Recovering from ransomware attacks starts with better endpoint security


Ransomware attacks often succeed because endpoints are so overconfigured with controls that the controls conflict with one another and leave devices unprotected. Today, software conflicts between endpoint controls endanger corporate networks, and the problem is accelerated by the ever-faster decay rates of endpoint agents. Absolute Software’s 2021 Endpoint Risk Report found that an average of 11.7 security controls are installed on each endpoint; these controls decay over time and create multiple potential attack vectors.

Driven by how lucrative ransomware is, cybercriminal gangs and advanced persistent threat groups are doubling down on creating ransomware payloads and endpoint attack strategies that evade detection. Chainalysis found that $692 million in ransomware payments were made in 2020, nearly double the original estimates. Ivanti’s latest index found a 7.6% increase in the number of vulnerabilities associated with ransomware in Q1 2022 compared to the end of 2021.

Global vulnerabilities related to ransomware have skyrocketed from 57 to 310 in two years, according to Ivanti’s Q1 2022 Index Update. CrowdStrike’s Global Threat Report 2022 found that ransomware incidents increased by 82% in just one year. Script-based attacks aimed at compromising endpoints continue to accelerate at record rates, underlining why CISOs and CIOs are making endpoint security a high priority this year.

How endpoint ransomware attacks work

Cybercriminal gangs are constantly looking for gaps and weaknesses to exploit in common endpoint vulnerabilities and exposures, treating them the way a sales team treats leads. Their goal is to defeat an endpoint’s defenses and install their payloads on corporate networks undetected.

Once on the network, cybercriminals often take months to dig in and then move laterally across an organization’s network. Compromised endpoints are then turned into ransomware distribution points, spawning further attacks across the organization.

Most ransomware attacks start from unsecured or easily compromised endpoints and proceed through the following six stages:

Phase 1: Multifaceted Attacks

Combining phishing, social engineering, credential theft, and virtual meeting hacks, cybercriminals try to get members of an organization to hand over privileged access credentials that can be used to defeat endpoint security. Alternatively, they try to lure victims to websites designed to compromise systems through browser-based attacks.

VPNs appear to be less effective against this first phase of an attack. Remote browser isolation (RBI) is increasingly used in enterprises because it appears to be more effective than VPNs. Forcepoint, McAfee and Zscaler recently joined RBI pioneers Authentic8 and Ericom in the market. However, Ericom is the only one whose solution is designed to address the many technical challenges involved in securing virtual meetings. Ericom has also applied for patents covering its innovations in this area.

Phase 2: Compromising Endpoints

Cybercriminals compromise unprotected endpoints, including those that are overconfigured to the point that conflicts between their own security software leave them vulnerable. Payloads are installed on an organization’s networks with careful attention to making them undetectable. Ransomware creators in 2022 aim to make payloads and their executables as unobtrusive as possible to get them onto networks while avoiding leaving a digital footprint.

Phase 3: Begin Stealth Surveillance

Cybercriminals patiently explore corporate networks during this phase of a ransomware attack. It is common for them to wait months before scouring a network, in the hope of escaping anomaly tracking or network monitoring systems. During this phase, cybercriminals begin to determine which systems and assets they will encrypt later in the attack.

Phase 4: Take control of endpoint devices and core systems

The goal of this phase of a ransomware attack is to take control of endpoints and prepare them to carry out further attacks. Once the endpoints are under the control of the cyber attackers, their goal is to turn the endpoints into distribution points for further payloads across the network.

Phase 5: Move Laterally and Weaponize Endpoints

By this point, usually a few months after the initial breach, cybercriminals move laterally across organizational networks. They also weaponize endpoints to serve as distribution points for ransomware across the organization.

Phase 6: Encrypt and extort

The final stage of an endpoint ransomware attack begins with encrypting assets and entire systems. By this point, endpoint detection and response (EDR) systems have been compromised and infected endpoints have begun to spread ransomware across the network.

