Closing the vulnerability gap

by Mark Rowe

Ransomware is now a booming business sector containing over 1,000 ransomware groups, over 100 of which are large enough and dangerous enough to be actively tracked by the FBI, writes Mieng Lim, Vice President of Product Management at cyber firm HelpSystems, now rebranded as Fortra.

Highly organised and well-funded, these ransomware syndicates operate enterprise-style business models featuring profit sharing, subscriptions and technical support. Sharing know-how and expertise, they’ve developed fully featured and highly scalable attack platforms that make it easier to propagate ransomware to a greater number and variety of targets at a much faster pace. It’s a development that effectively puts all businesses in the crosshairs. Fortunately, organisations can gain the upper hand by understanding the new face of ransomware and its attack vector to beat ransomware gangs at their own game.

Fuelling the storm

Ransomware gangs are industrialising the development of new ransomware strains, using automated mutation technologies to create over 168 million new strains in 2021 alone. The emergence of mass-produced malware means many strains are missed by signature-based antivirus (AV) detection, even though many are variations on known or existing versions. This means organisations need to deploy behaviour-based detection to catch this dangerous activity and block it.

The propagation of these new attack vectors is being fuelled by ransomware as a service (RaaS), a subscription-based model that enables less technical cyber criminals to leverage turnkey services and platforms to perpetrate attacks. It’s been estimated that two-thirds of ransomware attacks are now perpetrated by RaaS groups.

That’s not the only evolution in operating methods. Hackers are now going beyond using ransomware to simply lock endpoints and are using malware to open backdoors that will allow valuable data to be exfiltrated off-site. This enables them to initiate double and triple extortion attacks that include reaching out to customers of a targeted company and threatening to share or sell their personal information on the open market if a ransom payment isn’t received.

The changing face of ransomware means organisations need to adopt a more holistic, proactive security strategy. Since resources aren’t infinite, taking a defence-in-depth approach to security that closes the gaps and allows rapid detection will be critical to optimising ransomware prevention efforts.

A good starting point is mitigating any software vulnerabilities that can be exploited by bad actors looking to infiltrate and take control of endpoints. By combining vulnerability scanning and assessment technologies, organisations can create a complete vulnerability management programme to investigate infrastructure endpoints for exposures such as misconfigurations or software with exploits. Using built-in agents or credentials, these assessments will deliver highly targeted data about what vulnerabilities may exist so that potential gaps can be closed before attackers can discover and exploit them.

Assessing application security vulnerabilities is another crucial component of managing organisational vulnerabilities. These flaws may originate with the in-house programming team or imported libraries and must be identified and evaluated using Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) tools.

Earlier detection

Effective ransomware protection requires exceptional visibility of all assets, using data generated from network traffic, endpoints and software messages on-premises and in the cloud to generate functional analytics and alerts.

The centralised management of this data via a cyber security dashboard will give security teams the consolidated visibility that’s key for generating more in-depth insights from the data collected. When combined with artificial intelligence and machine learning tools, security teams can use analytics to create baselines of behaviour for all aspects of the IT ecosystem. Using these baselines, threat detection software can then deliver actionable alerts on anomalies that may indicate malware infections. This early detection will enable threat management teams to rapidly respond and determine if these anomalies are caused by ransomware, an attacker, or something else.
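As an added illustration (not from the article or any Fortra product), the sketch below contrasts an exact-hash signature check, which a one-byte mutation evades, with a per-process behavioural baseline of file writes per minute combined with write entropy. All process names, events, the signature list and the thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed signature list: the hash of one "known" sample.
KNOWN_BAD = {hashlib.sha256(b"sample-strain-A").hexdigest()}

def signature_match(binary: bytes) -> bool:
    """Signature-style check: exact hash lookup, so any byte change evades it."""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_baseline(write_counts):
    """Per-process mean and standard deviation of file writes per minute."""
    return {p: (mean(v), pstdev(v)) for p, v in write_counts.items()}

def detect(events, baseline, sigmas=3.0, min_entropy=7.0):
    """Flag (minute, process) pairs whose write rate and entropy both break baseline."""
    buckets = defaultdict(list)
    for minute, process, payload in events:
        buckets[(minute, process)].append(entropy(payload))
    alerts = []
    for (minute, process), ents in sorted(buckets.items()):
        mu, sd = baseline.get(process, (0.0, 0.0))
        # Floor the deviation at 1.0 so very quiet processes do not alert on noise.
        if len(ents) > mu + sigmas * max(sd, 1.0) and mean(ents) >= min_entropy:
            alerts.append((minute, process, len(ents)))
    return alerts

# Constructed history: writes per minute seen during normal operation.
HISTORY = {"backup.exe": [40, 42, 38, 41], "winword.exe": [1, 2, 1, 2]}
TEXT = b"Quarterly report draft, revision 3. " * 8   # low-entropy document data
CIPHER = bytes(range(256))                            # stands in for encrypted output
EVENTS = (
    [(0, "winword.exe", TEXT)] * 2        # normal editing
    + [(0, "backup.exe", CIPHER)] * 41    # high entropy, but within its own baseline
    + [(1, "winword.exe", CIPHER)] * 30   # burst of high-entropy rewrites
)

if __name__ == "__main__":
    print(signature_match(b"sample-strain-A"), signature_match(b"sample-strain-A\x00"))
    print(detect(EVENTS, build_baseline(HISTORY)))
```

The backup process writes high-entropy data at its usual rate and is not flagged, which is why the alert condition is tied to each process's own baseline, not to a global threshold.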

Multi-layered approach

With the right defensive layers in place, organisations can prevent, detect and proactively stop attackers. Alongside using vulnerability management to scan, assess and manage threats to the network and prioritise remediation efforts, organisations will need to ensure they have the appropriate application security tools in place to secure apps at the time of development. Finally, conducting regular penetration testing will ensure the enterprise infrastructure doesn’t contain any exploitable vulnerabilities. In combination, all these tools create a defence-in-depth approach that will secure the organisation against ransomware and other malicious attacks.

Mieng Lim is Vice President of Product Management at HelpSystems
