How to Prevent Evolving Ransomware Attacks

Ransomware attack trends continue to evolve, and the current iterations are no exception. During the last year, malicious actors have attacked healthcare organizations, medical trials, schools, and shipping agencies.

Considering the impact these modern attacks can have on organizations everywhere, no matter the industry, security professionals must always be ready to secure their systems, networks, and software in new ways. And according to a recent FortiGuard Labs Global Threat Landscape Report, ransomware remains a prolific threat that increased in 2020 and became even more disruptive. Having endpoint security software and device protection solutions in place will allow your organization to secure every user and device on and off the network with advanced response.

What is Ransomware?

Ransomware is a type of malware, often distributed through phishing attacks, drive-by downloads, trojans, and social engineering attacks. It secretly infects devices on your network, allowing an operator to access sensitive data and/or lock down devices on the network. 

Once the attacker has rounded up as much important data as possible, they will encrypt the data and render it inaccessible until a ransom is paid. They may threaten to corrupt, delete, or leak sensitive data if the ransom is not paid, resulting in significant business losses. For this reason, ransomware has become one of the most pressing modern security threats.

What Security Vulnerabilities Do Ransomware Attacks Exploit?

Ransomware as an attack methodology has the potential to cause severe damage. Advanced attacks take seconds to compromise endpoints and ransomware attacks take seconds to cause damage to your systems and infrastructure making it critical to ensure your organization is prepared. Malicious actors may exploit the following vulnerabilities to attack your organization:

• Legacy software or hardware
• Modern devices and software with unpatched vulnerabilities
• Improperly configured firewalls
• Unfettered network access
• Poor contingency plans, especially those with unadvanced backup practices

As attacks grow in sophistication, the impact goes beyond just financial losses and the lack of productivity often associated with systems going down. Instead, threat researchers are increasingly seeing encrypted versions of data being posted online – not just held for ransom – along with the threat that if the ransom is not paid, all of the data will be released to the public or sold to a buyer. As a result, organizations have begun to appear on the Darknet with a business model centered on negotiating ransoms. And while systems like this may sound like an easy fix, they can actually have long-term negative effects, including the normalization of criminal behavior. 

Further, as IT and operating technology (OT) systems converge, ransomware attack trends have begun to target new data and technology types. Field devices and sensors have become new targets, resulting in malicious actors shifting their focus from corporate networks to the OT edge. In turn, power grids, transportation management infrastructures, medical systems, and other critical resources are being threatened more than ever before. And this shift impacts more than sensitive information. At the OT edge, these Industrial Internet of Things (IIoT) devices are also responsible for people’s physical safety, demonstrating the severity of attacks on these networks. 

How to Prevent Ransomware Attacks and Protect Your Data

Attackers know that end-users are high-target, high-value assets. Ransomware leverages social engineering attacks, preying on fears as a way to execute malicious code on devices. With this in mind, cyber hygiene must start as a board-level conversation. 

A top-down approach to creating a strong ransomware mitigation strategy includes: 

• Continuously providing employees updates on new social engineering attack methodologies so they know what to look out for.
• Establishing a zero-trust access (ZTA) strategy that includes segmentation and micro-segmentation.
• Regularly backing up data, storing it offline and off-network to ensure rapid recovery.
• Encrypting all data inside the network to prevent exposure.
• Regularly practicing ensures all responsible parties know what to do in case of an attack, thereby reducing downtime. 
• Implementing a strong security posture that includes behavior-based endpoint security to automatically detect and defuse potential threats in real-time, even on already infected hosts.
• Patch, Patch, Patch. Out-of-Band, emergency, patches will happen. Organizations need to have a plan in place through change control processes to ensure they can respond to emergency patches.
• Getting serious about cybersecurity training and awareness for employees as well as family and students. The home is the new branch today and a vector into the core network.

Additionally, by developing and sharing defense playbooks, which offer a detailed view of cybercriminals’ “fingerprints,” organizations can enhance their response activities. Detailing how known cybercriminal groups work only enables defenders to become stronger and more strategic. Blue Team (defensive) playbooks provide defenders with winning strategies against present and future cyberattacks. And when paired with Artificial Intelligence (AI), security teams can leverage the playbooks to build an advanced, proactive protection framework, enabling them to respond to new threats in real-time. AI also gives them the tools necessary to evolve their methodologies at the same rate as cybercriminals so that they can create more refined and granular responses earlier in the attack cycle. 

Prioritizing Collaboration to Stay Ahead of Ransomware Attack Trends

Another key factor to developing a strong security posture is working with all internal and external stakeholders, including law enforcement. More data ensures more effective responses. Because of this, cybersecurity professionals must openly partner with global or regional law enforcement, like US-CERT. Sharing intelligence with law enforcement and other global security organizations is the only way to effectively take down cybercrime groups. Simply defeating a single ransomware incident at one organization does not reduce the overall impact within an industry or peer group.

Cybercriminals have been known to target multiple companies, verticals, systems, networks, and software. In order to make attacks more difficult and resource-intensive for cybercriminals, public and private entities must collaborate by sharing threat information and attack data. Private-public partnerships also help victims recover their encrypted data, ultimately reducing the risks and costs associated with the attack. 

When private and public entities work together, they also expand visibility. For example, a bank may suffer a ransomware attack but fail to share information responsibly with law enforcement. Then, law enforcement may end up working with a credit card company also impacted by the same cybercrime group and lack key information to understand the criminal organization’s full scope. 

Cybercrime lacks borders. Actionable threat intelligence with global visibility helps both the private and public sectors shift from taking a reactive approach to being proactive. 

Responding to Ransomware: To Pay or Not to Pay

When impacted by a ransomware attack, some organizations may find it easier to pay than have their IT team spend days trying to recover data, all while business operations remain at a standstill. But this is not always the case. To remind organizations of this fact, the U.S. Treasury warned that facilitating the payment of ransoms on behalf of victims could result in legal consequences, as it sets a bad precedent for other cybercriminals.

It should also be noted that paying a ransom does not guarantee that the threat will go away instantly. In some cases, the information that organizations worked so hard to protect had already been exposed and can cause additional long-term problems.  

Knowledge Equals Power and Protection Against Ransomware Attack Trends

Modern ransomware attacks place data and lives at risk, meaning organizations must take a more proactive approach with real-time endpoint protection, detection, and automated response solutions to secure their environments. From a technical standpoint, cyber hygiene, zero-trust policies, network segmentation, and encryption offer protections. Further, these strategies work best when organizations leverage asset visibility tools to identify their critical assets – once they know where the data resides, they can create a proactive protection strategy. 

Finally, the human element remains as important as technology. Building relationships with law enforcement to share information and threat intelligence is the final piece of the ransomware puzzle. The only way to defeat cybercriminals is to work together against them. 

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.