Defending Against Ransomware Starts With Better Endpoint Security

Enterprise Security Magazine | Thursday, June 16, 2022

Absolute Software’s 2021 Endpoint Risk Report found that every endpoint has 11.7 security controls installed, decaying over time and creating multiple potential attack vectors

FREMONT, CA: Cybercriminal organizations and advanced persistent threat groups are doubling down on producing ransomware payloads and endpoint attack tactics that avoid detection, owing to the lucrative nature of ransomware. Ransomware payouts totalled USD 692 million in 2020, roughly double the initial forecasts. The number of vulnerabilities connected with ransomware increased by 7.6 per cent in Q1 2022 compared to the end of 2021. According to Ivanti's Q1 2022 Index Update, the number of vulnerabilities linked to ransomware has risen from 57 to 310 in just two years. Ransomware occurrences increased by 82 per cent in a year. Scripting attacks aimed at exploiting endpoints are increasing at an unprecedented rate, which explains why CISOs and CIOs are prioritising endpoint security this year.

Cybercriminal groups are continuously on the search for exploitable endpoint vulnerabilities and exposures, treating them the way a sales staff treats leads. Their goal is to defeat endpoint defences so that their payloads can be deployed undetected on enterprise networks. Once inside an organization's network, attackers often spend months penetrating it and moving laterally across it. Compromised endpoints are then used as ransomware distribution sites, unleashing further attacks across the company.

1. Multifaceted attacks: Cybercriminals utilise a combination of phishing, social engineering, identity theft, and virtual meeting breaches to persuade members of an organisation to supply privileged-access credentials that they can use to circumvent endpoint security protections. Alternatively, attackers may try to lure victims to websites designed to compromise systems through browser-based attacks. VPNs are ineffective in the first stages of an attack. Remote browser isolation (RBI) is becoming increasingly popular among businesses as it has proven to be more successful than VPNs. RBI pioneers Authentic8 and Ericom recently joined Forcepoint, McAfee, and Zscaler in the market. Ericom, however, is the only company whose solution is tailored to address the numerous technical issues that come with safeguarding virtual meetings around the world. Ericom has also filed patent applications for its advancements in this field.

2. Compromise endpoints: Cybercriminals gain access to unsecured endpoints, including those that have been over-configured to the point that conflicts between installed software leave them exposed. Payloads are deployed on a company's network carefully so that they go unnoticed. In 2022, ransomware authors are attempting to make payloads and executable files as covert as possible to get them onto networks without leaving any digital footprint.

3. Begin stealth surveillance: During this stage of a ransomware campaign, cybercriminals patiently probe enterprise networks. They frequently wait months before exploring a network in the hope of avoiding detection by anomaly-tracking or network-monitoring tools. During this phase, cybercriminals also begin to decide which systems and assets they will encrypt later in the attack.

4. Achieve control over endpoint devices and core systems: The purpose of this phase of a ransomware attack is to gain control of endpoints and prepare them to launch further attacks. Once attackers control the endpoints, their goal is to turn them into distribution sites for further payloads across the network.

5. Encrypt and extort: The final phase of an endpoint ransomware attack begins with the encryption of assets and entire systems. By this stage, endpoint detection and response (EDR) systems have been compromised and infected endpoints are spreading ransomware throughout the network. Finally, cybercriminals make extortion demands and frequently leak confidential information publicly to demonstrate their control over a company's networks.

Endpoint protection (EPP) and endpoint detection and response (EDR) technologies must be the foundation of any ransomware defence plan. Used together, they provide visibility and control down to the individual endpoint asset. Most EDR products have incident-response workflows built in and can detect and respond to malicious behaviour promptly.