The 3 phases of a ransomware attack and how to protect yourself. Ivanti's advice

Source: HW Upgrade added 21st Jan 2021


Chris Goettl, Director of Product Management for Security Products at Ivanti, analyzes the stages an attacker must go through to carry out a ransomware attack, highlighting the countermeasures to be taken at each stage, including recovery from backup

by Alberto Falchi, published at 14:41 in the Security channel


Ransomware is one of the most insidious threats, especially when aimed at companies, since it risks blocking access to the information essential to running the business. In many cases even a few hours of system downtime cannot be afforded: think of a health facility such as a hospital, where being unable to access data has serious repercussions for patients.

This also explains why cybercriminals favor this type of attack: they know that in many cases victims, especially high-profile targets, are willing to pay in order to decrypt the “locked” data as quickly as possible. Giving in to the threat is not the best choice, for several reasons: on the one hand it finances criminal activity, on the other there is no certainty that the attackers will actually provide the means to recover the data. Worse still, attackers may keep a copy of the information and raise the stakes further, demanding additional money not to publish it online.

Chris Goettl, Director of Product Management for Security Products at Ivanti, a company specializing in cybersecurity solutions, took stock of the situation, analyzing the three phases that characterize a ransomware attack and indicating the actions to take at each of them to keep company systems secure.

The first phase of a ransomware attack: contamination

To encrypt an organization's data, an attacker must first find a way to evade the defenses the company has put in place and, as we all know, phishing is the most traveled route, especially in the last year, during which employees have been working from home, outside the corporate security perimeter, and represent a weak point in the defense chain. However, this is not the only strategy adopted: sometimes criminals enter the corporate network by exploiting known vulnerabilities that administrators have not yet patched, or they obtain access through credential stuffing, replaying username and password combinations stolen from some breached database and disseminated on the dark web.

“In order to prevent contamination, the best thing an organization can do is ensure compliance with basic cybersecurity policies. This is where continuous vulnerability management and timely patch updating come into play, to prevent attackers from accessing the network through a known vulnerability,” explains Goettl. “Ongoing cybersecurity training is the key to ensuring that employees deny access to the hacker using a suspicious email or download link. On the IT and security front, teams need to closely monitor the various applications, maintain access privilege management, and implement two-factor authentication to prevent the intrusion of cybercriminals.”

The second phase of a ransomware attack: data exfiltration

If the attacker manages to evade the external defenses, the next step is to search for the sensitive information the affected company would be willing to pay for. This is not as easy as it seems, because the risk of being discovered is high, which is why malicious actors abuse the devices or applications the system already considers “safe” (legitimate tools and trusted accounts) so as to continue their activity undisturbed.

This is where EDR (Endpoint Detection and Response) and the zero trust approach come in. The former should be installed on all endpoints so that suspicious actions can be quickly identified. However, EDR alone risks being ineffective, which is why Ivanti suggests adding a zero trust approach (literally, “no trust”) to these countermeasures, in which no device or user is considered trustworthy, not even those of administrators. This makes it possible to spot suspicious actions even when they are attributable to a user otherwise above suspicion, such as an admin whose account has been compromised by the attacker. With zero trust, “no user or device is considered trustworthy and must be continuously authorized before being able to access a network, thus preventing cybercriminals from exploiting privileged accounts. EDR is tasked with identifying threat actors, but can be thwarted by a cunning adversary who has previously compromised credentials and is able to act as a trusted user and with the tools one would expect,” continues Goettl. “As hackers are constantly on the move, zero trust access control forces the hacker to take steps that allow defenders to better locate malicious activities. Together, zero trust access control and EDR are a safe combination, as the first approach increases the chance of the second detecting malicious activities.”

The last phase of a ransomware attack: encryption

If the attacker has reached this point, having also got past the EDR, there is little left to do other than shutting down the systems, which of course prevents employees from working but also prevents the intruders from doing further damage. Companies with a good backup policy (with the backups themselves kept out of the attacker's reach) will be able to restore systems faster, reducing downtime and thereby limiting the damage. Acting early is essential, as it avoids having to restore everything: recovery can then focus only on the few files that were encrypted before the countermeasures kicked in.

New solutions are now available that, rather than observing attack patterns as EDR does, analyze the data itself. “It is not necessary to identify a pattern if the files are monitored promptly and, in this case, a barrier against encryption activity may be the only element that allows companies to understand that they are under attack,” Goettl continues. “It's still early days, but there are some solutions coming to market that focus on this ‘last line of defense’ approach, to isolate data much faster and reduce the amount of data recovery required to get back up and running.” Goettl finally concludes by underlining that, by adopting a comprehensive defense approach that includes complete patch management, employee training, access privilege management and ongoing vulnerability management, an attack should not be able to break through a company's external defenses.
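The file-level “last line of defense” described above can be illustrated with a small monitor. The following is an added example, not code from the article or from Ivanti's products: it snapshots the Shannon entropy of every file in a directory, then compares two snapshots and raises an alert when several files jump from low to high entropy (encrypted output approaches 8 bits per byte) or disappear (ransomware typically renames victims with a new extension). The thresholds, the sample documents and the XOR-based stand-in for the encryptor are all constructed for the demo and are assumptions of this example.

```python
"""Entropy-based detection of bulk file encryption (added example)."""
import math
import os
import random
import tempfile
from collections import Counter

# Tunables chosen for this example (assumptions, not values from the article).
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data approaches 8.0
BURST_THRESHOLD = 5       # this many newly high-entropy files in one interval => alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map each file under root (relative path) to the entropy of its content."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result[os.path.relpath(path, root)] = shannon_entropy(fh.read())
    return result


def detect_encryption_burst(before: dict, after: dict) -> dict:
    """Compare two snapshots and flag signs of bulk encryption.

    A file is suspicious when its entropy crossed the threshold between the
    snapshots. Comparing against the previous state, instead of flagging every
    high-entropy file, keeps legitimately compressed files (archives, images)
    from raising alerts. Files missing from the second snapshot are reported
    too, since ransomware commonly renames victims with a new extension.
    """
    suspicious = sorted(
        path for path, ent in after.items()
        if ent >= ENTROPY_THRESHOLD and before.get(path, 0.0) < ENTROPY_THRESHOLD
    )
    missing = sorted(path for path in before if path not in after)
    return {
        "suspicious": suspicious,
        "missing": missing,
        "alert": len(suspicious) >= BURST_THRESHOLD,
    }


def simulate_attack(root: str, victims: int, seed: int = 1234) -> None:
    """Stand-in for the encryptor, constructed for the demo (not real malware
    and not a real cipher): XOR the first `victims` files with a seeded
    pseudo-random keystream and rename them with a .locked extension."""
    rng = random.Random(seed)
    for name in sorted(os.listdir(root))[:victims]:
        path = os.path.join(root, name)
        with open(path, "rb") as fh:
            plaintext = fh.read()
        keystream = bytes(rng.getrandbits(8) for _ in range(len(plaintext)))
        with open(path + ".locked", "wb") as fh:
            fh.write(bytes(p ^ k for p, k in zip(plaintext, keystream)))
        os.remove(path)


def run_demo(total_files: int = 8, victims: int = 6) -> dict:
    """Create constructed sample documents, snapshot, 'encrypt' some, re-snapshot."""
    sample_text = b"Quarterly report: revenue grew 4% while costs were flat. " * 80
    with tempfile.TemporaryDirectory() as root:
        for i in range(total_files):
            with open(os.path.join(root, f"doc{i:02d}.txt"), "wb") as fh:
                fh.write(sample_text)
        before = snapshot(root)
        simulate_attack(root, victims)
        after = snapshot(root)
    result = detect_encryption_burst(before, after)
    result["plaintext_entropy"] = max(before.values())
    return result


if __name__ == "__main__":
    report = run_demo()
    print(f"plaintext entropy: {report['plaintext_entropy']:.2f} bits/byte")
    print(f"newly high-entropy files: {len(report['suspicious'])}")
    print(f"files renamed/removed: {len(report['missing'])}")
    print("ALERT: possible bulk encryption in progress" if report["alert"] else "no alert")
```

The baseline comparison is the important design choice: an absolute entropy threshold would flag every zip archive and JPEG on the share, whereas a jump from low to high entropy across many files within one interval is characteristic of encryption in progress. A production monitor would react to filesystem change notifications and suspend the offending process rather than rescanning a directory, but the decision logic is the same.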