How to Avoid Getting Killed by Ransomware

By working through the kill chain step by step, infosec pros can tap automated data hygiene to find and fix the files that attackers key in on.

If you're an IT security professional, mastering mystifying terminology and arcane acronyms is a rite of passage — maybe even a badge of honor. But there's one unusually blunt cybersecurity term anyone can understand — the "kill chain." A successful attack (the "kill") doesn't just happen. It's the end result of a sequence of essential steps (the "chain") that must be completed in order. If you break the chain, you stop the attack.


The chain metaphor clarifies the problem — but it doesn't necessarily simplify it. If you want to strengthen your defenses against ransomware, you'll need to consider the entire cybersecurity alphabet — from authentication to zero-day malware defenses. In this article, I'll look at an abbreviated kill chain for ransomware with a focus on the "discover and spread" step. Then I'll introduce a strategy of automated data hygiene that can find and fix the overshared files that attackers either take hostage or use to move closer to the kill.

Step 1: Payload Delivery
Most ransomware attacks start by phishing end users, sometimes enlisting compromised websites as temptation. Unsuspecting users take the bait, click the links, and unwittingly deposit attack payloads where they can start their work. Security professionals have tools at their disposal (email scanners, anti-phishing software, employee training) to reduce exposure to malware delivery methods, but the unfortunate truth is that users are soft targets for skilled cybercriminals.

Step 2: Establish Command and Control
After that fateful download or click, the ransomware payload soon attempts to contact its command-and-control (C2) network. Establishing this channel is an essential step. If successful, attackers can remotely explore the target environment, download encryption keys, and find valuable data. Defensive strategies focus on spotting and stopping C2 traffic. This can be a real cat-and-mouse game as attackers shift between connection points and IP addresses.

Step 3: Discover and Spread
Once inside and connected, ransomware perpetrators work to reach deeper into the organization and find ransom-worthy assets. They'll need to find (and compromise) accounts and systems that have access to the right data.

There are three proven ways to stop ransomware attacks at this step. First, adopting two-factor authentication (2FA) should be a part of every CISO's toolkit. 2FA makes it much harder for attackers to gain control of additional accounts. If 2FA is impractical for everyone, then at least implement it on any account with access to irreplaceable and valuable data.

Second, eliminating known vulnerabilities with a robust patch management program closes off still more avenues for compromise. As patch management improves, human-focused attacks (e.g. phishing and social engineering) are rising. It's easy to see why. Compromising a well-patched system requires technical expertise. Convincing end users to cough up credentials requires only human gullibility. That, unlike technical talent, is available in spades.

Lastly, tightening access to unstructured data (the files and documents created and managed by end users) is another effective way to break the chain. Overshared files unnecessarily expand the threat surface. If 10 people need access to a file — and 50 people have access — attackers have five times as many chances to acquire the data as they should.

These files are a goldmine for ransomware artists. The files themselves can have hostage value or can help identify high-value accounts, provide technical data about vulnerable systems, or enhance social engineering attempts with insider information. An imposter posing as an IT staffer, for example, is far more convincing if she knows project code names or personal/organization details.

Security best practices recommend limiting unstructured data access to only those who need it. This "least privilege" model is, on paper, a fine philosophy. In reality, end users decide where to store and how to share files, and they don't always think about security. In fact, recent research found that a typical corporate user, at any given time, owns 36 documents overshared with internal groups (unintended "share all" settings are shockingly common) and 43 documents overshared with individual internal users. Security professionals, unfortunately, have never had an easy way to find and fix these files.

Until now. With the advent of AI-based data access governance solutions, least-privilege access enforcement is now autonomous, scalable, and accurate. As organizations get a better handle on oversharing, it'll be much harder for cybercriminals to move laterally within a network, hijack new accounts, and execute social engineering exploits.
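To make the oversharing problem concrete, here is an added example (my code, not the article's or Concentric's) that audits a constructed file-share inventory for the two patterns described above, unintended "share all" group grants and files shared with too many individual users, and proposes the least-privilege grant set that would fix each finding. Group names, thresholds, the directory and the sample files are all assumptions.

```python
# Added example, not code from the article or from Concentric: audit a share
# inventory for overshared files and propose a least-privilege grant set.
# Group names, thresholds and the sample data below are all constructed.
BROAD_GROUPS = {"everyone", "domain users", "all staff", "authenticated users"}
MAX_DIRECT_GRANTS = 10  # more individual grantees than this is a red flag
GROUP_MEMBERS = {  # constructed directory: group name -> members
    "Everyone": {f"user{i}" for i in range(1, 51)},
    "finance": {"alice", "bob", "carol"},
    "eng": {"dave", "erin", "frank", "grace"},
}

def audit_file(entry, needed, group_members=GROUP_MEMBERS):
    """entry: {"path", "owner", "groups", "users"} as exported from the share;
    needed: users who actually require access. Returns None when sharing
    matches need, else the reasons plus a proposed least-privilege grant set."""
    groups, users = set(entry["groups"]), set(entry["users"])
    allowed = needed | {entry["owner"]}
    broad = {g for g in groups if g.lower() in BROAD_GROUPS}
    effective = set(users)  # everyone who can currently read the file
    for g in groups:
        effective |= group_members.get(g, set())
    excess = effective - allowed
    reasons = []
    if broad:
        reasons.append(f"shared with broad group(s) {sorted(broad)}")
    if len(users) > MAX_DIRECT_GRANTS:
        reasons.append(f"{len(users)} individual grants (limit {MAX_DIRECT_GRANTS})")
    if excess:
        reasons.append(f"{len(excess)} reader(s) have access but do not need it")
    if not reasons:
        return None
    # Fix: keep non-broad groups whose every member needs access; anyone
    # else who needs the file gets a direct grant instead.
    keep = {g for g in groups - broad if group_members.get(g, set()) <= allowed}
    covered = set().union(*(group_members[g] for g in keep))
    return {"path": entry["path"], "reasons": reasons,
            "grant_groups": keep, "grant_users": needed - covered}

def audit_inventory(inventory, needed_by_path):
    """Findings keyed by path for every overshared entry in the inventory."""
    hits = ((e["path"], audit_file(e, needed_by_path.get(e["path"], set()))) for e in inventory)
    return {path: found for path, found in hits if found}

INVENTORY = [  # constructed sample: one unintended "share all", one clean file
    {"path": "/shares/finance/q3-forecast.xlsx", "owner": "alice",
     "groups": ["Everyone", "finance"], "users": ["dave"]},
    {"path": "/shares/eng/design.md", "owner": "dave", "groups": ["eng"], "users": []},
]
NEEDED = {"/shares/finance/q3-forecast.xlsx": {"bob", "carol"},
          "/shares/eng/design.md": {"erin", "frank", "grace"}}
```

In a real deployment the inventory would come from the file server's ACL export and the "needed" set from the data owner or a classification tool; the audit then runs on a schedule so new oversharing is caught before an attacker finds it.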

Step 4: Encrypt and Extort
If you are unlucky enough to reach this phase, it's probably too late. Once the data is encrypted, the attacker is ready to extract ransom for data that's impossible to recover without their "help." An unaffected backup is often your only hope, but cybercriminals do their best to find and encrypt backups to seal off escape routes. If the attack completes this link of the kill chain, you have joined the ranks of thousands of organizations victimized by ransomware.

Monetization is the name of the game for cybercrime and it will continue to be a lucrative "growth opportunity" in 2021. The "Mid-Year Threat Landscape Report 2020" from Bitdefender highlights a seven-fold, year-on-year increase in ransomware reports. According to Cybersecurity Ventures, global ransomware damage costs are predicted to reach $20 billion in 2021 (up from $325 million in 2015).

The takeaway? Ransomware isn't going away any time soon, but kill chain analysis can help organizations develop a defensive strategy and identify new ways to keep themselves out of harm's way.

Karthik Krishnan is Founder/CEO, Concentric. Prior to Concentric, he was VP, Security Products at Aruba/HPE, where he managed their security portfolio. He was VP, Products at Niara, a security analytics company focused on user and entity behavior analytics. Niara was acquired ...
