A recent survey of enterprise CISOs found that ransomware is the most concerning issue they face today. And for good reason: 66% of organizations were hit by ransomware in 2021, compared to 37% in 2020.However, typical incident response plans often focus on the later stages of ransomware attacks because that’s when it’s evident that criminals have gotten in. It’s typically only then that you may realize that your current detection measures just weren’t enough.To truly understand ransomware attacks, you must understand how criminals can get in the first place, particularly the ways that fall through the cracks of traditional ransomware prevention strategies.
The Ransomware & Stolen Credentials Connection
Ransomware only works when bad actors gain access to your systems. The easiest way to get unauthorized access is to use stolen login credentials. In a typical scenario, the ransomware operator obtains credentials through an initial access broker, who has purchased or stolen them and provides them to the operator for a fee.
One of the most straightforward approaches to ransomware prevention is to treat it as a follow-on attack from another, more ubiquitous credential problem: account takeover (ATO). The goal of ATO is for criminals to perpetrate all manner of malicious activities, not limited to ransomware, without being detected. ATO often serves as a precursor to ransomware attacks.
Even with layered defenses, accounts and devices that put enterprises at risk are still getting compromised. Each compromised asset represents a critical attack vector:
Illuminating the Risk of Malware Data as a Precursor to Ransomware Attacks
Enterprises often lack visibility into malware compromises, especially when the infected devices are unmanaged. And even when malware is removed from a device, the damage has typically already been done – information siphoned from the machine including passwords, device and web session cookies, browser fingerprint, and many forms of personally identifiable information (PII) could already be on its way to the criminal underground. Stolen passwords, cookies and fingerprints in particular open the door for ransomware attacks.
Even if your Security Operations Center (SOC) team identifies the malware, wipes the infected device, and considers the issue resolved, the damage could actually just be starting if corporate credentials get into the hands of bad actors.
A machine-centric SOC process misses the full scope of what a malware-infected device compromises. Without the knowledge of all affected users on all devices – including personal/unmonitored devices – and workforce applications and third-party services like SSO, it’s impossible to confidently close the ticket.
The enterprise remains at risk until the full scope of compromised applications are identified and remediated.
Stages of a Ransomware Attack
Sometimes, attacks are purely opportunistic. An attacker may choose to infect a vulnerable organization because they encounter convenient credentials or have other potential access into their network. In other circumstances, the bad actors may go through various stages that follow a more complex attack pattern.
How to Prevent Ransomware Attacks
In today’s threat landscape, backups alone are not effective to recover from a ransomware attack. Neither is endpoint protection in a remote work world where employees are accessing corporate applications from personal devices outside of your control. A layered defense focused on credential management is required – one in which proactive monitoring and remediation of compromised credentials and malware-infected devices is considered essential.
Continuously monitor and remediate compromised credentials and stolen cookies
Implement multi-factor authentication (MFA)
Educate workforce on cybersecurity best practices
Detect active and recent malware infections
The Missing Link: Post-Infection Remediation
Once stolen data gets siphoned by malware, it doesn’t just go away. Data from malware infections gets traded on the criminal underground. And it remains valuable to criminals as long as the credentials and cookies remain active and in-use.
Without access to the actual data that was siphoned by the malware, you are likely missing 70-80% of your compromised assets. A lot of guesswork would be needed to map the employee’s activity during the infection window to identify any compromised applications and remediate the exposed data. The applications themselves might be shadow IT, outside of corporate control, but still might have corporate information saved in them. But since they are unmanaged, you can’t fix what you can’t see.
Post-infection remediation is critical for incident response. For this, you need:
Greater visibility of compromised third-party applications
Ability to intervene on both corporate and unmanaged devices
Significantly shorter enterprise exposure window
Enterprises need a solution that facilitates the post-infection remediation of malware infections on both managed and unmanaged devices, mapping the connections between applications, machines, and users to help SOC teams visualize the scope of a threat at-a-glance and respond quickly.
Truly stopping ransomware requires identifying stolen data tied to an enterprise exposed in the dark web so organizations can protect themselves from compromised credentials and hard-to-detect malware infections that serve as common precursors to ransomware attacks. The only way to do that is to have access to a comprehensive, constantly updated, real-time database of recaptured data.
SpyCloud offers the largest collection of recaptured darknet data in the world, combined with the earliest possible recovery. Our proprietary engine quickly ingests data from breaches, malware-infected devices, and other underground sources, then cleanses and enriches the data – adding context to the records so you understand the severity of the exposures (the source, breach description, and the actual password in plaintext). Our customers get notifications of compromised accounts and passwords far sooner than any other provider.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.