How to proactively detect and prevent ransomware attacks

Two out of three organizations surveyed by ThycoticCentrify were hit by a ransomware attack over the past 12 months, and more than 80% reportedly opted to pay the ransom.

Young Asian male frustrated by ransomware cyber attack

Image: Getty Images/iStockphoto

The key to combating any type of cyberattack is to prevent it before it happens, or at least before it's able to cause significant damage. That's especially true with ransomware. Once an attacker gets their hands on your sensitive data, they can prevent you from accessing it and can even leak it publicly. That's why many organizations hit by ransomware choose to pay the ransom. For that reason, detecting and preventing an attack in the first place should still be your ultimate goal.

SEE: Security Awareness and Training policy (TechRepublic Premium)

A report released Tuesday by security provider ThycoticCentrify looks at the threat of ransomware and offers advice on how to stop these types of attacks before they impact your organization. The new report, titled "2021 State of Ransomware Survey & Report: Preventing and Mitigating the Skyrocketing Costs and Impacts of Ransomware Attacks," is based on a survey of 300 IT business decision makers in the U.S.

Among the respondents, almost two-thirds said they were victimized by a ransomware attack over the past 12 months. Of these, 83% said they ended up paying the ransom. In response to the incident, more than 70% increased their security budgets. But the damage had already been done.

Some 50% of the victimized organizations said they lost revenue as a result of the attack. Another 50% took a hit to their reputation. More than 40% lost customers. And more than 30% were forced to lay off employees.

Asked to identify the areas most vulnerable to ransomware attacks, 53% pointed to email, an indication that cybercriminals often use phishing messages to try to obtain account credentials or install malware. Some 41% cited applications as an avenue to a ransomware attack, while 38% listed the cloud.

Asked to identify the top attack vectors, 26% cited privileged access, meaning accounts and services that have elevated rights to retrieve the most critical data and assets. Attackers love to compromise such accounts as doing so gives them full network or domain access where they can do major damage. Another top attack vector was vulnerable endpoints, cited by 25% of those surveyed. With the shift to the cloud and remote working, the number of endpoints has skyrocketed, challenging organizations to secure them all.

SEE: How to become a cybersecurity pro: A cheat sheet (TechRepublic)

Cybercriminals don't launch a ransomware attack on the spur of the moment. Rather, they use the initial access to a computer or network to perform surveillance. Known as dwell time, this period enables the attacker to fully understand the network, scope out vital and vulnerable resources, and ultimately locate and exfiltrate critical data (Figure A).

Figure A

ransomware-attack-dwell-time.jpg

Image: UltimateITsecurity.com

Recommendations for how to detect and prevent ransomware

  • Use Privileged Access Management for early detection. Since attackers often dwell on a network before compromising your data, you need to detect a breach as early as possible. From there, you need to block the attackers from exploiting privileged access accounts and obtaining a path to your network. One technology that can help with these tasks is Privileged Access Management (PAM). Such tools not only manage and restrict privileged access on a granular level but help you understand a ransomware attack as it occurs so that you can stop it from happening again.
  • Use multi-factor authentication (MFA) wherever possible. As attackers can gain access to your network through stolen account credentials, make sure you implement MFA on all internet-facing systems.
  • Keep assets up to date. Security vulnerabilities are another avenue ripe for exploitation. Make sure you practice proper patch management to keep your software, devices and other assets up to date.
  • Turn to zero trust. Develop a zero trust strategy that helps you enforce least privilege access across all your applications, cloud platforms, systems and databases. Zero trust is one of the best ways to stop an attacker from escalating privileges and roaming your network undetected.
  • Minimize user disruption. Make sure your security tools and policies don't disrupt your fellow employees. End users are more likely to bypass security policies when they're difficult or frustrating to follow.
  • Isolate sensitive data. Protect and isolate sensitive data, including your backup and restore capabilities. Attackers often try to disable your backup systems before they steal your primary data.

Also see

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.