Fight Against Ransomware: Know The Enemy, Know Yourself

The fight against ransomware is always a race between two parties: those responsible for IT and the hackers. Both are constantly trying to be one step ahead of the other side, anticipating the other side’s strategies and adapting their actions accordingly to outsmart the opponent. The better you can assess your opponent and predict his actions, the more successfully you adjust your strategy.

The fight against ransomware is always a race between two parties: those responsible for IT and the hackers. Both are constantly trying to be one step ahead of the other side, anticipating the other side’s strategies and adapting their actions accordingly to outsmart the opponent. The better you can assess your opponent and predict his actions, the more successfully you adjust your strategy.

Ransomware is both a buzzword and every security professional’s worst nightmare in the cybersecurity world. Ransomware is a form of malware that aims to encrypt files on a device or target system, rendering all files and all systems that rely on them unusable. As the name suggests, once malicious actors install the ransomware, they demand ransom money to decrypt and refund the files. Businesses infected by ransomware often think that the easiest way to continue business operations is to pay the ransom. With this one-time payment, the incident is over. Despite the rosy prospects, however, this is rarely the case. While ransomware has been around for many years,

The perpetrators of the WannaCry attack exploited a vulnerability in the Windows operating system and were able to infect a large number of designs and devices worldwide. Reports vary, but a general estimate is that more than 200,000 computers were affected. After infecting the computers, the attackers demanded $300 in bitcoin, which was later increased to $600, to decrypt the files. Otherwise, the files the attackers had access to would be lost forever.

An important side note to keep in mind is this. In TV shows and movies, we often hear protagonists proclaiming, “we do not negotiate or respond to terrorist demands,” but people and companies face real consequences in the real world. It can be a hospital that relies on systems to schedule surgeries or maintain life support or an energy company that relies on connected systems to get people essentials. You sometimes don’t have the luxury of playing the role of Denzel Washington, who negotiates the hostage rescue, in these authentic scenarios.

As shocking as it is that the most malicious attackers take advantage of even organizations that literally keep people alive, it is also an unfortunate fact that ransomware continues to increase every year. The annual Global Security Attitude Survey and Global Threat Report found that ransomware-related data breaches increased by 82% in 2021 versus 2020. The average attacker request is $6 million, and the average payment is up 63% year over year to nearly $1.8 million. Importantly, even among the companies that paid the initial ransom, 96% also paid additional extortion fees.

It’s a well-known fact that attackers will always take the path of least resistance. Despite the emergence of new technologies, the same proven attack vectors will always be attractive to financially or otherwise motivated attackers. Ransomware can be spread easily and quickly, and one person’s mistake can be enough to have serious consequences. One of the most common ways is through phishing emails, in which the recipient is tricked into downloading something or clicking on a link that downloads ransomware onto their computer. The attacker can gain access to credentials or other systems, and it just keeps going.

Ransomware attacks are often associated with high risks. They underline several things that any organization must consider to create a base that keeps attackers at bay:

• Create a cybersecurity response plan: By documenting a response plan and running simulations, security and business leaders can act safely in the event of a ransomware situation. Established decision points on when and when not to pay the ransom, who to contact, and how to communicate the attack to internal and external stakeholders are always helpful in times of crisis, and timely decisions are crucial.
• Install security patches: It has been shown repeatedly that attackers look for unpatched infrastructure and systems to get started. Although patching may seem like a never-ending task, it is often a common denominator when detecting ransomware attacks.
• Back up files and data: A backup plan for data and files, preferably offline, is an essential defense against attackers. When data is kept offline, attackers’ attempts to find and delete “hot backups” are obsolete. Also, there is no need to pay ransom for data that is already accessible in such a scenario.
• Prioritize digital identities: First, ongoing training for employees, outside contractors, MSPs, and anyone else who needs internal access is helpful to ensure everyone stays alert and alert. Second, enacting the principle of least privilege, which provides employees only the access they need to do their job, can drastically limit vulnerability to ransomware.

While ransomware is scary and lurks around every corner, with vigilance, preparation, and the right tools, the risk can be mitigated. A recent study by ESG shows that 90% of companies believe that implementing Identity Governance & Administration (IGA) is an essential aspect of the fight against ransomware. read report

Identity Governance As A Basis

Experts estimate that 76% of ransomware attacks occur after hours, i.e., before 8 am or after 6 pm on weekends or weekdays. It’s clear that doing the minimum and hoping for the best no longer makes sense for businesses today. Building a solid foundation to combat ransomware threats is a top priority.

Identity governance is a proven tool that can help in the fight against ransomware attacks. However, to be defensive in cyberspace, it is not enough to merely strengthen one front – only holistic protection and a comprehensive strategy provide the necessary foundation for security. Robust cybersecurity technologies, while necessary, must be combined with people and processes that know how to get the most out of them.

It is important to reiterate that one of the most frequently cited metrics in ransomware attacks is the number of infected devices. Because the more devices the attackers can infect, the more expensive, time-consuming, and tedious it is to repair the damage. A modern identity governance solution can help organizations defend against attackers, and if they break in with their malware, the damage can be contained and remedied quickly. With 90% of companies agreeing that IGA is an essential aspect of fighting ransomware, here are some checks to show you why:

• You are managing Dormant Accounts: A critical checkpoint in preventing ransomware attacks is identifying unowned or orphaned accounts and accesses. IGA can help identify orphan accounts or accounts with excessive privileges and either report them to admins or automatically remediate the risks by assigning an owner to assess. These accounts are often targeted as vulnerabilities and used by attackers as a launchpad to gain trust internally and move laterally and vertically until they achieve the desired effect. If you keep looking for these accounts yourself and think like an attacker, you can be one step ahead of them.
• Enforce proper access rights: Modern Identity Governance & Administration (IGA) solutions are built on the core tenet of ensuring people can only access the data, applications, and other resources they need to do their jobs. IGA solutions should also be able to put controls in place to help prevent social engineering and phishing attacks, which are often prey to attackers. Leveraging self-service workflows like password management reduces helpdesk calls and implements password reset policies in a way that is difficult to intercept. These core principles of the IGA in enforcing appropriate access rights also help prevent lateral movement,
• Continuous Recertification: Like enforcing proper access rights, recertification campaigns and surveys are core functions of a modern IGA solution. This can be crucial in the fight against ransomware and mitigation. With the help of recertification, it can be continuously ensured that access is guaranteed and that the processes run as desired. In the context of ransomware, certifications can help detect things like improper access and arm security teams with the insights they need to take definitive action and disconnect affected systems from the network when infected with malware.
• Evaluate and test processes: While these three controls can help mitigate risk, ransomware is an ongoing threat that needs constant assessment. The security and IAM teams must ensure that these processes and any automation work as intended. Maintaining a full audit, including who made access granting decisions and determining who has access to what and why, is an ongoing process, but with a modern IGA approach, it is feasible and time-consuming to detect an attack and take rapid action will be drastically reduced.

With these four IGA principles, organizations can create a foundation that will enable them to better deal with ransomware attacks. While there is always work to do and threats lurking around every corner, attackers often retarget themselves when they encounter natural resistance attempting to penetrate their target. That’s why it’s essential to have a foundation to thwart attackers and enable the organization to improve its security practices continually. Those who follow these guiding principles can always stay one step ahead of the hackers.