Ransomware Chokepoints: Disrupting attacks, before they cause damage

Puma, Microsoft, NVIDIA, Samsung and T-Mobile are some of the best-known brands in the world, and they all have something in common.

In the past few months alone, each of these organizations has fallen victim to the devastating impacts of ransomware.

Through targeted attacks or indirect supply chain hits, these organisations have suffered data losses after ransomware criminals got access to their networks, encrypted their data and then demanded enormous sums for it to be returned.

And they are not alone.

Today ransomware is the attacker’s weapon of choice and businesses of all industries, shapes and sizes are getting hit.

In fact, according to data from IDC’s “2021 Ransomware Study”, approximately 37 percent of global organisations were the victim of some form of ransomware attack in 2021, which could be linked to cybercriminals earning an estimated $600 million in cryptocurrency payments last year alone. It is also suggested that recovering from a ransomware attack cost businesses $1.85 million on average in 2021.

However, when it comes to ransomware, it’s not just money that companies stand to lose. Attacks attract mass publicity because the cybercriminals behind them actively promote their intrusions to build their own publicity. This media coverage causes irreparable brand damage, destroys customer trust, and makes it very difficult for businesses to fully recover after attacks.

Traditionally, ransomware was about attackers encrypting information found on a system and then demanding a payment in exchange for a decryption key, but today criminals have added further potency to their attacks through double extortion. Before a ransom demand is made, attackers exfiltrate the data to a separate location so it can be used for further purposes, and more often than not they publish it on the Dark Web even when payment has been made.

Attackers don’t stop there. Double extortion is not the only additional way they make money: the data may also be sold by the attackers to other ransomware groups under the ransomware-as-a-service (RaaS) model.

This means there is no happy ending when it comes to ransomware. If companies pay the ransom, they lose their data and if they don’t, they still lose their data.


Ransomware attack paths

One of the most-repeated sayings circulating in the cybersecurity industry recently is that ‘attackers only need to get it right once, while defenders need to be right all the time’. This well-publicised statement gives the impression that the odds always favour the cybercriminals, but in reality this is not the case.

To carry out ransomware attacks, criminals go through a series of actions before they carry out the final exfiltration of data and serve their extortion demand.

These steps range from carrying out reconnaissance on a business to gaining initial access to the organisation, generally through phishing to steal credentials or by exploiting vulnerabilities. They then need to execute malware to collect passwords, and then move laterally across the network, turning off security settings and gathering intelligence on the corporation’s crown jewels. These steps take many months before the attacker moves on to exfiltrating data and then serving their ransomware notice.

This demonstrates that a lot of work goes into ransomware attacks, and they are a far stretch from attackers just getting things right once. Attackers need to remain on networks undetected for many months and a series of steps need to be successful for them to reach their final goal.

This also means there are several opportunities to detect ransomware in its path, before damage occurs.

Ransomware chokepoints

Across the various actions attackers take to infect organisations with ransomware, there are several points where defenders can stop them. When it comes to initial access, attackers often use phishing, so the best defence is employee awareness combined with cloud-based security tools that assess the safety of documents and links before employees get the chance to open them. These tools collect data from millions of sources across the world and know instantly whether a link or document is safe to click on; they should also defend against unknown threats, zero-day attacks and polymorphic malware designed to evade signature-based inspection engines.

To prevent lateral movement and stop attackers from spreading ransomware through the network, the best defence is a zero-trust approach that ensures users and hosts can only access the applications and resources they are authorised for. This reduces the attack surface, limiting ransomware’s ability to spread, encrypt and exfiltrate data. Another key defence is blocking access to certain sites, such as ‘Mega’, a file-hosting platform notoriously used by attackers to host their stolen data.

By taking these defensive actions, organisations have multiple points in the ransomware attack journey at which to identify intruders and stop them before any data exfiltration takes place. A cloud-native solution with a single-pass security engine can help create these multiple chokepoints on both north/south traffic (internet inbound/outbound) and east/west traffic (WAN), providing multiple opportunities to detect, mitigate or prevent the attack.
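As an added example (not code from the article or from Cato Networks), the two chokepoints described above can be expressed as simple detection logic run over a constructed proxy/flow log: a large north/south upload to a blocked file-hosting domain, and east/west fan-out from one host to many internal hosts on admin ports. The log format, the domain list, the port list and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample proxy/flow log: ts src_host dst dst_port direction bytes_out
SAMPLE_LOG = """\
2024-01-10T02:14:05 ws-17 mega.nz 443 north-south 1879048192
2024-01-10T02:14:09 ws-17 www.example.com 443 north-south 4096
2024-01-10T01:50:01 ws-17 10.0.5.21 445 east-west 2048
2024-01-10T01:50:02 ws-17 10.0.5.22 445 east-west 2048
2024-01-10T01:50:03 ws-17 10.0.5.23 445 east-west 2048
2024-01-10T01:50:04 ws-17 10.0.5.24 3389 east-west 2048
2024-01-10T09:00:00 ws-03 10.0.5.21 445 east-west 2048
"""

# Assumed policy values (hypothetical): file-sharing domains the organisation
# blocks, ports typical of admin/lateral traffic, and alert thresholds.
BLOCKED_UPLOAD_DOMAINS = {"mega.nz", "mega.io"}
LATERAL_PORTS = {445, 3389, 5985, 5986}
UPLOAD_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB sent to a blocked domain
FANOUT_THRESHOLD = 3  # distinct internal hosts on admin ports from one source


def parse(log_text):
    """Parse the whitespace-separated constructed log format above."""
    for line in log_text.splitlines():
        ts, src, dst, port, direction, nbytes = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "port": int(port),
               "direction": direction, "bytes": int(nbytes)}


def detect_chokepoints(log_text):
    """Return alerts as (chokepoint, src_host, detail) tuples."""
    alerts = []
    fanout = defaultdict(set)  # src_host -> internal hosts reached on admin ports
    for rec in parse(log_text):
        if (rec["direction"] == "north-south"
                and rec["dst"].lower() in BLOCKED_UPLOAD_DOMAINS
                and rec["bytes"] >= UPLOAD_BYTES_THRESHOLD):
            alerts.append(("exfil-upload", rec["src"], rec["dst"]))
        if rec["direction"] == "east-west" and rec["port"] in LATERAL_PORTS:
            fanout[rec["src"]].add(rec["dst"])
    for src, targets in fanout.items():
        if len(targets) >= FANOUT_THRESHOLD:
            alerts.append(("lateral-fanout", src, f"{len(targets)} hosts"))
    return alerts


if __name__ == "__main__":
    for alert in detect_chokepoints(SAMPLE_LOG):
        print(*alert)
```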

About the Author

Etay Maor is Senior Director of Security Strategy at Cato Networks. Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a complete cloud-native security service edge, Cato SSE 360, including Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS) into a global cloud service. Cato optimizes and secures application access for all users, locations, and applications and empowers IT with a simple and easy to manage networking and security architecture. CatoNetworks.com