WatchGuard Blog

4 Steps A Cyber Threat Actor Takes

The number and frequency of ransomware cyberattacks are growing every year. The European Union Agency for Cybersecurity (ENISA) recorded a 150% increase in 2020 alone and, as of last year, ransomware attacks have become the number one threat. Added to this, the recovery costs and downtime incurred can be up to 10 to 15 times higher than the ransom demanded by cybercriminals. The figures cited above are just some of the key facts and findings revealed by WatchGuard's new eBook Escape the Ransomware Maze.  

How to Escape the Ransomware Maze?

The publication also describes how hackers today deploy sophisticated tactics to evade traditional ransomware detection measures and take advantage of commonly used processes to break into systems. The criminals move laterally through the network looking for opportunities to steal and encrypt data. Once they get what they need, they threaten to sell or leak the exfiltrated data or authentication information if a ransom is not paid. The eBook sets out the steps malicious cyber actors usually follow to achieve this goal:

  1. Hackers gain access to the organization using one of the following attack vectors: password theft, brute force, software vulnerabilities, or phishing.

  2. Once they have gained initial access to the network, attackers will attempt to find key identities within the organization to obtain access credentials that will allow them to continue to advance, thus circumventing traditional cybersecurity measures.

  3. After the intrusion, they use several tools to carry out the cyberattack. They either enter with malware containing a package with all the necessary tools or download any tools they need by establishing communication with a command-and-control server once inside the system.

  4. In the final stage of the cyberattack, once the ransomware has already been downloaded and installed on the system, it starts doing what it was designed to do. It will attempt to disable cybersecurity measures and try to extract sensitive data, destroy backup copies and, finally, disable the systems and encrypt the organization's data.

Given these dangers, how can organizations thwart ransomware cyberattacks that use increasingly sophisticated techniques, occur more frequently, and can evade traditional cybersecurity solutions with astonishing ease? The eBook answers this question by proposing several best practices, such as implementing protected backups separate from the organization's connected network, ensuring third-party systems and software are fully updated with the latest patches, and managing passwords and access permissions effectively within the organization. 

But it also warns that although these measures are preventive, they are not infallible and need to be combined with a comprehensive cybersecurity solution that can detect and respond to advanced threats of this nature. This solution must incorporate technologies that focus on a zero-trust model and base their capabilities on protection, detection, and response at the endpoint, helping reduce the attack surface by patching known vulnerabilities. It also needs to provide identity management through multi-factor authentication (MFA), anti-phishing, anti-exploit and anti-tampering functionalities, and an automatic classification service for processes and applications, together with a threat hunting service, so that sophisticated threats can be detected proactively.