International. Guardicore shared that cybercriminals, when spreading a ransomware attack, most often use emails, malicious URLs, and the remote desktop protocol.
According to a Guardicore (part of Akamai) e-book, "5-Step Ransomware Defense: How to Strengthen Your Defenses Beyond the Perimeter," a ransomware attack carries several extremely harmful consequences, such as lost productivity, brand damage and loss of customer loyalty, among others.
Such damage was estimated to occur every eleven seconds in 2021 at a cost of $20,000. Meanwhile, the average ransomware payment is $84,000, and the average downtime a company suffers from this type of incident is 16.2 days.
Considering the explosive growth of ransomware attacks in recent years, Oswaldo Palacios, Senior Account Executive for Guardicore, said that one of the weaknesses in organizations' cybersecurity strategies most exploited by attackers is the lack of east-west visibility in data centers.
He added that lateral movement is rarely detected in a timely manner, a fact well known to ransomware developers, who exploit security weaknesses and gain access to critical assets precisely because of that lack of visibility and segmentation.
The Guardicore expert was emphatic that email remains the most common way ransomware spreads in a company: beyond the weaknesses of the protocol itself, attackers exploit how easy it is to mislead a user with a message about a package pending delivery, a rejected purchase or an eye-catching sender name.
3 Most Common Ways to Introduce and Spread Ransomware
In the words of Oswaldo Palacios, the most common techniques for launching and spreading a malware attack are:
1. Emails: These can be generic or use spear-phishing tactics that tailor the content to a specific organization or person, in the hope of provoking an interaction, such as opening an attachment or clicking a link, that gives the attacker a vehicle to deliver malware.
2. Malicious URLs: Malicious URLs commonly appear in phishing campaigns, but they can also be embedded in a website or anywhere a user can click. In the case of ransomware, once the target interacts with the URL, the malware often attempts to install itself on the victim's machine, from which it can begin to spread to multiple assets.
3. Remote Desktop Protocol: The use of virtual desktop infrastructure (VDI) has become a fast-growing attack surface. A significant VDI risk is that all of the infrastructure and applications are often located on the same server. If an attacker successfully introduces malicious software, it can be difficult to detect until it is too late.
Palacios also noted that Active Directory and critical applications are among the most attacked targets, since that is where user information such as permissions, access rights and privileges within the company resides. Once an attacker has taken control of Active Directory, users' access to business applications is compromised, partially or totally disrupting operations.
Defense against ransomware
In that regard, the expert commented that one of the best defenses against ransomware is to prevent lateral movement inside the perimeter, which is difficult to do for east-west traffic with traditional firewalls.
He also stressed that while some segmentation can be achieved with VLANs, it is often coarse and far from the most agile approach when assets need to be isolated on the fly, as in the case of a successful breach.
"You can't protect what you can't see; therefore, companies need a tool that gives them complete visibility into all data center communications, not only those entering or leaving the perimeter, but those that exist within networks and that, by not being visible to firewalls, can allow threats to move laterally."
Finally, the executive said that cybersecurity tools such as microsegmentation provide visibility at the process level inside servers, allowing segments small enough to permit or deny communication between the individual processes of an asset.
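As an added illustration of the process-level allow-or-deny model described above (this is not Guardicore's product or code; the hosts, segment labels, process names and flow records are constructed), the following default-deny check flags east-west flows that no rule permits, which is how unexpected traffic such as workstation-to-workstation RDP would surface for investigation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_process: str
    dst_host: str
    dst_port: int


def parse_flow(line):
    """Parse one constructed 'key=value' flow record into a Flow."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["proc"], fields["dst"], int(fields["dport"]))


# Hypothetical segment labels assigned to hosts; unknown hosts get no label.
SEGMENTS = {
    "ws-01": "workstations", "ws-02": "workstations",
    "app-01": "app", "db-01": "db", "dc-01": "directory",
}

# Allow-list of (source segment, source process, destination segment, port).
# Anything not listed here is denied, including flows from unlabelled hosts.
ALLOW = {
    ("workstations", "outlook.exe", "app", 443),
    ("workstations", "lsass.exe", "directory", 88),  # Kerberos to the DC
    ("app", "appsvc", "db", 1433),
    ("app", "lsass.exe", "directory", 88),
}


def is_allowed(flow):
    src_seg = SEGMENTS.get(flow.src_host, "unknown")
    dst_seg = SEGMENTS.get(flow.dst_host, "unknown")
    return (src_seg, flow.src_process, dst_seg, flow.dst_port) in ALLOW


def find_violations(flows):
    """Return flows no process-level rule permits: candidate lateral movement."""
    return [f for f in flows if not is_allowed(f)]


SAMPLE_LOG = [  # constructed east-west flow records
    "src=ws-01 proc=outlook.exe dst=app-01 dport=443",
    "src=ws-01 proc=mstsc.exe dst=ws-02 dport=3389",
    "src=app-01 proc=appsvc dst=db-01 dport=1433",
    "src=ws-02 proc=powershell.exe dst=dc-01 dport=445",
]

if __name__ == "__main__":
    for f in find_violations(parse_flow(l) for l in SAMPLE_LOG):
        print(f"DENY {f.src_host}/{f.src_process} -> {f.dst_host}:{f.dst_port}")
```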