The first known ransomware attack was in 1989, making ransomware a “senior citizen” in the world of cyberthreats. The malware was delivered via infected floppy disk and the hacker demanded a payment of $189.
Ransomware has evolved significantly in the last 31 years. Cybercriminals no longer rely on the US Postal Service to deliver their infected files, and ransom demands have ballooned from $189 to millions of dollars; the current record ransomware payout is a reported $10 million paid by Garmin to regain control over critical components, including its call center and website.
Such a large payout is unusual – but even $111,605, the average ransom paid in the first quarter of 2020, is more than enough to cause headaches for businesses, especially when combined with losses due to companywide downtime, consultation with security experts brought in to address the problem, and reputational damage.
The Ransomware Trifecta
According to a report from Coveware, when it comes to successful attacks, three vectors lead the ransomware delivery pack in 2020:
- RDP compromise (~60%)
- Email phishing (~24%)
- Software vulnerabilities, especially in VPNs (~15%)
The tremendous increase in the number of people working from home in the second quarter of 2020 due to coronavirus restrictions led to a concomitant increase in RDP attacks. RDP has many known vulnerabilities and is very widely used by remote workers, making it an attractive target for cyberthieves.
Email phishing has become increasingly sophisticated. Cybercriminals are leveraging precisely targeted attacks (“spear phishing”) that typically garner much higher payouts than spam-driven attacks. “Branded” attacks that sneakily exploit legitimate services such as Google Docs or Microsoft Office URLs are also increasingly common, since many users will succumb to phishing emails that seem to originate from a trusted organization and link to a trusted site.
The third ransomware attack vector, software vulnerabilities, is most often associated with the now-essential VPN appliances that enable millions of users worldwide to remotely connect into their organizations’ systems. A report from SenseCy shows that the two top software vulnerabilities exploited to date in 2020 were both vulnerabilities in VPN appliances.
Even in organizations that are obsessive about keeping VPN software updated with the latest versions and patches, extended periods of vulnerability are common. For instance, the most-exploited VPN vulnerability in early 2020 was publicly identified in December 2019, but a patch was not released for a full month, leaving clients running that software vulnerable to ransomware attack.
Protection from Ransomware Threats
Of course, implementing security best practices can help to protect your organization from ransomware attacks via each of these vectors. Many basic cybersecurity techniques – keeping software and patches up to date, requiring good password hygiene, moving to multifactor authentication, training users not to respond to or click anything in emails that are the least bit suspicious – can help spare your organization from becoming a ransomware victim.
As demonstrated by the drumbeat of news about strong, reputable organizations that have been paralyzed by ransomware attacks, these conventional approaches are not enough. Even IT professionals fall for sufficiently sophisticated phishing attacks. Patches and software updates won’t protect your organization if it’s unfortunate enough to be hit by an attack with a zero-day threat on the first day.
Ericom provides Ericom Shield, our Remote Browser Isolation offering, and Ericom Application Isolator (EAI) — two products that, by taking a zero trust security approach, can protect your organization from all three leading ransomware vectors.
Ericom Shield protects organizations from email phishing by rendering all websites — including those opened via links within emails — in a virtual browser isolated in a cloud-based container. If a user erroneously clicks on a link that installs malware, it’s a “dead letter” – the malware never reaches the user’s browser, the endpoint device or the company network. The container, along with all active web content and any malware, is destroyed at the end of each session.
Ericom Shield scans and sanitizes any email attachments for malicious content before opening them. The zero-trust approach treats all websites as potentially dangerous, so there’s no need to rely on whitelists that can — and often do — become obsolete overnight. In addition, unknown or uncategorized websites can be opened in read-only mode to prevent unsuspecting users from credential theft.
For the roughly three quarters of ransomware attacks delivered via RDP compromise and software vulnerabilities, Ericom Application Isolator sharply limits what a compromised account or device can reach, minimizing the damage an attacker can do.
Extending the zero-trust concept of “least privilege access” (only allowing a user to access the resources or apps that they need), EAI fully cloaks applications from the view of users who are not authorized to use them. This means that even in the event that a user’s credentials are compromised, the cybercriminal’s lateral movement through the network would be severely curtailed.
Significantly, EAI automates policy creation, enabling truly individualized, policy-based least-privilege access even in organizations with tens of thousands of users. Each user is entrusted with access to only the specific resources and applications they need to get their job done.
Enterprises need to take a defense-in-depth approach to cybersecurity during these challenging times. Of course, go ahead and follow the usual best practices described above. But also add Ericom Shield and Ericom Application Isolator to bring your protection to the next level. With these solutions in place, you know that if a user clicks on the wrong link or has an easy-to-break password, or if a hacker finds an exploitable vulnerability in your VPN or other software, your network will still be secure.