By Max Sobell, ivision Director of Cybersecurity Engineering & Research
Most CIOs and CISOs we talk to cite the threat of ransomware as their single biggest security concern. This article breaks down how ransomware happens, why the rise of ransomware is so concerning to organizations, and details practical steps to reduce ransomware risk.
Ransomware gives attackers a clear and practical path to monetize their attacks. Before the ransomware model and cryptocurrency became prevalent, attackers monetized attacks by selling stolen data on the dark web, carrying out attacks for hire, or using individual stolen credit cards/identities to turn stolen data into currency. Now, ransomware kits and cryptocurrency payments give attackers a direct path to receiving funds for their attacks. Criminal entities offering ransomware-as-a-service (RaaS) (notably LockBit) significantly lower the difficulty of executing a successful ransomware attack and greatly increase the prevalence of such attacks.
Industry estimates paint an increasingly bleak picture of ransomware attack growth. A successful ransomware attack leaves organizations in a (sometimes existential) bind: an attacker encrypts organizational data in place, exfiltrates that same data to hold hostage, and demands a cryptocurrency ransom to (a) decrypt local data and (b) delete a copy of the data that they hold. Of course, (b) can never be guaranteed and attackers may later release, sell, or use the stolen data.
Ransomware doesn’t happen in isolation, though. It’s the last step in a successful attack chain, starting with reconnaissance and initial access, privilege escalation, defense evasion, lateral movement, exfiltration, and finally impact. The MITRE ATT&CK matrix details each of these steps (and several in-between) and common techniques used by attackers at each step. This model gives organizations several opportunities to harden their defenses at different attack stages.
Using the ATT&CK framework, we believe that an effective anti-ransomware playbook focuses energy on three things: preventing initial access; making privilege escalation, defense evasion, and lateral movement difficult; and planning for recovery and incident response. Together these reduce the odds of a ransomware attack and improve recovery speed in the event of a breach. We provide defensive activities and statistics for critical MITRE ATT&CK stages below. Note that rigorous statistics around cyberattacks and breaches are extremely difficult to collect. We’ve reviewed available industry studies and literature for the following statistics:
Reconnaissance
Regular security testing and attack surface management (ASM): The presence of ASM tools & offensive security testing reduced the mean cost of a data breach by ~$350k in 2023.
Initial Access
• Password hygiene: Credentials for web applications, desktop sharing software, and VPNs were the top “way in” in 2023, more than twice as prevalent as phishing and vulnerability exploitation. Avoiding password re-use (with a password manager) and keeping personal and corporate passwords separate, combined with MFA and a move toward password-less authentication, greatly reduces this risk.
• Vulnerability Management & Patching: ~60% of data breaches involve vulnerabilities for which a patch was available but not applied. The Cybersecurity & Infrastructure Security Agency (CISA) keeps a running list of known exploited vulnerabilities, some of which are from 2020 and earlier.
• Employee training & awareness: Employee training was the second largest key factor in decreasing the mean cost of a data breach in 2023. 68% of breaches involved a human element in 2023.
• Multifactor Authentication (MFA): Properly deployed and configured MFA can block 99%+ of account compromise attacks when combined with effective employee training and awareness and attack surface management. However, MFA fatigue attacks, such as “MFA Bombing”, can reduce the effectiveness of MFA controls. Use an MFA prompt that requires the user to prove they are the one requesting the access. New Microsoft Authenticator installs use “number matching” as the default, but older installs (prior to May 8, 2023) require a manual upgrade. Number matching can dramatically reduce the effectiveness of MFA Bombing attacks.
• Email filtering and protection: 98% of social engineering breaches use email as their main action vector (as opposed to smishing, vishing, etc.).
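Number matching removes the “approve by reflex” path, but a defender still wants to see MFA bombing attempts in the identity provider’s logs, because a burst of pushes means the attacker already holds a valid password. The following is an added example, not code from the original article: a small detector that flags a user who rejected or ignored several push prompts in a short window and then approved one. The log format (timestamp, user, event, result) and the sample lines are constructed for the example; real identity providers use their own schemas, so the parser is an assumption to adapt.

```python
"""Detect MFA push-fatigue ("MFA bombing") patterns in authentication logs.

Added example, not from the article. The log format below is a constructed,
simplified one (timestamp user event result); real identity providers emit
different schemas, so parse_log() is an assumption to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). alice approves a single push;
# bob receives a burst of pushes at 02:14, denies or ignores five of them and
# then approves one (the classic fatigue pattern); carol denies one prompt and
# approves a later one, which is ordinary user behaviour.
SAMPLE_LOG = """\
2023-06-01T08:00:01Z alice mfa_push approved
2023-06-01T02:14:05Z bob mfa_push denied
2023-06-01T02:14:20Z bob mfa_push timeout
2023-06-01T02:14:41Z bob mfa_push denied
2023-06-01T02:15:02Z bob mfa_push timeout
2023-06-01T02:15:30Z bob mfa_push denied
2023-06-01T02:16:10Z bob mfa_push approved
2023-06-01T09:30:00Z carol mfa_push denied
2023-06-01T09:45:00Z carol mfa_push approved
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one alert per approval that was preceded, within `window`, by at
    least `threshold` denied or timed-out pushes for the same user.

    The thresholds are assumptions; tune them to the tenant's normal prompt rate.
    """
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            by_user[user].append((ts, result))

    alerts = []
    for user, pushes in by_user.items():
        pushes.sort()  # chronological order per user
        for i, (ts, result) in enumerate(pushes):
            if result != "approved":
                continue
            # rejected/ignored prompts in the window leading up to this approval
            rejected = [t for t, r in pushes[:i] if r != "approved" and ts - t <= window]
            if len(rejected) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts,
                    "rejected_before": len(rejected),
                    "first_push": min(rejected),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"possible MFA bombing: {alert['user']} approved at {alert['approved_at']}"
              f" after {alert['rejected_before']} rejected prompts since {alert['first_push']}")
```

An alert of this kind is a strong signal to reset the user’s password (the attacker had it) and review sessions created at the approval time; after number matching is enforced the same burst still appears as repeated denials, which remains worth alerting on.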
Privilege Escalation
Vulnerability Management (VM) & Patching: VM & Patching should cover both external-facing and internal systems, so that an attacker who gains a foothold finds lateral movement and privilege escalation difficult rather than trivial.
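The Vulnerability Management & Patching items under Initial Access and Privilege Escalation both point at the same operational question: with more open findings than patch windows, which ones go first? The following is an added example, not code from the original article, and not a CISA tool: it ranks a scanner inventory against a KEV-style catalog, putting entries with known ransomware use and external exposure ahead of the rest and flagging anything past its CISA due date. The catalog excerpt uses the field names of the real KEV JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`), but every entry and every CVE id in it is a constructed placeholder, and the inventory format is an assumption.

```python
"""Prioritize patching against a CISA KEV-style catalog.

Added example, not from the article. The catalog excerpt below mirrors the
field names of the real KEV JSON feed, but all entries are constructed and
the CVE ids are placeholders (CVE-0000-xxxx), not real vulnerabilities.
The asset inventory format is an assumption about what a scanner exports.
"""
import json
from datetime import date

# Constructed KEV-style catalog excerpt (placeholder ids, not real CVEs).
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail", "product": "Server",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleOS", "product": "Kernel",
         "dateAdded": "2023-09-01", "dueDate": "2023-09-22",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory: what a scanner reported per host, plus whether
# the host is reachable from the internet (external) or only internally.
INVENTORY = [
    {"host": "vpn-edge-01", "exposure": "external", "open_cves": ["CVE-0000-0001"]},
    {"host": "mail-01", "exposure": "internal", "open_cves": ["CVE-0000-0002", "CVE-0000-9999"]},
    {"host": "fileserver-02", "exposure": "internal", "open_cves": ["CVE-0000-0003"]},
]


def load_kev(text):
    """Index the catalog by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(inventory, kev, today):
    """Return KEV-listed findings, highest priority first.

    Scoring (an assumption for the example): +3 if CISA records known use in
    ransomware campaigns, +2 if the host is externally exposed, +1 if the
    CISA remediation due date has already passed.
    """
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: leave it to the normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            score = 0
            score += 3 if entry["knownRansomwareCampaignUse"] == "Known" else 0
            score += 2 if asset["exposure"] == "external" else 0
            score += 1 if today > due else 0
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware_use": entry["knownRansomwareCampaignUse"],
                "exposure": asset["exposure"],
                "overdue": today > due,
                "due": due,
                "score": score,
            })
    # highest score first; ties broken by the earliest due date
    findings.sort(key=lambda f: (-f["score"], f["due"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_JSON), date(2023, 10, 1)):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"].isoformat()
        print(f'{f["score"]}  {f["host"]:14} {f["cve"]}  {f["product"]}  '
              f'ransomware={f["ransomware_use"]}  {f["exposure"]}  {flag}')
```

Because the internal file server ranks above the internal mail server here only on the ransomware-use flag, the example also illustrates the point of the Privilege Escalation item: internal hosts are not exempt from the same prioritization, since that is where an attacker with a foothold escalates and spreads.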
Defense Evasion
Endpoint Detection and Response (EDR) tools: The presence of EDR tools decreased the mean cost of a data breach by ~$174k in 2023. While EDR bypass attacks exist, bypassing significantly increases the difficulty of the attack, and EDR tools provide logs and triggers which, when properly managed and ingested, significantly increase the probability that an attack will be detected in earlier attack stages.
Lateral Movement
Network segmentation: This helps contain ransomware and limits lateral movement. Segmenting critical assets (and especially backups) reduces the odds that ransomware can encrypt and exfiltrate that data.
Impact
• Backups: Although ~96% of modern ransomware attacks target backup repositories, on average only 37% are affected. Backups combined with restrictive network segmentation can help recover faster. While the goal of earlier-stage defenses is to avoid ransomware altogether, an organization that can resume operations through backups has more negotiating power than an organization whose data is locked away without recourse.
• Incident Response Planning: High levels of IR planning and testing saved organizations $1.49M on average post-breach compared to organizations with low levels. Incident response contains several different workstreams, including (among others) technical mitigations, customer communication, and legal notifications. These highly complex and scrutinized workstreams require advance planning and orchestration across the organization and its partners as part of a larger Incident Response Playbook. As an example of complexity, beginning in 2002, US states began enacting breach notification laws at the state level – meaning up to 50 different sets of laws – significantly increasing the complexity and cost of breach notifications.
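The Backups item above only pays off if the copy you restore from is provably the copy you made, since an attacker who reaches the repository can encrypt or replace backup files just as easily as production data. The following is an added example, not code from the original article: it signs a backup manifest with an HMAC key that is kept outside the repository (which is the practical reason to segment backups from the rest of the network), then verifies a restore candidate against it and shows that both an overwritten file and a re-signed manifest made without the offline key are detected. The file set, key and manifest format are constructed for the example.

```python
"""Verify backup integrity with a keyed (HMAC) manifest before trusting a restore.

Added example, not from the article. The files, key and directory layout are
constructed in a temporary directory and the manifest format is an assumption.
The key must be stored away from the backup repository (e.g. with the restore
team, on segmented infrastructure); a key stored next to the backups lets
whoever encrypted them re-sign a matching manifest.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key):
    """Hash every file under backup_dir and sign the sorted listing with the offline key."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries[os.path.relpath(path, backup_dir)] = sha256_file(path)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_backup(backup_dir, manifest, key):
    """Return (ok, problems): check the manifest signature first, then every file."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest signature invalid"]
    problems = []
    for rel, digest in manifest["entries"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    return not problems, problems


def demo():
    """Build a constructed backup set, verify it, then show two tamper cases."""
    key = b"constructed-demo-key-keep-offline"  # placeholder; a real key is random and stored apart
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("db.sql", b"CREATE TABLE accounts (id INT);\n"), ("config.yml", b"a: 1\n")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, key)
        clean_ok, _ = verify_backup(d, manifest, key)

        # Case 1: a file in the repository is overwritten with unreadable bytes
        # (what an encrypted-in-place backup looks like to the verifier).
        with open(os.path.join(d, "db.sql"), "wb") as f:
            f.write(os.urandom(32))
        tampered_ok, problems = verify_backup(d, manifest, key)

        # Case 2: a manifest re-generated for the altered files, but without
        # the offline key, so the signature check fails before any file is read.
        forged = build_manifest(d, b"wrong-key")
        forged_ok, forged_problems = verify_backup(d, forged, key)
    return clean_ok, tampered_ok, problems, forged_ok, forged_problems


if __name__ == "__main__":
    clean, tampered, problems, forged, forged_problems = demo()
    print("clean restore verifies:", clean)
    print("tampered restore verifies:", tampered, problems)
    print("re-signed manifest verifies:", forged, forged_problems)
```

Running this check as part of a scheduled restore test is what turns “we have backups” into “we can resume operations”, which is the negotiating position the Backups item describes.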