6 Ways Ransomware Attackers Steal Your Data, And How IT Admins Can Stop Them

As companies invest in stronger firewalls and better IT infrastructure, brute force attacks have become harder to pull off. That’s the good news. The bad news is that hackers, in turn, have found new ways of wreaking havoc. The increasing use of ransomware as a weapon is a prime example of this.

Through phishing or stolen passwords, a ransomware attack can sabotage a company’s most valuable asset, it’s content, without being detected. The result can be a crippling blow to an organization’s reputation and operational ability.

The research firm, Cybersecurity Ventures suggests that globally, by 2021, ransomware attacks will be so common that a business will fall victim to a ransomware attack every 11 seconds. They estimate the cost of ransomware to businesses will top $20 billion in 2021 and that global damages related to cybercrime will reach $6 trillion.

Ransomware is a continuously adapting type of attack tool, and as Malwarebyte’s 2020 State of Malware Report explains, ransomware variants are increasing, making it harder to detect. Shockingly, 77 percent of companies infected were running up-to-date endpoint protection, which tells us that the problem lies somewhere else. Human error, loose passwords, and lax authentication protocols all contribute to higher risk.

As with any threat, understanding the thinking and processes that are required to create them can be hugely instructive in building the right defense. Detection requires insight into user activity, but IT admins and security leaders must also understand patterns of behavior and have baselines for how content is created, used, shared, collaborated with, and stored. Prevention is best understood in the context of how a ransomware attack actually operates and its various stages as it infects data repositories.

How ransomware happens and how to identify it

‍Ransomware functions like most types of thievery; it finds the fastest route to sensitive data that offers the least amount of resistance. Once inside a data repository, the attacker can gain access to everything that a legitimate user has access to. At that point, this data can be exfiltrated, or held for ransom.

Here is a breakdown of the six steps attackers use to target your data, and the corresponding countermeasures you’ll need to stop them:

‍#1: Identify vulnerable networks by seeking those that operate with lax security protocols, unpatched software, or do not require multi-factor authentication (MFA). Using vulnerability scanners and continuous penetration attempts, as well as simpler approaches like phishing emails, attackers identify targets and initiate assaults.

Counter-measure: Mandate MFA for all your users and enforce strict deadlines for installing patches. Using a second validation or authentication method provides another layer of protection around your user login and has shown to be one of the most effective ways of battening down the hatches of your content repositories.

#2: Scrape user password off the dark web. There is a surprisingly vibrant market for stolen passwords, and without knowing it, your employee’s credentials could be among them. With a password, anyone can impersonate a legitimate user and can easily access your network and files.

Counter-measure: Require complex passwords that meet the guidelines created by the National Institute of Standards and Technology (NIST). They suggest no fewer than 8 characters, and passwords should use a variety of ASCII and Unicode characters. Additionally, IT should mandate that passwords are changed regularly, even as frequently as every month.

#3: Use a third-party site to verify the stolen password. This can be done by checking against data on a common social media site such as LinkedIn.

Counter-measure: Provide security training so employees can learn how to recognize anomalies in digital activity on their accounts, and offer Help Desk solutions so they can report and get help on suspicious activity.

#4: Obfuscate their location by logging in via 50+ worldwide proxies. Attackers are experts at deception and they know how to employ a sense of “shock and awe” to reduce scrutiny on their activity. Logging in from multiple locations confuses attempts to pinpoint user location and identity.

Counter-measure: Use bot detection solutions and perform continuous proxy analysis to identify unusual patterns and behaviors. Even if a user account is being accessed with legitimate credentials, identifying these patterns will create an alert to pause and investigate the account in question.

#5: Pull down your proprietary data, encrypt it, and spread it across the blockchain in data centers across the globe.

Counter-measure: Take the appropriate steps to encrypt your data, and use continuous detection to identify behavioral anomalies. Once data has been stolen it’s very difficult to control the resulting damage, so preventative measures are critical.

#6: Demand thousands of dollars for the safe return of your data and cripple your day-to-day operations in the meantime.

Counter-measure: There are many schools of thought about whether or not you should pay off your ransomware attacker. Forrester even has suggested that in some cases, it makes more sense to pay it and move on. Your IT, Legal, and senior management teams need to be on the same page about how you will address this issue. Ideally, you’ll never have to, but if you’re faced with it, it’s best to understand the repercussions ahead of time.

It has become imperative that companies protect their data and not just the infrastructure that transports it. By applying strong access control, limiting visibility of sensitive data to only those who need it, and incorporating ransomware detection and unusual behavior detection, companies can be better prepared to take on modern cyber threats. Attackers prefer the past of least resistance -- fill the path to your data with obstacles and you’re better prepared to prevent an attack.

‍Bear in mind, articles like this can only help so much when the threat landscape is constantly evolving. To stay on top of the environment, check out this webinar on “The State of Data Security 2020” featuring Forrester Analyst Heidi Shey.

‍Photo by Linford Miles on Unsplash