read
March 3, 2022

Ransomware Attacks: What You Need to Know

Ransomware attacks are one of the biggest cyber threats of 2022 and all
organizations need to ensure they are adequately protected against them. This is how
companies can protect themselves from attacks while staying within their budget.

Ransomware attacks remain one of the biggest cybersecurity threats for all
organizations in 2022. A ransomware attack typically involves adversaries using malware to break into a network to steal copies and then encrypt private data. Once the data is encrypted, the attacker will threaten to destroy the original copy and publish the stolen information unless a ransom is paid. Successful ransomware attacks are capable of destroying an organization that falls victim to them. Businesses are often forced to pay massive ransom payments, or face disruption of their ability to conduct business. Without proper security measures and procedures, organizations are left completely vulnerable and exposed to these catastrophic attacks.

Ransomware attacks typically occur in five stages: initial access, reconnaissance and
lateral movement, exfiltration, deployment, and finally extortion. The initial access phase occurs when the adversary first infiltrates their prospective target’s network, but it is far from the end game. Initial access, which takes only minutes, is typically attained through phishing attacks, compromised credential reuse, exploitation of vulnerabilities, or infiltrating through a trusted third party, such as a supplier, by using corrupted application code updates. Once initial access is attained, the next phase can take anywhere from days to even months. When the attacker enters the network, they will attempt to remain undetected and move laterally throughout the system so that they can gain access to important files that they will exfiltrate and later encrypt. Attackers often use polymorphic malware, which changes its signature with each use to laterally throughout a network without requiring external control to compromise as many devices as possible. Once compromised, attackers can be notified of the existence of compromised device by the malware, which also provides a means to access each device.
ransomware attacks

The number of ransomware attacks has continued to increase over the past few
years, and it is expected that in 2022 the number of attacks will be in the tens of thousands. Not only have the attacks increased in quantity, but also in severity. In 2021, CNA Financial paid $40 million to a ransomware group, the largest payment ever, after their network was breached by attackers. Independent businesses are not the only organizations at risk of becoming victims of a ransomware attack. There has been a growing concern that nation states such as China and Russia are backing attackers to use ransomware attacks against other countries to gain a political or military advantage. 

Law enforcement is well aware of the threat ransomware attacks pose, and they
have taken several measures against ransomware groups to help prevent these attacks from occurring. In 2021, 21 new law enforcement actions were taken against ransomware groups, the most ever. Unfortunately, this represents actions against less than 1/10th of a percent of known ransomware groups. Also, ransomware groups change their strategies faster than the law can keep up with them. For example, ransomware as a service has created kits that can be used by average hackers to build sophisticated attack programs so that even when law enforcement successfully takes down a ransomware group, they are quickly replaced by another.

However, just because government intervention is not necessarily an effective way of
stopping ransomware does not mean businesses have no means of protecting themselves from attacks. There are several systems and procedures companies can use and follow to help mitigate the risk of an attack being successfully executed. Companies can take advantage of technological tools like Endpoint Detection and Remediation (EDR) software to protect their networks from Ransomware that has a known pattern of attack or signature. In recent years, AI technology has been used increasingly more as another means of scanning for attack patterns and behaviors that ransomware groups typically use when executing an attack. Properly monitoring all attack surfaces is another key way for organizations to protect themselves against attacks. MFA can be used to help avoid compromised credential use to access critical systems. Adequately monitoring all applications, OS, and network infrastructure for vulnerabilities along with immediate patching can reduce the risk of an intrusion if done daily.

ransomware attack surfaces

Employees play an equally important role in the deployment and monitoring of such
a stack of tools and processes. Employing a highly trained SOC team in addition to
deploying high-end security tools gives organizations the best chance of recognizing and responding to a potential breach before irreversible damage is done.

If you have the security staff and you can afford it, one of the best ways to
completely assess an organization’s preparedness at every level is through completing
tabletop exercises. Tabletop exercises are full day activities that involve gathering all
departments in an organization and running through a faux ransomware attack to see how each level would respond. By using a real-world example of an attack, the company can find where potential security weaknesses and flaws lie, and what might slip through their security defenses. It is often beneficial to employ a third part security team to help facilitate the exercises so that each department’s security readiness can be objectively assessed, and a set of action items can be provided for the organization to use to improve their security.

