The fourth version – which is something we're starting to see more and more recently and is twinned with either crypto or locker – is extortion. This is when data is stolen, exfiltrated and then held to ransom. Attackers will say 'if you don't pay us, we're going to release this data on the Darknet', as an example, and so you end up paying for the right to go and delete your own data from the attacker servers.

Can you give us some insight into how the frequency of ransomware attacks has changed and why?

There are many different attributes as to why this has happened. One of them is to do with political relationships between countries – we have to be aware that some variants out there have been linked back to nation states. But I wouldn't say that's the predominant driver.

Key issues are those such as the impact of the pandemic and people working more remotely, in less secure environments. There's a lot more fear, uncertainty and doubt that attackers are exploiting around things like COVID-19 and getting users to click on links and open attachments.

Most ransomware is delivered through some form of social engineering or a phishing attack, but it has become so easy for attackers to execute and get a return from that attack. There is also the increased rise of cryptocurrencies which makes it easier for them to receive payment, but still remain anonymous and more difficult to track.

But taking a step back, we've got to be cognisant that it's becoming very profitable to execute these types of attacks and we're seeing reports of affiliation to nation states because of the impact and the damage that's caused. It all comes back to the fact that ransomware wants to spread. It might get onto one workstation, but it wants to spread far and wide and if it's extortion, it's going to want to pivot off your workstations and go after your data.

Which tools and solutions should organisations consider investing in to protect themselves and what's the best practice approach for protecting against ransomware attacks?

There are the basic elements and basic hygiene which organisations should certainly be considering. For example, keeping machines patched and up to date, making sure you've got some form of next-gen antivirus and EDR solution is going to help filter out some of those initial intrusions.

Taking a different look at this, it's going to be things such as making sure that everyone's running without administrative rights on their workstation,

Why are existing tools and strategies not working against these types of threats?

Perhaps what we focus on too much is stopping the ransomware from getting in and detecting it once it's there, because that becomes an evolving process. It is a continual movement of the goalposts.

We try and detect based on signatures, so attackers then change the code and manipulate those signatures. We try and catch it on behavioural patterns, so if a process methodically goes through and encrypts files alphabetically we can see that process is something we want to block, and so again the attackers will then evolve their code to do encryption on a more sporadic basis.

A lot of the focus has been on that initial intrusion point and stopping and detecting it from executing, whereas perhaps we should be taking a step back and looking at the commonality in all these different variations that we've discussed.

This is something more targeted that we can focus on, because a lot of ransomware discussions are isolated to the endpoint, but while a ransomware attack will hit one endpoint to start with, its objective is to spread. So there's this kind of propagation that happens within ransomware that often isn't necessarily focused on.
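To make the behavioural-detection point above concrete, here is an added illustration that is not part of the interview and not code from any product the interviewee refers to. It compares two toy rules run over constructed file-write events: one keyed on the files being touched in alphabetical order (the pattern the interview says attackers simply stop following), and one keyed on how many high-entropy writes a process makes within a short window, which is unaffected by the order the files are visited in. The process IDs, paths, thresholds and the `FileEvent` record shape are all assumptions made for the example.

```python
"""
Added example: two behavioural rules over per-process file-write events.
All events are constructed sample data; nothing here is a real telemetry format.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import random


@dataclass
class FileEvent:
    ts: float     # seconds since start of capture (assumed field)
    pid: int      # writing process (assumed field)
    path: str     # file written
    data: bytes   # leading chunk of the written content


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def alphabetical_rule(events, min_files=5):
    """Naive rule: flag a process whose touched paths, in time order, are sorted.
    This is the pattern that shuffling the file order defeats."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e.path)
    return {pid for pid, paths in by_pid.items()
            if len(paths) >= min_files and paths == sorted(paths)}


def rate_entropy_rule(events, window=10.0, min_files=5, min_entropy=7.0):
    """Flag a process that writes >= min_files high-entropy files within
    `window` seconds, regardless of the order in which it visits them."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    flagged = set()
    for pid, evs in by_pid.items():
        hi = [e for e in evs if shannon_entropy(e.data) >= min_entropy]
        for i in range(len(hi)):           # sliding window over high-entropy writes
            j = i
            while j < len(hi) and hi[j].ts - hi[i].ts <= window:
                j += 1
            if j - i >= min_files:
                flagged.add(pid)
                break
    return flagged


def build_sample_events():
    """Constructed telemetry: an ordered encryptor (pid 100), a shuffled
    encryptor (pid 200) and an ordinary editor saving text (pid 300)."""
    rng = random.Random(1234)

    def ciphertext(n=2048):
        # stand-in for encrypted output: uniformly random bytes
        return bytes(rng.getrandbits(8) for _ in range(n))

    plaintext = b"Quarterly report draft, section " * 64
    docs = [f"C:/Users/alice/Documents/{name}" for name in
            ("budget.xlsx", "contract.docx", "invoice.pdf", "memo.txt",
             "notes.md", "plan.pptx", "report.docx", "summary.txt")]
    events = []
    for i, p in enumerate(docs):                      # alphabetical order
        events.append(FileEvent(0.5 * i, 100, p, ciphertext()))
    shuffled = [docs[4], docs[1], docs[7], docs[0], docs[6], docs[2], docs[5], docs[3]]
    for i, p in enumerate(shuffled):                  # deliberately non-sorted order
        events.append(FileEvent(100 + 0.5 * i, 200, p, ciphertext()))
    for i in range(6):                                # benign low-entropy saves
        events.append(FileEvent(200 + 0.5 * i, 300, docs[5 - i], plaintext))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("alphabetical rule flags:", sorted(alphabetical_rule(evs)))   # [100]
    print("rate+entropy rule flags:", sorted(rate_entropy_rule(evs)))   # [100, 200]
```

The ordered-only rule misses the shuffled encryptor entirely, while the rate-plus-entropy rule catches both and ignores the editor, which is the kind of commonality across variants the interview argues detection should rest on rather than any one variant's file-walking habit.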
www.intelligentcio.com INTELLIGENTCIO MIDDLE EAST 83