Why Do You Need Ransomware Protection
Ransomware attacks continue to make the headlines and strike fear into organizations in 2022, with the Colonial Pipeline, Kaseya, and JBS Foods ransomware attacks still fresh in memory. A number of devastating attacks have been levelled against high-profile victims in 2022, including the Conti ransomware attack that crippled the Costa Rican Government, car giant Toyota, and US chipmaker Nvidia, plus thousands of attacks on smaller organizations that don’t get reported. Indeed, according to Statista, 236.1 million ransomware attacks occurred worldwide in the first half of 2022, in what is on course to become one of the most devastating years on record.
Are You at Risk of a Ransomware Attack?
Worrying Ransomware Developments
Here are four developments in ransomware tactics, techniques, and procedures (TTPs) that have had a hand in the sharp rise in ransomware attacks in recent years. These developments promise to further exacerbate an already severe ransomware threat landscape. Organizations large and small, private and public, need to be aware of these developments so they can acknowledge the risk and take measures to protect against ransomware.
1. Ransomware as a Service
Ransomware as a Service (RaaS) is a business model in which a threat actor pays a ransomware developer to use their ready-made ransomware to execute their own attacks. RaaS has grown into a thriving industry in the past few years, as highlighted in our Global Ransomware Trends Report. Essentially, RaaS has allowed amateur hackers to enter the ransomware scene. This development has widened the scope of ransomware attacks to include more SMEs, in addition to the “big game” attacks on high-value organizations by more advanced attackers.
2. Double Extortion Ransomware
Double extortion is a ransomware attack in which the attacker steals the victim’s data in addition to encrypting it. By threatening to expose or sell the stolen data, the attacker puts added pressure on the victim to pay the ransom. Improvements in backup technology meant that victims could restore their data without giving in to the attacker’s demands. However, double extortion has proved to be an effective countermeasure against backups: 26% of organizations that were able to restore their encrypted data from backups still paid the ransom in 2021 (The State of Ransomware 2022).
3. Intermittent Encryption Ransomware
Intermittent encryption is a novel technique that has been found in several ransomware attacks and promoted by RaaS operators in 2022. As the name suggests, intermittent encryption encrypts only parts of each file, yet still renders the file unusable. Although still in its early days, intermittent encryption could significantly increase the effectiveness of ransomware attacks. Because only part of each file is encrypted, encryption is faster, giving security tools and operators less time to detect and respond to attacks. Partially encrypted files have also been found to evade detection because they look the same as unmodified files to certain security tools.
4. Cross-Platform Ransomware
Another technique gaining traction is cross-platform ransomware. Up until recently, ransomware has been designed to work on only one platform, be it Windows, macOS, Linux, Android, etc. However, ransomware developers have started creating ransomware that works on multiple systems to widen the scope of encryption and squeeze out more profit. Worryingly, some ransomware can infect both Windows and ESXi systems, ESXi being VMware’s enterprise-grade hypervisor for running virtual machines (VMs). A ransomware attack on an ESXi cluster could potentially encrypt the data of hundreds or thousands of virtual machines.
How to Protect Against Ransomware
So now that you have a good idea of the threat posed by recent ransomware developments, the next question is: how do you protect against ransomware attacks? Well, to effectively protect against something, it’s essential to first know how it works. The same logic applies to ransomware attacks. A ransomware attack can be broken down into several steps, known collectively as a kill chain.
How Ransomware Attacks Work
- Step 1 Initial Access: In the first step, the attacker infiltrates the target network in what is known as initial access. The three most exploited attack vectors (path of entry) in ransomware attacks are spear-phishing emails, software vulnerabilities, and insecure remote desktop protocol (RDP) connections.
- Step 2 Execution: Once inside the network, the attacker will begin operating on the compromised endpoint. In the case of spear-phishing attacks, the downloaded malware can be programmed to automatically perform various actions, such as killing and creating processes, creating auto-start entries, downloading the ransomware or additional exploit tools, and establishing command and control (C&C). These activities help the attacker set up the ransomware attack.
- Step 3 Lateral Movement: It is highly unlikely that the initially compromised endpoint, known as patient zero, contains the valuable data that satisfies the attacker’s objectives. In such a scenario, the attacker would most likely attempt to move laterally in the network in search of higher-value data. This is commonly achieved by gaining access to native remote access services and file sharing services.
- Step 4 Exploitation: Once enough devices are compromised and high value data is located, the attacker executes the ransomware to begin the file encryption process.
Considering that a ransomware attack goes through several steps, defenders are presented with various opportunities to break the kill chain before the final encryption process. As a result, ransomware protection can be divided into two categories:
- Ransomware Prevention: Measures that prevent ransomware attacks from infiltrating the network in the first place.
- Ransomware Detection: Measures that detect ransomware attacks that managed to infiltrate the network.
How to Prevent Ransomware
1. Be Vigilant against Suspicious Emails
Spear-phishing emails are the most commonly used attack vector for ransomware attacks. These specially crafted fraudulent emails attempt to manipulate recipients into clicking on a link or downloading an attachment, after which malware is loaded onto the machine. Therefore, one effective way to prevent ransomware infection is to be vigilant against suspicious emails. For example, check the sender’s email address and hover over links to see the URL, then check whether they are consistent with the email’s context. Educate staff on how to spot and deal with suspicious emails to make sure everyone is on board.
Check out this article for a deep dive on phishing attacks, including how they work, the different types, example attacks, and phishing protection.
2. Keep Software and Operating System Up to Date
Another commonly exploited attack vector is software and operating system vulnerabilities. Vulnerabilities, colloquially known as bugs, are weaknesses that can be leveraged by threat actors to gain unauthorized access. Software and OS vendors regularly release updates to patch known vulnerabilities, so ensure that all your software and operating system are always up to date. Turn on automatic updates, manually check for updates from time to time, and don’t ignore update notifications. Additionally, stay tuned to vulnerability alerts and advisories published by your software and OS providers as well as security vendors such as Sangfor.
3. Protect Remote Desktop Protocol Connections
Insecure remote desktop protocol (RDP) connections round off the top three ransomware attack vectors. RDP enables users to remotely access other PCs and servers through a graphical interface. Using port scanning tools, hackers can discover RDP ports exposed on the internet and gain access through a brute force attack, stolen credentials, or RDP vulnerabilities. The pandemic-induced work-from-home phenomenon resulted in a spike in RDP attacks: between Q1 and Q4 of 2020, RDP attacks grew a whopping 768%.
Clearly, securing an RDP connection is essential to preventing ransomware attacks. Here are several ways to secure an RDP connection:
- Strong Authentication: Use complex passwords and implement two-factor authentication.
- Timely Patching: Keep RDP clients up to date to remediate RDP vulnerabilities.
- Change Default Port: Change the default RDP port from 3389 to something else.
- Configure Firewall: Configure the firewall to restrict RDP sessions by IP address.
- Limit RDP Access: Limit RDP access to a specific user group.
- Use a VPN: Tunnel RDP connections using a VPN.
- Enable NLA: Enable Network Level Authentication (NLA), which is non-default on older Windows versions.
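To turn the checklist above into something you can run, here is an added audit script (not Sangfor's code) that reads the NLA, port and enable/disable values from the standard Terminal Server registry keys and evaluates them together with the firewall scope and Remote Desktop Users membership that the caller supplies. The registry paths are the standard Windows ones; the sample settings dict is constructed for illustration.

```python
"""Audit a Windows host's RDP settings against the hardening checklist above.
Added example, not Sangfor's code. evaluate_rdp_settings() works on a plain
dict so it runs anywhere; read_rdp_settings() fills the registry-backed keys
and only works on Windows. Firewall scope and group membership come from the
caller (e.g. Get-NetFirewallAddressFilter, net localgroup "Remote Desktop Users")."""
import sys

TS_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
DEFAULT_RDP_PORT = 3389
# Groups that amount to "everybody" rather than a specific RDP user group.
BROAD_GROUPS = {"everyone", "users", "authenticated users", "domain users"}


def evaluate_rdp_settings(s):
    """Return findings for a dict of RDP settings; missing keys use Windows defaults.
    Keys: fDenyTSConnections (1 = RDP off), UserAuthentication (1 = NLA required),
    PortNumber, firewall_remote_addresses (allowed sources, 'Any' = unrestricted),
    remote_desktop_users (members of the Remote Desktop Users group)."""
    if s.get("fDenyTSConnections", 1) == 1:
        return []  # RDP disabled: nothing below applies
    findings = []
    if s.get("UserAuthentication", 0) != 1:
        findings.append("NLA not enforced (UserAuthentication != 1)")
    if s.get("PortNumber", DEFAULT_RDP_PORT) == DEFAULT_RDP_PORT:
        findings.append("RDP listens on the default port 3389")
    scope = [a.lower() for a in s.get("firewall_remote_addresses", ["Any"])]
    if not scope or "any" in scope:
        findings.append("firewall allows RDP from any source address")
    members = [m.lower().rsplit("\\", 1)[-1] for m in s.get("remote_desktop_users", [])]
    if any(m in BROAD_GROUPS for m in members):
        findings.append("RDP access granted to a broad group instead of a specific one")
    return findings


def read_rdp_settings():
    """Read the registry-backed keys on Windows; add the other keys yourself."""
    if sys.platform != "win32":
        raise OSError("registry reading requires Windows")
    import winreg
    s = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TS_KEY) as k:
        s["fDenyTSConnections"] = winreg.QueryValueEx(k, "fDenyTSConnections")[0]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RDP_TCP_KEY) as k:
        for name in ("UserAuthentication", "PortNumber"):
            s[name] = winreg.QueryValueEx(k, name)[0]
    return s


# Constructed sample: RDP on, NLA off, default port, open firewall, broad group.
SAMPLE_WEAK = {"fDenyTSConnections": 0, "UserAuthentication": 0, "PortNumber": 3389,
               "firewall_remote_addresses": ["Any"], "remote_desktop_users": ["BUILTIN\\Users"]}
```

On a Windows host, call `evaluate_rdp_settings({**read_rdp_settings(), "firewall_remote_addresses": [...], "remote_desktop_users": [...]})` with the values gathered from the firewall and group commands named above.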
How to Detect Ransomware
1. Honeypot
A honeypot is a decoy computer system that is used to lure in attackers and thereby deflect their attention away from the real systems. For a honeypot to be effective, it should appear to contain valuable data, such as customer information and intellectual property, in the form of bait files. The honeypot should also contain vulnerabilities, like an outdated operating system or open ports, to make it look like an easy target. When the system detects that files are being encrypted, security operators are alerted to the attack. Depending on how it’s set up, a honeypot can completely shield real systems from attack or act as a buffer to give security teams more time to respond.
To learn more about honeypots and how they work, check out this well-written glossary article about honeypots.
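The following added example (not Sangfor's code) ties the bait-file idea above to the intermittent encryption technique described earlier: it baselines a set of bait files and, when one changes, scans the new content in fixed-size windows, because a whole-file entropy check is diluted when only half of the file has been encrypted. The file names, thresholds and the sample document are constructed for illustration, and random bytes stand in for ciphertext in the fixture.

```python
"""Bait-file monitor that also flags intermittent (partial) encryption.
Added example, not Sangfor's code. The verdict is based on how many CHUNK-sized
windows look encrypted, not on the entropy of the whole file."""
import hashlib
import math
import os
from collections import Counter

CHUNK = 4096         # window size for the per-chunk entropy scan
HIGH_ENTROPY = 7.5   # bits per byte; text and office documents sit well below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    probs = [c / n for c in Counter(data).values()] if n else []
    return -sum(p * math.log2(p) for p in probs)


def encrypted_chunk_ratio(data: bytes) -> float:
    """Fraction of CHUNK-sized windows whose entropy exceeds HIGH_ENTROPY."""
    windows = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    hot = sum(shannon_entropy(w) > HIGH_ENTROPY for w in windows)
    return hot / len(windows) if windows else 0.0


def classify(data: bytes, min_ratio: float = 0.2) -> str:
    """'encrypted' if at least min_ratio of the windows look encrypted, else 'modified'."""
    return "encrypted" if encrypted_chunk_ratio(data) >= min_ratio else "modified"


def snapshot(paths):
    """Baseline: SHA-256 digest of each bait file, keyed by path."""
    return {p: hashlib.sha256(open(p, "rb").read()).hexdigest() for p in paths}


def check_bait_files(baseline):
    """Return {path: verdict} for bait files that changed since the baseline."""
    alerts = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts[path] = "missing"  # deleted or renamed, e.g. a new extension
            continue
        data = open(path, "rb").read()
        if hashlib.sha256(data).hexdigest() != digest:
            alerts[path] = classify(data)
    return alerts


# Constructed fixture: a 64 KiB repetitive "document", and a copy with every
# other chunk replaced by random bytes standing in for ciphertext.
PLAIN_DOC = (b"Quarterly customer list, internal use only.\n" * 1500)[:65536]
PARTIAL_DOC = b"".join(os.urandom(CHUNK) if (i // CHUNK) % 2 else PLAIN_DOC[i:i + CHUNK]
                       for i in range(0, len(PLAIN_DOC), CHUNK))
```

Run `snapshot()` over your bait files once, then call `check_bait_files()` from a scheduled task; on the fixture, the whole-file entropy of PARTIAL_DOC stays below HIGH_ENTROPY while half of its windows are flagged.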
2. Endpoint Detection
The majority of ransomware attack vectors target PCs for initial access, so installing endpoint security solutions is a must for detecting ransomware attacks. However, you might want to avoid signature-based anti-malware and antivirus software. These legacy solutions simply don’t cut it against advanced ransomware attacks. For example, skilled attackers can simply obfuscate their malicious code or exploit legitimate system tools to stage the attack. Consider deploying more advanced Endpoint Detection and Response (EDR) solutions that use artificial intelligence and real-time threat intelligence to detect unknown and sophisticated malware as well as suspicious behavior on endpoints.
3. Network Detection
Sometimes, a ransomware attack can be so advanced that it even manages to evade or disable endpoint security detection. However, knowing that the attackers will attempt lateral movement means that there’s an opportunity to detect the attack at the network level.
Network Detection and Response (NDR) is a powerful technology that provides security administrators complete visibility of all network devices, users, applications, and the traffic flowing between them. Using artificial intelligence and behavioral analytics, NDR continuously analyzes and correlates traffic from across the network to detect activity that deviates from baselines of normal network behavior. NDR can be configured to respond automatically to certain behaviors or alert security operators for further investigation. NDR provides a robust last line of defense against the most sophisticated ransomware attacks that are missed by other security solutions.
Read this article or watch the whiteboard video below to learn everything you need to know about network detection and response.
Whiteboard Story: What is NDR? | Sangfor Cyber Command
Ransomware Protection from Sangfor
Sangfor Endpoint Secure (EDR)
Sangfor Endpoint Secure is a powerful Endpoint Detection and Response (EDR) solution that goes beyond traditional antivirus and anti-malware. Sangfor Endpoint Secure leverages Sangfor’s proprietary Engine Zero AI-powered malware detection engine and Neural-X threat intelligence platform to deliver unrivaled malware protection for endpoints.
- Purpose-Built Anti-Ransomware Tools: Sangfor Endpoint Secure is built with innovative anti-ransomware tools, including the world’s first and only endpoint ransomware honeypot, which quickly detects and kills the ransomware encryption process, minimizing any damage to the system. The encryption controlling application is also identified and then located on other infected systems, allowing “One-Click Kill” to eradicate the detected ransomware throughout the organization with just a single mouse click.
- Certified Ransomware Protection: Sangfor Endpoint Secure recently achieved 100% ransomware protection in the Advanced Threat Detection Test by AV-Test, one of the world’s leading test institutes for IT security products. Sangfor Endpoint Secure successfully detected 10/10 live ransomware attacks to receive the AV-Test “Advanced Approved Endpoint Protection” certificate. For ransomware protection you can trust, read this article to learn more about Endpoint Secure’s excellent performance.
Visit the Endpoint Secure webpage to learn more about its advantages, features and capabilities, success stories, and videos.
Demo video of Sangfor Endpoint Secure in action against ransomware attacks
Sangfor Anti-Ransomware Solution
Sangfor NGAF (next generation firewall), Sangfor Endpoint Secure, Sangfor IAG (Secure web gateway), and Sangfor Cyber Command (NDR) integrate as part of Sangfor’s Anti-Ransomware solution. With security deployed at the perimeter, endpoint, and network, Sangfor’s Anti-Ransomware is a holistic solution that breaks every step of the ransomware kill chain.
For example, to detect and respond to command and control (C&C), Sangfor NGAF coordinates with Endpoint Secure to validate malicious C&C communications and queries endpoints to conduct a self-scan to search for infections. If an infection is found, NGAF will terminate all communications outbound to C&C servers.
Sangfor Anti-Ransomware is a modular solution that can be tailored to meet the ransomware protection requirements of any organization.
Visit the Sangfor Anti-Ransomware webpage to find out how Sangfor keeps customers safe from ransomware infection.