In addition to taking proper preventative measures against ransomware attacks,
organizations also must prepare for the event that they succumb to one. Ransomware
attacks impact businesses at every level, and can lead to legal, customer, and PR issues. Keeping an incident response firm on retainer is the best way to deal with the fallout after an attack. Entrusting the negotiation responsibilities to the IR firm allows an objective third party to make the best possible business decision, without letting their judgment be clouded by emotional attachment to the business. Businesses must also reach out to legal teams and PR firms to address the customer impact and public perception. Customers that fear their private information has been leaked will often take legal action against the company, and the PR fallout afterwards can permanently damage a company’s reputation.
ephemeral environments

While reliable and secure options like those mentioned above are available for
protecting against ransomware attacks, they are often inaccessible to all but the F500.
Utilizing top software security programs, employing well-trained round-the-clock SOC
team members, and having third-party security, legal, IR, and PR firms on retainer is
extremely expensive. Only the largest organizations with massive budgets can afford all these security and response services. Every other organization is typically forced to choose which tools or services they think will provide the most value. This leaves the vast majority of companies being much more vulnerable to attacks, while lacking the proper ability to respond to them.

ransomware fragmented views

What about cyber Insurance?
Up until 2022, cyber insurance was the solution to ransomware attacks for most
companies. Most companies thought even though they could not afford all the best tools to protect against attacks, they could still rely on cyber insurance. However, this was more pipedream than reality. Cyber insurance occasionally does pay out claims after attacks, but they are often only partially covered, or outright denied. Worse yet as published reports in 2021 made clear - the damage done as a consequence of an attack, such as disrupting business operations for weeks, can often do significantly more damage than any insurance payout could cover. Many businesses are forced to resort to drastic measures such as laying off employees, selling off businesses or assets, and/or serving fewer customers. As of 2022, many policies’ benefits are being paired back, while premiums rise. The largest coverage for those that qualify is $5M, but the financial impact of an attack is often much greater. In order to qualify for any policy, insurance agencies typically require that adequate security tools and processes are already in place. Cyber insurance is not replacing the need for those tools anymore.

So what’s the answer?
Companies outside the fortune 500 need to take a different approach to addressing
their cybersecurity needs if they want to feel reasonably protected. They often put in tolls like firewalls and EDRs and then go hire a service to monitor them because they can’t afford even a single dedicated well training SOC member in this difficult skilled employee hiring and retaining environment. Unfortunately, the services capable of monitoring their network 24x7x365 typically do so by having a single resource watching 10s of customers, limiting their ability to react and dig into potential issues quickly and thoroughly. While they may be able to help deal with the effects of an attack clearly detected by the available security software, they will be unable to do much else. Skillful intruders responsible for the most devastating ransomware attacks often remain undetected until the damage is done. Knowing that if a company can barely afford to employ a single SOC staff member, it is highly unlikely they will be able to hire IR firms, legal teams, or PR firms to help them deal with the impact of the attack. It simply is not financially feasible for the vast majority of businesses to use these same approaches as fortune 500 companies with millions of dollars at their disposal.

While employing a large security staff and fully manned SOC is not an option for
most companies, there are still other ways to ensure their private data is being protected. Aria’s Advanced Detection and Response is an AI driven solution can do all the work that a security staff and SOC do at the fraction of the price. Aria’s ADR can monitor all devices on any network, and instantly recognize when an attack surfaces. ADR automatically detects attacks by using over 70 threat behavioral models based on the MITRE ATT&CK Framework and takes action to stop the attackers instantaneously. It does not rely on signatures, nor static rule detection methods so it can cover today’s dynamic evolving types of threats and attacks. It also eliminates the need for an expensive SOC by utilizing an AI-SOC that can monitor attacks across the network. Once attacks take root, ADR monitors any attempts at lateral spreading using machine learning that allows it to distinguish any abnormal activity. Once an attack is detected, it can be stopped in 2 ways: fully automated, or with human intervention. If an organization chooses to, they can eliminate the user interface entirely by opting to use the fully automated features of AI and machine learning technology to shut down attacks the moment they are detected. Alternatively, if the organization still wants some level of human involvement, they can set up their ADR solution so it provides specific alerts and recommended actions that can be taken at the push of a button. Leveraging AI and machine learning to completely automate cybersecurity responses and solutions and eliminates the need for costly and inefficient
security staffs and SOCs. Aria’s ADR solution provides companies with practically the
same level of protection as fortune 500 companies at a fraction of the price.

Tags: cyber attack, cybersecurity, ransomware