Why Cybersecurity Tools Continue to Fail Against Ransomware
Ransomware attacks remain a top concern for cybersecurity leaders. Businesses of all sizes continue to get held to ransom with malware that encrypts their files and threat actors that exfiltrate their data. As cybersecurity becomes more prominent in the overall mission of businesses, it’s a source of frustration that ransomware defenses keep falling short. This article explores common reasons for failing to defend against ransomware and provides actionable ways to mitigate ransomware risks.
Reasons for Failing to Defend Against Ransomware
A 2021 survey found that 37 percent of organizations globally experienced a ransomware attack over the previous 12 months. Here are some key reasons why so many companies continue to fall victim to these attacks.
Over-reliance on MFA
Almost every organization runs an identity and access management (IAM) framework to grant authorized users access to business applications, systems, and sensitive data. Among IAM capabilities, multi-factor authentication (MFA) is rightly regarded as the gold standard for preventing unauthorized access: by requiring a second or third factor beyond a password, it puts another barrier between attackers and your data. And yet, despite MFA's growing adoption, ransomware incidents persist.
The SolarWinds intrusion, viewed as one of the most devastating cyberattacks in recent years, showed that attackers who compromise the identity infrastructure itself can forge authentication tokens and sidestep MFA entirely. Strong authentication remains a cornerstone of security, but a closer look at such attacks reveals its limit: MFA only decides whether a login succeeds. Once an attacker is acting as a legitimate user, every control that trusts that authentication does nothing further to protect the data. Real-time phishing and prompt-bombing social engineering, credential stuffing against accounts that MFA does not cover, and theft of already-authenticated session cookies all let an intrusion proceed and persist while the damage goes unnoticed.
IAM is a critical part of any cybersecurity strategy, but it is not a silver bullet. No organization is ever 100% secure, and an adversary holding valid credentials or a valid session defeats, in a single step, every control that keys on authentication alone.
User Error
User error remains a glaring weak link in cybersecurity defenses. In ransomware attacks, threat actors often target users directly to gain an initial foothold on the network, and phishing email is the most common way they do it. Even knowledgeable security professionals inside a resilient program can be taken in by a well-crafted lure.
Attackers craft convincing emails carrying malicious attachments or links, and it takes only one employee to open the attachment or click the link. Human error is not confined to phishing, either. Other user errors that lead to successful ransomware attacks include:
- Using easy-to-guess passwords
- Reusing the same password across multiple applications and services
- Not applying security updates to software on workstations, or on personal devices used for work
Penetrable Perimeters and Outdated Antivirus
More than in the past, network perimeters today are less well-defined and more penetrable. Cloud computing adoption, BYOD initiatives, and remote workers result in a vastly wider attack surface for threat actors to target. Compare today’s IT landscape with one in which everyone worked at the office from designated workstations and it’s easy to see why the current norm is harder to secure with perimeter-focused approaches and tools.
Furthermore, legacy antivirus that relies on signatures, meaning the hashes or byte patterns of samples already seen, does not offer adequate ransomware protection. Sophisticated threat actors pack, encrypt or otherwise obfuscate their ransomware so that its bytes on disk match no known identifier while its behaviour is unchanged, and many operations compile a fresh build for each victim. A scanner that keys on unique malware identifiers therefore never matches most of today's ransomware; what stays constant, and detectable, is what the process does once it runs, such as rewriting large numbers of files with near-random contents.
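As an added illustration (written for this page; it is not code from the original article or from any vendor), the following Go program shows both halves of that argument: a hash-based signature stops matching after a one-byte XOR packing, while a behavioural check on what the process writes still catches it. The "known-bad" bytes, process names, paths and thresholds are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"math"
	"sort"
)

// knownBad is a constructed stand-in for a known-bad sample: plain text, not malware.
var knownBad = []byte("stage2: enumerate shares; encrypt *.docx *.xlsx; drop README.txt")

// signatureOf is the SHA-256 digest a hash-based scanner would key on.
func signatureOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// xorEncode is the cheapest possible packer: every byte XORed with one key. The
// unpacked program behaves identically, but a signature of the original no longer matches.
func xorEncode(b []byte, key byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ key
	}
	return out
}

// shannonEntropy returns bits per byte: English text sits around 4-5,
// compressed or encrypted data approaches 8.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// FileWrite models one file write reported by an endpoint sensor.
type FileWrite struct {
	Process, Path string
	Content       []byte
}

// encryptionSweepSuspects names processes that rewrote at least minFiles files
// with near-random contents: the footprint of a file encryptor, whatever its
// binary looks like. Thresholds are illustrative, not tuned.
func encryptionSweepSuspects(writes []FileWrite, minFiles int, minEntropy float64) []string {
	perProcess := map[string]int{}
	for _, w := range writes {
		if shannonEntropy(w.Content) >= minEntropy {
			perProcess[w.Process]++
		}
	}
	var suspects []string
	for proc, n := range perProcess {
		if n >= minFiles {
			suspects = append(suspects, proc)
		}
	}
	sort.Strings(suspects)
	return suspects
}

// sampleWrites is a constructed sensor feed: a word processor saving two ordinary
// documents, then an unknown process rewriting five files with random bytes (ciphertext stand-in).
func sampleWrites() []FileWrite {
	doc := []byte("Quarterly revenue rose eight percent on stronger demand in the services division, while operating costs were flat year over year.")
	writes := []FileWrite{
		{"winword.exe", `C:\Users\alice\Documents\q1.docx`, doc},
		{"winword.exe", `C:\Users\alice\Documents\q2.docx`, doc},
	}
	for i := 0; i < 5; i++ {
		buf := make([]byte, 4096)
		if _, err := io.ReadFull(rand.Reader, buf); err != nil {
			panic(err)
		}
		writes = append(writes, FileWrite{"unknown.exe", fmt.Sprintf(`C:\Users\alice\Documents\f%d.docx.locked`, i), buf})
	}
	return writes
}

func main() {
	fmt.Println("original signature:", signatureOf(knownBad))
	fmt.Println("packed signature  :", signatureOf(xorEncode(knownBad, 0x5a)))
	fmt.Println("behavioural hits  :", encryptionSweepSuspects(sampleWrites(), 3, 7.5))
}
```

The entropy check is deliberately crude; production EDR combines it with rename patterns, canary files and write rates, but the principle is the same: the packer changes the bytes, not the behaviour.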
Cybercrime Collaboration
The prevailing business model among modern cybercrime gangs is collaboration. In 2015, security researchers documented one of the earliest, still primitive, ransomware-as-a-service (RaaS) operations. RaaS operators develop their own ransomware variants and make them available to subscribers or affiliates in return for a subscription fee or a percentage of the profits.
Today, RaaS is the status quo among the major ransomware players. In some operations the core gang carries out every phase of the attack, from initial access through ransomware deployment; in others the affiliate receives only the encryptor and must break into the target network and deploy it on their own.
An investigation found evidence of collaboration between the high-profile cybercrime gang FIN7 and the operators of Ryuk: FIN7's suite of tools was used to gain initial network access and move laterally before Ryuk ransomware was deployed. When criminal groups pool their capabilities, defending against ransomware becomes harder still.
Easily Accessible Tools
Readily available tooling further weakens defenders' position. Threat actors put commercial penetration-testing frameworks such as Cobalt Strike to criminal use, whether bought under false pretences or run from cracked and leaked copies. Cobalt Strike's Beacon implant gives the operator command and control over compromised hosts, and its post-exploitation features are used to move laterally across the network and stage the ransomware payload before files or whole devices are encrypted.
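An added example, not part of the original article: one detection a security team can run over ordinary proxy logs to surface Cobalt Strike-style beaconing, which at the network level is just a host phoning home on a schedule. The log lines, IP addresses and thresholds below are constructed for the example; the regularity check itself is generic and does not depend on any particular C2 framework's defaults.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed proxy log, one connection per line:
// "<RFC3339 timestamp> <src ip> <dst ip> <dst port>". Host 10.0.0.5 calls
// 203.0.113.7 roughly once a minute with small jitter; 10.0.0.9 browses normally.
const sampleLog = `2022-03-01T10:00:00Z 10.0.0.5 203.0.113.7 443
2022-03-01T10:00:05Z 10.0.0.9 198.51.100.20 443
2022-03-01T10:00:07Z 10.0.0.9 198.51.100.20 443
2022-03-01T10:00:09Z 10.0.0.9 198.51.100.20 443
2022-03-01T10:01:01Z 10.0.0.5 203.0.113.7 443
2022-03-01T10:01:59Z 10.0.0.5 203.0.113.7 443
2022-03-01T10:03:02Z 10.0.0.5 203.0.113.7 443
2022-03-01T10:03:40Z 10.0.0.9 198.51.100.20 443
2022-03-01T10:04:00Z 10.0.0.5 203.0.113.7 443
2022-03-01T10:04:58Z 10.0.0.5 203.0.113.7 443
2022-03-01T10:06:01Z 10.0.0.5 203.0.113.7 443
2022-03-01T10:15:12Z 10.0.0.9 198.51.100.20 443
2022-03-01T10:15:13Z 10.0.0.9 198.51.100.20 443
2022-03-01T10:42:00Z 10.0.0.9 198.51.100.20 443`

type conn struct {
	src, dst string
	at       time.Time
}

// parseLog reads the four-field format above; blank lines are skipped and
// anything else is reported as an error rather than silently dropped.
func parseLog(raw string) ([]conn, error) {
	var out []conn
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, conn{src: f[1], dst: f[2], at: at})
	}
	return out, sc.Err()
}

// Beacon is a src->dst pair whose connection timing is suspiciously regular.
type Beacon struct {
	Src, Dst     string
	Count        int
	MeanInterval float64 // seconds between connections
	CV           float64 // std dev / mean of the intervals; near 0 is clockwork
}

// findBeacons groups connections by (src, dst), measures how regular the gaps
// between them are, and reports pairs with at least minCount connections whose
// coefficient of variation is at most maxCV. Thresholds are illustrative; real
// implants add jitter, so tune maxCV against your own traffic baseline.
func findBeacons(conns []conn, minCount int, maxCV float64) []Beacon {
	byPair := map[[2]string][]time.Time{}
	for _, c := range conns {
		k := [2]string{c.src, c.dst}
		byPair[k] = append(byPair[k], c.at)
	}
	var found []Beacon
	for k, ts := range byPair {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		n := float64(len(ts) - 1)
		mean := ts[len(ts)-1].Sub(ts[0]).Seconds() / n // mean gap = total span / gaps
		variance := 0.0
		for i := 1; i < len(ts); i++ {
			d := ts[i].Sub(ts[i-1]).Seconds() - mean
			variance += d * d
		}
		if cv := math.Sqrt(variance/n) / mean; cv <= maxCV { // NaN/Inf never pass
			found = append(found, Beacon{k[0], k[1], len(ts), mean, cv})
		}
	}
	sort.Slice(found, func(i, j int) bool { return found[i].CV < found[j].CV })
	return found
}

func main() {
	conns, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, b := range findBeacons(conns, 6, 0.2) {
		fmt.Printf("%s -> %s: %d connections every %.0fs (cv=%.3f)\n", b.Src, b.Dst, b.Count, b.MeanInterval, b.CV)
	}
}
```

Against the constructed log this flags only 10.0.0.5 -> 203.0.113.7 (seven connections about 60 seconds apart). Legitimate software updaters and monitoring agents beacon too, so in practice the output is an allow-list exercise, not a verdict.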
Public Policy Failure and Geopolitical Problems
The business world caught on quickly to the threat of ransomware, but public policy responses have been left wanting. It took the US government years to issue directives addressing ransomware threats and provide guidance on appropriate response strategies. Even still, while these executive orders are a step in the right direction, they remain limited primarily to the public sector and provide too little too late.
Limiting ransomware depends heavily on clearer public policy from the federal level and better collaboration with the private sector. Without clear guidelines, businesses are left with few options other than to pay the ransom, indicating the failure of public policy to inform and assist victims.
Long-standing geopolitical tensions make it tougher to clamp down on organized ransomware crime. Where domestic law enforcement is scant, gangs run sophisticated operations with little fear of punishment. One indication of progress came in January 2022, when Russian authorities announced arrests of REvil members and the dismantling of the gang.
Actionable Mechanisms to Further Mitigate Ransomware Risk
There is no simple answer to the modern ransomware problem, but the risk can be reduced with a multilayer approach.
Turn to a Data-Centric Security Approach
A perimeter-based security approach no longer suffices against ransomware. Data-centric security is the better approach: it focuses on protecting the files that contain sensitive information, wherever they travel.
Ransomware gangs adapted their tactics in recent years to double extortion: they exfiltrate sensitive data from the network before locking files, then threaten to publish it unless the ransom is paid. A data-centric program that classifies the most sensitive data and encrypts it at the file level removes that leverage, because stolen ciphertext has no publication value. It does not address the availability side of the attack, so it complements, rather than replaces, offline and regularly tested backups.
Implement Upgraded Technologies
Some cybersecurity innovators also improve existing technologies. Adopters of these upgraded solutions can bolster their security arsenals without the lengthy or costly implementation required for approaches like SASE.
One solution that rapidly provides a much-needed defense against today's exfiltration-focused ransomware attacks is Atakama's multi-factor encryption. Encryption's protective value against ransomware comes from covering the "crown jewel" data that gangs target, and it is a crucial layer of defense.
When your business has file-level encryption in place for its most sensitive assets, cybercrime gangs cannot use the data in any meaningful way even after they get inside your network. Exfiltration may still happen, but what leaves is ciphertext, and ciphertext carries no extortion value.
Most encryption solutions are not granular enough to encrypt at the file level, though, and key management and user experience concerns deter many businesses from encrypting their sensitive assets at all. Two properties decide whether a scheme actually helps against an intruder: each file needs its own key, so one stolen key does not unlock everything, and the key material must not be recoverable from the single endpoint the attacker has just taken over.
Atakama changes the game with file-level AES-256 standard encryption and an effortless user interface that lends itself to seamless employee adoption. From a user’s perspective, opening an encrypted file is as easy as tapping an “Approve” button on their smartphone - no passwords or authentication codes required. Not only does this lessen the demand on helpdesk and support teams, it drastically diminishes organizational risk. Threat actors can’t access Atakama-protected files without physical and digital access to multiple user devices.
The end result for your business is a vital line of defense that secures your files from ransomware threats even when other controls and tools fail.
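To make the mechanism concrete, here is an added example, written for this page; it is not Atakama's code and does not describe Atakama's actual protocol, which the article does not detail. It shows per-file AES-256-GCM encryption with the file key split into two shares, one per device, so that an attacker who controls the laptop but not the phone cannot open the file. The path, plaintext and the laptop/phone split are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// splitKey returns two shares whose XOR is key (a 2-of-2 one-time-pad split).
// Each share alone is uniformly random, so a device holding one reveals nothing.
func splitKey(key []byte) (shareA, shareB []byte, err error) {
	if shareA, err = randomBytes(len(key)); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, len(key))
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// combineShares rebuilds the key; it should live in memory only for one operation.
func combineShares(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, errors.New("share length mismatch")
	}
	key := make([]byte, len(a))
	for i := range a {
		key[i] = a[i] ^ b[i]
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile seals plaintext under a fresh per-file AES-256 key and returns
// nonce||ciphertext||tag plus the two key shares. The path is bound in as
// associated data so a blob cannot be quietly swapped onto another file.
func encryptFile(path string, plaintext []byte) (blob, shareA, shareB []byte, err error) {
	key, err := randomBytes(keyLen)
	if err != nil {
		return nil, nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, nil, nil, err
	}
	shareA, shareB, err = splitKey(key)
	if err != nil {
		return nil, nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), shareA, shareB, nil
}

// decryptFile needs both shares. GCM's tag check rejects a wrong key, a wrong
// path or a tampered blob outright instead of returning garbage.
func decryptFile(path string, blob, shareA, shareB []byte) ([]byte, error) {
	key, err := combineShares(shareA, shareB)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(path))
}

func main() {
	blob, laptop, phone, err := encryptFile("/finance/minutes.docx", []byte("constructed sensitive content"))
	if err != nil {
		panic(err)
	}
	_, err = decryptFile("/finance/minutes.docx", blob, laptop, make([]byte, keyLen)) // laptop share only
	fmt.Println("laptop share alone:", err)
	pt, err := decryptFile("/finance/minutes.docx", blob, laptop, phone)
	fmt.Printf("both shares: %q (err=%v)\n", pt, err)
}
```

The XOR split is the simplest threshold scheme; a product would use a proper k-of-n construction, protect the shares on each device with hardware-backed storage, and handle device loss and rotation. What the example shows is the property that matters for double extortion: the blob an attacker exfiltrates from the laptop, even together with that laptop's share, is worthless without the second device.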
Schedule a 15-minute demo to learn how Atakama can protect your business.