Recovering from ransomware attacks starts with better endpoint security

Ransomware attacks often succeed because endpoints are so over-configured with controls that the controls themselves leave devices unprotected. Software conflicts between endpoint controls jeopardize enterprise networks, a problem made worse by how quickly endpoint agents decay. Absolute Software’s 2021 Endpoint Risk Report found that the average endpoint has 11.7 security controls installed, which decay over time and create multiple potential attack vectors.
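Control decay is only visible if someone measures it. The script below, added here as an illustration and not code from Absolute or any other vendor named on this page, runs a control-health check over a constructed inventory snapshot: it flags each endpoint whose required agents are missing, stopped, below a minimum version, or have not checked in recently. The policy, the inventory format, the hostnames and the check-in dates are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed policy (an assumption for this example): the controls every endpoint
# must run, with the oldest acceptable agent version for each.
REQUIRED_CONTROLS = {
    "edr": (4, 2, 0),
    "disk_encryption": (2, 0, 0),
    "patch_agent": (7, 1, 0),
}
# An agent that has not reported in longer than this is treated as decayed.
MAX_CHECKIN_AGE = timedelta(days=3)


def parse_version(version: str) -> tuple:
    """'4.1.9' -> (4, 1, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess_endpoint(host: dict, now: datetime,
                    required=REQUIRED_CONTROLS, max_age=MAX_CHECKIN_AGE) -> list:
    """Return the list of control-health findings for one endpoint record."""
    findings = []
    installed = {c["name"]: c for c in host["controls"]}
    for name, min_version in required.items():
        control = installed.get(name)
        if control is None:
            findings.append(f"{name}: missing")
            continue
        if not control["running"]:
            findings.append(f"{name}: installed but not running")
        if parse_version(control["version"]) < min_version:
            findings.append(f"{name}: version {control['version']} below minimum")
        age = now - datetime.fromisoformat(control["last_checkin"])
        if age > max_age:
            findings.append(f"{name}: last check-in {age.days} days ago")
    return findings


def assess_fleet(inventory: list, now: datetime) -> dict:
    """Map hostname -> findings, keeping only endpoints that have at least one."""
    report = {}
    for host in inventory:
        findings = assess_endpoint(host, now)
        if findings:
            report[host["hostname"]] = findings
    return report


def control(name, version, running=True, last_checkin="2022-05-31T08:00:00"):
    """Build one installed-control record (helper for the constructed inventory)."""
    return {"name": name, "version": version, "running": running, "last_checkin": last_checkin}


# Constructed inventory snapshot, shaped like an endpoint-management export (assumption).
SAMPLE_INVENTORY = [
    {"hostname": "lt-a", "controls": [control("edr", "4.2.1"),
                                      control("disk_encryption", "2.3.0"),
                                      control("patch_agent", "7.1.0")]},
    {"hostname": "lt-b", "controls": [control("edr", "4.1.9"),
                                      control("disk_encryption", "2.3.0"),
                                      control("patch_agent", "7.1.0",
                                              last_checkin="2022-05-20T08:00:00")]},
    {"hostname": "lt-c", "controls": [control("edr", "4.2.1", running=False),
                                      control("patch_agent", "7.2.0")]},
]


def run_report(now: datetime = datetime(2022, 6, 1, 9, 0, 0)) -> dict:
    """Assess the constructed fleet as of a fixed 'now' so results are reproducible."""
    return assess_fleet(SAMPLE_INVENTORY, now)


if __name__ == "__main__":
    for hostname, findings in run_report().items():
        print(hostname)
        for finding in findings:
            print("  -", finding)
```

Only lt-b and lt-c appear in the report; lt-a meets the policy. The point of comparing version tuples rather than strings is that "4.10.0" must rank above "4.2.0", and the point of the check-in age test is that an agent can be installed and at the right version yet silently dead.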

Driven by how lucrative ransomware is, cybercriminal gangs and advanced persistent threat groups are doubling down on creating ransomware payloads and endpoint attack strategies that evade detection. Chainalysis found that $692 million in ransomware payments were made during 2020, nearly double their original estimates. Ivanti’s latest index found that there’s been a 7.6% jump in the number of vulnerabilities associated with ransomware in Q1 2022, compared to the end of 2021.

Globally, vulnerabilities tied to ransomware have skyrocketed in two years from 57 to 310 based on Ivanti’s Q1 2022 Index Update. CrowdStrike’s 2022 Global Threat Report found ransomware incidents jumped 82% in just a year. Scripting attacks aimed at compromising endpoints continue to accelerate at a record pace, reinforcing why CISOs and CIOs are making endpoint security a high priority this year.

How endpoint ransomware attacks work  

Cybercriminal gangs are constantly looking for exploitable gaps and weaknesses in endpoints’ common vulnerabilities and exposures (CVEs). They treat them like a sales team treats leads. Their goal is to defeat an endpoint’s defenses and get their payloads installed undetected on enterprise networks.

Once on the network, cybercriminals often take months to burrow and then move laterally across an organization’s network. Compromised endpoints are then turned into ransomware distribution points, launching more attacks across the organization.

Most ransomware attacks start from unsecured or easily compromised endpoints and proceed through the following six phases:

Phase 1: Multifaceted attacks 

Combining phishing, social engineering, identity theft and virtual meeting hacks, cybercriminals try to get members of an organization to hand over privileged-access credentials they can use to defeat endpoint security defenses. Alternatively, they try to lure victims to websites designed to compromise systems through browser-based attacks.

VPNs are proving to be less effective against this first phase of an attack. Remote browser isolation (RBI) is gaining adoption across enterprises because it’s proving more effective than VPNs. Forcepoint, McAfee and Zscaler recently joined RBI pioneers Authentic8 and Ericom in the market. However, Ericom is the only one whose solution is designed to meet the many technical challenges involved in securing virtual meetings globally. Ericom has also applied for patents for their innovations in this area.

Phase 2: Compromise endpoints

Cybercriminals compromise unprotected endpoints, including those so over-configured that their internal software conflicts make them vulnerable. Payloads are installed on an organization’s networks with careful attention to making them undetectable. Ransomware creators in 2022 are striving to make payloads and their executable files as stealthy as possible to get them onto networks while evading the creation of any digital footprint.

Phase 3: Begin stealth surveillance

Cybercriminals patiently explore enterprise networks during this phase of a ransomware attack. It’s common for cybercriminals to wait months before probing through a network, hoping they won’t be detected by any anomaly-tracking or network-monitoring systems. During this phase, cybercriminals begin to define which systems and assets they will encrypt later in the attack.

Phase 4: Achieve control over endpoint devices and core systems

Getting control of endpoints and getting them ready to launch further attacks is the goal of this phase of a ransomware attack. Once endpoints are under the control of the cyberattackers, their goal is to turn the endpoints into distribution points for further payloads across the network.

Phase 5: Make aggressive lateral movements and weaponize endpoints

By this point, typically a few months after the initial breach, cybercriminals are moving laterally across the organization’s networks. They are also weaponizing endpoints to serve as ransomware distribution points across the organization.

Phase 6: Encrypt and extort

The final phase of an endpoint ransomware attack starts with assets and entire systems being encrypted. By this point, endpoint detection and response (EDR) systems have been compromised and infected endpoints begin propagating ransomware across the network.

Finally, cybercriminals make extortion demands and will often release confidential data publicly to prove they have control of a company’s systems.

One-and-done defenses don’t work against ransomware 

Ransomware attacks can’t be treated as siloed attacks anymore when they can potentially take down an organization permanently. An example of how severe an attack can be came earlier this month, when Lincoln College was forced to permanently discontinue operations after a ransomware attack. Lincoln College is a cautionary tale showing why any ransomware cybersecurity strategy needs to secure all tech stacks, operating locations and remote teams.

Endpoint protection (EPP) and EDR platforms need to be the cornerstones of any ransomware defense strategy. Implementing both provides visibility and control down to the asset level of endpoints. The majority of EDRs have incident-response workflows and can quickly identify and act against malicious activity. Banking, financial services, government agencies and globally based investment firms need to consider running cloud-based EDR pilots that include network traffic analysis if they are not already using these platforms to protect against ransomware.

Who is stopping ransomware at the endpoint?

Combining real-time visibility and control of endpoints down to the asset-management level allows organizations to win the ransomware arms race. Look for leading EPP, EDR and endpoint vendors to make a strong push on their roadmaps to contain ransomware using a lifecycle-based approach. In addition, some EPP solutions providers are offering cyber insurance policies for ransomware to demonstrate confidence in their ransomware defenses.

Leading vendors delivering real-time endpoint visibility, control and asset management aimed at thwarting ransomware attacks include the following:

  • Absolute’s Ransomware Response builds on the company’s expertise in endpoint visibility, control and resilience, including a proven record of accomplishment in delivering self-healing endpoints. What’s unique about Absolute’s approach is how its solution provides security teams with the flexibility of defining cyber hygiene and resiliency baselines and assessing the strategic readiness across endpoints while monitoring device security posture and sensitive data.

Absolute’s solution can expedite device recovery and limit re-infection of devices following a ransomware attack, freezing endpoints to limit the spread of an attack. Absolute can also self-heal ransomware-impacted endpoints by relying on its Resilience platform, which is factory-embedded in firmware by 28 device manufacturers today. It also provides real-time visibility and control of any device, whether or not it is on the network, along with detailed asset management data.

  • FireEye Endpoint Security uses multiple protection engines and deployable customer modules designed to identify and stop ransomware and malware attacks at the endpoint. FireEye is differentiated from other endpoint providers in how effectively they have combined signature-based, machine-learning-based and behavioral-based protection capabilities.

In addition, FireEye is known throughout the industry for having a broad set of security capabilities that enable it to collaborate on threat intelligence findings, so its customers can carry out integrated incident response.

  • Sophos Intercept X relies on deep-learning AI techniques combined with anti-exploit, anti-ransomware, and control technology to predict and identify ransomware attacks. Intercept X relies on a comprehensive series of technologies to deliver hardened endpoint protection. It’s also designed to provide a level of resilience by rolling back the changes made during a ransomware attack that initially evaded the platform’s protection.

Intercept X’s next-gen antivirus includes anti-ransomware technology that detects malicious encryption processes and shuts them down before they spread across an enterprise network. Sophos also has expertise in preventing file-based and master boot record ransomware attacks.
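The encryption phase described above (Phase 6) and the malicious-encryption detection described for Intercept X come down to the same observable: one process rewriting many files with ciphertext-like content in a short time. The Python script below, added here as an illustration and not code from Sophos or any other vendor named on this page, implements that heuristic over constructed file-write events. It scores each write by its byte entropy, keeps a sliding window of high-entropy writes per process, and alerts when a process has rewritten several distinct files inside the window. The thresholds, the event tuple format and the sample processes are all assumptions made for the example.

```python
import math
import random
from collections import defaultdict, deque

# Heuristic thresholds (assumptions for this example, not any vendor's tuning).
ENTROPY_MIN = 7.0       # bits per byte; ciphertext and compressed data sit near 8
WINDOW_SECONDS = 10     # how far back per-process write history is kept
FILES_THRESHOLD = 5     # distinct high-entropy files in the window that trigger an alert


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy, in bits per byte, of the given buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           threshold=FILES_THRESHOLD, entropy_min=ENTROPY_MIN):
    """
    events: iterable of (timestamp_seconds, pid, process_name, path, written_bytes).
    Returns one alert (timestamp, pid, process_name, distinct_files) per process
    that writes high-entropy content to `threshold` or more distinct files within
    `window` seconds. Low-entropy writes never enter the window.
    """
    history = defaultdict(deque)   # pid -> deque of (timestamp, path)
    alerted = set()
    alerts = []
    for ts, pid, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < entropy_min:
            continue
        q = history[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop writes that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append((ts, pid, proc, len(distinct)))
    return alerts


def sample_events():
    """Constructed file-write events: a text editor, a backup job writing one
    archive, and a process that rewrites six documents with ciphertext-like
    content over six seconds."""
    rng = random.Random(42)
    ciphertext_like = rng.randbytes(2048)          # deterministic stand-in for encrypted output
    plaintext = b"quarterly report draft text " * 64
    events = [
        (0, 100, "editor.exe", "C:/docs/a.txt", plaintext),
        (1, 100, "editor.exe", "C:/docs/b.txt", plaintext),
        (1, 300, "backup.exe", "D:/bak/archive.zip", ciphertext_like),  # single file: benign
    ]
    for i in range(6):
        events.append((2 + i, 200, "unknown.exe", f"C:/docs/f{i}.docx.locked", ciphertext_like))
    return events


def run_demo():
    """Run the detector over the constructed events and return its alerts."""
    return detect_mass_encryption(sample_events())


if __name__ == "__main__":
    for ts, pid, proc, n in run_demo():
        print(f"t={ts}s pid={pid} {proc}: {n} high-entropy files rewritten within {WINDOW_SECONDS}s")
```

Only the process with pid 200 is reported, at the fifth distinct file. The backup job also writes high-entropy data, which is why entropy alone is a poor signal; requiring a burst across many distinct files is what separates a compression job from encryption at scale. A shipping product layers more signals on top of this, but the sliding window over per-process write behaviour is the core of what "detects malicious encryption processes" means in practice.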

It is common knowledge in the cybersecurity community that the Intercept X agent has a larger footprint than most other endpoint security clients, which has been a problem for organizations with large virtual workforces. This becomes an issue when updates need to be delivered over internet connections with low speed or bandwidth.

Protecting endpoints can prevent ransomware attacks

Cybercriminals are targeting endpoints as part of their ransomware attacks because they’re the perfect distribution point for additional payloads across an enterprise network. Therefore, shutting down ransomware attacks needs to start with more resilient endpoints that provide greater visibility and control. Fortunately, an accelerating pace of innovation is happening in endpoint security, EPP and EDR platforms. Absolute, CrowdStrike, FireEye, McAfee, Sophos, and others are doubling their R&D efforts to thwart ransomware attacks that originate at the endpoint.