How to Fend Off Ransomware Gangs

Most of our work life is spent being helpful. Fix a problem here, solve an issue there – that’s what we’re paid to do. But when you’re tasked with stopping ransomware, you get to play the spoiler. Today, we will cover how to frustrate ransomware gangs, ruin their plans, and shut them out of your network. First, let’s briefly recap what ransomware gangs need for their attacks and how you can interfere.

Ransomware Simplified:

Ransomware has four steps: recon, infiltration, weaponization, and exfiltration.

  1. Reconnaissance is about finding a door into your company. Common entry points or “doors” include virtual private networks (VPNs), remote desktop protocol (RDP) endpoints, servers, and databases.
  2. Infiltration is about opening up a door into your company. Ransomware gangs need a “key” to unlock the doors. Credentials, phishing, CVEs, and other tricks are the keys to gain entry.
  3. Weaponization is the infection phase. This is where malware is introduced into your system. It could be a phishing email with a bad attachment or a direct download. Either way, you’ve been breached, and now they’re rifling through your data.
  4. Exfiltration is where ransomware gangs profit by removing data, encrypting data, and/or extorting the victim. A company has few options once an attack reaches this stage.

Stages 3 and 4, weaponization and exfiltration, are where ransomware gangs hurt your company. With that in mind, if you’re going to play spoiler, your best chance is interfering with stages 1 and 2, the recon and infiltration steps.

How to Interfere with Ransomware:

Your best options to interfere with ransomware are finding the “doors” first and hiding the “keys.” To do so, your teams need to know where all the doors are and what keys are available.

1. Find the Doors:

Finding all the doors in a house is easy. Finding all the digital doors in a company’s network is much trickier. With the shift to “Work from Home,” companies are adding more doors in the form of Remote Desktop Protocol (RDP) endpoints and Virtual Private Networks (VPNs). Most of these are added by the IT department and are secure. Many, however, are unknowingly added by other departments without security considerations. This is shadow IT, and it is a weakness ransomware gangs are actively exploiting. So how do you find all the “doors” into your network? Doing so typically requires advanced digital risk prevention tools such as Asset Discovery and Monitoring. These tools help secure your network by locating all physical devices, cloud storage, and RDP endpoints that are part of it. These assets are then continuously monitored for vulnerabilities, such as common vulnerabilities and exposures (CVEs), that could expose the organization to ransomware and other cyber attacks. Asset Discovery and Monitoring is a powerful tool for your SOC or IT teams. We’ve seen how we can find the “doors” into a network. Now it is time to lock away the “keys.”

2. Lock Away the Keys:

There are three common types of “keys” used by ransomware gangs: exposed credentials, phishing, and CVEs. Luckily, many useful tools can remove these keys from the hands of ransomware gangs. Exposed credentials are seen in 80% of hacking techniques and can give a ransomware gang undetected entry to your system. Using a credential monitoring service or an Account Takeover Prevention tool, you will know if credentials are exposed on the clear, deep, and/or dark web. Integrating these tools into a Security Information and Event Management (SIEM) process can prompt users to update their passwords, rendering the old exposed ones useless. Phishing is a significant vector for ransomware, used either to gain access or to deliver malware. Phishing often relies on typosquatting existing domains or on reviving dormant ones to send real-looking emails. Domain Protection helps stop phishing attacks by securing domains with a dual DNS search combined with a domain watchlist that covers dormant domains; together with “on request takedown” services, this provides an entire domain protection solution. Asset Discovery and Monitoring, which we covered earlier, is useful for locating assets with CVEs or known exploitable flaws that can bypass security or authentication. Luckily, once an IT team is made aware of the assets, it can apply a patch to remove the CVE.
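The domain watchlist idea above can be made concrete on the defender’s side. The following is an added example, not CybelAngel’s code or part of the original post: it takes a constructed watchlist of domains an organization owns and classifies sender domains seen in mail-gateway logs as exact matches, look-alikes (homoglyph substitutions, single-character typos, or a swapped TLD), or unrelated. The protected domains and the sender list are constructed sample data; the registrable-domain split is a naive last-two-labels heuristic, and a production deployment would use the Public Suffix List instead.

```python
"""Flag look-alike sender domains against a protected-domain watchlist (added example)."""
from __future__ import annotations

# Constructed watchlist of domains the organization owns (hypothetical values).
PROTECTED_DOMAINS = {"example.com", "example-corp.com"}

# Visually confusable substrings folded to a canonical form before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalize(label: str) -> str:
    """Lower-case a DNS label and fold common homoglyph pairs to their look-alike."""
    label = label.lower()
    for look_alike, canonical in HOMOGLYPHS:
        label = label.replace(look_alike, canonical)
    return label


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_parts(domain: str) -> tuple[str, str] | None:
    """Naive split into (registrable name, TLD); use the Public Suffix List in production."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def classify(sender_domain: str, protected=PROTECTED_DOMAINS) -> tuple[str, str | None]:
    """Return (verdict, mimicked protected domain or None) for one sender domain."""
    parts = registrable_parts(sender_domain)
    if parts is None:
        return ("invalid", None)
    name, tld = parts
    # Exact match on the registrable domain (any subdomain of it is legitimate).
    for prot in protected:
        pname, ptld = registrable_parts(prot)
        if name == pname and tld == ptld:
            return ("legitimate", prot)
    # Look-alike checks, most specific first.
    for prot in protected:
        pname, ptld = registrable_parts(prot)
        if normalize(name) == normalize(pname):
            return ("homoglyph", prot) if tld == ptld else ("tld_swap", prot)
        if tld == ptld and damerau_levenshtein(name, pname) == 1:
            return ("typosquat", prot)
    return ("unrelated", None)


# Constructed sample of sender domains as they might appear in mail-gateway logs.
SAMPLE_SENDERS = [
    "mail.example.com", "exarnple.com", "exampel.com", "example.co",
    "examp1e.com", "partner-site.net", "example-corp.com", "examplecorp.com",
]


def scan(senders, protected=PROTECTED_DOMAINS):
    """Return only the suspicious senders with their verdict and the domain they mimic."""
    findings = []
    for sender in senders:
        verdict, target = classify(sender, protected)
        if verdict not in ("legitimate", "unrelated", "invalid"):
            findings.append((sender, verdict, target))
    return findings


if __name__ == "__main__":
    for sender, verdict, target in scan(SAMPLE_SENDERS):
        print(f"{sender:20} {verdict:10} mimics {target}")
```

Findings from a scan like this feed the same SIEM process the post describes for exposed credentials: a look-alike verdict on an inbound sender is a signal to quarantine the message and to queue the domain for watchlisting or takedown review.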

3. Go Get Them:

We’ve shown you how three digital risk prevention tools, Account Takeover Prevention, Domain Protection, and Asset Discovery and Monitoring, can help you fend off ransomware gangs. But you don’t have to do so alone. CybelAngel offers all these digital risk prevention tools, and more, in one advanced platform. You can read more about our products here or contact us for an in-depth discussion. If you want to learn more about ransomware, try our new guide, Don’t Pay, Prevent.