With ransomware payments hitting a record $1.1 billion last year, it’s no wonder why it’s top of mind for most business leaders. Instead of wondering whether or not they’ll be hit with a ransomware attack, leaders need to be building a strategy for what to do when an attack is attempted on their business. The question isn’t “Will I get hit with ransomware?” it is “What will I do when it happens?” For years, the prevailing narrative has been that it is impossible to stop an attacker from getting in, and so the top cybersecurity priority must be detecting attackers inside and responding to kick them out. But there’s a deeper question security leaders can ask: “Once an attacker gets in, how can I stop them before they actually do anything?”
Many security strategies are built around detecting ransomware and responding faster than the adversary can act. This strategy has been tried for years, and if headlines are any indicator, it is time to try something else. Instead, enterprises should focus on first putting the proper prevention controls in place, not only at the perimeter, but at every key attack stage along the way to increase the effort an attacker must expend and reduce the likelihood of their success. This strategy can be a cost-effective way to avoid business and operational disruption and keep money in your company’s pocket.
Detecting and responding to ransomware simply does not go far enough. Even if your company pays the ransom (strongly discouraged by the United States government), data loss and downtime are still likely, and you can experience a negative reputational ripple effect for years. However, there are attack techniques that threat actors continuously leverage that every company should be aware of — and readily available solutions and tactics that can keep any company safe in 2024 and beyond.
Combatting initial access and stolen credentials with around-the-clock security
Among the various attack techniques employed for ransomware attacks, stolen valid accounts (MITRE T1078) are the most popular for gaining initial access and are used in nearly half of attacks, according to the Verizon 2023 Data Breach Investigations Report. Stolen credentials are typically obtained through social engineering, spear-phishing or procurement from the dark web following prior compromises. Attackers leverage these credentials to log in, frequently exploiting remote access channels like virtual private networks (VPN) or remote desktop protocol (RDP) sessions. Upon establishing initial access, attackers move to escalate privileges associated with compromised credentials or create new accounts with elevated privileges to deepen their control within the network.
A critical step in stopping ransomware is to prevent what they can do with the credentials that they steal. Basic credential hygiene goes a long way. At a minimum, companies should be rotating and updating credentials and passwords frequently and automatically so that any previously breached usernames and passwords will no longer work in the hands of an attacker. Going further, organizations should also enforce multi-factor authentication (MFA) at multiple layers to ensure that even an attacker with the correct credentials will be blocked from logging in. A combination of credential rotation, MFA, and enforcement of least privilege access policies goes a long way toward stopping ransomware before it gains momentum in your network.
At a foundational level, companies should implement identity and access management systems and zero trust access controls to ensure continuous, around-the-clock security. These solutions adhere to the principle of least privilege. This restricts credentials to only the essential privileges necessary and curtails the potential for damage, upholding the company’s security, financial and reputational interests.
Mitigating target discovery and enumeration through machine-to-machine access control
Identifying assets and enumerating targets is a pivotal phase of a ransomware attack. This is when attackers identify and gather information about potential targets within a network. It could involve scanning for open ports, identifying active hosts or mapping out network architecture.
To demand the highest ransoms, the ransomware must, of course, encrypt data of utmost value to the victim. However, they first need to locate it within the targeted network. This information could be anything from intellectual property and customer records to password vaults and critical operational data integral to internal systems and applications.
Unfortunately, many company networks are not protected against this step in a ransomware attack, and many have yet to establish the degree of segmentation necessary to prevent compromised devices from uncovering additional targets. Companies must recognize that the traditional practice of segregating assets into separate network zones using methods like virtual local area networks (VLANs) or internal firewalls poses management challenges and creates opportunities for attackers to uncover new assets, users and data ripe for exploitation.
That is why implementing preventative identity-centric access controls for user-to-machine, user-to-application, and machine-to-machine interactions is the key to thwarting discovery and target enumeration. It is extremely common for networked devices to communicate with other devices in the same network segment for reasons that have nothing to do with the purpose of each device. This is analogous to every smartphone app asking for access to your location. They don’t need it, but they might use it. In an enterprise network, this creates noise on the network that an adversary can use to evade detection. They may even be able to use the default behaviors of networked assets for Remote System Discovery (MITRE T1018), to discover other assets on the network — a living-off-the-land approach. Minimizing unnecessary communication between devices has enormous security benefits. Within a secured environment, each machine should exclusively recognize and interact with other entities imperative to its operational purpose. By limiting visibility to only essential connections, attackers are deprived of targets beyond their sight, and companies better secure their network defenses.
Microsegmentation and secure data transfer to combat lateral movement
Lateral movement is another key phase of the ransomware process. This refers to when an attacker expands their access beyond the initially compromised device or user, spreading malware from device to device and ultimately gaining access to high volumes of critical files or assets that can be encrypted and held for ransom. This stage hinges on organizations permitting unrestricted communication among machines within their environment.
Companies need to be aware that many lateral movement techniques leverage built-in networking tools and remote access utilities like PowerShell to identify additional machines accessible to a local user. While some techniques require direct keyboard attacks, others are “wormable,” capable of self-propagation through established network pathways.
Adopting zero trust architecture for identity-based segmentation and applying the principle of least privilege to all systems and services is the best way to successfully block lateral movement, thus significantly limiting the potential blast radius of any attack. Companies must heighten security granularity by implementing stringent access control and segmentation at the device and asset levels. This ensures that even if an attacker compromises a single device or credential, their ability to extend laterally is stopped in its tracks. Regulating the lateral flow of data, particularly executable files, is one of the most important strategies to limit the proliferation of ransomware.
Prioritizing protection, not just detection for ransomware attacks
By the time ransomware has been detected, it has often passed the tipping point, and the targeted organization still experiences substantial damage as they respond to the incident. That is why preventing ransomware at every stage is better than simply detecting and responding. Using a multi-layered defense approach and keeping zero trust at the forefront is the best way to stop the most crucial early stages of a ransomware attack. With an increase of ransomware attacks at a rate of nearly 73%, from 2022 to 2023, change must be made now if we want to live in a more secure world and keep people safe.