The world has witnessed a meteoric surge in ransomware-involved breaches over the past five years. According to Verizon’s 2022 Data Breach Investigations Report, ransomware breaches grew nearly 13% year-over-year in 2021, an increase of more than the total of the past five years combined. And while ransomware comes in different strains, the modus operandi of these breaches is not so diverse. What is helping to drive these ransomware scams? One word: users.
THE HUMAN ELEMENT IS A COMMON FACTOR IN ALL RANSOMWARE SCAMS
Verizon reported a staggering 82% of data breaches involved the human element (i.e., the use of stolen credentials, successful phishing, misuse, or simply human error).
Phishing examples include falling victim to a phishing email or pretexting scenario. Credentials can be stolen from users or purchased from dark web marketplaces. Cybercriminals favor credentials as a data type because they’re extremely useful for masquerading as a legitimate user in a compromised system. Misuse typically involves incidents that are driven by unapproved or malicious use of legitimate privileges.
Hackers can simply work around a particular security control. Loopholes are discovered to gain access and target the business. Human errors can include incidents where an unintentional action can result in a compromise of a security attribute or information asset. This can involve anything from weak passwords, poor user practices, emails going to the wrong recipients, misconfigured or outdated access controls, and cloud settings that attackers can exploit.
Per the report, three out of four top ransomware vectors also include the human element: desktop sharing (40%), email (35%), and direct install (5%). So how does an attacker get access to a user’s endpoint, get them to share their desktops, or get them to respond to an email? The answer again is simple: either via phishing attempts or credential compromise. Verizon refers to phishing and credentials as two of the “four key paths leading to your estate” (the other two being exploiting vulnerabilities and botnets). Hackers frequently use phishing and credentials as entry points to gain access to a protected network and launch ransomware attacks.
RANSOMWARE ATTACKS ONLY INVOLVE A HANDFUL OF STEPS
Per Verizon’s event chain data describing the flow of an attack, a vast majority of breaches only involve three steps. The first is phishing (tricking a user into completing an action or breaching confidentiality). The second is the downloader (dropping malware onto the system). The third is ransomware (encrypting critical systems and data). The reason why attackers would want to avoid longer attack chains is because every additional step is an opportunity to prevent, detect, respond, or recover from the attack.
WHAT YOUR ORGANIZATION CAN DO TO PREVENT RANSOMWARE
Ransomware is on the rise. Humans are a common element in the majority of all breaches. Threat actors are using compromised credentials to access endpoints and email. Phishing seems to pervade all of this. For organizations to effectively prevent ransomware, security teams should focus on these six best practices:
1. TRAIN USERS: Since humans are the weakest link in data breaches and ransomware attacks, your organization should invest its efforts in strengthening this element. This includes regular classroom training, real-world simulations, and tabletop exercises that help employees recognize and report suspicious behavior and phishing activity. Additionally, they should also learn the art of good security hygiene (strong passwords, file sharing best practices, social media etiquette, etc.) and understand the consequences, responsibilities, and liabilities of their actions.
2. DEPLOY TECHNICAL CONTROLS: Organizations should employ a variety of critical security tools to bolster security defenses. These include next-gen firewalls, endpoint detection and response, multi-factor authentication, data leakage prevention, anti-spam, password managers, and strong data backup. It’s also a good idea to disable Remote Desktop Protocol or limit its use to authorized users.
3. PATCH REGULARLY: Software vulnerabilities are a common entry point attackers use to gain entry into a network and deploy ransomware. Security teams should therefore ensure they have a mechanism in place to keep software updated as these often contain security and bug fixes for known vulnerabilities.
4. FOCUS ON CREDENTIAL HYGIENE: Security teams should ensure users use strong credentials that cannot be brute-forced. They must monitor privileged access to critical assets, regularly remove inactive users, and check password exposure websites like haveibeenpwned.com to proactively determine if user credentials have been leaked online.
5. MONITOR THE ATTACK SURFACE: Security teams should prioritize critical assets in order of importance and sensitivity. They must regularly analyze logs, conduct spot checks, scan for vulnerabilities, test defenses for attack readiness, and monitor the threat surface for suspicious activity.
6. BE PREPARED: Every business should have a living document that is updated regularly with security best practices, key contacts, and security procedures in case a security incident is encountered. The idea is to be prepared and ready for any kind of eventuality. Invest in cyber insurance if feasible.
Always remember that no matter how much money organizations throw at information security every year, the threat of ransomware will persist. Why? Because there is one element in the entire security stack that can neither be programmed nor predicted—us humans. Organizations that invest in a defense-in-depth approach, a healthy mix of technical controls, security training, and policies and procedures can be more resilient to ransomware attacks than those that don’t.
Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.