Prevent Ransomware Attacks By Protecting Your Attack Surface
Discover how CyCognito can improve your ransomware protection.
How prepared is your organization to recover from a serious ransomware attack, or to pay a ransom? It’s a difficult question, and the better answer is to be proactive and avoid the incident altogether. The most effective way to avoid falling victim to ransomware is prevention: denying attackers the entry points they look for during reconnaissance. CyCognito’s platform delivers attack surface protection that helps you proactively and efficiently close those entry points in your Internet-exposed assets.
What is a ransomware attack?
Ransomware is a form of malware that leverages encryption to hold the operations of an organization hostage in exchange for a ransom payment, often demanded in cryptocurrency.
In a ransomware attack, the attacker first gains access to a victim’s device(s), either by exploiting a gap in the organization’s attack surface or through other channels such as phishing. They then either encrypt individual files or lock an entire operating system, depending on the type of ransomware.
At this point the attacker is holding the asset as a “digital hostage” and demands a ransom for its release, usually by displaying instructions on how the victim can pay. If the ransom is paid, the threat actor may (or may not) provide the decryption key needed to unlock the files and make them accessible again.
How does ransomware work?
There are two primary methods attackers use to execute ransomware:
1. Installation through unauthorized access
The attacker installs it themselves after gaining network or system access through Internet-exposed assets. Systems exposing remote access or file-sharing services such as remote desktop protocol (RDP) and server message block (SMB) have been particularly attractive targets and are the most common ransomware attack vector. Attackers prefer this method because they can operate silently by targeting gaps the defender does not know about or assets that are undermanaged. Once inside, the operator (or the malware itself, in self-propagating variants) spreads to other parts of the network before encryption is triggered.
2. Clicking or downloading a malicious link
A user is tricked into clicking a malicious link or downloading a malicious file that plants ransomware on their device. This happens through insecure or fraudulent websites, trojanized software downloads, and spam or phishing email.
The malicious file executes and often waits for a command and control (C2) server to send instructions and an encryption key. It then encrypts the data and withholds the decryption key for ransom. It may also reach into other connected resources, such as file shares or network storage, to encrypt more files.
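The encryption stage described above has a recognizable signature on the endpoint and on file shares: one process renaming many files to a new extension in a short burst, often across several shares. The following is an added example (it is not from the original page or CyCognito’s product) showing how that behaviour can be flagged from file-activity telemetry. The log format, the host and share names, the `.locked` extension and the thresholds are all assumptions, and the sample events are constructed.

```python
"""Flag ransomware-like mass-rename bursts in endpoint file-activity events.

Added example; not the page's or CyCognito's code. The event format below is an
assumption standing in for EDR or file-server audit telemetry.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One line per file-system event (assumed format):
#   <iso timestamp> <host> pid=<n> user=<name> <ACTION> <path> [-> <new path>]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) user=(?P<user>\S+) "
    r"(?P<action>[A-Z]+) (?P<path>\S+)(?: -> (?P<dest>\S+))?$"
)

WINDOW = timedelta(seconds=60)      # look for bursts inside this window
RENAME_THRESHOLD = 20               # renames with a changed extension per process
BENIGN_EXTENSIONS = {".tmp", ".bak", ".swp", ".part"}   # editors and installers do this

def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev

def extension(path):
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def share_root(path):
    """'//server/share/dir/file' -> '//server/share'; local paths map to their root."""
    parts = path.split("/")
    if path.startswith("//") and len(parts) >= 4:
        return "/".join(parts[:4])
    return parts[0] or "/"

def detect_mass_rename(lines):
    """Return one alert per (host, pid) that renamed >= RENAME_THRESHOLD files
    to a new, non-benign extension within WINDOW. Each alert reports how many
    files were hit and which shares were touched, which is what a responder
    needs to scope containment."""
    per_process = defaultdict(list)  # (host, pid) -> [(ts, share, new_ext)]
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["action"] != "RENAME" or not ev["dest"]:
            continue
        new_ext = extension(ev["dest"])
        if new_ext == extension(ev["path"]) or new_ext in BENIGN_EXTENSIONS:
            continue
        per_process[(ev["host"], ev["pid"])].append((ev["ts"], share_root(ev["dest"]), new_ext))

    alerts = []
    for (host, pid), events in per_process.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1          # slide the window forward
            if end - start + 1 >= RENAME_THRESHOLD:
                limit = events[start][0] + WINDOW
                burst = [e for e in events[start:] if e[0] <= limit]
                alerts.append({
                    "host": host,
                    "pid": pid,
                    "count": len(burst),
                    "shares": {share for _, share, _ in burst},
                    "new_extension": Counter(ext for _, _, ext in burst).most_common(1)[0][0],
                })
                break
    return alerts

# Constructed sample telemetry from workstation ws17: a user working normally
# (pid 1200), then a process (pid 4412) rewriting 25 documents on two shares in 25s.
SAMPLE_LOG = [
    "2021-05-07T10:00:01 ws17 pid=1200 user=alice RENAME //fs01/finance/q1.xlsx -> //fs01/finance/q1_v2.xlsx",
    "2021-05-07T10:00:05 ws17 pid=1200 user=alice WRITE //fs01/finance/q1_v2.xlsx",
    "2021-05-07T10:00:09 ws17 pid=1200 user=alice RENAME //fs01/finance/~q1.xlsx -> //fs01/finance/~q1.xlsx.tmp",
    "2021-05-07T10:00:30 ws17 pid=1200 user=alice RENAME //fs01/finance/memo.doc -> //fs01/finance/memo.docx",
]
for i in range(25):
    share = "//fs01/finance" if i % 2 == 0 else "//fs02/hr"
    ts = datetime(2021, 5, 7, 10, 1, 0) + timedelta(seconds=i)
    SAMPLE_LOG.append(
        f"{ts.isoformat()} ws17 pid=4412 user=alice RENAME {share}/doc{i}.docx -> {share}/doc{i}.docx.locked"
    )

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG):
        print(alert)
```

The single `.doc` to `.docx` rename by the user’s own process stays below the threshold and produces nothing, while the burst from pid 4412 is reported with both shares it touched. In production the threshold and window should be tuned against a baseline of normal activity on the share, and the alert should drive an automatic response (killing the process, isolating the host, or revoking the share session) rather than just a ticket.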
Examples of ransomware attacks
Ransomware-as-a-service (RaaS), where the malware authors lease their code and infrastructure to affiliates who carry out the intrusions, plays a major role in the serious attacks that have made headlines over the past year. Once affiliates gain access they move laterally, exfiltrating data and files before encrypting so that the victim can be extorted twice: for a decryptor and for non-publication of the stolen data. A few of the most serious recent attacks include CNA Financial, Colonial Pipeline, and Kaseya.
CNA Financial breach, March 2021
A leading US-based insurance company was breached in a ransomware attack. Phoenix CryptoLocker operators spent a couple of weeks inside CNA Financial’s systems copying information before deploying the ransomware, which encrypted over 15,000 devices. Over 75,000 individuals were affected by the data breach, which included personally identifiable information (PII) of customers as well as information regarding health benefits.
The attackers thus managed both to steal data and to install ransomware. While CNA Financial’s investigation found no evidence of the stolen information being retained or shared, the data breach was disclosed publicly. The systems impacted in the attack have since been fully restored.
Colonial Pipeline cyber attack, May 2021
A major fuel pipeline operator was the victim of the largest cyber attack on oil infrastructure in the US. A regional emergency was declared for 17 states to keep fuel supplies flowing. The company paid the requested ransom of 75 bitcoin within hours of the attack; a month later the FBI recovered 63.7 of those bitcoin. The attackers supplied a decryption tool to restore the network, but it operated so slowly that it was of limited use. The day before the ransomware was deployed, about 100 gigabytes of data had been stolen from company servers.
The criminal hacking group DarkSide was responsible for the Colonial Pipeline cyberattack. Affiliates using DarkSide’s ransomware typically gained initial access by exploiting exposed remote services such as Citrix, Remote Desktop Web (RDWeb), or remote desktop protocol (RDP) on the external attack surface; in Colonial’s case the entry point was reported to be a legacy VPN account that had no multi-factor authentication.
CyCognito research found that 1 in 65,000 assets in a typical Fortune 500 company contains an unprotected remote desktop (RDP) service. At scale this means most major corporations are hosting between two and twenty or more easily exploited systems.
Kaseya supply-chain attack, July 2021
Kaseya, an IT solutions developer for MSPs and enterprise clients, fell victim to threat actors who carried out a supply chain ransomware attack by exploiting a vulnerability in its VSA software. The VSA agent runs with a high level of trust on customer devices, since it is used to deploy software and automate IT tasks; that trust is what allowed the attackers to push ransomware to endpoints through VSA itself.
Since Kaseya provides technology to MSPs, which serve other companies, it’s part of a much wider software supply chain. It’s estimated that 800 to 1,500 small to medium-sized companies may have experienced this ransomware compromise through their MSP.
How to prevent an enterprise ransomware attack
Ransomware prevention begins with understanding the most common and efficient ways this malware is introduced: remote access and phishing. Phishing is often perceived as the method of choice for ransomware actors, but research indicates that exposed assets are the more common vector. Research by both HPE and Coveware shows that exposed, at-risk remote access systems have overtaken phishing as the leading attack vector for ransomware.
Any internet-exposed asset with a security gap, especially one that is unknown or unmanaged, is an excellent entry point for a covert attacker. It’s these exposed pathways in IT ecosystems that leave many organizations unintentionally open to attacks on their sensitive data.
The following methods help you mitigate the threat of a ransomware attack:
- Automatic and continuous protection
- Regular software patching and strong passwords
- Extended detection and response (XDR)
- Cyber security awareness training
- Data encryption
- Data backups
Enable automatic and continuous ransomware protection
Often, businesses don’t know where third-party vendors, partners or subsidiaries leave systems, applications, and infrastructure exposed. These underprotected assets enable attackers to plant ransomware and execute attacks without being noticed. To prevent these attacks, monitor and protect your organization’s entire externally-exposed attack surface.
Understand your entire attack surface
To find all entry points leading into your systems, map out your entire attack surface and locate exposed servers, applications and other IT assets. This process identifies the paths of least resistance into your external attack surface that could be used to gain a foothold for ransomware, so you can eliminate them. Active testing then shows whether those assets are vulnerable to issues such as SQL injection or remote code execution.
To prevent ransomware you need to harden the attack surface against the initial access attackers will use to launch a ransomware attack. CyCognito’s platform helps your organization prevent ransomware by automatically and continuously identifying, classifying, and testing externally-exposed IT assets, then prioritizing the risks on those assets and facilitating remediation.
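The mapping step above, and the RDP exposure statistic from the Colonial Pipeline section, come down to a simple triage question: which internet-facing assets expose the remote access and file-sharing services ransomware operators look for, and are any of them assets nobody is managing? The following is an added example (not the page’s or CyCognito’s code) of that triage over an inventory of external assets. The JSON-lines inventory format, the asset names, the `known` flag (standing in for “present in the CMDB”) and the port weights are assumptions; the records are constructed.

```python
"""Triage an external attack-surface inventory for ransomware entry points.

Added example; not CyCognito's code. Input is a constructed JSON-lines inventory
(one record per internet-facing asset with its open TCP ports). Output is a
prioritized list of exposures with the reasons for each score.
"""
import json
import socket

# Services ransomware operators most often use for initial access or lateral
# spread, with an assumed weight reflecting how attractive each is.
RISKY_PORTS = {
    3389: ("RDP", 10),
    445:  ("SMB", 9),
    139:  ("NetBIOS session (SMB over NetBIOS)", 8),
    23:   ("Telnet", 8),
    5900: ("VNC", 7),
    1433: ("MSSQL", 5),
    22:   ("SSH", 3),
}
UNKNOWN_ASSET_PENALTY = 5   # unmanaged assets are unlikely to be patched or monitored

# Constructed inventory. 'known' is an assumption standing in for "tracked in the CMDB".
SAMPLE_INVENTORY = """\
{"asset": "vpn.example.com", "ip": "203.0.113.10", "owner": "corp-it", "known": true, "ports": [443]}
{"asset": "rdp-legacy.example.com", "ip": "203.0.113.25", "owner": "corp-it", "known": true, "ports": [3389, 445]}
{"asset": "203.0.113.77", "ip": "203.0.113.77", "owner": "subsidiary-b", "known": false, "ports": [3389]}
{"asset": "files.partner-hosted.net", "ip": "198.51.100.9", "owner": "third-party", "known": false, "ports": [445, 139, 22]}
{"asset": "www.example.com", "ip": "203.0.113.5", "owner": "marketing", "known": true, "ports": [80, 443]}
"""

def parse_inventory(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def score_asset(record):
    """Score one asset; returns None when it exposes nothing on the risky list."""
    findings = [(port,) + RISKY_PORTS[port] for port in record.get("ports", []) if port in RISKY_PORTS]
    if not findings:
        return None
    score = sum(weight for _, _, weight in findings)
    reasons = [f"{name} (tcp/{port}) exposed" for port, name, _ in findings]
    if not record.get("known", True):
        score += UNKNOWN_ASSET_PENALTY
        reasons.append("asset not in inventory")
    return {"asset": record["asset"], "owner": record["owner"], "score": score, "reasons": reasons}

def triage(text):
    """Highest-risk assets first; ties broken by name so output is stable."""
    scored = (score_asset(rec) for rec in parse_inventory(text))
    return sorted((r for r in scored if r), key=lambda r: (-r["score"], r["asset"]))

def probe_tcp(host, port, timeout=2.0):
    """Live re-check that a port still answers, e.g. to validate a fix.
    Makes a real connection: only use against assets you are authorized to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['score']:3d}  {r['asset']:28s} {r['owner']:12s} {'; '.join(r['reasons'])}")
```

In the constructed data the partner-hosted file server ranks first: it exposes SMB, NetBIOS and SSH and is not in the inventory at all, which is exactly the kind of third-party blind spot the text describes. The known legacy RDP host ranks second despite carrying two risky services, because someone at least owns it. The weights are a starting point; in practice they should also reflect whether the login is behind MFA and whether the asset is reachable from a network segment with access to production data.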
Maintain patched software and strong passwords
Regularly look for the latest security patches and update software and operating systems to the latest available versions. Prioritize timely and continuous patching of internet-facing servers and of software that processes internet data, such as web browsers, browser plugins, and document readers. Avoid default passwords and passwords reused across multiple accounts, follow CISA’s password guidance, and require multi-factor authentication on every internet-facing login, in particular RDP, VPN and email.
CyCognito’s platform streamlines finding internet-exposed software that is missing patches for known vulnerabilities, closing an easy path for attackers. It also flags internet-exposed logins that accept default or insecure passwords for applications or the underlying devices, and provides guidance on changing them.
License extended detection and response (XDR)
XDR is a SaaS-based threat detection and incident response tool. It is natively integrated with multiple security products and delivers real-time information consolidated from data across multiple security layers, including email, endpoint, server, cloud workload, and network. Note that XDR detects and responds to activity on the systems it monitors; it is not a preventive control on its own.
While an important element in a broader security solution, XDR still won’t protect your organization from blind spots, and this is where CyCognito’s technology comes in. With the ability to identify business and IT relationships at scale, it reaches beyond XDR and other tools to reveal your entire attack surface.
Implement cyber security awareness training
Introducing a cyber security user awareness program for employees helps guide users on how to identify and report suspicious or risky activities, such as phishing incidents. A step further is to test organization-wide with social engineering and phishing tests to gauge awareness.
However, training employees can only go so far if your organization is operating with numerous blind spots and exposed assets. This strategy needs to go hand in hand with a clear understanding of your organization’s attack surface vulnerabilities.
Encrypt the data
Reduce the impact of a data breach by proactively encrypting your organization’s data at rest. This won’t stop an attacker from encrypting (or deleting) your already encrypted files, which would still make them unavailable to you. It does reduce the leverage of data theft: exfiltrated ciphertext is useless to the attacker as long as the keys were not stored alongside the data or reachable from the compromised systems. Bear in mind that an attacker who obtains the same access as a legitimate user or service will usually see the data in decrypted form, so encryption only helps when paired with tight access control and key management kept separate from the data.
After encrypting your data, regularly back it up to prevent a ransomware attack from shutting down your business by holding your data hostage.
Prepare regular data backups
The preventive measures listed above are the best solution, but when an attack does happen you want to be sure your organization can recover the data being held for ransom and avoid business interruption.
In addition, paying the ransom does not guarantee recovery, so for both reasons it is important to have regular backups. Keep at least one copy offline or on immutable storage that cannot be reached with the credentials used on the production network, since ransomware operators routinely locate and destroy online backups before encrypting, and test restores regularly so you know the backups actually work.
How do I respond to a ransomware attack?
If your organization has been hit with a ransomware attack, follow a process such as the one outlined in the CISA ransomware guide, which provides a 19-point plan across 3 major phases:
- Detection and Analysis
- Containment and Eradication
- Recovery and Post-Incident Activity
At the same time, engage law enforcement and forensic experts; their findings, together with the state of your backups, will inform whether paying the ransom is even under consideration.
Should I pay the ransom?
Paying the ransom doesn’t guarantee that your encrypted data will be decrypted, that the stolen copy will be deleted, or that your systems are no longer compromised. Circumstances will dictate the business needs at the moment of choice, and those will determine how you respond to the threat actor’s demands.
Here are some important factors organizations should consider:
- The legality of paying ransom: some countries make it illegal to pay a sanctioned entity (in the US, for example, OFAC has warned that payments to sanctioned actors can violate sanctions law), and others impose reporting or other obligations. Ensure your actions are in line with the law governing your country or state.
- Insurance policies: some insurance plans will cover a ransomware attack, but be sure to have clarity on the clauses and instances in which your organization will be supported.
- Law enforcement: consult federal law enforcement about available decryptors. Free decryptors exist for some variants, typically because researchers found an implementation flaw in the malware or because the operators’ keys were seized or leaked, not because the underlying encryption algorithms were broken.
Refer to CISA’s ransomware resource center for more help on how to evaluate your options in a ransomware attack.
Recover and take proactive measures to future-proof your attack surface
Avoid falling victim again and take steps to recover after the incident has occurred. Once systems are reconnected and data is restored, ensure remaining backups are intact, encrypted, and verified clean. Prioritize critical services during this process. Document the systems affected and identify any similar attack vectors so you can address the same weaknesses across other systems.
As your organization notes the lessons learned from this incident, it’s crucial to continuously monitor your entire attack surface. As ransomware techniques continue to evolve, use the CyCognito platform to stay vigilant and bolster defenses to avoid another attack. Attack surface protection goes beyond any current security strategy by proactively and efficiently helping you eliminate ransomware entry points in your external attack surface.
Learn how the CyCognito platform works, and lay the right foundation to prevent future and unanticipated ransomware attacks.
The CyCognito platform discovers all of your external attack surface, finding assets and entry points that other security software solutions miss.
The CyCognito platform reveals your organization’s entire external attack surface, including previously unknown and abandoned, third-party, and subsidiary assets that can be used by attackers to gain entry into your network and then plant ransomware.
The CyCognito platform tests your attack surface continuously.
Testing is done on the foundation of complete external attack surface visibility, including the unknown and unmanaged entry points that ransomware hackers prefer to exploit without raising notice until their attack is ready to launch.
The platform's continuous testing reveals security gaps that attackers seek for their ransomware infection footholds, including open remote desktop protocol (RDP) and server message block (SMB) ports, unsafe authentication, and a number of security hygiene issues that can provide attackers “paths of least resistance” into your network.
The CyCognito platform prioritizes attack vectors based on business context and attacker priorities.
To prevent ransomware attacks effectively, it’s all about priorities: your organization’s and the attackers’. To help you eliminate the most attractive paths for ransomware attackers, the CyCognito platform automatically assigns business context and organizational attribution to your assets and prioritizes your risks. It ranks the security risk associated with each asset by considering factors such as how attractive the asset is to attackers and how easy the vulnerability is to exploit.
The platform also gives you quick visibility to all the security issues associated with a particular asset, so you can see them in context with one another to understand how an attacker might combine exposures to execute the malicious payload.
The CyCognito platform helps you prevent ransomware attacks.
The platform decreases the time it takes you to eliminate ransomware risks and validate fixes, while streamlining your overall process.
For every issue that’s identified, the CyCognito platform provides detailed and actionable remediation guidance so your security and operations teams don’t have to research that information. It streamlines remediation workflows by communicating that information between teams via integrations with ticketing systems such as ServiceNow and communication apps like Slack.
Once issues have been addressed, the platform’s continuous testing process enables you to efficiently validate that your efforts to block the entry points were successful.
Future-proof Your Attack Surface
Ransomware techniques will continue to evolve. The CyCognito platform enables your organization to proactively and efficiently eliminate ransomware entry points in your attack surface and provides you with the right foundation to prevent future and as yet unanticipated approaches.