking on a malicious link.
What is ransomware mitigation?
Attempted attacks and data breaches are inevitable, and no organisation wants to be forced to decide between paying a ransom and losing important data. Fortunately, those aren’t the only two options.
The best path forward is to take appropriate steps to safeguard your networks, which will lessen the chances your enterprise will be hit with ransomware. This approach requires a layered security model that combines network, endpoint, edge, application, and data-centre controls, as well as updated threat intelligence.
In addition to implementing the right security tools and processes, don’t forget the role cybersecurity education plays in your mitigation strategy. Teaching employees how to spot a ransomware attack–and educating them about strong cyber hygiene practices in general–is a great defence against clever attackers.
Understanding the risks that make ransomware mitigation necessary
Look around any organization, and you’ll likely find security “gaps” that increase the chances of a business falling victim to a ransomware attack. Here are several common challenges security teams and their organisations face, which can make them more vulnerable to cyber incidents.
* Lack of cyber hygiene knowledge among employees: Human behaviour continues to be a significant factor in most security incidents. Beyond understanding the signs of ransomware, a lack of general cybersecurity education among employees can put your organization at risk. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches that occurred in the past year involved the human element.
* Weak password policies: Insufficient policies relating to employee credentials–or having no policy–increase the likelihood that an organization will experience a security breach. Compromised credentials are involved in nearly 50% of attacks.
* Insufficient security monitoring and processes: No single tool offers everything your security team needs to monitor for and protect against potential cyber incidents such as ransomware. A layered security approach can help you adequately manage your enterprise’s risk.
* Staffing shortages among security and IT teams: It’s no secret that you must have individuals with the right skill sets on your team to support monitoring and risk mitigation efforts to combat cybercrime effectively. Yet data shows that the cybersecurity skills gap presents an ongoing challenge for CISOs: how to attract and retain new talent while ensuring current team members get the necessary training and upskilling opportunities.
Latest ransomware attacks to learn from
Ransomware continues to get nastier and more expensive, impacting companies in every industry and geography. While most of us recall recent high-profile ransomware attacks involving companies such as Colonial Pipeline and JBS, countless other ransomware incidents occur that don’t make the national news.
However, many ransomware attacks can be prevented by applying strong cyber hygiene practices–including offering ongoing cyber awareness training for employees–and focusing on implementing Zero Trust Network Access (ZTNA) measures and endpoint security.
Ransomware protection best practices
Effective ransomware detection requires a combination of education and technology. Here are some of the best ways to detect and prevent the evolution of current ransomware attacks:
* Educate your employees about the hallmarks of ransomware: Security awareness training for today’s workforce is a must and will help organizations guard against an ever-evolving array of threats. Teach employees how to spot signs of ransomware, such as emails designed to look like they are from authentic businesses, suspicious external links, and questionable file attachments.
* Use deception to lure (and halt) attackers: A honeypot is a decoy consisting of fake repositories of files designed to look like attractive targets for attackers. You can detect and stop the attack when a ransomware hacker goes after your honeypot. Not only does cyber deception technology like this use ransomware’s own techniques and tactics against itself to trigger detection, but it uncovers the attacker’s tactics, tools, and procedures (TTP) that led to its successful foothold in the network so your team can identify and close those security gaps.
* Monitor your network and endpoints: By conducting ongoing network monitoring, you can log incoming and outgoing traffic, scan files for evidence of attack (such as failed modifications), establish a baseline for acceptable user activity, and then investigate anything that seems out of the ordinary. Deploying antivirus and anti-ransomware tools is also helpful, as you can use these technologies to whitelist acceptable sites. Lastly, adding behavioural-based detections to your security toolbox is essential, particularly as organizations’ attack surfaces expand and attackers continue to up the ante with new, more complex attacks.
* Look outside your organisation: Consider taking an outside-the-network view to the risks posed to an organisation. As an extension to a security architecture, a DRP service can help an organization see and mitigate three additional areas of risk: digital asset risks, brand-related risks, and underground and imminent threats.
* Augment your team with SOC-as-a-service if needed: The current intensity we see across the threat landscape, both in velocity and sophistication, means we all need to work harder to stay on top of our game. But that only gets us so far. Working smarter means outsourcing specific tasks, like incident response and threat hunting. This is why relying on a Managed Detection and Response (MDR) provider or a SOC-as-a-service offering is helpful. Augmenting your team in this way can help to eliminate noise and free up your analysts to focus on their most important tasks.
While the volume of ransomware isn’t slowing, numerous technologies and processes are available to help your team mitigate the risks associated with this attack. From ongoing cyber education programs to strengthening ZTNA efforts, we can keep crafty attackers at bay.