Finally, cybercriminals make extortion demands and will often disclose confidential information to prove that they control a company’s systems.

A one-off defense won’t work against ransomware

Ransomware attacks can no longer be treated as siloed incidents when they can potentially shut down an organization permanently. An example of how serious an attack can be came earlier this month when Lincoln College was forced to… cease operations as a result of a ransomware attack. Lincoln College is a cautionary tale showing why any ransomware cybersecurity strategy must secure every tech stack, operational site, and remote team.

Endpoint protection platforms (EPP) and EDR platforms should be the cornerstones of any ransomware defense strategy. Deploying both provides visibility and control down to the asset level of each endpoint. Most EDRs have incident response workflows and can quickly identify and respond to malicious activity. Banks, financial services firms, government agencies and global investment firms that are not already using these platforms to protect against ransomware should consider running cloud-based EDR pilots combined with network traffic analysis.

Who stops ransomware at the endpoint?

By combining real-time visibility and control of endpoints down to the asset management level, organizations can gain ground in the ransomware arms race. Expect leading EPP, EDR and endpoint vendors to push their ransomware containment roadmaps forward using a lifecycle-based approach. In addition, some EPP solution providers offer cyber insurance for ransomware to demonstrate confidence in their protection.

Leading vendors delivering real-time visibility, control, and asset management of endpoints to thwart ransomware attacks include:

  • Ransomware Response from Absolute builds on the company’s expertise in endpoint visibility, control and resilience, including a proven track record of delivering self-healing endpoints. What is unique about Absolute’s approach is how the solution gives security teams the flexibility to define cyber hygiene and resilience baselines and assess strategic readiness across endpoints, while monitoring the security health of devices and sensitive data.

    Absolute can speed up device recovery and limit device re-infection after a ransomware attack, as well as freeze endpoints to limit the spread of an attack. It can also self-heal ransomware-affected endpoints by relying on its Resilience platform, which is now factory-installed in firmware by 28 device manufacturers. Finally, it provides real-time visibility and control over any device, whether or not it is on the network, along with detailed asset management data.

  • FireEye Endpoint Security uses multiple protection engines and deployable client modules designed to identify and stop ransomware and malware attacks on the endpoint. FireEye sets itself apart from other endpoint providers in how effectively they have combined signature-based, machine learning-based, and behavior-based protection capabilities.

    In addition, FireEye is known throughout the industry for the breadth of threat intelligence sharing its security capabilities enable, which allows its customers to mount an integrated response to incidents.

  • Sophos Intercept X relies on deep learning AI techniques combined with anti-exploit, anti-ransomware and monitoring technology to predict and identify ransomware attacks. Intercept X relies on a comprehensive suite of technologies to deliver hardened endpoint protection. It is also designed to provide a level of resilience by rolling back changes made during a ransomware attack that initially evaded the platform’s protection.

    Intercept X’s next-gen antivirus includes anti-ransomware technology that detects and shuts down malicious encryption processes before they spread across a corporate network. Sophos also has expertise in preventing file and master boot record ransomware attacks.

    It is well known in the cybersecurity community that the Intercept X agent has a larger footprint than most other endpoint security clients, which has been a problem for organizations with large virtual workforces. This becomes an issue when updates need to be delivered over low-speed or low-bandwidth internet connections.

Protecting endpoints can prevent ransomware attacks

Cybercriminals target endpoints in their ransomware attacks because endpoints are the ideal distribution point for additional payloads across a corporate network. Stopping ransomware attacks must therefore start with more resilient endpoints that provide greater visibility and control. Fortunately, innovation in endpoint security, EPP and EDR platforms is accelerating. Absolute, CrowdStrike, FireEye, McAfee, Sophos and others are doubling down on their R&D efforts to thwart ransomware attacks that originate at the endpoint.

The mission of VentureBeat is a digital city square for technical decision makers to gain knowledge about transformative business technology and transactions. Learn more about membership.

Shreya Christina