Anatomy of a ransomware attack: How attackers gain access to unstructured data
Ransomware isn’t a new phenomenon, but its effects are starting to be felt more widely and more deeply than ever before. Behemoths like Sony, Nissan, FedEx, Kraft Foods and Deutsche Bank have all been hit in recent years, and the list is growing. The ongoing saga of the ransomware attack in Baltimore, MD has left citizens unable to pay parking tickets or finalize property sales.
American small businesses may bear the brunt of the impact of ransomware’s global spread. A survey by Datto suggests that ransomware attacks cost billions in lost productivity each year.
Shockingly, 77 percent of companies infected were running up-to-date endpoint protection, which tells us that the problem lies somewhere else. Human error, loose passwords, and lax authentication protocols all contribute to higher risk.
Let’s walk through a typical ransomware attack to understand how attackers gain access to your company’s most valuable asset: unstructured data.
Step 1: Identify a vulnerable network using sophisticated tools to detect and probe networks for lax security protocols, unpatched software, or single-factor authentication.
Step 2: Scrape user passwords off the dark web. There are billions available.
Step 3: Use a third-party site to verify the stolen password. Check against data on a common social media site such as LinkedIn.
Step 4: Obfuscate their location by logging in via 50+ worldwide proxies.
Step 5: Pull down your proprietary data, encrypt it, and spread it across the blockchain in data centers across the globe.
Step 6: Demand thousands of dollars for the safe return of your data and cripple your day-to-day operations in the meantime.
This whole process can happen right under your nose. If you decide not to pay, your data may disappear forever. If you don’t take steps to address the underlying vulnerability, it can keep happening over and over.
There are some common-sense approaches to data governance that can help keep data from being hijacked. First, strong passwords are the first line of defense. Two-factor authentication and a good password manager should be the default posture of every organization.
Second, basic data hygiene and consistent permissions monitoring can limit which data is accessible to a bad actor who logs on with valid credentials.
Third, you must be able to monitor accounts for unusual behavior. When users are suddenly accessing massive amounts of data or downloading hundreds of files at a time, admins need to know.
Finally, ransomware detection should be part of the security posture. This includes scanning unstructured data for suspicious or altered file extensions, known ransomware signatures, and detection of “ransom note” content inside the repository.
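The account monitoring in the third point above can be sketched as a sliding-window check over file-access audit logs. This is an added example, not code from the original article; the log format, user names, threshold and window size are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed audit log lines: '<ISO timestamp> <user> <action> <path>'."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = ["corrupted line"]  # malformed input the detector must tolerate
    for i in range(5):  # alice: 5 downloads spread over an hour (normal)
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()} alice download /share/doc{i}.docx")
    for i in range(300):  # bob: 300 downloads, one per second (bulk pull)
        ts = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{ts.isoformat()} bob download /share/hr/file{i}.xlsx")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def find_bulk_access(lines, threshold=100, window=timedelta(minutes=5)):
    """Return {user: (alert_time, downloads_in_window)} for each user who
    reaches `threshold` downloads inside one sliding `window`.
    Assumes lines are in chronological order."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    alerts = {}
    for line in lines:
        try:
            ts_text, user, action, _path = line.split(" ", 3)
            ts = datetime.fromisoformat(ts_text)
        except ValueError:
            continue  # skip lines that do not match the assumed format
        if action != "download":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (ts, len(q))  # record only the first alert
    return alerts


if __name__ == "__main__":
    for user, (when, count) in find_bulk_access(make_sample_log()).items():
        print(f"ALERT {user}: {count} downloads within 5 minutes at {when}")
```

The window matters more than the raw count: the same number of downloads spread over a working day stays under the threshold, while a burst trips it within seconds.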
The bottom line: if you think endpoint security will save you from ransomware, think again.