The way cybercriminals use and manipulate ransomware in an effort to extract money and data from businesses has changed. In the past, attacks were delivered through malware and could usually be recovered through a backup restoration.
Now though, attackers use compromised user credentials to gain access to systems, snoop around, find sensitive data, and figure out the best way of stealing and encrypting data.
Attackers can be in systems for a long period before launching the data encryption stage of a ransomware attack. This is known as dwell time.
ThycoticCentrify's 2021 State of Ransomware Survey - Report says that once attackers can get access to domain administrator privileges, it is often only hours before they deploy the ransomware.
System and data backups are essential to swift recovery from an attack, but sometimes organisations feel that paying a ransom demand is the only realistic option. According to the report, 64% of IT decision-makers in the United States had experienced a ransomware attack in the last 12 months. Disturbingly though, 83% paid the ransom when they were affected by an attack.
Experiences with ransomware have stirred these decision-makers into action - 72% noted an increase in their security budgets, and 93% have allocated a budget specifically for fighting ransomware threats.
The budget increases are allocated to areas such as network and cloud security, as well as other focus areas such as privileged access management (PAM).
The acknowledgement of ransomware threats and budget increases to suit are promising developments, but they are of little use if organisations don't know where to start.
The Australian Cyber Security Centre (ACSC) assembled the Essential Eight Strategies to Mitigate Cyber Security Incidents, which provides a blueprint to dealing with all kinds of cyber attacks.
The Essential Eight is designed to steer mitigation strategies to focus on specific areas, such as targeted cyber intrusions, malicious insiders, and ransomware. It is recommended reading for all organisations that need to build or modify their defence strategies.
ThycoticCentrify Australia and New Zealand vice president Andrew McAllister notes, “The ACSC recommends that all Australian organisations implement the Essential Eight which, it says, can be more cost-effective in terms of time, money and effort than responding to a large-scale cybersecurity incident. With ransomware attacks reported weekly or more frequently, even non-regulated organisations are starting to heed the ACSC's advice.
Within the Essential Eight, two principles include the restriction of administrative privileges, as well as multi-factor authentication. Here is the official advice from the ACSC:
- Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.
- Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
The Essential Eight and ThycoticCentrify's report both call attention to the importance of backups, patching, multi-factor authentication, and PAM deployment, to restrict administrative privileges.
McAllister notes, “Restricting administrative privileges applies both to admin accounts – referred to as the ‘keys to the kingdom' which adversaries target in order to gain full access to information and systems - as well as endpoint devices targeted by malware."
ThycoticCentrify explains further, “PAM policies that make least privileged access a priority reduce the risk of attacks and limit their potential damage. They also enable security teams to identify the attack entry point, understand what happened, help remediate, and ultimately protect restored data.
Find out more in ThycoticCentrify's 2021 State of Ransomware Survey - Report here.