Ransomware attacks (and cyberattacks generally) follow a similar sequence. To stop these attacks consistently, your security strategy should aim to disrupt as many stages of this attack chain as possible; that maximizes your chances of stopping an attack even when the threat actors evade some of your security controls. The stages of the attack sequence are as follows:
Figure 1: Ransomware attack sequence
1. Reconnaissance: Many ransomware attacks–especially ones targeted at large organizations–are extremely well-researched. Threat actors find out everything they can about your company, including who works there, what infrastructure is exposed to the internet, what applications are in use, and where you likely keep your most sensitive information. A key tactic to disrupt reconnaissance is to make yourself hard to find and hard to exploit.
– Remove vulnerable, internet-routable appliances such as VPN concentrators and north-south firewalls in favor of more modern options for secure access.
– Hide your key applications behind a proxy architecture so that they are not directly reachable from the internet and cannot be discovered by scanning or attacked directly.
– Keep software and devices up-to-date with the most recent versions and security patches.
– Identify and remediate misconfigurations and oversharing in cloud storage that may lead to discoverable data.
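The cloud-storage point above is the most mechanical to check. As an added example (not code from the original page or from any vendor), the script below audits a constructed inventory of S3-style bucket settings and reports which buckets anyone on the internet can list or read, distinguishing a truly public grant from one scoped by a Condition. Bucket names, policies and the inventory format are assumptions, and the logic simplifies how AWS actually evaluates public access.

```python
"""Flag cloud-storage buckets that anyone on the internet can list or read.

Added example, not code from the original page. It audits a constructed
inventory of S3-style bucket settings offline; bucket names and policies are
made up, and the checks simplify how AWS actually evaluates public access.
"""

AWS_ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AWS_AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account, not just yours
PUBLIC_GRANTEES = {AWS_ALL_USERS, AWS_AUTH_USERS}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

INVENTORY = [  # constructed, in the shape an asset-discovery job might export
    {"bucket": "acme-marketing-assets", "block_public_access": False, "policy": None,
     "acl_grants": [{"grantee": AWS_ALL_USERS, "permission": "READ"}]},
    {"bucket": "acme-finance-exports", "block_public_access": False, "acl_grants": [],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": ["s3:GetObject", "s3:ListBucket"],
                               "Resource": ["arn:aws:s3:::acme-finance-exports",
                                            "arn:aws:s3:::acme-finance-exports/*"]}]}},
    {"bucket": "acme-partner-share", "block_public_access": False, "acl_grants": [],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::acme-partner-share/*",
                               "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
    {"bucket": "acme-hr-records", "block_public_access": True, "policy": None,
     "acl_grants": [{"grantee": AWS_AUTH_USERS, "permission": "READ"}]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Read actions granted to an anonymous principal with no Condition scoping the grant."""
    found = []
    for stmt in (policy or {}).get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        # A Condition (VPC endpoint, source IP range, ...) scopes the grant; not treated as public here.
        if stmt.get("Effect") != "Allow" or not anonymous or stmt.get("Condition"):
            continue
        found += [a for a in _as_list(stmt.get("Action", [])) if a in READ_ACTIONS]
    return found


def acl_findings(grants):
    """Public grantee groups that hold READ (or FULL_CONTROL) in the legacy ACL."""
    return [g["grantee"].rsplit("/", 1)[-1] for g in grants
            if g["grantee"] in PUBLIC_GRANTEES and g["permission"] in ("READ", "FULL_CONTROL")]


def audit(inventory):
    """Map bucket name -> reasons it is publicly readable (an empty list means not public)."""
    report = {}
    for b in inventory:
        reasons = []
        if not b["block_public_access"]:  # Block Public Access overrides both policy and ACL
            reasons += [f"policy allows {a} to everyone" for a in policy_findings(b["policy"])]
            reasons += [f"ACL grants READ to {g}" for g in acl_findings(b["acl_grants"])]
        report[b["bucket"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit(INVENTORY).items():
        print(f"{name}: {'not public' if not reasons else '; '.join(reasons)}")
```

Two details matter for a real audit: a grant to the AuthenticatedUsers group is public (any AWS account qualifies, not just yours), and an account-level Block Public Access setting should be read alongside the bucket-level one, since either can override the policy and ACL.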
2. Compromise: Once a threat actor has mapped out their attack plan, they need to compromise your organization, whether through phishing, brute force, or exploitation of a vulnerability. Putting robust inline security controls in place to deeply inspect traffic and block malicious files and behaviors is critical.
– Inspect as much traffic as possible–including encrypted traffic, since attackers use encrypted channels in more than 85% of attacks.
– Use layered, AI-powered security controls, including inline sandboxing, to stop never-before-seen threats. Attackers spin up new infrastructure extremely rapidly (the average phishing page is only 13 hours old), so relying on blocklists that are updated only every 12-24 hours is not good enough.
– Allow access to your crown-jewel applications only from managed devices, and include device posture checks in your security strategy so that a stolen credential alone is not enough to reach your sensitive data.
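The last point is an access-policy decision, and it is easiest to see as code. The following is an added example, not code from the original page or from any ZTNA product: a small, default-deny policy engine that grants access to one named application at a time (never to a network segment) and, for crown-jewel applications, only when the device passes posture checks. The device attributes, application tiers, group entitlements and the 30-day patch threshold are assumptions chosen for illustration; a real broker receives posture from an endpoint agent and signs its decisions.

```python
"""Posture-gated, per-application access decisions (default deny).

Added example, not from the original page. Device attributes, application
tiers, entitlements and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool              # enrolled in MDM / owned by the organization
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int
    cert_thumbprint: str = ""  # device certificate presented at the mTLS handshake


@dataclass
class Session:
    user: str
    mfa_used: bool
    device: Device


# Per-application policy: crown-jewel apps demand a managed device with healthy posture.
# A decision always names a single application; nothing here grants network access.
APP_POLICY = {
    "payroll": {"tier": "crown-jewel", "groups": {"finance"}},
    "git":     {"tier": "crown-jewel", "groups": {"engineering"}},
    "wiki":    {"tier": "standard",    "groups": {"finance", "engineering", "sales"}},
}
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "mallory": {"sales"}}  # constructed
MAX_PATCH_AGE_DAYS = 30  # assumption


def posture_failures(d: Device):
    """Every posture requirement the device fails (empty list means healthy)."""
    failures = []
    if not d.managed:
        failures.append("unmanaged device")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if not d.edr_running:
        failures.append("EDR not running")
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"OS patches {d.os_patch_age_days}d old")
    return failures


def decide(session: Session, app: str):
    """Return ("allow" | "deny", reason). Unknown apps and unentitled users never pass."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return "deny", "unknown application"
    if not policy["groups"] & USER_GROUPS.get(session.user, set()):
        return "deny", "user not entitled to application"
    if not session.mfa_used:
        return "deny", "MFA required"  # a phished password on its own is not enough
    if policy["tier"] == "crown-jewel":
        failures = posture_failures(session.device)
        if failures:  # valid credentials + MFA from an attacker's box still fail here
            return "deny", "posture: " + ", ".join(failures)
    return "allow", f"{session.user} -> {app} (application-level; no network access granted)"


if __name__ == "__main__":
    corp_laptop = Device(managed=True, disk_encrypted=True, edr_running=True, os_patch_age_days=5)
    attacker_box = Device(managed=False, disk_encrypted=False, edr_running=False, os_patch_age_days=200)
    print(decide(Session("alice", True, corp_laptop), "payroll"))
    print(decide(Session("alice", True, attacker_box), "payroll"))  # stolen credential, denied
```

The credential-theft case is the interesting one: the attacker has alice's password and even a relayed MFA approval, but the request arrives from an unmanaged device, so the crown-jewel application stays closed while a standard application such as the wiki may still open.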
3. Lateral movement: Once the attacker is in, they will escalate their privileges and perform internal reconnaissance, usually starting with Active Directory. Ransomware attackers then propagate their payloads across your infrastructure in order to encrypt data. Use zero trust strategies to minimize access and limit the blast radius of these tactics.
– Use ZTNA to maximize microsegmentation, connecting users to one application at a time–never to the network.
– Ring-fence your applications with deceptive decoys that lure and confuse attackers, and that alert your SOC that malicious activity is underway.
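Decoys pay off because nobody legitimate ever touches them, so a single event is a high-fidelity alert rather than a statistic. As an added example (not code from the original page or from any deception product), the detector below watches for the Active Directory reconnaissance described above: a ticket request for a decoy account, a service-ticket request for a honey SPN (the Kerberoasting pattern, especially with an RC4 ticket), a logon as a decoy account, or access to a decoy file share, and then ranks source hosts by how many decoys they touched. The decoy names, the honey SPN, the hostnames and the event records are constructed; the event IDs 4624, 4768, 4769 and 5145 are real Windows Security log IDs, but the records here are not real logs.

```python
"""Alert when decoy identities, honey SPNs or decoy shares are touched.

Added example, not from the original page. Decoy names, SPN, hosts and event
records are constructed; only the Windows event IDs are real.
"""
from collections import defaultdict

# Planted in AD and on a file server; never used legitimately, so any touch is malicious.
DECOY_ACCOUNTS = {"svc_backup_admin", "helpdesk_legacy"}
HONEY_SPN = "MSSQLSvc/finance-db-old.corp.example:1433"  # registered on a decoy service account
DECOY_SHARES = {r"\\fs01\Finance_Archive"}

EVENTS = [  # constructed records in the shape of parsed Windows Security events
    {"id": 4624, "account": "alice", "src": "10.0.5.23", "logon_type": 3, "target": "fs01"},
    {"id": 4768, "account": "svc_backup_admin", "src": "10.0.5.23"},
    {"id": 4769, "account": "bob", "src": "10.0.5.23", "spn": HONEY_SPN, "enc": "0x17"},
    {"id": 5145, "account": "bob", "src": "10.0.5.23", "share": r"\\fs01\Finance_Archive"},
    {"id": 4769, "account": "carol", "src": "10.0.7.9", "spn": "HTTP/intranet.corp.example", "enc": "0x12"},
    {"id": 4624, "account": "helpdesk_legacy", "src": "10.0.9.40", "logon_type": 3, "target": "dc01"},
]


def classify_event(e):
    """Return a finding for one event, or None when the event touches no decoy."""
    if e["id"] == 4768 and e["account"] in DECOY_ACCOUNTS:
        return f"TGT requested for decoy account {e['account']} from {e['src']}"
    if e["id"] == 4624 and e["account"] in DECOY_ACCOUNTS:
        return f"logon as decoy account {e['account']} from {e['src']} (type {e['logon_type']})"
    if e["id"] == 4769 and e.get("spn") == HONEY_SPN:
        # Encryption type 0x17 is RC4-HMAC: the ticket an offline cracker wants, i.e. Kerberoasting.
        suffix = " (RC4 ticket: Kerberoasting)" if e.get("enc") == "0x17" else ""
        return f"service ticket for honey SPN {e['spn']} requested by {e['account']} from {e['src']}{suffix}"
    if e["id"] == 5145 and e.get("share") in DECOY_SHARES:
        return f"decoy share {e['share']} opened by {e['account']} from {e['src']}"
    return None


def detect(events):
    """Return (findings, touches_per_source_host)."""
    findings, per_host = [], defaultdict(int)
    for e in events:
        finding = classify_event(e)
        if finding:
            findings.append(finding)
            per_host[e["src"]] += 1
    return findings, dict(per_host)


def triage(events, threshold=2):
    """Source hosts that touched `threshold` or more decoys: isolate these first."""
    _, per_host = detect(events)
    return sorted(host for host, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    findings, per_host = detect(EVENTS)
    for f in findings:
        print("ALERT:", f)
    print("isolate first:", triage(EVENTS))
```

Two operational notes: the decoy accounts should look worth attacking (an admin-sounding name, an SPN, a stale password-set date) but must be denied interactive logon everywhere, and the per-host count is what turns three separate alerts into one incident against the workstation at 10.0.5.23.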
4. Data theft: In double-extortion or encryption-less ransomware attacks, the threat actor finds valuable information and exfiltrates it to a command-and-control server or a file-sharing site, then holds it for ransom.
– Know your data: use AI-powered data classification tools to tag sensitive data and give yourself visibility into its movement.
– Inspect your outgoing traffic–again including encrypted channels–and use policies to stop data from leaving sanctioned storage locations.
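The two points above combine into one egress decision: classify what is leaving, then allow it only toward sanctioned destinations. As an added example (not code from the original page or from any DLP product), the script below tags content with simple pattern-based labels, validates candidate card numbers with the Luhn check to cut false positives, and blocks tagged content headed anywhere but the sanctioned stores. The sanctioned hostnames, the upload records and the file contents are constructed, the classifiers are deliberately simple stand-ins for a real classification engine, and treating an uninspected encrypted upload as blocked is a policy choice assumed here, not something the page prescribes.

```python
"""Tag sensitive content and decide whether an upload may leave sanctioned storage.

Added example, not from the original page. Sanctioned destinations, upload
records and contents are constructed; the classifiers are simple stand-ins.
"""
import re

SANCTIONED_DESTINATIONS = {"sharepoint.corp.example", "drive.corp.example"}  # assumption

PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits with optional separators
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SECRET = re.compile(r"(?i)\b(?:api[_-]?key|password)\s*[:=]\s*\S+")


def luhn_ok(digits):
    """Luhn checksum, so that a run of 16 arbitrary digits is not tagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_content(text):
    """Return the set of sensitivity labels found in text."""
    labels = set()
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PAN")
    if SSN.search(text):
        labels.add("SSN")
    if SECRET.search(text):
        labels.add("SECRET")
    return labels


def egress_decision(upload):
    """upload: {"dest": hostname, "content": text, "tls_inspected": bool} -> ("allow"|"block", reason)."""
    if not upload["tls_inspected"]:
        # Policy choice (assumption): an encrypted upload that bypassed inspection is blocked, not waved through.
        return "block", f"encrypted upload to {upload['dest']} was not inspected"
    labels = classify_content(upload["content"])
    if not labels:
        return "allow", "no sensitive content"
    tagged = ",".join(sorted(labels))
    if upload["dest"] in SANCTIONED_DESTINATIONS:
        return "allow", f"{tagged} content to sanctioned {upload['dest']}"
    return "block", f"{tagged} content to unsanctioned {upload['dest']}"


if __name__ == "__main__":
    uploads = [  # constructed
        {"dest": "sharepoint.corp.example", "content": "card 4111 1111 1111 1111 exp 12/26", "tls_inspected": True},
        {"dest": "paste.example", "content": "card 4111 1111 1111 1111 exp 12/26", "tls_inspected": True},
        {"dest": "paste.example", "content": "order 1234 5678 9012 3456", "tls_inspected": True},
        {"dest": "files.example", "content": "ssn 123-45-6789; api_key=abc123", "tls_inspected": False},
    ]
    for u in uploads:
        print(egress_decision(u))
```

The Luhn step is the kind of caveat that separates a usable egress policy from one the business turns off: 4111 1111 1111 1111 is a valid-format card number and is tagged, while the sixteen digits of an order reference fail the checksum and pass through.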