Security

The Security Toolbox: Facing the Real Business of Ransomware

By Stefano Alei and Clementina Altamirano

This blog is part of a series to help organizations of any size optimize their security. Our experts provide insights and recommendations based on common security use cases, customer questions, and security software developer needs.

Who do we think about when we think of criminals? Murderers, kidnappers, bank robbers, embezzlers, and thieves are likely to come to mind.

How about cybercriminals? For most of us, the term “cybercriminal” is a little murkier. We might imagine one-off thieves working through technology to steal credit card data or identity credentials to gain access to credit or money. Or we may think of internet-based illicit drug sellers or fake art dealers. But today’s biggest threat is ransomware.

Just as people choose a profession for its lifetime earning potential, threat actors choose ransomware because it pays: it is highly profitable relative to the effort and risk involved. They research, plan, work in collaborative groups, maintain active user communities, and problem-solve for more successful outcomes, much like anyone in any profession in any business. The reality is that many cybercriminals are organized and sophisticated in their work, and it is a mistake to underestimate their capabilities.

In the case of ransomware, we know that cybercriminals “kidnap” systems or data, typically by encrypting them or locking users out, and hand over the means to recover them only after a large ransom is paid. Understanding how threat actors do this is the first step to mitigating the damage ransomware can cause.

Several trends are making ransomware threat actors more effective at penetrating complex environments.

  1. Cross-platform functionality: adaptive ransomware developed to thrive in different architectures and operating systems
  2. Ransomware as a Service (RaaS): subscription-based, consistently updated, ready-to-launch software complete with guidance and support
  3. Conflict-based: state-sponsored attacks aligned with one side of a geopolitical conflict, or ransomware groups acting on their own political beliefs
  4. Wiper functionality: rather than encrypting files for ransom, wiper malware (which often masquerades as ransomware) overwrites file contents or the structures the system needs to find them. An ordinarily deleted file leaves its data on disk until that space is reused, so it can often be recovered; an overwritten file cannot be, and no payment will bring it back
  5. Self-replicating: ransomware that makes copies of itself within a system, often hundreds of times, to spread and to survive partial cleanup

The above are examples of ransomware trends to be aware of, but new ransomware is always in development.

What can organizations do to better protect the data they’re entrusted to safeguard?

The best way to prepare for a ransomware attack is to follow security best practices: patch and update all software and hardware; back up all data regularly, keep at least one copy offline or otherwise out of reach of a compromised account, and test that it actually restores; enforce a least-privilege policy; and educate all users on security awareness. While these actions sound simple, many organizations don’t consistently execute them.

Another action organizations can take is to ensure they have enough staff with cybersecurity expertise specific to their technology environment. Security technology may lull a business into a sense of safety, but professionals who know how to implement and maintain that technology, and interpret the data it produces, are what make an IT environment secure.

Finally, when faced with a cybersecurity coverage gap, an organization can get outside support to determine the best approach to mitigating its ransomware risk. A security assessment is a good start: it helps an organization make full use of every visibility and monitoring capability it has so that anomalies are caught early.

What should an organization look for in technology to mitigate ransomware?

With so many security technology options and managed service providers (MSPs) available, organizations need to carefully consider how a technology will work within their environment, staffing, and current operating systems, hardware, and software. Look for the following in your security technology providers.

  1. Versatile protection: multifaceted solutions that cover the different ways threat actors attack organizations are better choices than a patchwork of point products that may or may not work well together for every cybersecurity use case
  2. Independent testing: technologies that appear in objective, independent test results or have received industry recognition, and that offer a trial period, are more trustworthy than those that offer only a single vendor-run test or supervised access before purchase
  3. Technical support: choose support that is always available, 24 hours a day, 7 days a week, with local support a big plus
  4. Training: ongoing learning options are necessary to help staff keep the technology correctly configured and performing well in their IT environment

It’s highly recommended that your security technology provide support for the endpoints, network, and data layers. Reach out to VMware Professional Services for Security at [email protected] to learn about how our Ransomware Mitigation Service can help.

What can employers do to increase ransomware awareness for employees?

Because ransomware is often delivered through phishing, organizations should consider an ongoing ransomware awareness program for all employees. The program should emphasize that every person’s actions matter in protecting the organization’s data and its customers’ data.

Employees should learn how to recognize phishing emails, texts, and social media messages. They also need to learn to hover over a link and check its real destination before clicking, since the visible text of a link can say one thing while the underlying address points somewhere else entirely. In addition, they should understand the dangers of connecting unknown devices or USB drives to their computers.
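The hover check described above can be expressed in code. The following is an added example, not part of the original post or any VMware product: it parses a constructed HTML message body, compares each link’s visible text with the host in its href, and flags the patterns that should make a reader pause (a raw IP address, a punycode host that may be a homograph, or visible text naming one domain while the link goes to another). The message text and all domain names in it are placeholders invented for the example.

```python
"""Added example: automate what "hovering over a link" shows a reader.

Parses a constructed HTML email body, extracts every <a> tag, and reports
why a link deserves suspicion. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). Domains are placeholders;
# 198.51.100.23 is from the RFC 5737 documentation range, and the xn-- label is a
# placeholder, not real punycode.
SAMPLE_EMAIL_HTML = """
<p>Your password expires today. Please
<a href="http://198.51.100.23/login">click here</a> to keep your account.</p>
<p>Or visit <a href="https://accounts.examp1e-corp.com/reset">https://accounts.example-corp.com/reset</a></p>
<p>Questions? See <a href="https://support.example-corp.com/help">https://support.example-corp.com/help</a></p>
<p>Secure portal: <a href="https://xn--exmple-placeholder.com">example-corp.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text):
    """Lowercase hostname of a URL or bare domain ('' if there is none)."""
    candidate = url_or_text if "://" in url_or_text else "//" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text):
    """True if the visible text itself reads like a URL or domain name."""
    return "://" in text or ("." in text and " " not in text)


def analyze_links(html):
    """Return a list of (visible_text, href, reasons) for every link found."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        reasons = []
        dest = host_of(href)
        if not dest:
            reasons.append("no destination host")
        else:
            if dest.replace(".", "").isdigit():
                reasons.append("destination is a raw IP address")
            if any(label.startswith("xn--") for label in dest.split(".")):
                reasons.append("destination uses punycode (possible homograph)")
            if looks_like_url(text) and host_of(text) != dest:
                reasons.append(
                    f"visible text points to {host_of(text)!r} but href goes to {dest!r}"
                )
        findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in analyze_links(SAMPLE_EMAIL_HTML):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"[{verdict}] '{text}' -> {href}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run as a script it prints one verdict per link; the third link, whose visible text and href agree, is the only one reported as ok. The same analyze_links function can be pointed at any HTML body, which is how this check would be wired into a mail gateway or an awareness-training exercise.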

Ransomware awareness programs also need a clear, easy way for employees to report suspected threats, and periodic refresher sessions so the lessons stay current.

Get started on your ransomware journey

If you’re not sure about your security posture or the level of vulnerability in your organization’s IT environment, a security assessment can help you develop a clear view of your current state and possible remediations needed. Visit the Professional Services for Security resources section for overviews on the different types of assessments available, and contact us at [email protected] to learn more.

For more support, read the other blogs in this series: