Combat ransomware attacks
Ransomware remains a threat to sensitive data and to enterprise business continuity. However, a layered approach that combines security best practices with zero-trust technologies can significantly limit the impact of a ransomware attack.
Ransomware remains a lucrative business for cybercriminals. To bypass corporate security controls, attackers now routinely use targeted spear phishing to get victims to click on malicious links or attachments or to visit compromised websites. Once a machine is infected, the ransomware begins encrypting files and folders on local drives, on mapped network shares and connected storage, and potentially on other hosts reachable on the same network.
The infection usually goes unnoticed until access to data is denied or a ransom note demands payment in exchange for a decryption key. Companies should not comply with the demand: payment is no guarantee that the data will be decrypted. The GermanWiper variant, for example, permanently overwrites file contents with zeros instead of encrypting them recoverably, so there is nothing left to decrypt. Moreover, paying marks the company as a willing payer and encourages criminals to attack it again.
Basic best practices for prevention
The impact of a ransomware attack can be devastating, from the loss of confidential, mission-critical data to financial losses from business process disruptions and significant reputational damage. Here are some basic measures to mitigate the risk of ransomware attacks:
Application allowlisting: Only approved programs are permitted to run on a computer. This should be combined with disabling macros in Microsoft Office files received via e-mail.
Regular data backups: Backups must be stored offline or otherwise isolated from the production network so that ransomware cannot reach them, and their integrity, including the ability to actually restore from them, should be verified regularly.
Security awareness training: Employees should be fully educated about the risks of ransomware and trained to recognize spear phishing attacks.
Regular updates of antivirus and anti-malware programs with the latest signatures.
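As an added example, not part of the original article, the following Python script shows one way to perform the backup integrity check recommended above: a SHA-256 manifest is computed when the backup is taken and later compared against the backup set, flagging files that were altered, renamed away or added. The directory layout, file contents and the ransomware-style tampering in `demo()` are constructed for illustration. The manifest itself must be kept on a separate, write-protected location; if it sits next to the backup, ransomware that reaches the backup can rewrite the manifest too.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_root):
    """Map every file (path relative to the backup root, POSIX separators) to its hash and size."""
    root = Path(backup_root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root, manifest):
    """Compare the backup set on disk with a previously stored manifest.

    Returns a dict with the verdict and the three classes of discrepancy that
    ransomware typically produces: files whose content changed (encrypted in
    place), files that vanished (renamed with a new extension), and files
    that appeared (ransom notes, renamed copies)."""
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(
        name for name in manifest.keys() & current.keys()
        if manifest[name]["sha256"] != current[name]["sha256"]
    )
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "unexpected": unexpected,
        "modified": modified,
    }


def demo():
    """Constructed scenario: a clean backup, then ransomware-style tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "q3.xlsx").write_bytes(b"constructed sample spreadsheet")
        (root / "notes.txt").write_bytes(b"constructed sample notes")

        manifest = build_manifest(root)      # taken at backup time, stored elsewhere
        clean = verify_backup(root, manifest)

        # Simulated ransomware: encrypt one file in place, rename another, drop a note.
        (root / "finance" / "q3.xlsx").write_bytes(os.urandom(64))
        (root / "notes.txt").rename(root / "notes.txt.locked")
        (root / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup verified:", before["ok"])
    print("after tampering:", after)
```

In practice the manifest is produced by the backup job and written to a location the backup host cannot modify afterwards (write-once storage, or a separate verification system), and `verify_backup` is run on a schedule; any non-empty `modified`, `missing` or `unexpected` list should page someone, because it means either the backup or the media it lives on has been touched since it was taken.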
Zero-trust approach against malware attacks
In addition to these basic measures, implementing a privileged access management (PAM) solution with a zero-trust approach lets organizations both address a leading cause of security breaches, the misuse of privileged accounts and credentials, and minimize the impact of a ransomware attack: malware that cannot obtain privileges either cannot do what it needs to or is at least confined to the network segment it landed in. Protection mechanisms include:
1. Building a secure admin environment: When an administrator connects to servers, the session itself must not become the vector for infection, so privileged access must originate only from a clean source. PAM with a zero-trust approach therefore refuses privileged access from ordinary user workstations that also browse the Internet and read e-mail, as these are the most likely to be infected. Instead, access is granted only through secured privileged administrator consoles, such as an administrative jump box.
2. Securing remote access: A well-designed zero-trust privileged admin environment not only lets employees access resources remotely around the clock; it also suits outsourced IT or developer teams, because it reduces the need for a VPN and handles all transport security between secure client gateways and distributed server connectors. Without such protection, ransomware on an infected end-user device can spread across the network as soon as that device connects via VPN, since a VPN typically places it on the internal network with broad reach.
3. Zoning for privileged access: Segmenting systems and organizational units into zones does not stop ransomware from spreading within a zone, but it does stop it from reaching systems that require additional user verification. PAM with a zero-trust approach controls privileged access to systems per user, so the zone a user is in is as far as the ransomware can reach, provided that a control sits between the user and every other zone. That control is enforced by the PAM solution and verified through multi-factor authentication (MFA); without an MFA response, the ransomware cannot jump to the next system.
4. Minimizing the attack surface: Ransomware does not always need privileges, but if it does obtain elevated privileges its impact is far greater. Securing shared local accounts shrinks that attack surface: PAM solutions with a zero-trust approach manage the alternate administrator accounts and service accounts that several people use, and grant MFA-authorized users just-in-time access, so that the required privileges exist only for a limited time and/or within the limited scope the task at hand needs.
5. Limiting privileges: PAM with a zero-trust approach also gives fine-grained control over which resources a privileged user may access and which commands they may execute. This in turn limits the malware's ability to install files or escalate privileges.
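To make the five controls above concrete, here is an added example in Python. It is a toy policy engine written for this page, not Centrify's product or any real PAM API; the hosts, zones, links, user names and commands are constructed. `request_access` enforces the clean-source rule (control 1) and MFA (control 3) and hands out a time- and scope-bound grant (control 4); `may_run` enforces the command allowlist against the expiry (control 5); and `reachable_by_malware` simulates worm-style spread to show what the zoning in control 3 buys: malware moves freely over links inside its own zone, but can cross a zone boundary only by riding an unexpired grant whose session originates on the host it already controls, because it cannot answer an MFA prompt.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    internet_exposed: bool = False  # browses the web / reads e-mail: not a clean source
    admin_console: bool = False     # hardened jump box used only for administration


@dataclass(frozen=True)
class Grant:
    user: str
    source: str          # console the session comes from
    target: str
    expires_at: float    # epoch seconds; JIT grants are short-lived
    allowed_commands: frozenset


class ZeroTrustPAM:
    """Toy policy engine: clean source, MFA, just-in-time expiry, command allowlist."""

    def __init__(self, hosts, links):
        self.hosts = {h.name: h for h in hosts}
        self.neighbours = {h.name: set() for h in hosts}
        for a, b in links:               # raw network reachability, independent of PAM
            self.neighbours[a].add(b)
            self.neighbours[b].add(a)
        self.grants = {}                 # (user, target) -> Grant

    def request_access(self, user, source, target, mfa_verified, commands, ttl_seconds, now):
        src = self.hosts[source]
        # Control 1: privileged sessions only from a hardened admin console.
        if src.internet_exposed or not src.admin_console:
            return False, "denied: source is not a secure admin console"
        # Control 3: every privileged access, and every zone crossing, is MFA-verified.
        if not mfa_verified:
            return False, "denied: MFA response missing"
        # Control 4: just-in-time grant, bounded in time and in scope.
        grant = Grant(user, source, target, now + ttl_seconds, frozenset(commands))
        self.grants[(user, target)] = grant
        return True, f"granted {sorted(commands)} on {target} for {ttl_seconds}s"

    def active_grant(self, user, target, now):
        g = self.grants.get((user, target))
        return None if g is None or g.expires_at <= now else g

    def may_run(self, user, target, command, now):
        # Control 5: command-level restriction, re-checked on every call against expiry.
        g = self.active_grant(user, target, now)
        return g is not None and command in g.allowed_commands

    def reachable_by_malware(self, infected, now):
        """Hosts that ransomware running on `infected` can reach (breadth-first).

        Same-zone links are open (file shares, lateral movement). A zone boundary is
        crossed only over an unexpired grant whose session originates on the host the
        malware currently controls; the malware cannot produce an MFA response."""
        seen, queue = {infected}, deque([infected])
        while queue:
            cur = queue.popleft()
            for nxt in self.neighbours[cur]:
                if nxt in seen:
                    continue
                same_zone = self.hosts[cur].zone == self.hosts[nxt].zone
                gate_open = any(
                    g.source == cur and g.target == nxt and g.expires_at > now
                    for g in self.grants.values()
                )
                if same_zone or gate_open:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen - {infected}


def build_lab():
    """Constructed estate: an office zone, an admin jump box, and a production zone."""
    hosts = [
        Host("ws-alice", "office", internet_exposed=True),
        Host("ws-bob", "office", internet_exposed=True),
        Host("fileshare", "office"),
        Host("jumpbox", "admin", admin_console=True),
        Host("prod-db", "prod"),
        Host("prod-web", "prod"),
    ]
    links = [("ws-alice", "ws-bob"), ("ws-alice", "fileshare"), ("ws-bob", "fileshare"),
             ("ws-alice", "jumpbox"), ("jumpbox", "prod-db"), ("jumpbox", "prod-web"),
             ("prod-db", "prod-web")]
    return ZeroTrustPAM(hosts, links)


def run_scenario():
    pam, t0 = build_lab(), 1_700_000_000.0
    r = {}
    r["from_workstation"] = pam.request_access("alice", "ws-alice", "prod-db", True, {"systemctl"}, 600, t0)[0]
    r["no_mfa"] = pam.request_access("alice", "jumpbox", "prod-db", False, {"systemctl"}, 600, t0)[0]
    r["jit"] = pam.request_access("alice", "jumpbox", "prod-db", True, {"systemctl"}, 600, t0)[0]
    r["allowed_cmd"] = pam.may_run("alice", "prod-db", "systemctl", t0 + 10)
    r["blocked_cmd"] = pam.may_run("alice", "prod-db", "bash", t0 + 10)
    r["expired_cmd"] = pam.may_run("alice", "prod-db", "systemctl", t0 + 601)
    r["office_blast_radius"] = pam.reachable_by_malware("ws-alice", t0 + 10)
    r["jumpbox_blast_radius_live"] = pam.reachable_by_malware("jumpbox", t0 + 10)
    r["jumpbox_blast_radius_expired"] = pam.reachable_by_malware("jumpbox", t0 + 601)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things the simulation makes visible that the list above only states: an infected workstation takes down its whole zone (the other workstation and the file share) but never touches production, because no grant originates from it; and once the malware does get inside a zone over a live grant, everything in that zone is exposed, which is exactly why the grant's TTL matters and why the jump box itself must stay clean.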
By Martin Kulendik, Centrify