Ransomware continues to be a broad, persistent, and complicated problem that is top of mind for the C-suite – a survey of more than 400 CISOs found that ransomware is the top cyber threat most concerning to respondents. One way to prevent ransomware is to identify and remediate common entry points. Here we outline three of them, and discuss the steps you need to take to proactively close gaps in your ransomware prevention strategy.
1) Compromised Credentials
Criminals don’t break in, they log in – and they are not at a loss for credentials to use against us. Last year alone SpyCloud recovered 1.7 billion exposed credentials and 13.8 billion personally identifiable information (PII) assets, all of which were available for criminals to leverage in attacks. The Verizon 2022 Data Breach Investigations Report also indicated a 30% increase in stolen credentials since 2017, and stated,
“We’ve long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system. There is also a large market for their resale, which means they are truly the ‘gift’ that keeps on giving.”
As ransomware surged in 2021, it was reported that the attack on Colonial Pipeline – the largest fuel pipeline in the U.S. – was “the result of a single compromised password.” Attackers gained access into the company’s networks through an employee’s virtual private network account. The employee’s password was discovered in a batch of leaked passwords available on the dark web, which means that the employee “may have used the same password on another account that was previously hacked.”
One of the most straightforward approaches to ransomware prevention is to treat it as a follow-on attack from account takeover (ATO). The goal of ATO is for criminals to perpetrate all manner of malicious activities, not limited to ransomware, without being detected. In a typical scenario, a ransomware operator obtains credentials through an initial access broker, who has purchased, guessed, or stolen them and provides them to the operator for a fee.
Another concern with regards to compromised credentials is password reuse. SpyCloud found a 64% password reuse rate last year, which puts enterprises at risk when employees reuse passwords across multiple online accounts. Credentials that have been exposed in third-party data breaches or siphoned via malware can be exploited to access their corporate accounts. An automated ATO prevention solution can protect your organization from compromises due to password reuse, reduce the risk of data loss and downtime from ransomware, and protect your brand and reputation.
2) Unmanaged Devices or Bring Your Own Device (BYOD)
Employees who use personal devices to access corporate assets and applications also pose a threat to organizations. IT security teams already struggle to stay on top of security challenges they are aware of, so increasing the attack surface with devices they can’t see or control puts even more burden on already overwhelmed teams.
Malware becomes a significant threat when employees use unmanaged devices; if someone uses their corporate credentials to access corporate applications on a personal device that is unknowingly infected with malware, that information could be siphoned directly into the hands of cybercriminals to be sold on the criminal underground.
Consider the threat of just one infected device. With access to 50, 60, 100, 200 work applications, this poses a massive enterprise risk – every application compromised by malware, whether it’s an SSO instance, a CRM database, or corporate chat. They’re all entry points into an organization.
And it’s not just about the one device or some compromised credentials or session cookies. Infostealers siphon so much information from even one device that the risk profile created from that one infection is significant. And, the risk is often underestimated since getting visibility into unmonitored, personal devices and exposures of third-party workforce applications is difficult to impossible for most security teams.
These malware infections can have serious long-term repercussions. Malware-siphoned data shows up on botnet logs that are then sold on the criminal underground, which can be used to launch ransomware attacks. Ransomware operators frequently use malware logs to identify high-value credentials and other data can help ransomware gangs gain access to corporations.
Unfortunately, existing endpoint detection response (EDR) and application security management (ASM) solutions don’t offer adequate protection from malware attacks. Enterprises need insights into the full picture of malware risks, including the compromised assets most likely to lead to future ransomware attacks.
3) Managed Devices with Vulnerabilities
Cybercriminals are on the hunt for low-hanging fruit, and even managed devices can present vulnerabilities for organizations. An employee machine that isn’t up-to-date on security patches or isn’t following security policies could serve as an open door for ransomware.
For example, a criminal may discover a vulnerability in a backend server. Usually, what they’re trying to find is the user database that has everyone’s emails or usernames, passwords and other PII. Remote Desktop Protocol (RDP) is another way bad actors can gain access to corporate assets by logging into the system using weak or compromised credentials that could be easily guessed or purchased on the criminal underground. For some criminals, this is all they do – they look for holes in web servers or other internet facing services and try and gain access from there.
Once in the network, criminals can then move laterally throughout the organization, bypassing multi-factor authentication (MFA) and escalating privileges to gain even more access to business critical applications and data to be able to start encrypting and destroying files.
To prevent these kinds of vulnerabilities, IT security teams must monitor and track security policy compliance across the workforce to ensure all corporate resources and assets meet the organization’s cybersecurity policies. SpyCloud also offers password recommendations to further bolster your ransomware defenses.
Protecting Against Ransomware
To proactively prevent ransomware attacks, we suggest one key recommendation for each of the above mentioned entry points.
Implement an ATO solution that monitors the criminal underground for stolen passwords and remediates compromised credentials for your employees.
Identify threats outside of corporate oversight and take swift action to prevent unauthorized access, such as when cookies from critical workforce services are stolen from employees’ infected personal or corporate devices.
Ensure all corporate resources and assets are current on security updates and take immediate action when an employee or device falls out of compliance with your organization’s security policies, especially when it comes to password policies.
While ransomware gangs continue to experience widespread success in their malicious attacks, there is still hope when it comes to ransomware prevention. Being aware of risky entry points and taking proactive steps to close those gaps in your security posture will help protect your organization against ransomware attacks.