
How to protect critical data in the age of ransomware

Ray Kafity, Vice President – Middle East, Turkey & Africa at Attivo Networks


Ransomware attacks are one of the most disruptive and costly cybercrimes that businesses and people face today. Although ransomware has been around for a long time, the game changed drastically last year. Because of the Covid-19 pandemic, most people worked from home, increasing the danger of a successful ransomware assault.

This rise is due to a combination of faulty home IT protection and a more significant likelihood of people falling victim to social engineering-based attacks. Criminal gangs exploit the weaknesses and security gaps of remote workforces, allowing them to access corporate networks.

According to Bitdefender’s 2020 Consumer Threat Landscape Report, ransomware attacks surged by 485 percent globally in 2020 compared to 2019. Ransomware-as-a-service is also becoming more popular, making it easier for unskilled individuals to become criminals. Furthermore, these attackers have used increasingly inventive methods to receive payouts, such as extorting additional payments from a company’s customers.

Recent ransomware hits on Colonial Pipeline and Fujifilm, the hijacking of Kaseya’s technology management software, and the cyber-attack on JBS USA Holdings, among others, highlight the brazen nature of organised, deliberate attacks on increasingly large targets, as well as the persistent failure to protect organisations against them. In the UAE alone, 78% of companies experienced ransomware attacks in 2020, each paying more than $1.4 million to restore their data, while only 44% of those could recover it. Reports indicated that 42% of the victims had to close down operations after the ransomware attack.

The recent spike in ransomware attacks has demonstrated how persistent threat actors are as they exploit one weak link in a network to access confidential and private data, causing irrevocable financial and reputational damage to unsuspecting victims.

Strategic ransomware

Cybercriminals utilise ransomware to prevent victims from accessing their data. The digital extortionists encrypt the victim’s files and append extensions to the data they’ve stolen, holding it “hostage” until the organisation pays the ransom. After the initial compromise, the ransomware may attempt to propagate throughout the network to shared disks, servers, associated PCs, and other accessible devices. If the ransom demands are not satisfied within the cybercriminals’ deadline, the system or encrypted data remains unavailable, or the software wipes the data and destroys the decryption key.

As possibilities arise, ransomware criminals will actively exploit flaws. Organisations are under increased pressure to find a solution as ransomware payouts increase. Companies frequently focus on cyber hygiene and information-sharing protocols to avoid a future breach, although this has proven ineffective. The recent large-scale Kaseya cyber-attack sends a strong message to businesses that they cannot rely on their software suppliers to safeguard them from risks resulting in downstream damage.

Companies must approach their cybersecurity strategy with an “assumed breach” mindset, anticipate the worst, and employ adequate security procedures to detect intruders within their networks. Even when detection mechanisms are in place, attackers have proved that they can get past firewalls and perimeter technologies, necessitating the addition of identity-based detection and response to their controls.

Organisations can also stay on top of detected gaps and understand prospective attack vectors by remaining aware of vulnerabilities from the start, allowing them to add hurdles like cyber deception to throw their opponents off course. They accomplish this by continuously monitoring the enterprise for lateral movement, preventing privilege escalation, and safeguarding Active Directory. Otherwise, the opponent will have the upper hand in the organisation by living off the land (using existing tools and user accounts) and will most likely achieve their objectives.

Protecting AD = Protecting against Ransomware

While it is hard to prevent every prospective attack, careful planning and lateral-movement prevention technologies such as deception, camouflage, and concealment can help the organisation avoid a more severe attack.

Traditional AD security has focused primarily on patching vulnerabilities, following the principle of least privilege, and implementing tiered administrative procedures. While these are required steps, they are no longer sufficient. An organisation can only patch a vulnerability after it has discovered it, and even log analysis combined with SIEM correlation tends to focus on detection rather than vulnerability evaluation. Organisations can no longer afford to rely solely on reactive measures; they must become proactive.

It’s vital to frequently evaluate AD accounts and objects and to maintain an up-to-date inventory of rights and privileges when tackling Active Directory vulnerabilities such as credential exposures or overlooked permissions. Remediating or mitigating these vulnerabilities limits the attack surface, provided settings and configurations are regularly analysed and adjusted to adhere to a policy of least privilege. Attackers frequently target delegated admin or shadow admin accounts, and these audits can close attack pathways in AD by removing superfluous credentials or access capabilities.

Security teams must also have visibility into potential account-related issues by continuously reviewing accounts, particularly those with administrator capabilities, and adhering to a policy of least privilege. Users must have only the access they require to accomplish their essential job functions, which helps contain a breach. Organisations may trust their employees, but overly permissive policies, often adopted for convenience, are disastrous if attackers compromise just one account, leaving the company vulnerable to ransomware. Security teams must also keep track of AD credentials cached on endpoints and regularly remove them.
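The account review described in the two paragraphs above is routinely scripted. The following PowerShell is an added example, not code from the article or from Attivo Networks: it enumerates the effective (nested) membership of the built-in privileged groups, flags common least-privilege gaps on each member, and lists accounts that still carry the protected `AdminCount` flag without any current privileged membership. It assumes the RSAT `ActiveDirectory` module, a domain-joined session with read access to the directory, and two tuning values (`$StaleDays`, `$PasswordMaxAgeDays`) that are placeholders for your own policy.

```powershell
# Added example (not from the article): audit privileged AD accounts and flag
# least-privilege gaps. Requires the RSAT ActiveDirectory module and a
# domain-joined session with read rights to the directory.
Import-Module ActiveDirectory

# Built-in groups whose membership usually confers domain-wide control.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

# Assumed policy values: adjust to your own standards.
$StaleDays          = 90
$PasswordMaxAgeDays = 365
$StaleCutoff        = (Get-Date).AddDays(-$StaleDays)
$PasswordCutoff     = (Get-Date).AddDays(-$PasswordMaxAgeDays)

$UserProps = @('LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires',
               'ServicePrincipalName', 'AdminCount', 'Enabled')

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, which is where "shadow admin"
    # membership tends to hide.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName -Properties $UserProps

        $Issues = @()
        if ($User.PasswordNeverExpires) { $Issues += 'PasswordNeverExpires' }
        if ($User.ServicePrincipalName) { $Issues += 'ServicePrincipalNameSet' }
        if (-not $User.Enabled)         { $Issues += 'DisabledButStillMember' }
        if ($User.LastLogonDate -and $User.LastLogonDate -lt $StaleCutoff) {
            $Issues += "NoLogonIn${StaleDays}Days"
        }
        if ($User.PasswordLastSet -and $User.PasswordLastSet -lt $PasswordCutoff) {
            $Issues += "PasswordOlderThan${PasswordMaxAgeDays}Days"
        }

        [PSCustomObject]@{
            Group          = $Group
            SamAccountName = $User.SamAccountName
            Enabled        = $User.Enabled
            LastLogonDate  = $User.LastLogonDate
            Issues         = ($Issues -join '; ')
        }
    }
}

# Accounts that were once in a protected group keep AdminCount=1 and the
# restrictive AdminSDHolder ACL even after removal; these "orphaned" admin
# accounts are easy to overlook during reviews.
$PrivilegedSam = $Findings.SamAccountName | Sort-Object -Unique
$OrphanedAdmins = Get-ADUser -Filter 'AdminCount -eq 1' -Properties AdminCount |
    Where-Object { $PrivilegedSam -notcontains $_.SamAccountName }

$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
"`nAccounts with AdminCount=1 but no current privileged membership:"
$OrphanedAdmins | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Export so each run can be diffed against the previous one to reveal drift.
$Findings | Export-Csv -Path ".\ad-privileged-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from a scheduled task under a read-only account and compare the CSV with the previous run; new members of a privileged group, or a member that suddenly acquires a service principal name, are the changes worth a ticket.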

Prevention and detection

It is critical to have better attack detection. The attacker’s ability to move laterally across the network and find valuable assets is central to ransomware. Detecting such movement gives defenders a considerable edge, as they can use technology solutions like concealment and misdirection to aid early detection and threat intelligence collection.

These solutions can detect unauthorised attack queries to AD, raise an alert, and even return fake data to the attacker to disrupt their attempts. When attackers try to act on the data, it can lead them to a decoy that safely diverts the attack from production assets and alerts on the activity while collecting information on them.
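Lateral movement, as the earlier paragraph on monitoring and the two paragraphs above describe, shows up in authentication telemetry before it shows up as encrypted files. The following PowerShell is an added example, not code from the article or any vendor product: it runs a simple heuristic over constructed Security event 4624-style records (network logon, type 3) and raises an alert when one account reaches many distinct hosts inside a short window. The records, the account and host names, and the two thresholds (`$WindowMinutes`, `$HostThreshold`) are all constructed or assumed; on a real domain controller the `$Events` array would be replaced with `Get-WinEvent` output.

```powershell
# Added example (not from the article): a lateral-movement heuristic over
# network logon events. All records below are constructed sample data.
$WindowMinutes = 10   # assumed tuning value
$HostThreshold = 5    # assumed tuning value: distinct targets per account per window

# Constructed 4624-style records: time, account, source IP, target host, logon type.
# On a real DC you would build these from:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
$Events = @(
    @{ Time = '2021-07-05 09:00:12'; Account = 'alice';      Source = '10.0.1.20'; Target = 'FS01';   LogonType = 3 },
    @{ Time = '2021-07-05 09:03:40'; Account = 'alice';      Source = '10.0.1.20'; Target = 'PRINT01'; LogonType = 3 },
    @{ Time = '2021-07-05 09:30:01'; Account = 'alice';      Source = '10.0.1.20'; Target = 'FS01';   LogonType = 3 },
    @{ Time = '2021-07-05 09:10:02'; Account = 'svc-backup'; Source = '10.0.5.9';  Target = 'FS01';   LogonType = 3 },
    @{ Time = '2021-07-05 09:10:31'; Account = 'svc-backup'; Source = '10.0.5.9';  Target = 'FS02';   LogonType = 3 },
    @{ Time = '2021-07-05 09:11:05'; Account = 'svc-backup'; Source = '10.0.5.9';  Target = 'SQL01';  LogonType = 3 },
    @{ Time = '2021-07-05 09:11:48'; Account = 'svc-backup'; Source = '10.0.5.9';  Target = 'WEB01';  LogonType = 3 },
    @{ Time = '2021-07-05 09:12:20'; Account = 'svc-backup'; Source = '10.0.5.9';  Target = 'HR-PC7'; LogonType = 3 },
    @{ Time = '2021-07-05 09:13:02'; Account = 'svc-backup'; Source = '10.0.5.9';  Target = 'DC01';   LogonType = 3 },
    @{ Time = '2021-07-05 09:15:00'; Account = 'bob';        Source = '10.0.1.31'; Target = 'WS-BOB'; LogonType = 2 }
) | ForEach-Object { [PSCustomObject]$_ }

$Alerts = $Events |
    Where-Object { $_.LogonType -eq 3 } |      # network logons only
    Group-Object Account |
    ForEach-Object {
        $Account = $_.Name
        $Sorted  = @($_.Group | Sort-Object { [datetime]$_.Time })

        # Sliding window: from each event, count distinct targets reached
        # within the next $WindowMinutes. One alert per account is enough.
        for ($i = 0; $i -lt $Sorted.Count; $i++) {
            $Start = [datetime]$Sorted[$i].Time
            $End   = $Start.AddMinutes($WindowMinutes)
            $InWindow = @($Sorted | Where-Object {
                [datetime]$_.Time -ge $Start -and [datetime]$_.Time -le $End
            })
            $Targets = @($InWindow.Target | Sort-Object -Unique)

            if ($Targets.Count -ge $HostThreshold) {
                [PSCustomObject]@{
                    Account       = $Account
                    WindowStart   = $Start
                    SourceIPs     = (@($InWindow.Source | Sort-Object -Unique) -join ',')
                    DistinctHosts = $Targets.Count
                    Hosts         = ($Targets -join ',')
                }
                break
            }
        }
    }

if ($Alerts) {
    "Possible lateral movement detected:"
    $Alerts | Format-Table -AutoSize
} else {
    "No account exceeded $HostThreshold distinct hosts within $WindowMinutes minutes."
}
```

With the constructed data, `alice` touches two hosts in ten minutes and stays quiet, while `svc-backup` reaches six in three minutes and is reported. In production the threshold needs to be tuned per account class: backup and monitoring service accounts legitimately fan out, so the useful signal is usually a fan-out from an account, or from a source address, that has never done so before.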

The threat actors remain unaware that they are wasting their time and resources, while the defenders have thwarted the attempt and are gathering intelligence that helps them prepare for future attacks. In the struggle against ransomware, taking precautionary measures is crucial.