Ransomware is one of the most popular and fastest-growing categories of cybercrime: more than 4,000 ransomware attacks occur daily. That volume of attacks, combined with the close relationships between companies and their third parties, increases the risk that employee data is compromised. Sensitive data can be protected with a ransomware prevention strategy and a process for quickly detecting when data has been compromised.
An effective attack prevention strategy involves deploying security controls at every stage in the evolution of a typical ransomware attack.
The main stages of a ransomware attack are:
- Phishing – an email carrying malicious links or attachments; the links redirect the user to a look-alike site that harvests corporate credentials. This is the most common way to launch an attack;
- Interaction with the user (victim) – following the link, opening the attachment, etc.;
- Account compromise – the victim's corporate credentials are captured by directing them to a malicious site or through social engineering (for example, the attacker pretends to be an employee of the IT department and asks the victim to approve a two-factor authentication prompt). At this stage malware is most often introduced, initiating the installation of the ransomware;
- Discovery of privileged credentials – privileged accounts are found and compromised in order to gain unauthorized access to sensitive network segments;
- Search for sensitive data (personal data, customer data, social security numbers, corporate credentials, corporate and personal email, any digital trail that can be used for identity theft);
- Data exfiltration – the malware establishes backdoor connections to the attacker's servers, and the data is transferred over those connections. The attacker will later demand a ransom for this data;
- Data encryption – the attacker encrypts the victim's files and systems to cause maximum damage. The victim receives a ransom note (usually a TXT file) that states the ransom price. Attackers demand payment in cryptocurrency (typically Bitcoin), because it is harder for law enforcement to trace to the recipient than a bank transfer. To speed up payment, they threaten to publish the data on the dark web or delete it;
- Data dump – the final stage of the attack, in which the attackers publish all compromised data on a criminal marketplace. Some attackers delete the data instead, sparing themselves the effort of selling it on the black market and handling purchase requests. If the victim refuses to pay, the attackers may punish the victim by publishing all the data on open forums. Data freely available on such forums does more harm to the company than data sold to a single group of criminals.
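The encryption stage described above leaves two artefacts a defender can look for on a file server: files whose contents have become near-uniformly random, and a ransom note (usually a TXT file) that talks about decryption and cryptocurrency. The script below is an added example, not code from the original article; it runs the two checks over a constructed in-memory "directory" and uses a hypothetical `.locked` extension. Known compressed or image formats are exempted from the entropy check, since a JPEG or a ZIP-based `.docx` is legitimately high-entropy and would otherwise be a false positive.

```python
import math
import re
from collections import Counter

# Extensions whose contents are legitimately high-entropy (compressed or
# already encrypted); they are skipped to limit false positives.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                   ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}

# Phrases typical of ransom notes; two distinct hits are required so that an
# ordinary document mentioning "decrypt" once is not reported.
NOTE_PATTERN = re.compile(
    r"files?\s+(?:have\s+been|are|were)\s+encrypted|decrypt|bitcoin|\bbtc\b|"
    r"ransom|tor\s+browser|\.onion",
    re.IGNORECASE,
)
NOTE_MIN_HITS = 2


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name, data):
    """Text file containing at least NOTE_MIN_HITS ransom-note phrases."""
    if not name.lower().endswith((".txt", ".html", ".htm")):
        return False
    text = data.decode("utf-8", errors="ignore")
    return len(NOTE_PATTERN.findall(text)) >= NOTE_MIN_HITS


def looks_encrypted(name, data, threshold=7.5, min_size=256):
    """High entropy in a file whose extension does not explain it."""
    if len(data) < min_size:
        return False  # too little data for the entropy estimate to mean much
    ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in HIGH_ENTROPY_OK:
        return False
    return shannon_entropy(data) >= threshold


def scan(files, encrypted_min=2):
    """files: {name: bytes}. Reports encrypted-looking files, ransom notes, and
    an overall verdict (a note, or several encrypted files, means trouble)."""
    encrypted = [n for n, d in files.items() if looks_encrypted(n, d)]
    notes = [n for n, d in files.items() if looks_like_ransom_note(n, d)]
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        "suspected": bool(notes) or len(encrypted) >= encrypted_min,
    }


# Constructed sample directory. A full byte range repeated stands in for
# ciphertext (entropy exactly 8.0); ".locked" is a hypothetical extension.
UNIFORM = bytes(range(256))
SAMPLE_FILES = {
    "q3_report.csv": b"date,revenue,cost\n2023-07-01,1200,800\n" * 40,
    "q3_report.csv.locked": UNIFORM * 8,
    "customers.db.locked": UNIFORM[::-1] * 8,
    "holiday.jpg": UNIFORM * 4,  # high entropy, but expected for a JPEG
    "README_TO_RESTORE.txt": (
        b"All your files have been encrypted! To decrypt them, pay 2 BTC "
        b"and contact us through the Tor browser."
    ),
    "notes.txt": b"Remember to decrypt the archive Bob sent.",  # one hit only
}


def run_sample():
    return scan(SAMPLE_FILES)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On a real share you would walk the filesystem with `os.walk` and feed file contents to `scan`; the entropy threshold and the exempt-extension list should be tuned against a baseline of the organisation's own data, and a single hit on either check is a reason to isolate the host, not a verdict on its own.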
A company can protect itself and mitigate the impact of ransomware by implementing security measures at each stage of the attack:
- Cybersecurity training. Ransomware is very hard to defeat once it has infiltrated the corporate network, so preventing the initial intrusion is what stops an attack from succeeding. Employees often do not know how to recognize threats or how to respond to them, and so contribute to the attack's success. Provide high-quality training to all employees, inform them about the risks and teach them to recognize threats;
- Tracking interactions with malicious links and attachments. To stop an attack from progressing to the next stage, such activity must be detected as early as possible. Employees should report clicked links and opened attachments to IT security staff immediately;
- Prevent account compromise. Implement multi-factor authentication, preferably a phishing-resistant method such as FIDO2/WebAuthn security keys or platform authenticators unlocked with a biometric (fingerprint, facial recognition). These factors are bound to the device, so they cannot be phished or approved by mistake the way a push notification can. The biometric itself should stay on the device: unlike a password, a fingerprint cannot be rotated if a copy of it is stolen;
- Protection of privileged credentials. Use a password manager or privileged access management, multi-factor authentication and a zero-trust security model (all internal traffic is treated as untrusted, so a user must repeatedly prove identity and authorization to reach confidential resources);
- Prevent data loss. Close off sensitive areas of the network, or segment them away from general users, and make sure every account with access to restricted areas is protected by multi-factor authentication;
- Prevent data theft. This has two elements, detection and prevention. Detection methods include:
  - using a SIEM, fed with firewall, proxy and flow logs, to monitor network traffic in real time;
  - monitoring connections to external IP addresses, especially destinations a host has never contacted before;
  - monitoring outgoing traffic for suspicious activity, such as unusually large uploads or regular beaconing to one address;
Prevention methods include:
  - egress controls on the protocols attackers commonly use for exfiltration (DNS, HTTP/HTTPS, FTP): DNS filtering, proxying of outbound web traffic and blocking of outbound FTP and any other protocol the business does not need;
  - fixing software vulnerabilities by patching promptly.
- Protection against data encryption. Rapid switchover to backup systems minimizes business disruption in a ransomware attack. Backup environments must be accessible only with a separate set of credentials, different from those used in the normal IT environment, so that an attacker holding domain credentials cannot reach them. Backups should also be kept offline or immutable and restores tested regularly, because ransomware operators routinely try to encrypt or delete backups before encrypting production systems.
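The detection methods listed under "Prevent data theft" (connections to external addresses, suspicious outgoing traffic) come down to two checks a SIEM rule can implement: how much a host has sent to the outside, and whether it talks to one external address on a fixed schedule. The script below is an added example, not code from the original article or any SIEM product. It parses a constructed flow log in a hypothetical `src,dst,bytes,unix_time` CSV shape, with RFC 5737 documentation addresses standing in for attacker infrastructure, and raises a volume alert and a beacon alert.

```python
import ipaddress
from collections import defaultdict

# Address ranges treated as internal; anything else is an external destination.
# (Python's ip.is_global would class the RFC 5737 documentation ranges used in
# the sample as non-global, so membership is checked explicitly instead.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample flow records: "src,dst,bytes_sent,unix_time". This is a
# hypothetical CSV shape, not a real vendor's log format. 10.0.1.22 pushes
# three 50 MiB transfers to one external host; 10.0.1.30 contacts another
# host every 60 seconds with tiny payloads (a classic beacon).
SAMPLE_FLOWS = """\
10.0.1.15,10.0.1.5,1200,1700000000
10.0.1.15,192.0.2.44,5400,1700000010
10.0.1.22,203.0.113.9,52428800,1700000020
10.0.1.22,203.0.113.9,52428800,1700000080
10.0.1.22,203.0.113.9,52428800,1700000140
10.0.1.30,198.51.100.7,300,1700000000
10.0.1.30,198.51.100.7,310,1700000060
10.0.1.30,198.51.100.7,305,1700000120
10.0.1.30,198.51.100.7,298,1700000180
10.0.1.30,198.51.100.7,302,1700000240
10.0.1.40,10.0.2.8,900000,1700000030
"""


def parse_flows(text):
    """Parse the CSV into (src, dst, bytes, ts) tuples, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes, ts = line.split(",")
        flows.append((src, dst, int(nbytes), int(ts)))
    return flows


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, volume_threshold=100 * 1024 * 1024,
                        beacon_min_flows=5, beacon_jitter=0.2):
    """Return alerts as (kind, src, dst, value) tuples.

    "volume": src sent at least volume_threshold bytes to external hosts in
              the window; value is the byte count.
    "beacon": src contacted dst at least beacon_min_flows times at
              near-constant intervals (every gap within beacon_jitter of the
              mean gap); value is the interval in seconds.
    """
    bytes_per_host = defaultdict(int)
    times_per_pair = defaultdict(list)
    for src, dst, nbytes, ts in flows:
        if not is_external(dst):
            continue  # internal traffic is out of scope for this rule
        bytes_per_host[src] += nbytes
        times_per_pair[(src, dst)].append(ts)

    alerts = []
    for host, total in bytes_per_host.items():
        if total >= volume_threshold:
            alerts.append(("volume", host, None, total))

    for (src, dst), times in times_per_pair.items():
        if len(times) < beacon_min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= beacon_jitter * mean for g in gaps):
            alerts.append(("beacon", src, dst, int(round(mean))))
    return alerts


def run_sample():
    return detect_exfiltration(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for kind, src, dst, value in run_sample():
        print(kind, src, dst or "-", value)
```

The fixed 100 MiB threshold is only a placeholder: in production the volume rule should be a per-host deviation from that host's own baseline (a backup agent or a developer pushing containers will legitimately exceed it), and the beacon rule should also be run against DNS query logs, since DNS is the one egress channel that is almost never blocked.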