By Chip Witt, Vice President of Product Management at SpyCloud
Ransomware continues to be a rising and persistent threat to organizations, with research showing that 50% of organizations have been hit with ransomware attacks anywhere from two to five times in 2022, compared to 33.5% in 2021.
The rise of these attacks, along with evolving tactics and targets, has led some IT leaders to seek upgrades and add newer cybersecurity tools to their current protections to thwart such intrusions.
According to SpyCloud’s 2022 Ransomware Defense Report, which surveyed 310 IT security practitioners across North America and the UK, 90 percent of respondents reported that their organization was affected by at least one ransomware attack last year (up from 72.5 percent a year prior), with 77.7 percent claiming they have been hit multiple times.
As a result, confidence in existing ransomware mitigation tools has dipped over the past year, with more organizations seeking either capability upgrades or new technologies.
But while new tools can help combat ransomware attacks, organizations may be overlooking fundamental gaps that will allow attackers to bypass their expanding security stacks.
Ransomware remains top of mind for organizations
The fallout from a ransomware attack, and the possible damage to an organization’s reputation, remain a top concern for organizations when addressing their security operations.
This fear, combined with an expectation that ransomware will eventually succeed in impacting their networks, has led organizations to divide their focus between defending against intrusions and mitigating their effects.
That has included an increased focus on recovery efforts, such as companies purchasing cyber insurance to mitigate potential losses or opening cryptocurrency accounts as a preparedness measure to pay the ransoms that attackers may demand.
These efforts come alongside organizations’ desire to mount a more robust defense to reduce their risk of a ransomware attack, adding new tools to their technology stack. However, while pursuing new solutions may offer organizations new capabilities, they may not reduce risk if foundational cybersecurity practices remain overlooked.
Threat vectors such as unmonitored devices accessing the network and malware-stolen session cookies that can enable session hijacking can be as damaging as traditional ransomware entry points like unpatched software or phishing emails.
Implementing new solutions without first addressing the core issue can leave organizations with critical security gaps that make them more vulnerable to ransomware attacks. When it comes to a true defense program, such solutions are ultimately a band-aid on a bullet wound.
The attacker is already inside the house
As attackers already have access to an organization’s data before deploying ransomware, IT security professionals must be able to prevent potential breaches through solutions like endpoint protection, credential monitoring, user and entity behavior analytics, software patching, and other best practices.
But even with those steps in place, organizations face vulnerabilities from third-party and partner applications that may sidestep cybersecurity tools. The risk of a third-party-based cyberattack was ranked as the top concern for organizations when reflecting on their cybersecurity plans, coming ahead of the sophistication of ransomware attacks and the frequency and severity of malware.
However, one of the most impactful issues facing organizations fell to fourth in the report, despite its potential to fuel future ransomware attacks: the severity of data breaches.
After the significant disruption of an initial ransomware attack, it is easy for organizations to view subsequent intrusions as standalone events, each compartmentalized in its circumstances and highlighting yet another vulnerability that new tools need to solve.
It’s more likely that these ransomware attacks recur because data taken in the initial breach has become a force multiplier for new intrusions. Without full visibility into what data has been compromised, organizations may be subject to a feedback loop of new ransomware attacks resulting from that data.
At its foundation, the full mitigation of a ransomware attack is still a challenge for organizations. Even if a percentage of organizations are able to retrieve their stolen data post-attack, that doesn’t mean the data wasn’t already shared more widely for other follow-on attacks, as the data on multiple attacks may indicate.
With current endpoint solutions only accounting for the initial infection on a device and not the additional applications or tools that may have been impacted, a big part of the post-infection remediation is missing for most organizations to truly be free of exposure.
The post-infection remediation approach
Remediating malware infection usually begins and ends with re-imaging the infected machine, but as we’ve seen from recaptured data, criminal activity usually lives well beyond the scope of an initial malware infection.
Post-infection remediation, rather than focusing just on the machine, requires exploring what information was exposed and then remediating that exposure to its furthest reaches.
A machine’s infection is not fully remediated until the exposure of the user and of the user’s impacted applications is known and accounted for. This means taking the appropriate steps to re-image the infected machine while concurrently researching the impacts of that infection to prevent new attacks from materializing.
Factoring post-infection remediation into an enterprise’s cybersecurity plan helps prevent attackers from re-accessing a network through malware-harvested credentials, stolen session cookies, and other data exposed from an infostealer infection.
While wiping malware-infected devices is the first step, organizations also need full visibility into the devices, applications and users that may have been compromised by an infection. Without all that compromised data being remediated, the enterprise remains at risk for follow-on attacks including ransomware.
Prevention and remediation can help promote resilience
Tools to identify and prevent ransomware and other cyberattacks continue to evolve, but organizations are unlikely to outpace the ingenuity of their attackers. While layered defense built with cutting-edge technology can help identify potential attacks, organizations must also focus on identifying workforce and implementation challenges and obtaining full visibility of any compromised data.
By strengthening detection and prevention tools, organizations can make themselves a smaller target, and with thorough post-infection remediation, they can ensure a swift recovery from any potential breach or malware infection and be better prepared to limit the damage.
About the Author
Chip Witt has over twenty years of diverse technology experience, including product management and operations leadership roles at Hewlett Packard Enterprise, Webroot, VMware, Alcatel, and Appthority. He is currently the Vice President of Product Management at SpyCloud, where he drives the company’s product vision and roadmap. Chip works closely with field intelligence teams specializing in OSINT and HUMINT tradecraft, actor attribution and underground monitoring. Chip can be reached online at https://www.linkedin.com/in/chipwitt/ and at SpyCloud’s company website, https://spycloud.com/.