Despite increased investment in tools to fight ransomware, 90% of organizations were affected by ransomware in some capacity over the past 12 months, according to SpyCloud’s 2022 Ransomware Defense Report.
Allocation of security budgets
Respondents ranked the risk of attack through third-party vendors as the main factor driving the allocation of security budgets, followed by the rise in frequency and sophistication of ransomware attacks. As a result, organizations’ ransomware mitigation solutions focus increasingly on the risk of account takeover as a precursor to this form of cyber attack.
The number of organizations that implemented or plan to implement multi-factor authentication jumped 71%, from 56% the previous year to 96%. Monitoring for compromised employee credentials also increased from 44% to 73%.
As organizations strengthen their password hygiene and invest in tools like MFA, criminals have doubled down and expanded traditional tactics to circumvent their defenses. For example, deploying malware to personal devices to access corporate applications or pivoting to session hijacking using compromised cookies can allow criminals to bypass the authentication process altogether.
“Multi-factor authentication provides a much-needed added layer of security, but it isn’t perfect. We have heard warnings recently against using SMS authentication for MFA since texts can be intercepted by motivated cybercriminals, but even push notifications and authentication applications are not completely foolproof or secure, which these malware and compromised cookies trends are showing,” Darren Siegel, Cyber Security Expert at Specops Software, told Help Net Security.
“This defense report is a great reminder of the need for employee security education and better security controls. Cybersecurity training should be required regularly for all employees to teach them to recognize cybersecurity threats and how they can help mitigate them – things like thinking twice before clicking a link or approving an MFA notification and setting stronger passwords.”
Cybersecurity measures are failing to close gaps
Because of these evolving criminal tactics, overall cyber incidents have not decreased. In fact, the survey revealed that organizations are not only still falling victim but are increasingly likely to be hit more than once: 50% were hit at least twice, 20.3% were hit between 6 and 10 times and 7.4% were attacked more than 10 times.
“Organizations are right to be concerned about unwitting insider threats — their cybersecurity measures are failing to close gaps that are leading to ransomware attacks,” said SpyCloud CEO Ted Ross. “Organizations may not be aware that undetected malware infections on personal devices represent the riskiest of those gaps. This report shows organizations are spending time and money on solutions that leave sensitive data exposed. Even if security teams retrieve their organizations’ data, once it’s circulated on the dark web, criminals can use it for more destructive activities – including their next attack.”
Malware infections are more widespread than many organizations realize. Through analysis of botnet logs recaptured this year alone, SpyCloud researchers identified over 6 million malware-infected devices with application credentials siphoned.
Cybercriminals deploy malware to steal data including credentials to workforce applications, browser fingerprints, and device or web session cookies, enabling them to impersonate an employee and access and encrypt data while bypassing MFA and other security controls.
On average, in 2022, SpyCloud researchers found 16 to 26 unique affected applications or domains per infected device, which translates to 96 to 156 million siphoned application login credentials. While wiping an infected device may prevent criminals from accessing more data, it does not remedy the exposure of the broader identity or prevent future enterprise access. Robust post-infection remediation is critical because reimaging an infected device without remediating applications leaves a wide gap in the enterprise’s security posture.
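As an added example (not SpyCloud's code or tooling), the following Python planner turns recaptured exposure records into the per-application remediation the passage calls for: password resets where a credential was siphoned, session revocation where a cookie was, and owner notification for applications the organization does not administer. The record layout, the sample records, the domains and the managed_domains set are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ExposureRecord:
    """One (infected device, application) pair from a recaptured log (constructed shape)."""
    device_id: str
    user_email: str
    target_domain: str
    password_exposed: bool
    session_cookie_exposed: bool

# Constructed sample: one infected laptop with credentials and cookies siphoned
# for three applications (one captured twice), plus a second device with one exposure.
SAMPLE_RECORDS = [
    ExposureRecord("laptop-01", "a.lee@example.com", "vpn.example.com", True, False),
    ExposureRecord("laptop-01", "a.lee@example.com", "mail.example.com", True, True),
    ExposureRecord("laptop-01", "a.lee@example.com", "crm.saas-vendor.test", False, True),
    ExposureRecord("laptop-01", "a.lee@example.com", "vpn.example.com", True, False),
    ExposureRecord("desktop-07", "b.kim@example.com", "hr.example.com", True, False),
]

def affected_apps(records):
    """Unique application domains per infected device (the per-device count the report tracks)."""
    apps = defaultdict(set)
    for r in records:
        apps[r.device_id].add(r.target_domain)
    return {device: sorted(domains) for device, domains in apps.items()}

def plan_remediation(records, managed_domains):
    """Per-application actions that must follow a reimage; managed_domains is the
    hypothetical set of domains the organization administers itself."""
    suffixes = tuple("." + d for d in managed_domains)
    plan = defaultdict(lambda: defaultdict(set))
    for r in records:
        actions = plan[r.device_id][r.target_domain]
        if r.password_exposed:
            actions.add("force_password_reset")
        if r.session_cookie_exposed:
            # A stolen cookie resumes an already-authenticated session past MFA,
            # so rotating the password alone does not close this door.
            actions.add("revoke_active_sessions")
        if not r.target_domain.endswith(suffixes):
            # Third-party application outside the organization's control.
            actions.add("notify_application_owner")
    return {device: {app: sorted(a) for app, a in apps.items()} for device, apps in plan.items()}

if __name__ == "__main__":
    for device, apps in plan_remediation(SAMPLE_RECORDS, {"example.com"}).items():
        print(device, len(affected_apps(SAMPLE_RECORDS)[device]), "apps:", apps)
```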
According to 87% of respondents, reports of credential-stealing malware such as RedLine Stealer have elevated their organization’s concern of unmonitored personal devices as a potential entry point for ransomware. Unmanaged devices pose a great concern because security teams are unable to monitor them for threats such as malware and third-party application exposures. As a result, cyber defenders lack visibility into their full attack surface and therefore often underestimate their malware-related risks.
Ransomware prevention strategies
“Effective ransomware prevention strategies must focus on the entry points security teams can’t see – the cloaked attack surface that includes third-party applications and unmanaged machines outside their standard monitoring purview,” said Ross. “A single malware-infected device can compromise hundreds of corporate applications. Even after the malware is removed, the damage is done unless all of those applications are properly remediated post-infection – otherwise doors remain open for ransomware and other critical threats to the enterprise.”
In related news, several U.S. states have recently moved to ban local and state agencies and organizations funded by taxpayers' dollars from paying off ransomware gangs, and a few more are gearing up to do so. To learn more about this, we have a video that discusses the possible repercussions of such legislation and, more generally, the evolving nature of ransomware attacks and the current global efforts aimed at fighting the ransomware threat.