NEC XON shares lessons learned from ransomware attacks

Divan de Nysschen, Cybersecurity Architect, NEC XON.

---

Every organisation faces the looming threat of ransomware. Malicious actors take control of IT assets and demand ransoms. Whether automated or human-operated, this type of malware encrypts files and folders, compelling victims to pay for decryption keys. Paying up doesn’t necessarily ensure restored access, either, and permanent data loss can be catastrophic.

There are two main categories of attacks. Commodity ransomware attacks are often automated and spread virally, infiltrating through methods like e-mail phishing and malware delivery. Human-operated ransomware attacks involve active infiltration by cyber criminals into an organisation's IT infrastructure. Hallmarks include credential theft and lateral movement with elevated privileges. Commodity ransomware is relatively easier to detect, whereas human-operated variants mimic legitimate IT activities, demanding meticulous attention for detection.

Both commodity and human-operated variants present significant challenges for organisations worldwide. As adversaries become increasingly sophisticated in their tactics, the imperative for proactive defence measures and swift incident response has never been more critical. In the following compilation of lessons learned, we delve into key strategies and insights gleaned from real-world encounters with ransomware attacks:

• Recognise the differences: While community-based variants exhibit predictable traits, detecting human-operated ransomware demands acute precision and attention. Stay vigilant to identify and thwart evolving threats effectively.
• Empower your defence: Take charge of your security posture by fortifying your security awareness programme and tightening e-mail security controls. Proactively validate these measures weekly to stay ahead of commodity ransomware threats.
• Guard your privileges: Proactively defend against human-operated ransomware by implementing a stringent privileged access model. Eliminate avenues for credential theft and safeguard privileged identities with unwavering diligence.
• Establish clarity amid chaos: Pre-empt confusion during crises by establishing clear communication channels and defining roles in advance. Regularly stress-test these protocols to ensure seamless co-ordination when it matters most.
• Detect and respond swiftly: Stay one step ahead of adversaries by deploying endpoint detection and response (EDR) solutions across your infrastructure. Act swiftly to identify and neutralise suspicious behaviour, thwarting modern adversaries' attempts to blend in.
• Secure your data's future: Safeguard your organisation's data integrity by implementing robust backup processes for critical systems. Regularly test restoration procedures to minimise downtime and ensure business continuity in the face of ransomware attacks.
• Fortify your perimeter: Take proactive steps to fortify your infrastructure against adversarial access points. Conduct regular workshops to identify and eliminate vulnerabilities, reducing the complexity of your environment and bolstering defences.
• Contain the threat: In the event of a ransomware breach, act decisively to contain the threat and minimise its impact on your organisation. Isolate compromised endpoints and identities, and swiftly trace the attack's source for elimination.
• Explore partnership opportunities: Unlock the full potential of your cyber security defences by considering outsourcing to a managed security partner (MSP). Let experts handle the burden of studying ransomware threats while you focus on innovation and growth.

Ransomware cartels operate ruthlessly, exploiting double extortion tactics to unlock multiple revenue streams within the cyber criminal economy. Proactive cyber strategies and robust safeguards are essential for preparing against these attacks and mitigating potential business damage.