Another year, more research and statistics dedicated to ransomware. Every day we see data leaks and companies brought to a halt by this kind of attack. But are we used to it? We should get used to defending ourselves against ransomware, not to waiting for the next attack.

Many reports mention a drop in ransomware, but the truth is that it’s still a weapon heavily used by cybercriminals. At the Aspen Cyber Summit in November 2022, FBI director Paul Abbate said the agency had “only seen the problem persist – and worsened” and that “alongside ransomware attacks, the volume of ransomware attacks increased”. related financial losses.”

In Brazil, this has become an issue in its own right, paralyzing government agencies, hospitals, retailers and many companies of different sectors and sizes. One of the main reasons this practice keeps recurring is the multi-million dollar networks that support criminals, providing them with the tools and information they need to attack even if they lack technical knowledge of the subject. It is even more worrying that public services are among the main targets, as confidential State data can be leaked and the country’s citizens are directly affected when the government is attacked.

In Brazil, ransomware was the cause of more than 52% of cyberattacks, versus a global average of 35.4%. The fact that the main target worldwide is still the health sector shows that these criminals do not act with any ethics. In Brazil, the public sector was the most attacked, with 42% of the attacks, according to figures gathered by Tenable researchers.

Yet a key feature of the threat landscape in 2022 is the increasing prevalence of extortion-only attacks. In these attacks, threat actors gain access to target networks to steal sensitive data and hold it for ransom or sell it on the darknet, without deploying the encryption malware from which ransomware takes its name. An example of this tactic is the LAPSUS$ group, which collects data from several companies in South America and Europe, as well as leading technology companies.

We don’t want this to be normal.

It’s important to note that the major attack is usually only the final stage of a ransomware operation that has long been designed and prepared. The event does not begin on that fateful day when the machines come to a halt due to encrypted files.

There are several stages that make up an attack, and they are enabled by factors such as inappropriate access, employee corruption, lack of policy, lack of network visibility, and even the old and infamous phishing. The attack begins with a break-in to the system, where the criminals settle in to perform reconnaissance without raising an alarm.

Exposure management is therefore essential. Monitor which assets, devices and data are facing the internet. That way we know what really needs to be protected and what takes priority, from updates and patches to an ongoing cybersecurity project.

I would like to list below some guidelines to help people and companies defend themselves against attacks by extortion groups and ransomware:

• Re-evaluate social engineering awareness and help desk policies.

• Enforce password policies: avoid SMS-based Multi-Factor Authentication (MFA); ensure the use of strong passwords; accelerate the adoption of passwordless authentication (using other access methods such as biometrics).

• Use strong authentication options for internet-facing applications.

• Find and fix known vulnerabilities to prevent attackers from escalating privileges and exfiltrating sensitive data. We’ve seen old bugs do more damage than zero-days.

• Strengthen cloud security posture: improve risk detections, strengthen access settings.

• Ensure identity security services such as Active Directory are properly configured according to Zero Trust best practices.

Most offensive tactics are already known to organizations and can be preemptively avoided. It is essential for the company to invest in effective defense, with tools that allow predictive analytics and management of priorities. At the same time, it is necessary to invest in the education and awareness of everyone. After all, a castle is useless if the door is always open.

Arthur Capella has been the Managing Director of Tenable in Brazil since June 2019. Capella has more than 20 years of experience in the cybersecurity industry, leading the launch and management of Palo Alto Networks in Brazil and previously leading the operation of IronPort in the country. He has also held management and business development roles at IBM, Xerox and Embratel. He holds a Business Administration degree from UFRJ and an MBA in Marketing and Strategies from the same institution.

Source: Tec Mundo
