According to Gartner, “analysis of clients’ ransomware preparedness shows that over 90% of ransomware attacks are preventable.” And yet, every day more organizations—ranging from high-profile brands to small town councils—are failing to stop ransomware. Many of these compromises occur because of human error. We have compiled a list of the most common mistakes leading to ransomware regret. Do you recognize any?
Believing that a backup is enough
Most experts’ advice for stopping ransomware repeats this refrain: “make sure you conduct regular backups”. And, yes, this is a good practice but the problem is that we have been told that having a backup is enough to avoid ransomware impacting our organizations. The bad news is that adversaries know that most companies have a backup plan. Now these threat actors demand money in exchange for not selling the personal data that they steal. Undoubtedly, the best strategy is to prevent the attack before it causes real harm If the attacker is requesting a ransom, you are already too late.
Not tracing Ransomware signals
The network is ransomware’s pathway, which means that monitoring contacts with adversarial infrastructure is a must. A lot of companies and security professionals treat ransomware as a force of nature that can’t be prevented, and that’s far from true. You can leverage your own network metadata to detect traces of the adversary and stop ransomware before any real harm is done. If you wait for evidence of ransomware to appear, it is already too late. You need to start tracking connections to adversarial infrastructure in the earliest stages of the cyber kill chain.
Supposing that my organization, sector, or geography is not a target
No industry, geography, or company is immune. Various reports show increasing attacks on all types of industries such as manufacturing, government, health, agriculture, and even religious services. We can also observe that although the USA has the majority of attacks, the rest are evenly spread in practically all countries. So, if you think your organization does not belong to a group that is an area of focus for adversaries, our intelligence shows that such an assumption is not correct. You can see more details in our Ransomware Flashcard.
Only monitoring the “crown jewels”
We tend to think that attackers only focus on our most critical systems. The reality is, that this rarely happens, most of the time the compromise begins with a simple email with a link or executable. In an increasingly connected world, this is the perfect recipe for disaster. For this reason, not only critical assets should be monitored, but the entire organization including OT and IOT environments.
As Bruce Schneier said in our last Illumination Summit, “We are living in a world where everything is becoming a computer…which means that computer security becomes everything security.” Therefore, monitoring all devices is key. In his book Secrets and Lies, he also states that “The security of the overall system is limited by the security of its weakest link. Any single weakness can destroy the security of the entire system.” Consequently, it is critical to monitor the whole system and do not let the weakest link compromise your system.
Thinking that vulnerability assessments and penetration tests are enough to stop Ransomware
Penetration testing and vulnerability assessment’s goal is to test network security, which is only one part of the problem. These are good practices, but alone, are insufficient to stop ransomware. The first problem is that these practices start with a false hypothesis: that is that the system is secure. However, at the moment you do these tests you do not know if the adversary is already inside.
Another problem is that these tests are incomplete because they are performed only on the “crown jewels”. This is another example of ignoring the weakest link—which we mentioned above—because it is assumed that the attackers get inside the network by exploiting vulnerabilities. The truth is that compromising an organization is as easy as sending an email. We invite you to read this whitepaper that looks at the necessity to evolve security testing.
Ransomware is not a force of nature, it is something that we can avoid and prevent. Do not make the same mistakes that other organizations have made with devastating results. The good news is that you can avoid all these mistakes and stop ransomware attacks by running a Continuous Compromise Assessment with our Lumu Free Account.
For more of Lumu’s freely available research and analysis on the scourge of ransomware, be sure to visit our Resource Center.