Ransomware attacks like the ones that wreaked havoc in Baltimore, Maryland, Albany, New York, and Genesee County, Michigan are dominating the headlines in 2019. Holding someone or something for ransom is a simple yet effective strategy that criminals have used for many years. Today, cyber criminals are applying this age-old technique to modern technologies. This raises the questions of what organizations need to know about ransomware attacks and what they can do to minimize the risk of being victimized.
Ransomware, which encrypts a victim’s data and demands a ransom to unlock it, can have a major impact on an organization, since it can mean the loss of sensitive data or a shutdown of business operations. Ransomware has been around for a few years, most commonly delivered via spam emails, with the crimeware deployed when the recipient clicked an attachment or URL. As defense mechanisms have improved, cyber-attackers have become more sophisticated, using spear-phishing emails that target specific individuals and seeding legitimate websites with malicious code. Some recent attacks have even started exploiting smartphone vulnerabilities to penetrate corporate networks.
Upon infection, ransomware begins encrypting files and folders on local hard drives, on any attached local storage or backup areas, and potentially on other hosts reachable on the same network as the victim’s device. The infection typically goes unnoticed until either access to the data is denied or a message is presented to the victim demanding a ransom payment in exchange for a decryption key.
Despite the headlines, ransomware incidents have actually declined over 2018 and 2019. Researchers report that only four percent of organizations worldwide experienced ransomware attacks in 2018 — that’s a 44 percent drop from 2017. However, while the number of total attacks might have decreased, the damages associated with ransomware have dramatically increased according to the FBI’s Internet Crime Complaint Center (IC3). The City of Baltimore is a good example, as the damages are expected to exceed $18 million. Thus, ransomware is still a major issue for organizations and is not reliant on data exfiltration in order to be lucrative.
Your Basic Steps to Prevention
There are a few basic steps that an organization can take to minimize their exposure to ransomware attacks:
- Implement security awareness programs to educate employees on how ransomware is being deployed and how to avoid spear-phishing attacks.
- Frequently update anti-virus and anti-malware with the latest signatures and perform regular scans.
- Create an application whitelist, allowing only specific programs to run on a computer. This should include disabling macro scripts in Microsoft Office files received by email.
- Back up data regularly to a non-connected environment and verify the integrity of those backups regularly.
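One way to make the backup-verification step in the last item concrete, as an added example that is not from the original post: a Python hash manifest taken when the backup is written and re-checked later, reporting files that have been modified, removed or added since. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.
    Store the result off the backup host; a manifest kept next to the data
    can be rewritten along with it."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup tree on disk against a manifest taken earlier."""
    current = build_manifest(root)
    report = {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }
    report["clean"] = not (report["modified"] or report["missing"] or report["added"])
    return report


def demo() -> tuple:
    """Constructed scenario: snapshot a small backup, verify it, then verify
    again after one file is overwritten, one deleted and a ransom note dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "accounts.sql").write_bytes(b"CREATE TABLE accounts (id INT);")
        (root / "notes.txt").write_bytes(b"quarterly report draft")
        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)
        # Simulated tampering of the backup area after the manifest was taken.
        (root / "notes.txt").write_bytes(os.urandom(32))
        (root / "db" / "accounts.sql").unlink()
        (root / "README.locked").write_bytes(b"your files are encrypted")
        after = verify_manifest(root, manifest)
    return before, after
```

Run the check from a system that is not itself a backup target, and treat any non-empty "modified" list on a backup set as a restore-blocking event rather than noise.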
Zero Trust Privilege to the Rescue
While these practices cover the security basics, ransomware is just one form of exploit that can easily be replaced by another. According to Forrester, an estimated 80 percent of data breaches are tied to privileged access abuse. By implementing the core tenets of Zero Trust Privilege, organizations can kill two birds with one stone: (1) address the number one cause of today’s data breaches — privileged access abuse — and (2) minimize the impact of a ransomware attack by preventing malware from running, or at least limiting its ability to spread through a network.
Leveraging Centrify Zero Trust Privilege Services, organizations can stop ransomware attacks in their tracks by:
- Establishing a Secure Admin Environment
When connecting to servers with privileged access, you don’t want to enable malware infection during the session. Privileged access must only be permitted from a “clean” source. Zero Trust Privilege means preventing direct access from user workstations that also have access to the Internet and email, which are too easily infected with malware. Access should only be granted through locked-down and secured privileged administrator consoles, such as an administrative jump box. Modern cloud jump boxes can serve as distributed connector gateways and are a great way to achieve a secure admin environment for dispersed organizations.
- Securing Remote Access
A properly designed Zero Trust Privilege admin environment not only allows staff to remotely access resources 24/7, but is also well suited for outsourced IT or outsourced development users because it alleviates the need for a VPN and handles all the transport security between the secure client and distributed server connector gateways. Without the Centrify Privileged Access Service, if an infected end user’s system were to go undetected, ransomware would spread to the network as soon as that user connected via VPN. With Centrify’s reverse proxy approach, there is no logical path to the network and ransomware is unable to spread from that system to the network. This is especially important for a customer that engages with contractors, outsourced IT, and third-party users. The organization often has no control over the systems of those contractors and has no assurance of their hygiene, as they belong to that third party. In this case, Centrify can ensure specific and secure access, even from a compromised host.
- Zoning Off Access
Centrify Zone Technology gives a privileged user specific access to specific systems. The Centrify Zone in which a user operates bounds the full reach of ransomware, so long as something stands between the user and additional access. In this case, that boundary is controlled via Centrify and, when access is granted, verified for legitimacy via multi-factor authentication (MFA). Without an MFA response, ransomware is unable to reach that next system. By zoning specific systems and organizational units, ransomware may spread, but not to those systems that require additional user verification.
- Minimizing the Attack Surface
By vaulting away shared local accounts, organizations can minimize their attack surface. Ransomware does not always need privilege, but if it is able to gain it, the impact is much greater than without. Centrify Privileged Access Service manages these shared, alternative admin and service accounts and provides “just-in-time” access to them — not to ransomware, but to MFA-verified users.
- Limiting Privilege
Ultimately, Centrify Zero Trust Privilege empowers organizations with granular control of what access a privileged user has and what privileged commands they can run. Without the ability to install files or at least elevate privilege when installation is necessary, ransomware cannot run rampant.
The outlined capabilities of Centrify Zero Trust Privilege showcase its versatility in securing your modern attack surfaces while also minimizing your exposure to ransomware attacks. If you are interested in learning more about Centrify Zero Trust Privilege, contact us today!
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.