Cyber adversaries of all kinds continue to exploit the expanded digital attack surface in unprecedented ways and at scale. In particular, the rapid shift to remote work and sustained work-from-anywhere (WFA) for many organizations has been an ongoing opportunity for cybercriminals to target employees connecting to corporate resources from often poorly secured home networks and devices. These adversaries continue to target and exploit these workers today, years after the shift to WFA started.
The most common ransomware attacks often begin with social engineering. Well-executed social engineering, usually in the form of phishing or spear-phishing, can trick users into divulging critical information, from passwords to financial account details to personally identifiable information (PII). Today, social engineering is being combined with hacking techniques and malware distribution to power increasingly destructive attacks, as recent FortiGuard Labs research points out.
The attack sequence often starts by exploiting the concerns of individuals about social events, such as elections or the tax season, and evolves to attack other computer systems once it connects back into the network.
In a typical ransomware attack, hackers use phishing or other means to introduce malware onto a victim's computer system that then spreads across the network. Once enough systems have been compromised, the hacker triggers the malware to encrypt all infected systems, rendering the files and data on those devices inaccessible to the organization. The hacker then attempts to extract a monetary payment from the organization in exchange for the key needed to decrypt the compromised files.
When a threat actor uses ransomware to withhold your data, the assumption is that you will pay virtually any price to regain control. And if you do not, the hacker will then put your data up for sale on the darknet. However, we are also seeing a growing number of cases in which a victim pays a ransom but never gets the decryption keys needed to restore their network. In even more brutal cases, the ransomware went ahead and destroyed the network by wiping the disks of desktops and servers even though the ransom had been paid.
Protecting your organization from a ransomware attack requires keeping up-to-date backups of critical files off-network and scanning devices seeking network access for malware infection. But this is just the start. It helps to also understand how ransomware works because once we understand what is happening, there are effective ways to combat it.
Cybercriminals often use sophisticated techniques and tactics to penetrate an organization and compromise an endpoint with the primary goal of encrypting your files. Rather than fighting against this process, what would happen if, instead, you surreptitiously redirected the ransomware to only encrypt fake files: files you intentionally created and placed on the network to entice would-be attackers? By trying to encrypt these fake files, those hackers would expose themselves and their intentions, as well as reveal the existence of their malware, before they could do any damage. In other words, an extremely powerful counterattack strategy is to deceive ransomware into running against a benign target of our choosing, triggering an alert and revealing its criminal intentions. We can achieve this using cyber-deception technology.
Cyber deception allows organizations to rapidly create a fabricated (fake) network that automatically deploys attractive decoys and lures that are indistinguishable from the traffic and resources used in the legitimate network. This pseudo network is then seamlessly integrated with the existing IT/OT infrastructure to lure attackers into revealing themselves.
Deception technology doesn't install any agent on the endpoint, doesn't require any network change, and doesn't rely on any signature or anomaly engine. The question is, how does cyber-deception technology find and mitigate ransomware? The answer is, we use the ransomware's encryption activity against itself.
Cyber-deception technology uses ransomware's own techniques and tactics against itself to trigger detection, and it uncovers the attacker's tactics, techniques, and procedures (TTPs) that led to its successful foothold in the network, so those vulnerabilities can be mitigated at a security architecture level. Effective deception provides contextual threat intelligence that can be used to trace how an attacker compromised the organization (such as through weak or stolen credentials, or a vulnerable endpoint or server that allowed the ransomware to spread) so those gaps in protection can be closed.
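The decoy-file idea described above (ransomware encrypting files we planted on purpose, which turns its own encryption activity into the detection signal) can be shown in a small monitor. This is an added example, not Fortinet's product code or any part of the original article: it plants decoy files with assumed names, records their hashes, and raises an alert when a decoy is rewritten with ciphertext-like high-entropy data or disappears. The `demo()` function constructs a temporary directory and mimics only the effect of encryption (overwriting one decoy with random bytes and deleting another) so the reader can see what the monitor reports.

```python
import hashlib
import math
import os
import tempfile

# Constructed decoy content: looks like a tempting document but holds nothing real.
DECOY_CONTENT = b"Q3 payroll summary - CONFIDENTIAL - do not distribute\n" * 20
DECOY_NAMES = ("payroll_2023.xlsx", "passwords.txt", "contracts.docx")  # assumed names


def plant_decoys(root):
    """Write the decoy files under `root`; return {path: sha256} as the clean baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(DECOY_CONTENT)
        baseline[path] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def shannon_entropy(data):
    """Bits per byte: ciphertext approaches 8.0, ordinary documents sit well below."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_decoys(baseline, entropy_threshold=7.0):
    """Compare each decoy with its baseline; return [(path, reason)] for anything touched."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing: deleted or renamed"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != digest:
            if shannon_entropy(data) > entropy_threshold:
                alerts.append((path, "rewritten with high-entropy data: encryption suspected"))
            else:
                alerts.append((path, "modified"))
    return alerts


def demo():
    """Plant decoys, mimic what encryption does to two of them, and return the alerts."""
    root = tempfile.mkdtemp()
    baseline = plant_decoys(root)
    assert check_decoys(baseline) == []          # untouched decoys stay silent
    first, second = sorted(baseline)[:2]
    with open(first, "wb") as fh:
        fh.write(os.urandom(4096))               # simulated ciphertext overwrite
    os.remove(second)                            # simulated delete/rename of a decoy
    return check_decoys(baseline)
```

In practice the check would run on a schedule or from a filesystem-change hook, and each alert would be forwarded to the SIEM or SOAR platform to isolate the host that touched the decoy.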
Deception technology should be fully integrated with NGFW, NAC, SIEM, sandbox, SOAR, and EDR solutions to automate mitigation responses based on ransomware detection. By combining deception technology with a comprehensive security platform, organizations can detect and respond to attacks, such as ransomware, long before the malware can achieve its malicious goals.
The intelligence gained through deception can be some of the most impactful threat intelligence you can find; it is active intelligence about your network.