Today’s modern companies are built on data, which now resides across countless cloud apps. Therefore preventing data loss is essential to your success. This is especially critical for mitigating against rising ransomware attacks — a threat that 57% of security leaders expect to be compromised by within the next year.
As organizations continue to evolve, in turn so does ransomware. To help you stay ahead, Lookout Chief Strategy Officer, Aaron Cockerill met with Microsoft Chief Security Advisor, Sarah Armstrong-Smith to discuss how remote work and the cloud have made it more difficult to spot a ransomware attack, as well as how deploying behavioral-anomaly-based detection can help mitigate ransomware risk. Access the full interview.
Aaron Cockerill: I feel like the way modern enterprises operate, which includes a combination of technologies, has allowed the ransomware to thrive. Having experienced this type of attack in my past roles, I know how many CISOs are feeling out there. The human instinct is to pay the ransom. What trends are you seeing?
Sarah Armstrong-Smith: It’s quite interesting to think about how ransomware has evolved. We think about these attacks as being really sophisticated. The reality is that attackers favor the tried and tested: they favor credential theft, password spray, they’re scanning the network, buying credentials off the dark web, using ransomware kits.
So in many ways, things haven’t changed. They are looking for any way into your network. So although we talk about cyber attacks becoming sophisticated, that initial point of entry really isn’t what sets the ransomware operators apart, it’s what happens next.
It’s down to that persistence and patience. The growing trend is that attackers understand IT infrastructure really well. For example, lots of companies are running Windows or Linux machines or have entities on-premises. They might also be utilizing cloud services or cloud platforms or different endpoints. Attackers understand all that. So they can develop malware that follows those IT infrastructure patterns. And in essence, that’s where they’re evolving, they’re getting wise to our defenses.
Aaron: One evolution we’ve witnessed is the theft of data and then threatening to make it public. Are you seeing the same thing?
Sarah: Yeah, absolutely. We call that double extortion. So part of the initial extortion could be about the encryption of your network and trying to get a decryption key back. The second part of the extortion is really about you having to pay another amount of money to try and get your data back or for it not to be released. You should assume that your data is gone. It’s very likely that it’s already been sold and is already on the dark web.
Aaron: What do you think are some of the common myths associated with ransomware?
Sarah: There’s a misconception that if you pay the ransom, you’re going to get your services back quicker. The reality is quite different.
We have to assume that ransomware operators see this as an enterprise. And, of course, the expectation is that if you pay the ransom, you’re going to receive a decryption key. The reality is that only 65% of organizations actually get their data back. And it’s not a magic wand.
Even if you were to receive a decryption key, they’re quite buggy. And it’s certainly not going to open everything up. Often, you still have to go through file by file and it’s incredibly laborious. A lot of those files are potentially going to get corrupted. It’s also more likely that those large, critical files that you rely on are the ones you won’t be able to decrypt.
Aaron: Why is ransomware still affecting companies so badly? It seems like we’ve been talking about methods attackers use to deliver these attacks, such as phishing and business email compromise, as well as preventing data exfiltration and patching servers forever? Why is ransomware still such a big problem? And what can we do to prevent it?
Sarah: Ransomware is run as an enterprise. The more people pay, the more threat actors are going to do ransoms. I think that’s the challenge. As long as someone somewhere is going to pay, there is a return on investment for the attacker.
Now the difference is, how much time and patience does the attacker have. Particularly some of the larger ones, they will have persistence, and they have the willingness and desire to carry on moving through the network. They’re more likely to use scripting, different malware, and they’re looking for that elevation of privilege so they can exfiltrate data. They’re going to stay in your network longer.
But the common flaw, if you like, is that the attacker is counting on no one watching. We know that sometimes attackers stay in the network for months. So at the point where the network’s been encrypted, or data exfiltrated, it’s too late for you. The actual incident started weeks, months or however long ago.
That’s because they’re learning our defenses: “will anyone notice if I elevate privilege, if I start to exfiltrate some data? And assuming I do get noticed, can anyone even respond in time?” These attackers have done their homework, and at the point where they are asking for some kind of extortion or demand, they’ve done a huge amount of activity. For bigger ransomware operators, there is a return on investment. So they’re willing to put the time and effort in because they think they’re going to get that back.
Aaron: There’s an interesting article written by Gartner on how to detect and prevent ransomware. It says the best point to detect attacks is in the lateral movement stage, where an attacker is looking for exploits to pivot from or more valuable assets to steal.
I think that that’s one of the most fundamental challenges that we have. We know what to do to mitigate the risk of phishing — although that’s always going to be an issue because there’s a human element to it. But once they get that initial access, get an RDP (Remote Desktop Protocol), or credentials for the server or whatever it is, and then they can start that lateral movement. What do we do to detect that? Sounds like that’s the biggest opportunity for detection.
Listen to the full interview to hear Sarah’s thoughts on the best way to detect a ransomware attack.
The first step to securing data is knowing what’s going on. It’s hard to see the risks you’re up against when your users are everywhere and using networks and devices you don’t control to access sensitive data in the cloud.