Ransomware is not a new attack vector. The first malware of its kind appeared more than 30 years ago and was distributed on 5.25-inch floppy disks; to pay the ransom, the victim had to mail money to a P.O. box in Panama.
Fast forward to today: affordable ransomware-as-a-service (RaaS) kits are sold on the dark web for anyone to purchase and deploy, and because organizations now rely on cloud and mobile technologies, attackers have far more channels through which to infiltrate them.
Staging a ransomware infection is about gaining discreet access. Since you cannot fully control how employees reach your data, you need to be able to monitor your employees, their endpoints, and the data and applications they are accessing, not only to protect yourself from these attacks but also to govern how they interact with that information.
Lookout, a leader in endpoint-to-cloud security, has published an interactive infographic to help you visualize how a ransomware attack happens and understand how to protect your data. This blog post sets up 1) the climate that resulted in $20 billion in ransom payments in 2021, and 2) how you can protect your organization from these ongoing threats.
Work from anywhere improves both productivity and attacker infiltration
While the malware that ultimately holds your data hostage is what is called “ransomware,” it is not what you need to focus on first. Before anything is deployed, attackers need access to your infrastructure.
Today, users access data over networks you don’t control and from devices you don’t manage, so on-premises security measures that assume traffic passes through your perimeter no longer see it.
Threat actors can launch phishing attacks that compromise user credentials and exploit vulnerable apps with little risk to themselves. Once inside your infrastructure they can quickly install malware and create backdoors that let them go where they want. If they escalate privileges, it becomes nearly impossible to stop them from moving laterally and holding your data hostage.
Step-by-step: how to protect against ransomware
There are a number of steps between an attacker first accessing your infrastructure and demanding a ransom. The anatomy of a ransomware attack infographic outlines them; here is a high-level rundown of what happens and how you can protect your organization.
1 — Block phishing attacks and cloak web-enabled apps
One of the easiest ways attackers gain access is by taking over a user account with credentials harvested through phishing. It’s critical to be able to inspect web traffic on any device, PC or mobile, so that phishing pages and malicious links are blocked before a user can hand over credentials. This prevents ransomware operators from starting their attack by compromising accounts.
Threat actors also scan the internet for vulnerable or exposed internet-facing infrastructure to exploit. Many organizations expose apps or servers to the web to enable remote access, which means attackers can find them and probe them for vulnerabilities. Cloaking these apps from discovery is a key defense tactic: instead of the unrestricted network access a VPN grants once a user connects, only authorized users can reach the specific information they require.
2 — Detect and respond to anomalous behaviors
If attackers manage to enter your infrastructure, they will move laterally to conduct reconnaissance, looking for additional vulnerabilities with the ultimate goal of locating sensitive data. Along the way they may change settings to lower security controls, exfiltrate data and upload malware.
Individually, some of these steps are not outright malicious, but they are anomalous. This is where understanding user and device behavior and segmenting access at the application level becomes essential. To stop lateral movement, no user should have unrestricted access to your infrastructure, and activity that deviates from a user’s normal pattern needs to be caught even when it comes from a legitimate account. It’s also crucial to detect excessive or misconfigured privileges so that you can prevent unauthorized changes to your app and cloud posture.
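The kind of behavioral check described above, as an added example that is not part of the original post or of Lookout's product: a small Go program that scores constructed audit events against a per-user baseline of known devices and applications, flags actions that lower security posture, and flags cumulative download volume that suggests staging for exfiltration. The event fields, the baseline shape, the list of risky actions and the 500 MiB threshold are all assumptions chosen for the example.

```go
package main

import "fmt"

// Event is one constructed audit-log record. The field set is an assumption for
// this example, not a Lookout log schema.
type Event struct {
	User, Device, Action, App string
	Bytes                     int64 // payload moved for download actions
}

// Baseline is what "normal" looks like for a user (devices and apps seen during
// a learning period). Hard-coded here; a UEBA product learns it over time.
type Baseline struct {
	Devices map[string]bool
	Apps    map[string]bool
}

type Alert struct {
	User, Reason string
}

// Actions that lower security posture are flagged regardless of baseline.
var riskyActions = map[string]bool{
	"disable_mfa":    true,
	"grant_admin":    true,
	"share_external": true,
}

// bulkThreshold is the per-user download volume (bytes) above which we flag
// possible staging for exfiltration (assumed value for the example).
const bulkThreshold = int64(500 << 20) // 500 MiB

// Detect scores each event against the user's baseline and returns one alert per
// distinct (user, reason); repeats of the same anomaly are collapsed.
func Detect(events []Event, baselines map[string]Baseline) []Alert {
	var alerts []Alert
	seen := map[string]bool{}
	downloaded := map[string]int64{}
	raise := func(user, reason string) {
		if k := user + "|" + reason; !seen[k] {
			seen[k] = true
			alerts = append(alerts, Alert{user, reason})
		}
	}
	for _, e := range events {
		b, known := baselines[e.User]
		if !known {
			raise(e.User, "no baseline for user")
			continue
		}
		if !b.Devices[e.Device] {
			raise(e.User, "new device "+e.Device)
		}
		if e.App != "" && !b.Apps[e.App] {
			raise(e.User, "unusual app "+e.App)
		}
		if riskyActions[e.Action] {
			raise(e.User, "security-lowering action "+e.Action)
		}
		if e.Action == "download" {
			downloaded[e.User] += e.Bytes
			if downloaded[e.User] > bulkThreshold {
				raise(e.User, "bulk download exceeded threshold")
			}
		}
	}
	return alerts
}

// SampleBaselines and SampleEvents are constructed data: alice normally works from
// lap-alice in crm and mail; the later events show a compromised-account pattern.
func SampleBaselines() map[string]Baseline {
	return map[string]Baseline{
		"alice": {Devices: map[string]bool{"lap-alice": true}, Apps: map[string]bool{"crm": true, "mail": true}},
		"bob":   {Devices: map[string]bool{"lap-bob": true}, Apps: map[string]bool{"wiki": true}},
	}
}

func SampleEvents() []Event {
	return []Event{
		{"alice", "lap-alice", "login", "mail", 0},
		{"alice", "lap-alice", "download", "crm", 100 << 20},
		{"alice", "win-unknown", "login", "mail", 0},                 // never-seen device
		{"alice", "win-unknown", "disable_mfa", "", 0},               // lowers security posture
		{"alice", "win-unknown", "download", "fileshare", 300 << 20}, // app outside baseline
		{"alice", "win-unknown", "download", "fileshare", 300 << 20}, // cumulative 700 MiB
		{"bob", "lap-bob", "login", "wiki", 0},
	}
}

func main() {
	for _, a := range Detect(SampleEvents(), SampleBaselines()) {
		fmt.Printf("%-6s %s\n", a.User, a.Reason)
	}
}
```

None of the four alerts this raises for alice is conclusive on its own (a new laptop, a policy change, a large download), which is the point of the section: the value comes from correlating them per user and device rather than waiting for something unambiguously malicious.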
3 — Render data useless for ransom with proactive encryption
The final step of a ransomware attack is to hold your data hostage: the attacker encrypts your data and locks your admins out, then demands payment for its return.
Exfiltration is usually the moment when an attacker finally surfaces. The changes they make to data, whether at rest or in motion, set off alarm bells, and the ransom demand follows. The counter is to get there first: if your sensitive data is already encrypted under keys you control, at rest and in motion, the copy the attacker takes is useless to them. Encryption is a critical part of any data loss prevention (DLP) strategy, and triggering it from contextual data protection policies lets you protect your most sensitive data from compromise.
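What "triggering encryption off a contextual policy" looks like in code, as an added example that is not part of the original post or of Lookout's product: a Go program that decides, from a document's classification label plus a simple content-inspection rule and the access context (managed device? where is it going?), whether the bytes may leave in the clear or must be sealed first. Sealing uses AES-256-GCM from the standard library, so a stolen copy is unreadable and any tampering is detected on decryption. The Document and AccessContext shapes, the SSN-style regex, the policy rule and the fixed demo key are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// Document and AccessContext are assumed shapes for the example, not Lookout's data model.
type Document struct {
	Name  string
	Label string // classification label: "public", "internal", "confidential"
	Body  []byte
}

type AccessContext struct {
	ManagedDevice bool   // device enrolled in endpoint management
	Destination   string // "internal", "download", "external_share"
}

// ssnPattern is a deliberately simple content-inspection rule (US SSN shape)
// standing in for a real DLP classifier.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// ShouldEncrypt is the contextual policy: content that is sensitive by label or by
// inspection is sealed whenever it leaves a managed, internal context.
func ShouldEncrypt(d Document, ctx AccessContext) bool {
	sensitive := d.Label == "confidential" || ssnPattern.Match(d.Body)
	leaving := !ctx.ManagedDevice || ctx.Destination != "internal"
	return sensitive && leaving
}

// Seal encrypts with AES-256-GCM; the random nonce is prepended to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if the ciphertext or tag has been altered.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Release returns the bytes permitted to leave for this document and context,
// and whether policy encrypted them.
func Release(key []byte, d Document, ctx AccessContext) ([]byte, bool, error) {
	if !ShouldEncrypt(d, ctx) {
		return d.Body, false, nil
	}
	sealed, err := Seal(key, d.Body)
	return sealed, true, err
}

// DemoKey is a fixed 32-byte key for the example only. A real deployment keeps keys
// in a KMS or HSM so that an attacker who copies the files does not also hold the key.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

func main() {
	doc := Document{Name: "payroll.csv", Label: "internal", Body: []byte("alice,123-45-6789,92000")}
	out, encrypted, err := Release(DemoKey, doc, AccessContext{ManagedDevice: false, Destination: "download"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s encrypted=%v bytes=%d\n", doc.Name, encrypted, len(out))
}
```

The payroll file in the demo is labelled only "internal", so the label alone would let it through; the content rule catches the SSN and, because the download goes to an unmanaged device, the file is sealed. The same file opened internally from a managed device passes in the clear, which is what keeps a policy like this from hindering day-to-day work.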
Securing against ransomware: point products versus a unified platform
A ransomware attack isn’t just a single event; it’s a persistent threat. To secure your organization, you need a full picture of what is happening with your endpoints, users, apps and data. This ensures that you can block phishing attacks, cloak web apps, detect and respond to lateral movement, and protect your data even if it is exfiltrated and held for ransom.
In the past, companies bought a new tool for each new problem. That approach does not work against threats like ransomware: you may have some information about your users’ access activity, the health of corporate-owned devices, and the way your data is being handled, but your security team has to stitch it together across multiple consoles.
Lookout understands the need for a platform approach and has built a Security Service Edge (SSE) platform that includes DLP, User and Entity Behavior Analytics (UEBA) and Enterprise Digital Rights Management (EDRM).
With a platform that provides integrated insights into everything that’s happening inside your organization, we enable you to secure sensitive data without hindering productivity. Lookout’s SSE platform was recently named a Visionary by the 2022 Gartner Magic Quadrant for SSE. Lookout also scored in the top three for all SSE use cases in the 2022 Gartner Critical Capabilities for SSE.
To learn more about key lessons you can learn from large ransomware attacks in 2021, and how to protect your sensitive data, download Lookout’s latest guide on ransomware.