
The High Stakes of Big Game Hunting in Cybersecurity

by Anirudh Khanna, March 25th, 2025

Too Long; Didn't Read

Cybercriminals are now attacking larger organizations for bigger payouts. With ransom demands doubling between the first and fourth quarters of 2022, they currently exceed $1 million. There are various steps you can take to safeguard your organization from this growing cybersecurity threat.


Cybercriminals are now attacking larger organizations for bigger payouts. With ransom demands doubling between the first and fourth quarters of 2022, as shown in Fig 1, they currently exceed $1 million, making it crucial for enterprises to bolster their defenses. Notably, this trend of larger organizations being targeted for higher ransoms comes at a time when these firms have increased their reliance on remote work, digitalized control, and cloud-based operations, building on lessons learned during the COVID-19 pandemic. However, there are various steps you can take to safeguard your organization from this growing threat: employee training and awareness, data backups, regular software and application updates, antimalware software, network segmentation, optimized email protections, application allowlisting, access protection, and regular penetration testing.


Fig 1: Big Game Hunting is Back! The ransom amount targeting large organizations increased quarterly between 2018 and 2023.


How to Safeguard Your Organization Against Ransomware Attacks

Employee Training and Awareness

The first step in safeguarding your organization against ransomware attacks is employee training. All workers must understand ransomware attacks as part of their cybersecurity awareness campaigns. Make sure to enlist the assistance of renowned organizational cybersecurity companies to engage in both online and physical training. Employees must know and understand the risk points, ransomware response frameworks, developments in ransomware attacks, and how to react to suspicious online and offline activity. Proper training and awareness ensure your organization and its employees are ready for attacks.

Backup All Critical Data

Backing up all critical data using the 3-2-1 methodology protects an organization's data against attackers, making recovery from attacks easier and faster. The 3-2-1 methodology entails keeping three separate copies of all critical organizational data on two different types of storage, with one copy always offline and air-gapped. Consider using large-capacity, solid-state portable drives with built-in encryption for offline storage. Cloud-based storage complements these drives, and I am considering working with reputable companies like Amazon Web Services (AWS), Egnyte Business Storage, and Tresorit Business Cloud Storage. Always subscribe to business packages when dealing with cloud storage options, because they have higher security functionality and offer high-capacity, immutable storage.
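The 3-2-1 rule is easy to state and easy to drift away from (an offline disk that nobody rotated for a week no longer counts). The following script, an added example that is not part of the original article, checks a backup inventory against the rule and also flags the absence of an immutable copy, since the paragraph recommends immutable cloud storage. The inventory, copy labels and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str               # storage type, e.g. "disk", "cloud", "tape"
    offline: bool             # physically disconnected / air-gapped from the network
    immutable: bool           # write-once storage that cannot be altered before retention ends
    last_completed: datetime  # when this copy last finished successfully


def check_3_2_1(copies: List[BackupCopy], now: datetime,
                max_age: timedelta = timedelta(days=1)) -> List[str]:
    """Return a list of 3-2-1 violations; an empty list means the inventory complies.

    Only copies completed within ``max_age`` count, because a stale copy does not
    protect the data written since it was taken."""
    problems = []
    fresh = [c for c in copies if now - c.last_completed <= max_age]
    if len(fresh) < 3:
        problems.append(f"only {len(fresh)} of 3 copies completed within {max_age}")
    media = {c.medium for c in fresh}
    if len(media) < 2:
        problems.append(f"fresh copies span {len(media)} medium type(s); need at least 2")
    if not any(c.offline for c in fresh):
        problems.append("no current offline/air-gapped copy")
    if not any(c.immutable for c in fresh):
        problems.append("no current immutable copy")
    return problems


# Constructed sample inventory (hypothetical labels and timestamps).
NOW = datetime(2025, 3, 25, 12, 0, tzinfo=timezone.utc)

COMPLIANT = [
    BackupCopy("primary-nas", "disk", offline=False, immutable=False,
               last_completed=NOW - timedelta(hours=2)),
    BackupCopy("cloud-object-lock", "cloud", offline=False, immutable=True,
               last_completed=NOW - timedelta(hours=3)),
    BackupCopy("rotated-ssd-in-safe", "disk", offline=True, immutable=False,
               last_completed=NOW - timedelta(hours=20)),
]

# Same setup, but the offline disk has not been rotated for nine days.
STALE_OFFLINE = COMPLIANT[:2] + [
    BackupCopy("rotated-ssd-in-safe", "disk", offline=True, immutable=False,
               last_completed=NOW - timedelta(days=9)),
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("stale offline", STALE_OFFLINE)):
        print(name, "->", check_3_2_1(inventory, NOW) or "OK")
```

The freshness cut-off is the important design choice: a ransomware recovery is only as good as the newest copy the attacker could not reach, so the check counts only copies completed within the window rather than everything that ever existed.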

Keep all Software, User Passwords, and Systems Updated

Malware such as viruses and ransomware evolves to evade aging security systems and software. Therefore, continuously update your systems to the latest version to benefit from built-in security features. An organization also elevates its ransomware protection by updating its software regularly to keep abreast of ransomware mutations. The 2017 WannaCry ransomware attack, which crippled the UK's healthcare infrastructure, the Spanish telecoms giant Telefonica, and the Taiwanese tech giant TSMC, was caused by laxity in updating security software and Microsoft operating systems. User passwords are a common access point through which ransomware enters organizational networks that rely on remote access. According to socradar.io, up to 21% of all ransomware attacks in 2020 were attributable to weak passwords in organizations' access management systems, as shown in the infographic in Fig 2. Therefore, teach password management practices such as creating long passwords that mix letters, digits, and symbols and that are valid only for a limited period. A user who fails to update their password is locked out of the system, and after creating a new, similarly strong password, they must use multi-factor authentication to access the network. Phishing attacks rely on weak passwords and other reckless practices in weak access management systems. Also, combining biometric information with card-based credentials makes a card useless when its verified owner is not present.


Fig 2: The Role of Weak Passwords and Access Management in 2020’s Ransomware Attacks


Install and Use Renowned Firewalls and Antivirus Software

Firewalls are the first line of defense against attacks targeting online software and hardware. Source the latest firewalls from reputable vendors like Sophos, pfSense, and FortiGate. Always seek firewalls designed for business use, because they have advanced ransomware defense capabilities. VPN-specific ransomware detection should also be included to protect businesses that rely on remote access and cloud-based storage. Combine high-level firewalls with reputable enterprise antivirus software like Norton, ESET, and Bitdefender. The IT technicians serving your company or organization must configure these two layers of ransomware defense to scan the system daily, and reserve full system scans for a weekly schedule, since they take longer and may interrupt operations.

Segment Your Network

Network segmentation entails dividing the organization's operational environment and infrastructure into smaller tiers or sub-networks that are isolated from one another but work in coordination. This mitigation strategy aims to reduce the access and damage an attack can inflict on the organization. Ransomware relies on network connectivity to spread from its entry point to other hardware and software components. Segmentation confines the malware to certain levels of the organization's systems and infrastructure, reducing damage and speeding recovery. One of the strongest implementations is physical segmentation, where individual hardware items are kept in separate subnets. However, physical segmentation may limit operational efficiency because the isolated components are harder to manage remotely. It may incorporate static IP addresses and advanced features at the switch and router level to block external access attempts. An emerging trend is intent-based segmentation, where the segmentation policy follows the intended purpose of each workload rather than the network's physical layout. This form of segregation benefits small and large business organizations alike, adding security features such as zero-trust network principles. It is also essential in organizations with discrete operations that rely on need-to-know data requiring higher security levels, even from internal operators. Micro-segmentation is also taking off as an advanced form of segmentation that uses virtual local area networks (VLANs) and access control lists to dictate segment access in conjunction with intent-based policies.
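What "isolated but coordinated" segments mean in practice is an ordered access control list with a default deny. The script below is an added example, not code from the article or from any vendor: it models four VLAN-backed segments (workstations, servers, backup, OT) with constructed addressing, evaluates flows against a first-match ACL, and shows that a workstation cannot reach the backup server or another workstation over SMB even though nothing explicitly names those flows, because anything not allowed is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    src: str             # segment name or "*" for any
    dst: str
    proto: str           # "tcp", "udp", or "*"
    port: Optional[int]  # destination port; None matches any
    action: str          # "allow" or "deny"


# Constructed segments (hypothetical addressing and VLAN ids).
SEGMENTS: List[Segment] = [
    Segment("workstations", 10, ipaddress.ip_network("10.10.0.0/16")),
    Segment("servers", 20, ipaddress.ip_network("10.20.0.0/24")),
    Segment("backup", 30, ipaddress.ip_network("10.30.0.0/24")),
    Segment("ot", 40, ipaddress.ip_network("10.40.0.0/24")),
]

# Ordered ACL: the first matching rule wins, and a flow matching nothing is denied.
RULES: List[Rule] = [
    Rule("workstations", "servers", "tcp", 443, "allow"),  # business apps over HTTPS
    Rule("servers", "backup", "tcp", 443, "allow"),        # backup agents to backup server
    Rule("*", "backup", "*", None, "deny"),                # nothing else reaches backups
    Rule("ot", "ot", "*", None, "allow"),                  # OT devices talk among themselves
    Rule("*", "ot", "*", None, "deny"),                    # and to nobody else
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the segment that contains it, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for seg in SEGMENTS:
        if addr in seg.network:
            return seg.name
    return None


def _field_matches(rule_value, actual) -> bool:
    return rule_value == "*" or rule_value is None or rule_value == actual


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address space never matches an allow rule
    for rule in RULES:
        if (_field_matches(rule.src, src) and _field_matches(rule.dst, dst)
                and _field_matches(rule.proto, proto) and _field_matches(rule.port, port)):
            return rule.action == "allow"
    return False  # default deny


if __name__ == "__main__":
    flows = [
        ("10.10.4.7", "10.20.0.5", "tcp", 443),  # workstation -> app server: allowed
        ("10.10.4.7", "10.10.9.9", "tcp", 445),  # workstation -> workstation SMB: denied
        ("10.10.4.7", "10.30.0.2", "tcp", 445),  # workstation -> backup server: denied
        ("10.20.0.5", "10.30.0.2", "tcp", 443),  # server -> backup server: allowed
        ("10.10.4.7", "10.40.0.3", "tcp", 502),  # workstation -> OT: denied
    ]
    for f in flows:
        print(f, "allow" if is_allowed(*f) else "deny")
```

The explicit deny rules are redundant given the default deny; they are kept because a reviewer reading the ACL should see the intent (backups and OT are reachable only from the named sources) without having to infer it from what is absent.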

Update Email Protections

Email is integral to how ransomware reaches business organizations, through downloadable suspicious attachments, links to infected software, and social engineering. According to the Federal Bureau of Investigation (FBI), email is the leading entry method for ransomware into business organizations, accounting for more than 54% of all ransomware attacks in 2020. Therefore, consider updating the organization's email protections to cover these risk points. First, employees should never open emails from unknown senders, including clicking links in the email body, and should report such emails immediately to IT personnel and management. Second, keep email client applications updated to benefit from the latest security features. Third, publish a Sender Policy Framework (SPF) record, which designates the specific servers that are authorized to send email for your domain. Fourth, set up DomainKeys Identified Mail (DKIM), which attaches a digital signature to outgoing mail that recipients verify against a public key published in your DNS. Finally, email protection must include Domain-based Message Authentication, Reporting, and Conformance (DMARC), which combines SPF and DKIM and tells receivers what to do with mail that fails both checks, as shown in Fig 3.


Fig 3: How DMARC combines SPF and DKIM to improve email protection in organizations.
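How DMARC "combines" SPF and DKIM is a specific rule: a message passes if either SPF or DKIM passed and the domain that passed is aligned with the visible From domain; otherwise the published p= policy decides. The script below is an added example, not part of the article, that parses a constructed DMARC record for a hypothetical example.com and evaluates four message scenarios. The organizational-domain helper is a deliberate simplification (last two labels) and is labelled as such; real validators use the Public Suffix List.

```python
from typing import Dict, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into its tags, applying the defaults from RFC 7489."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for this example only: real validators consult the Public Suffix List,
    and this shortcut is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM domain that SPF checked; dkim_domain is the d= tag of a
    signature that verified. DMARC passes if either mechanism passed AND is aligned with
    the RFC5322.From domain; otherwise the record's p= policy applies."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed record for a hypothetical domain.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    cases = {
        "direct mail, SPF aligned under relaxed aspf":
            dmarc_evaluate(RECORD, "example.com", "pass", "bounce.example.com", "none", ""),
        "forwarded mail, SPF broken but DKIM aligned":
            dmarc_evaluate(RECORD, "example.com", "fail", "example.com", "pass", "example.com"),
        "spoofed From, SPF passes only for an unrelated domain":
            dmarc_evaluate(RECORD, "example.com", "pass", "unrelated.example", "none", ""),
        "subdomain DKIM signature under strict adkim":
            dmarc_evaluate(RECORD, "example.com", "fail", "example.com", "pass", "mail.example.com"),
    }
    for name, result in cases.items():
        print(f"{name}: {result}")
```

The third scenario is the one DMARC exists for: SPF alone would report "pass" because the sending server is authorized for some domain, but that domain is not the one in the From header, so the message fails and p=reject applies. The fourth scenario shows why adkim=s needs care: a legitimate subdomain signer fails strict alignment, so publish strict modes only after the reports (rua) confirm which sources sign with the exact domain.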


Application Whitelisting

Application whitelisting is a security control that designates which applications may be downloaded, opened, and run on the network and its infrastructure. Malware ordinarily piggybacks on legitimate applications, imitating their appearance, authentication, and functionality. Other malware used in ransomware attacks hides in macros within MS Word documents to trick unsuspecting or careless personnel into downloading trojans and viruses. Whitelisting prevents such malware from executing because anything not explicitly approved is blocked. Ransomware morphs rapidly to avoid detection and imitate legitimate applications, but no matter how fast it morphs, if it is not on the application whitelist it cannot run or gain access to data or systems. Whitelisting best practice dictates that whitelisted applications gain access to the network under a zero-trust architecture, and that only authorized administrators who require access to such applications and network sections are allowed to use them. One of the most common whitelisting tools is Windows AppLocker, which also lets the user benefit from additional Microsoft ransomware detection and management functionality.
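The property that makes whitelisting robust against fast-morphing malware is that the decision never depends on recognizing the malware, only on whether the file matches an approved publisher, hash or trusted path. The following script is an added illustration, not AppLocker's code or policy format: it models the three rule kinds AppLocker-style tools offer, with explicit denies overriding allows and a default deny for everything else. The publisher string, file paths and file contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Executable:
    path: str
    publisher: Optional[str]  # subject of a valid code-signing certificate, or None if unsigned
    content: bytes            # constructed stand-in for the file bytes on disk


@dataclass(frozen=True)
class Rule:
    kind: str    # "publisher", "hash" or "path"
    value: str
    action: str  # "allow" or "deny"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "publisher":
        return exe.publisher is not None and exe.publisher == rule.value
    if rule.kind == "hash":
        return sha256_hex(exe.content) == rule.value
    if rule.kind == "path":
        # Case-insensitive prefix match, mirroring Windows path semantics.
        return exe.path.lower().startswith(rule.value.lower())
    return False


def decide(rules: List[Rule], exe: Executable) -> str:
    """Explicit deny beats allow; anything matching no allow rule is denied by default."""
    matched = [r for r in rules if rule_matches(r, exe)]
    if any(r.action == "deny" for r in matched):
        return "deny"
    if any(r.action == "allow" for r in matched):
        return "allow"
    return "deny"


# Constructed line-of-business tool whose exact build is pinned by hash.
LOB_TOOL_BYTES = b"hypothetical LOB tool build 1.4.2"
VENDOR = "O=Example OS Vendor, L=Redmond, S=Washington, C=US"  # constructed signer subject

POLICY: List[Rule] = [
    Rule("publisher", VENDOR, "allow"),
    Rule("path", "C:\\Program Files\\", "allow"),  # only sound if non-admins cannot write here
    Rule("hash", sha256_hex(LOB_TOOL_BYTES), "allow"),
    Rule("path", "C:\\Users\\", "deny"),           # user-writable locations never run code
]

SAMPLES = [
    Executable("C:\\Windows\\System32\\notepad.exe", VENDOR, b"signed os binary"),
    Executable("C:\\Users\\bob\\Downloads\\winword.exe", None, b"unsigned lookalike"),
    Executable("C:\\Tools\\lobtool.exe", None, LOB_TOOL_BYTES),
    Executable("C:\\Tools\\lobtool.exe", None, LOB_TOOL_BYTES + b" tampered"),
]

if __name__ == "__main__":
    for exe in SAMPLES:
        print(decide(POLICY, exe), exe.path)
```

The second and fourth samples are the interesting ones: a file that borrows a legitimate name but sits in a user-writable folder is denied by the path rule regardless of its contents, and a pinned tool whose bytes changed by a single character no longer matches its hash rule and falls through to the default deny. Path allow rules are only as strong as the directory permissions behind them, which is why the comment on the Program Files rule matters.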

End-User Device and Access Privilege Protections

End-user protection during ransomware mitigation entails detecting and authenticating end-user access to protected networks. Your organization must be able to detect all forms of access, whether through laptops, smartphones, tablets, flash drives, or hard drives, physically or remotely. Consider employing Endpoint Detection and Response (EDR) services and products like Bitdefender EDR and Cisco Advanced Malware Protection for Endpoints, as they provide continuous monitoring, detection, and response to network access and suspicious hardware or software activity. Standard EDR tools combine antimalware, data encryption, intrusion detection, mobile and desktop security, and web browser security with real-time notification and alerting. Notably, least-privilege access management also helps safeguard your organization against ransomware: authenticated and verified users on the network get only the access and data necessary to perform their predetermined tasks. Role-Based Access Control (RBAC) likewise helps prevent ransomware through access and end-user management, granting verified users with specific roles access only to the data and systems relevant to their intended and reported activities. These access control strategies are complemented by multi-factor authentication (MFA) and zero-trust architecture.
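"Continuous monitoring, detection, and response" is abstract until you see one detection rule run over real-looking telemetry. The script below is an added example and does not describe any named EDR product's logic: it builds a constructed JSON-lines feed of file rename events (the field names are a hypothetical schema) and raises an alert when a single process changes the extension of many files inside a short window, the file-system behaviour that distinguishes bulk encryption from a user renaming a few documents.

```python
import json
import os
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _build_sample_events() -> List[str]:
    """Construct JSON-lines file events of the kind an EDR agent forwards (hypothetical schema)."""
    base = datetime(2025, 3, 25, 9, 0, 0)
    lines = []
    # Benign: a user renames two documents several minutes apart.
    for i, (old, new) in enumerate([("draft.docx", "report.docx"), ("a.txt", "a.md")]):
        lines.append(json.dumps({"ts": (base + timedelta(minutes=5 * i)).isoformat(),
                                 "host": "WS-017", "process": "explorer.exe", "pid": 1200,
                                 "user": "bob", "action": "rename",
                                 "path": f"C:\\Users\\bob\\Documents\\{old}",
                                 "new_path": f"C:\\Users\\bob\\Documents\\{new}"}))
    # Suspicious: one process changes the extension of 12 files within about 20 seconds.
    for i in range(12):
        lines.append(json.dumps({"ts": (base + timedelta(seconds=2 * i)).isoformat(),
                                 "host": "WS-017", "process": "updater.exe", "pid": 4242,
                                 "user": "bob", "action": "rename",
                                 "path": f"\\\\fileserver\\finance\\q1_{i}.xlsx",
                                 "new_path": f"\\\\fileserver\\finance\\q1_{i}.xlsx.locked"}))
    return lines


def detect_mass_extension_change(lines: List[str], threshold: int = 10,
                                 window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert when one process changes the extension of >= threshold files within `window`."""
    per_process = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["action"] != "rename":
            continue
        old_ext = os.path.splitext(ev["path"])[1].lower()
        new_ext = os.path.splitext(ev["new_path"])[1].lower()
        if old_ext != new_ext:  # same-extension renames are ordinary user activity
            key = (ev["host"], ev["pid"], ev["process"])
            per_process[key].append((datetime.fromisoformat(ev["ts"]), new_ext))
    alerts = []
    for (host, pid, process), items in per_process.items():
        items.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "pid": pid, "process": process,
                               "files": len(items),
                               "new_extensions": sorted({ext for _, ext in items}),
                               "first_seen": items[0][0].isoformat()})
                break
    return alerts


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    for alert in detect_mass_extension_change(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Keying the window by (host, pid, process) rather than by user is what keeps the explorer.exe renames from counting toward the updater.exe burst even though the same account performed both; the threshold and window are tunable and should be set from a baseline of normal rename volume on your own file shares.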

Regular Intrusion and Readiness Testing

Regular intrusion and readiness testing is the final safeguard against ransomware attacks. This strategy entails simulating breaches using known and cutting-edge ransomware techniques in discrete, randomly timed tests to measure personnel readiness, system preparedness, and the performance of mitigation strategies. In addition, organizations must regularly re-evaluate access points and user privileges, identify new or mutated system vulnerabilities, and create new security protocols in keeping with the best industry standards. Regular testing also involves retraining all personnel on common points of risk, such as regular password changes with strong alternatives, safe web browsing, use of robust VPNs and avoidance of public Wi-Fi, and recognition of suspicious or malicious files and online content. The organization must also regularly train its personnel on the most up-to-date social engineering practices. It is best practice to periodically engage renowned cybersecurity firms in training and retraining activities so that they fully understand the developments and needs of the firm.

Conclusion

In conclusion, ransomware attacks are growing and increasingly targeting larger organizations in what is now known as 'big game hunting.' The frequency of such attacks is increasing, as are the ransom amounts demanded. This unfortunate trend coincides with the post-COVID-19 period, in which most medium and large organizations have adopted additional online functions and embraced remote working. However, you can safeguard your organization from ransomware through employee training and awareness, data backups, regular software and application updates, antimalware software, network segmentation, optimized email protections, application whitelisting, access protection, and regular penetration testing.

References

  1. https://www.coveware.com/blog/2023/4/28/big-game-hunting-is-back-despite-decreasing-ransom-payment-amounts
  2. https://www.kaspersky.com/resource-center/threats/ransomware-wannacry
  3. https://socradar.io/top-five-causes-of-ransomware-attacks/
  4. https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/intent-based-network-security-aag.html#:~:text=Intent-based network security is,the distributed network it exists.
  5. https://www.fbi.gov/news/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics
  6. https://blog.mdaemon.com/dmarc-best-practices-securing-your-email-communications
  7. https://learn.microsoft.com/en-us/defender-endpoint/malware/macro-malware
  8. https://www.digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more