What Is Ransomware?
You may have heard a lot about ransomware lately. Ransomware is a type of malware used by hackers to compromise a system, encrypt business-critical data, and force the owners to pay a ransom in order to unlock it.
How Does Ransomware Work?
Like most malware, ransomware often relies heavily on social engineering. A hacker needs an entry point in order to get into a computer, and the most common entry point is a human being operating a machine. As you can imagine, the larger the company, the larger the number of entry points a hacker can exploit in order to get into a company’s system.
The most common way for ransomware to get into a computer is through email phishing. This type of email typically includes attachments or links to malicious websites. Once the user opens the attachment or clicks the link, the ransomware can infect the computer and spread to the entire network. This is why social engineering is relevant. Ransomware groups are able to trick people into opening attachments or clicking links by not only appearing legitimate, but also triggering a sense of urgency that compels users to click without first asking questions.
Another common ransomware entry point is vulnerable applications and networks, which attackers use to gain access to a specific server or desktop by exploiting either an unpatched system with known vulnerabilities or a zero-day vulnerability. (Zero-day exploits take advantage of vulnerabilities that are not yet known to threat researchers. At this stage, bad actors target such vulnerabilities because software patches do not yet exist, and signature-based security solutions are not yet aware of the new attack pattern.)
But regardless of the method, and even with proper security safeguards in place, all it takes is one compromise to give attackers entry to a system, from which they can potentially propagate devastating malware across other machines.
Why Should You Care about Ransomware?
If it feels like you’ve been hearing more and more about ransomware recently, you’re right. The total amount paid by ransomware victims quadrupled last year, and this is just from reported attacks—most companies don’t report attacks. What’s worse, the economic impacts go well beyond the costs of ransoms, since ransomware payments do not cover the costs associated with service downtime and recovery.
In a 2020 survey by Sophos, 51% of IT managers reported being hit by ransomware attacks, and 73% of these attacks succeeded in encrypting data.
Ransomware attacks are not exactly new. The first such reported attack happened in 1989, albeit with very different technology, but with similar social engineering techniques. So why is it on the rise now? There are three main reasons for this.
- Ransomware-as-a-service (RaaS): Ransomware attacks used to require a hacker knowledgeable enough to develop malware and distribute it. However, a new business model has emerged where hackers will develop ransomware software and sell it to any criminal who wants to launch an attack in exchange for a fee, often structured as a profit-sharing arrangement. That means that anyone can now launch an attack independent of skill. As IST puts it, “the barriers to entry into this lucrative criminal enterprise have become shockingly low.”
- Cryptocurrency: The rise of ransomware has been closely tied to the rise of cryptocurrencies, which make it significantly harder to trace transactions. Very often, ransomware money flows through multi-step transactions involving a variety of financial institutions, many of which are not part of regulated financial markets. On top of that, most cryptocurrencies are borderless, which not only makes tracing funds hard, but clawing them back even harder.
- Dual Threat: If early ransomware attacks threatened to lock your data, today’s attacks pose a dual threat of locking your data and/or leaking your data to the public. Given how easy it is today to leak data to the general public, and the reputational risks associated with that, the dual threat makes ransomware more powerful as it adds a sense of urgency: you either pay now or you risk seeing your customer data leaked, independently of whether or not you may be able to recover your data through your own means.
How Can You Prevent Ransomware?
First and foremost, preventing ransomware requires user education. The more people you have in your organization, the more entry points hackers have to attack you. Nothing replaces proactive incident planning, employee education, and basic security hygiene. Companies should also make sure to keep their operating systems and other components, including endpoint protection software, up to date. Using a modern risk-based approach to cybersecurity can help prioritize efforts in this area. Additionally, complying with regulations specific to your industry such as PCI, SOC2, ISO, etc. (even those that are not mandated) will help guide companies to improve their security programs.
In parallel with that, there are fundamental techniques that you should implement to further minimize ransomware risk.
Use a Web Application Firewall (WAF)
WAFs can prevent cross-site scripting (XSS), where attackers attempt to inject scripts into legitimate websites that might be visited by employees of a targeted company. Typical XSS attacks include session stealing, account takeover (ATO), MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user’s browser such as malicious software downloads, key logging, and other client-side attacks.
Additionally, to defeat phishing attacks that attempt to leverage your own content (e.g. static images) on imposter landing pages, WAFs allow you to whitelist the domains that can be referrers to your assets and block all others, making life harder for would-be attackers. By protecting sites and applications used by employees, security teams can prevent attackers from compromising individual user accounts, which are often used by hackers as the entry point into an organization.
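The referrer allowlist described above, as an added example that is not Azion's or any WAF vendor's code: a small decision function that gates static assets on the Referer header, matching allowlisted domains on a label boundary so look-alike hosts do not pass, and handling missing or malformed headers explicitly. The domain names, path prefixes and the allow_missing trade-off are assumptions constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: domains permitted to reference our static assets
# (constructed for this example; substitute your own sites).
ALLOWED_REFERRER_DOMAINS = {"example.com"}

# Only static assets are referrer-gated; HTML pages must stay reachable
# by direct navigation, bookmarks and links from anywhere.
PROTECTED_PREFIXES = ("/static/", "/images/")


def referrer_host(referer: Optional[str]) -> Optional[str]:
    """Normalised hostname from a Referer header, or None if the header
    is absent or cannot be parsed."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname  # lowercased, no userinfo
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    return host.rstrip(".") or None  # drop trailing dot of an FQDN


def host_in_allowlist(host: str, allowed=ALLOWED_REFERRER_DOMAINS) -> bool:
    """Match the domain itself or any subdomain on a label boundary, so
    example.com.attacker.test and attackerexample.com are rejected."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def referrer_decision(path: str, referer: Optional[str],
                      allow_missing: bool = False) -> Tuple[str, str]:
    """Return (action, reason) for a request to `path` carrying `referer`.
    allow_missing decides the trade-off for requests with no Referer at
    all (strict Referrer-Policy, privacy extensions, direct loads)."""
    if not path.startswith(PROTECTED_PREFIXES):
        return ("allow", "not a referrer-gated asset")
    host = referrer_host(referer)
    if host is None:
        return ("allow" if allow_missing else "block", "no usable Referer")
    if host_in_allowlist(host):
        return ("allow", f"referrer {host} allowlisted")
    return ("block", f"referrer {host} not allowlisted")
```

The Referer header is supplied by the client, so this raises the cost for phishing kits that hotlink your assets from a browser rather than guaranteeing they cannot copy them; logging the blocked referrer host gives you an early signal that an imposter page is being built.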
WAFs can also block a range of injection attacks, including OS command injection, where attackers attempt to run operating system commands on servers hosting inadequately protected web applications. When successful, command injections can lead to the full takeover of a server, from which attackers may move laterally across the network to other machines, or install malware that encrypts data, locking up critical business systems and even exfiltrating sensitive data.
When choosing a WAF, however, it is important to pick a solution that does not rely on signatures of known threats. Signature-based solutions rely on known attack patterns and provide little to no protection against zero-day threats. Instead, look for solutions that use advanced detection techniques, including those that leverage scoring algorithms in order to lower risk and mitigate zero-day threats.
Implement a Zero-Trust Framework
Organizations concerned with ransomware should implement a zero-trust security framework. As mentioned earlier, once attackers compromise a given machine on a network, they will attempt to move laterally across the network, taking over and encrypting additional machines. In older network security models, access, and sometimes administration privileges, were granted to anyone already on the network. It’s hard to imagine this model ever being secure, but it was the norm before technology shifts dissolved traditional corporate boundaries. Today employees, contractors and customers access critical applications from anywhere in the world and on a wide range of devices.
By setting up secure microperimeters using edge firewalls with programmable custom rules, enterprises can segment and protect a wide range of both internal or external-facing applications and networks from unauthorized access and other malicious actions. Choosing solutions that log rich data in real-time can also improve observability practices and incident response—both essential pillars of zero-trust security.
Leverage Serverless Applications
Organizations should also leverage the inherent security advantages of serverless applications. Applications built with serverless technology remove vulnerable infrastructure layers that DevSecOps teams would otherwise have to maintain. With serverless computing, organizations no longer need to worry about keeping operating systems up-to-date, scanning containers, or patching servers. Instead, they can focus on building innovative, high-performance applications without worrying about securing or even scaling infrastructure.
In addition, leading analysts agree that edge computing is the next logical frontier following the move to the cloud. And when it comes to serverless applications, the opportunities and use cases are nearly unlimited. Many organizations are already using serverless applications to modernize legacy workloads by adding additional security layers or implementing business rules at the edge. One common security use case we see today includes adding more robust authentication and authorization protocols to existing applications. In other cases, we see customers using edge computing platforms with integrated security features to hide origin servers and infrastructures from would-be attackers, or completely replacing their origin servers across a serverless edge network. With no centralized servers to attack and take over, edge computing makes the life of a ransomware scammer that much harder.
Ransomware has huge consequences, including business interruption, data leaks, reputation damage, recovery fees and other costs. Without sufficient protections, organizations hit by ransomware may be tempted to pay criminals to retrieve their data or unlock critical systems, incentivizing future attacks. And as long as the other factors driving the frequency of ransomware attacks, such as ransomware-as-a-service and the high value of cryptocurrencies, hold, the need for every organization to defend itself against this increasingly common threat only becomes more important. With Azion’s Serverless Edge Computing Platform, organizations can decrease vulnerability to ransomware attacks by using an edge-native WAF, implementing zero-trust security, and taking advantage of the inherent security advantages of serverless applications, including greatly reduced infrastructure vulnerability risk.
To learn more about Azion’s solutions for protecting against ransomware, talk to an expert today!