While the methods of ransomware attacks have evolved over time, the goal has remained the same: to extort money. This raises the question: in a world of ever-increasing ransomware attacks, what common types of attack should firms be aware of and able to recognize? Two of the most common trends seen so far are highly targeted phishing campaigns and insider threats, both of which have become standard entry points for ransomware attackers (Phishing).
Phishing campaigns run by ransomware attackers are industry agnostic in whom they target and can take a variety of forms. In its basic form, phishing is an attack technique, frequently used to deliver ransomware, that uses email, phone calls, or social media to lure a user into sharing personal information or into installing malware on the attacker's behalf. Variations include spear phishing (targeted phishing sent to a specific individual or group), domain spoofing (using look-alike URLs to trick a user into thinking they are visiting a legitimate site) and smishing (phishing via text messages that entice users to download malware), to name a few. Phishing attacks have become the new normal, growing 65% in the last year, with 60% of Americans saying they or a family member were the victim of an attack in the last year (Phishing).
In a sense, all successful phishing campaigns are insider threats, since employees are unwittingly assisting the ransomware attack. There are, however, more deliberate types of insider attack. Some involve employees who believe they are exempt from security policies and break protocol (for example, storing unencrypted personally identifiable information in cloud accounts for easy access). This allows cybercrime cartels like Ragnar Locker, a group that specializes in terminating remote management software, to take over clients' systems remotely and evade detection so that security administrators do not interfere with their ransomware deployments (Gatlan). Other insider attacks are more direct and malicious, such as collaborators who sell information to cybercriminals and nation states, or lone wolves, typically system or database administrators, who act without outside direction to build ransomware that infects their own organization (Goldstein).
Without a doubt, phishing and insider threats are growing forces to be reckoned with. They create a darker world, a virtual boogeyman for every organization and its employees. While awareness of this problem is beneficial, it is insufficient to stop the cybercrime hurricane heading towards us. However, as with any natural disaster, there are protective and remedial measures that a responsible organization can and should implement to weather the attack. Let's look at what preventative measures can be taken to safeguard against ransomware attacks.
Preventing insider attacks is no simple feat, but the first step is detection, and that starts with an effective centralized monitoring solution. To detect insider threats, organizations typically aggregate and manage security data through a Security Information and Event Management (SIEM) platform. Having all security data in one place is vital: it lets the organization analyze abnormal user behavior and improves visibility into any gaps in coverage (Goldstein).
Once security data has been aggregated, the relevant sources, including access, authentication, account-change, endpoint protection, and VPN logs, should be prioritized, since these are the standard entry points for ransomware. With that data gathered, a baseline of each user's behavior can be modeled and risk scores assigned to events such as changes in geographic location or unusual downloads, to name a few. Sifting through the data efficiently helps the security team pinpoint risky users and identify ransomware attacks early (Goldstein).
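As an added illustration, not code from the original article or from any SIEM vendor, the following Python sketches the kind of risk scoring just described: normalized access, authentication, account-change, endpoint and VPN events are scanned in time order and each user accumulates a score from indicators such as a country change on VPN, a self-granted admin role, a bulk download, or an endpoint alert. The event schema, indicator names, weights and threshold are assumptions, and the events are constructed sample data.

```python
# Added example: a minimal user risk scorer over aggregated SIEM-style events.
# The event fields, indicators and weights below are assumptions, not a real
# SIEM schema or vendor product.
from collections import defaultdict

# Constructed sample events: (timestamp, user, source, event, detail)
EVENTS = [
    ("2021-10-14T08:02", "alice", "vpn", "login", "country=US"),
    ("2021-10-14T08:10", "alice", "access", "download", "bytes=2000000"),
    ("2021-10-14T09:15", "bob", "vpn", "login", "country=US"),
    ("2021-10-14T09:40", "bob", "vpn", "login", "country=RO"),    # country changed within the hour
    ("2021-10-14T09:45", "bob", "account", "change", "role=admin"),  # privilege change
    ("2021-10-14T09:50", "bob", "access", "download", "bytes=900000000"),
    ("2021-10-14T10:05", "bob", "endpoint", "alert", "process=rmm_service_stopped"),
    ("2021-10-14T11:00", "carol", "auth", "failure", "reason=bad_password"),
]

# Assumed risk weights per indicator; an organization would tune these.
WEIGHTS = {"geo_change": 40, "priv_change": 30, "bulk_download": 25,
           "endpoint_alert": 35, "auth_failure": 5}
BULK_BYTES = 500_000_000  # assumed threshold for a "bulk" download

def parse_detail(detail):
    """Split a 'key=value' detail string into its parts."""
    key, _, value = detail.partition("=")
    return key, value

def score_users(events):
    """Return {user: (score, indicators)} accumulated in timestamp order."""
    scores = defaultdict(lambda: [0, []])
    last_country = {}
    for _, user, source, event, detail in sorted(events):
        key, value = parse_detail(detail)
        hit = None
        if source == "vpn" and key == "country":
            if user in last_country and last_country[user] != value:
                hit = "geo_change"          # VPN login from a different country than before
            last_country[user] = value
        elif source == "account" and key == "role" and value == "admin":
            hit = "priv_change"             # account elevated to admin
        elif event == "download" and key == "bytes" and int(value) >= BULK_BYTES:
            hit = "bulk_download"           # unusually large download
        elif source == "endpoint" and event == "alert":
            hit = "endpoint_alert"          # e.g. remote-management service stopped
        elif source == "auth" and event == "failure":
            hit = "auth_failure"
        if hit:
            scores[user][0] += WEIGHTS[hit]
            scores[user][1].append(hit)
    return {u: (s, tuple(i)) for u, (s, i) in scores.items()}

def risky_users(events, threshold=50):
    """Users whose accumulated score meets the review threshold, sorted by name."""
    return sorted(u for u, (s, _) in score_users(events).items() if s >= threshold)
```

In the constructed sample only bob crosses the default threshold; alice, whose activity is ordinary, never accumulates a score at all.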
To conclude, ransomware prevention starts with robust detection. By deploying a centralized monitoring solution and managing it effectively, your organization is on the right path to ransomware prevention. In a world that is increasingly remote and operates in hybrid cloud environments, insider attacks will eventually become inevitable. The key differentiator will be between organizations that decide to protect themselves and those that don't. What will you do?
“What Is Phishing.” CrowdStrike, https://www.crowdstrike.com/cybersecurity-101/phishing/, 14 Oct. 2021.
Gatlan, Sergiu. “FBI: Ransomware Gang Breached 52 US Critical Infrastructure Orgs.” Bleeping Computer (ampproject.org).
Goldstein, Jeremy. “What Are Insider Threats and How Can You Mitigate Them?” Security Intelligence, https://securityintelligence.com/posts/what-are-insider-threats-and-how-can-you-mitigate-them/, 16 July 2020.