International. Due to the magnitude of their attacks, dozens of companies in the region are losing the battle against ransomware, and cybercriminals have become sophisticated enough to use ransomware to penetrate large companies, public administrations, global infrastructures or public health organizations, and paralyze them.
As of 2022, the average cost of a single data breach across all industries in the world was around $4.35 billion. The figure was higher in the health sector, where each breach reportedly cost the affected party $10.1 million. The financial sector followed closely, with each breach resulting in a loss of approximately $6 million, $1.5 million more than the global average.
According to Patricio Villacura, Enterprise Security Specialist for Akamai, there are many variants of ransomware. However, looking for specific Indicators of Compromise (IoCs), such as suspicious domain names, IP addresses and file hashes associated with known malicious activity, can help establish the origin of an attack and how to respond to it.
The expert explained that the methodology used by cybercriminals to carry out a ransomware attack usually obeys the following five steps:
1) Break the perimeter. Using techniques such as brute-force attacks, exploitation of vulnerabilities or phishing, the attacker seeks initial access to the systems.
2) Gain administrator-level privileges. At this point the attacker seeks to capture the credentials of highly privileged users in order to modify the configuration of systems and applications, with the sole purpose of preventing the correct operation of the services.
3) Move laterally. The attacker moves laterally to map the surrounding infrastructure, identify potentially vulnerable services and detect the location of the backup data repository.
4) Infection. Once the environment is understood, the attacker proceeds to infect these servers, either by attacking potentially vulnerable protocols such as RDP, SMB or SSH, which are commonly present in the normal operation of systems, or by executing exploits such as EternalBlue or Zerologon, among others.
5) Encrypt. Everything that can be encrypted is encrypted: system files, sensitive user data, libraries holding system configuration details including permissions, and other data that are vital to the normal day-to-day operation of companies and institutions.
Patricio Villacura stressed that a variety of specific controls can be established to detect and stop each of these stages, but it is microsegmentation that, from an early stage, can not only protect critical infrastructure and the services that support it, but also reduce the attack surface.
Here's How Microsegmentation Helps Prevent Ransomware
Microsegmentation is the fastest way to visualize and segment assets across the data center, cloud or hybrid cloud infrastructure. Its software-based segmentation separates security controls from the underlying infrastructure and gives organizations the flexibility to extend protection and visibility anywhere.
According to the expert, it is important to understand how a microsegmentation solution would act in the face of a cyberattack; to illustrate this, he presented a well-known case that could have been avoided with a strategy built on this tool.
The executive reported that on May 8, 2022, the president of Costa Rica, Rodrigo Chaves, was forced to declare a state of national emergency due to the exfiltration of approximately 700GB of sensitive information of citizens, affecting eight government agencies due to the attack produced by the Conti Ransomware group.
The attackers exploited gaps in application source code and in the validation of public access to the SQL databases of government services; they then encrypted the sensitive information of citizens and demanded a ransom payment in exchange for not disclosing it.
According to Patricio Villacura, a microsegmentation solution could have prevented this attack from spreading to the operation of the ministries' services: first by controlling the communication routes of the tools used by Conti, then by restricting access to the file shares that store sensitive citizen information, and finally by limiting access to databases and backup servers.
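The three controls described above (allowed communication routes, restricted access to file shares, restricted access to databases and backup servers) as an added example that is not from the article or from Akamai: a default-deny segment policy evaluated over constructed flow records, using hypothetical segment names and addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed segment map (hypothetical addresses, not from the article).
SEGMENTS = {
    "web":       ip_network("10.0.1.0/24"),
    "app":       ip_network("10.0.2.0/24"),
    "db":        ip_network("10.0.3.0/24"),
    "fileshare": ip_network("10.0.4.0/24"),
    "backup":    ip_network("10.0.5.0/24"),
}

# Allow-list of (source segment, destination segment, TCP port). Anything not
# listed is denied, so RDP (3389), SMB (445) and SSH (22) are reachable only
# along the paths the services actually need.
ALLOW = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "fileshare", 445),
    ("backup", "db", 5432),        # backup jobs reach the DB, never the reverse
    ("backup", "fileshare", 445),
}

def segment_of(ip: str) -> str:
    """Segment name for an address, or 'unknown' if it is outside every segment."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")

def decide(src: str, dst: str, port: int) -> str:
    """Default-deny: 'ALLOW' only inside a segment or on a listed path."""
    s, d = segment_of(src), segment_of(dst)
    if s == d and s != "unknown":
        return "ALLOW"
    return "ALLOW" if (s, d, port) in ALLOW else "DENY"

def audit(flows):
    """Label each (src, dst, port) flow; DENY rows are the lateral-movement
    attempts the policy blocks and that should raise an alert."""
    return [(src, dst, port, decide(src, dst, port)) for src, dst, port in flows]

# Constructed flow sample: a compromised web server trying the article's
# lateral-movement paths, mixed with legitimate traffic.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443),   # web -> app: legitimate
    ("10.0.1.10", "10.0.4.40", 445),    # web -> file share over SMB
    ("10.0.1.10", "10.0.5.50", 3389),   # web -> backup server over RDP
    ("10.0.1.10", "10.0.3.30", 22),     # web -> database host over SSH
    ("10.0.3.30", "10.0.5.50", 445),    # db -> backup: wrong direction
    ("10.0.5.50", "10.0.3.30", 5432),   # backup -> db: scheduled job
]
```

Only the first and last sample flows are allowed; every other row is a path a flat network would have permitted and a segmented one denies and logs.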