How ransomware attackers evade your organization’s security solutions


You might be surprised to learn that just about every reputable antivirus product on the market can reliably stop the majority of ransomware families. In fact, most ransomware authors don’t even try to hide their ransomware through obfuscation or packing, which makes detection fairly straightforward for good antivirus solutions.

Why then are so many organizations still falling to ransomware? The issue isn’t so much about the capabilities of your antivirus software, nor is it really about ransomware – it’s about what attackers can do after compromising your network.

In this blog post, we’re going to show you exactly how ransomware attackers evade your security solutions, what happens during a post-compromise attack and what you can do to secure your network.

The shift to post-compromise deployment

Historically, ransomware groups have taken a shotgun approach to attacks. They used spam campaigns, hacked websites and exploit kits to indiscriminately deliver ransomware to as many targets as possible and demanded a relatively modest three-digit ransom to decrypt files. It was a quantity over quality game, and attackers didn’t spend much time, if any, investigating victims’ networks before deploying their ransomware.

However, this has changed dramatically over the last couple of years as threat actors have shifted toward more selective and sophisticated post-compromise attacks. While distribution methods have largely remained the same (apart from the notable rise in RDP-based attacks), malicious actors now spend more time gathering information about the target network before deploying ransomware payloads. The median malware dwell time, defined as the length of time between compromise and detection, is 56 days, according to a report by threat intelligence firm FireEye.

Careful reconnaissance allows threat actors to maximize the impact of an attack and the corresponding ransom amount. But what exactly are attackers doing during these 56 days?

Importantly, post-compromise attacks also allow threat actors to assess a target’s security systems and disable security processes before the ransomware payload is delivered. After obtaining high-level privileges, attackers can disable security processes via the security product’s centralized dashboard or simply whitelist ransomware executables, ensuring the final ransomware payload escapes detection.
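The two tampering actions just described (switching protection off, and whitelisting the payload so it is never scanned) leave a trail in the security console's own audit log, which makes them a useful detection point for defenders. The following is an added example, not code from the original post or from Emsisoft: it runs simple detection logic over a handful of constructed audit events. The event schema, the action names and the account and host names are all assumptions, since every console exports its own format.

```python
"""Flag security-console audit events that look like protection tampering.

Added illustrative example (not from the original post or from Emsisoft).
The audit-event schema and action names below are assumptions standing in
for whatever a real security product's management console exports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical console action names that mean "protection switched off".
DISABLE_ACTIONS = {"agent.realtime_protection.disable", "agent.uninstall", "policy.scan.disable"}
# Hypothetical action name for adding a scan exclusion (whitelisting).
EXCLUSION_ACTIONS = {"policy.exclusion.add"}
# Exclusions on executable content or wildcards are the ones a payload would need.
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".scr")


@dataclass
class AuditEvent:
    ts: datetime
    actor: str    # console account that made the change
    action: str   # what was changed
    target: str   # excluded path/pattern, or the affected host/policy
    scope: str    # e.g. "host:FS01" or "policy:Servers"


@dataclass
class Alert:
    severity: str
    reason: str
    event: AuditEvent


def detect_tampering(events, bulk_window=timedelta(minutes=10), bulk_threshold=3):
    """Return alerts for disabled protection, risky exclusions, and bursts of
    such changes by one actor inside bulk_window (a pre-deployment pattern)."""
    alerts = []
    flagged_times = {}  # actor -> timestamps of that actor's flagged events
    for ev in sorted(events, key=lambda e: e.ts):
        flagged = False
        if ev.action in DISABLE_ACTIONS:
            alerts.append(Alert("high", f"protection disabled on {ev.scope}", ev))
            flagged = True
        elif ev.action in EXCLUSION_ACTIONS:
            t = ev.target.lower()
            if t.endswith(EXEC_SUFFIXES) or "*" in t:
                alerts.append(Alert("high", f"executable/wildcard exclusion added: {ev.target}", ev))
            else:
                alerts.append(Alert("medium", f"exclusion added: {ev.target}", ev))
            flagged = True
        if not flagged:
            continue
        # Burst detection: several tampering changes by one account in a short window.
        recent = [t for t in flagged_times.get(ev.actor, []) if ev.ts - t <= bulk_window]
        recent.append(ev.ts)
        flagged_times[ev.actor] = recent
        if len(recent) == bulk_threshold:
            alerts.append(Alert("critical",
                                f"{bulk_threshold} security-config changes by {ev.actor} "
                                f"within {bulk_window}", ev))
    return alerts


def sample_events():
    """Constructed audit events (not real data) for the demonstration."""
    d = datetime(2024, 3, 2)
    return [
        AuditEvent(d.replace(hour=1, minute=12), "admin.svc", "policy.exclusion.add",
                   r"C:\ProgramData\update.exe", "policy:Servers"),
        AuditEvent(d.replace(hour=1, minute=13), "admin.svc", "agent.realtime_protection.disable",
                   "FS01", "host:FS01"),
        AuditEvent(d.replace(hour=1, minute=14), "admin.svc", "policy.exclusion.add",
                   r"C:\Windows\Temp\*", "policy:Servers"),
        AuditEvent(d.replace(hour=9, minute=30), "j.smith", "policy.exclusion.add",
                   r"C:\Program Files\ERP\data\ledger.db", "policy:Finance"),
        AuditEvent(d.replace(hour=10, minute=0), "j.smith", "policy.scan.schedule.update",
                   "weekly", "policy:Finance"),  # routine change, not flagged
    ]


def summarize(alerts):
    """Count alerts by severity."""
    counts = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


def run_demo():
    return detect_tampering(sample_events())


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.severity}] {a.event.ts:%H:%M} {a.event.actor}: {a.reason}")
```

Run against the constructed events, the three overnight changes by `admin.svc` produce three high alerts plus one critical burst alert, while the analyst's single data-file exclusion is only medium and the schedule change is ignored. The useful design point is the burst rule: a single exclusion is routine, but an exclusion, a protection disable and a wildcard exclusion from one account within minutes is the sequence the post describes and deserves a page, not a ticket.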

The most common attack vectors for ransomware

Ransomware is a symptom of a larger, systemic issue, and should be viewed as what it really is: a currently popular way to monetize compromised networks, just as cryptojacking, password stealing and financial fraud once were.

With this in mind, organizations should focus on detecting and blocking the initial point of compromise rather than investing in ransomware-specific protection. Organizations should pay particular attention to the biggest ransomware attack vectors, which include:

Protecting against post-compromise ransomware attacks

Organizations shouldn’t rely exclusively on specialized ransomware protection products because, as we’ve learned, ransomware isn’t the core problem. Instead, organizations should focus on preventing the initial point of infection, using proven cybersecurity practices to minimize the risk of compromise.

Below is a non-comprehensive list of cybersecurity best practices that can help protect the network against compromise and, by extension, post-compromise ransomware attacks.

Conclusion

Modern ransomware is typically deployed post-compromise, which allows threat actors to learn more about the target system, steal sensitive data, disable security processes and ultimately maximize the impact of an attack.

Reducing the risk of compromise also reduces the risk of ransomware. Thus, the most efficient and cost-effective way to mitigate ransomware attacks is to investigate and address potential network vulnerabilities rather than investing in ransomware-specific protection.


Jareth
