How Advances in Cloud Security Can Help with Ransomware

The ransomware scourge continues, with incidents hitting a U.S. record in the second quarter of 2021, as attackers expand into vertical industries and target critical infrastructure. Ransom demands have also been growing. According to IT Governance, the average decryption key rate from attackers is $140,000 yet many organizations end up paying much more than that.

The ransomware threat is evolving faster than people’s ability to keep track. A common misconception is that payloads are usually delivered by phishing emails. While that may be true for many cases,  the new breed of ransomware is much more likely to be launched by an intruder who has already breached the network. In fact, the battle is now focused on monitoring activity within your environment rather than preventing users from clicking unknown links.

Another out-of-date belief is that frequent backups are the best recovery strategy. While that may be true for less capable attacks, an attacker that is already inside a network not only has the opportunity to compromise backups, but also exfiltrate (and ultimately leak) critical data.

Close back doors

The most common entry point is remote desktop protocol (RDP), a feature of Microsoft Windows that permits one computer to connect to others to display a graphical user interface for applications like shared whiteboards. RDP vulnerabilities continue to proliferate, with many being the result of poor configuration or failure to apply patches.

“Thanks to so many recent, high-profile attacks at the hands of an emerging hacker group, Lapsus$, we’ve seen first-hand how effective RDP access can be to providing that all-important initial entry,” said Rodman Ramezanian, Enterprise Cloud Security Advisor at Skyhigh Security. “Once they’re in, the ransomware payload itself may come hours or days later.”

Performing advanced reconnaissance enables intruders to target assaults for maximum pain. The increasing precision of attacks is one reason ransom demands are climbing, despite businesses taking more proactive steps to protect themselves.

Focusing prevention efforts on detecting attacks before they happen is closing the barn door after the horse is already halfway across the field. In fact, the attack is often the last stage in a breach.

Segment, detect, and govern

Data has no jurisdiction. As more data continues to move to the cloud, ransomware follows. When you consider that attackers can get their hands on even more data there, it’s easy to see why the cloud has become so alluring to them.

For this reason, unified data protection across user devices, web traffic, and cloud environments is imperative. With a Security Service Edge (SSE) strategy that includes data loss prevention (DLP) capabilities, security teams will be able to block data exfiltration automatically, thereby preventing the common double-extortion threats from ransomware nowadays.

The principle tenets of a zero-trust architecture tie back to the fundamentals of least privilege, where a user is given the minimum levels of access or permissions needed to perform their job. A true zero-trust approach connects a user directly to the application they need, without ever exposing the network. Security teams can continuously authenticate users and connect them directly to applications, rather than inherently trusting traffic from an internal network or corporate device.

Micro-segmentation is another core zero-trust concept. It involves restricting access to applications and resources so that attackers who breach one can’t inflict damage to others. It also combats the “land and expand” techniques intruders use to move from an entry point to other targets on the network.

The use of legitimate RDP services and valid credentials continues to challenge security teams in distinguishing between trusted activities and malicious ones. User and Entity Behavior Analytics (UEBA) and anomaly-based controls can help spot and mitigate abnormal and potentially dangerous behaviors.

“By examining common behaviors, security practitioners can build a baseline of ‘normal activity’ for that specific context, to ultimately highlight any anomalies, deviations, or generally suspicious actions for swift action to be taken,” Ramezanian said. “Evaluating user activities beyond an initial login to include user movements, access to organizational assets and the context with which that access occurs, is fundamental to catching out ransomware threats spawning covertly”.

It has been 10 years since ransomware first gained widespread attention and the scourge shows no signs of abating. Although there is no foolproof protection against ransomware, keeping current with trends and preventions can minimize the risk of damage.

Companies must go above and beyond basic cybersecurity to protect against ransomware. Get more info on a complete SSE Strategy here.

---