Proactive Ransomware Mitigation

15 March 2024

Elevating Security Defences with Threat Intelligence

What’s the cost to your business if you can’t ship products or provide services or access to your platform for days or weeks? What would be the impact if your customers’ personal information was stolen, your stock price declined, or you lost market share? These are just some of the possible outcomes of a ransomware attack. Such devastating consequences have fundamentally changed the way organizations should think about ransomware: it is no longer just a security problem; it is now a business problem.

Gartner warns that ransomware is “One of the key external threats facing organizations today.”

These attacks are soaring at a staggering rate, up 70% year over year from 2022 to 2023, shutting down utilities, banks, hospitals, schools, governments, media outlets, airlines, hotels, and more. No organization is immune from this threat, with 66% of organizations reporting they’ve already been hit by ransomware.

Because the business impacts are now so severe, preventing ransomware should be considered a high priority at every level within your organization, including the executive team and board.

How can you fortify your business and proactively prevent these attacks? Utilizing threat intelligence for proactive ransomware mitigation arms your organization with real-time, actionable insights so you can:

• Identify, investigate, and prioritize cyber threats

• Prioritize and mitigate vulnerabilities based on risk

• Discover and protect the expanding attack surface

• Prevent misuse of compromised credentials and identities

• Protect the business value chain, including vendors, partners, and contractors.

66% of organizations have been hit by ransomware.

84% of those lost business or revenue.

The Threat is Growing and Evolving

Attacks are on the rise

Ransomware attacks accounted for nearly one-quarter of all breaches in 2023, affecting nearly all types of businesses and industries.

Threat actors are growing more sophisticated

Hackers now tailor attacks to specific organizations to yield greater ROI. They also subject their victims to ‘triple extortion,’ in which organizations pay the initial ransom, are attacked again through vulnerabilities hackers discovered during the first attack, and may suffer future attacks when their information is sold as part of the Ransomware-as-a-Service (RaaS) economy to another hacker.

Breaches are direct and indirect

Ransomware is often introduced through phishing attacks with the intent to trick individuals into revealing personal information, like passwords. 78% of organizations have experienced email-based ransomware attacks. Hackers also gain access to corporate systems via supply chain ecosystems. Enterprises connect with an average of 173 third parties, each a potential gateway into their network. Consequently, 93% of companies have suffered a cybersecurity breach because of weaknesses in their supply chain.

Business impact

$100 million loss due to

• Lost revenue

• Business disruption: Room digital keys and slot machines stopped working, websites for many properties went offline, and guests waited hours to check into the hotel and for handwritten receipts for casino winnings

• Technology consulting services, legal fees, and expenses of other third-party advisors

• Free credit monitoring services for affected guests

Ransomware is a Business Problem

A ransomware attack has a direct impact on a business’s bottom line.

Ransomware payments nearly doubled from 2022 to 2023 to $1.5 million, and the average total cost of a data breach disclosed by the attacker has risen to $5.2 million. However, costs can be significantly higher, with Caesars Entertainment making a $15 million ransomware payment in 2023 and MGM spending $100 million to deal with the total cost of their breach that same year, without paying the ransom.

Ironically, the ransom payment is the least of an organization’s concerns, says Gartner: “The real threat is not ransomware itself, but the impact on the business from the sudden elimination or interruption of services or processes. The cost of recovery and the resulting downtime in the aftermath of a ransomware attack, as well as the reputational damage, can be 10 to 15 times more than the ransom.”

Aside from paying a ransom, financial outcomes can include loss of revenue, business, and market share, with 84% of ransomware victims reporting business and/or revenue loss due to an attack.

Public companies reported suffering a 7.5% decline in their stock values after a data breach, combined with a mean market cap loss of $5.4 billion. Indirect costs can be even more damaging, from reputation damage and customer attrition to massive fines and lawsuits.

Business impact

• Customers were unable to make mortgage payments or access their online accounts.

• The financial impact has not yet been disclosed, but it will likely be in the tens of millions of dollars or more due to regulatory fines, business disruption, the cost of working with forensic, security and legal services, and providing affected customers with credit monitoring services.

How to Plan Your Defense

Before looking for a threat intelligence solution for ransomware mitigation, ask and answer critical questions to develop the best approach to preventing attacks aimed at your organization.

Where do we focus? What’s exposed?

96% of security decision makers believe it is important to understand which threats could be targeting their organization. However, with 2,200 cyberattacks occurring daily and hundreds of ransomware groups and initial access brokers operating, all with different motives, organizations are feeling overwhelmed and vulnerable.

The key to prevention is focusing on those threat actors with a high intent to target your organization, whether for financial gain or for ideological purposes. Intent, though, is nothing without an opportunity to target your organization.

Do you still have the MOVEit file transfer vulnerability unpatched? Unpatched software and exposed credentials provide the chance for a threat actor to target your organization. By focusing on individual threat actor groups, using comprehensive threat intelligence tools, you can be more prescriptive in how you implement controls that are truly effective.

What’s exposed?

Digital integration has led to an explosion of assets on the public internet due to an uptick in the remote workforce, cloud sprawl, hybrid environments, merger and acquisition events, and more, making it increasingly hard for organizations to maintain a persistent view of their internet-facing assets. To compound this problem, assets move, change, and are added constantly, and this dynamic nature means traditional asset inventory processes cannot keep up. Your external attack surface is in a constant state of change and growth, increasing 18% per year. This can lead to dozens or hundreds of unknown or unprotected assets, greatly increasing the risk of a cyberattack.

76% of organizations have experienced a cyberattack due to an unknown or mismanaged asset. Because you can’t secure what you can’t see, it’s critical that you uncover blind spots and gain visibility into all assets along your external attack surface. Technology can help you understand which common vulnerabilities, exposures, and misconfigurations are active for your company, as well as which internet-facing assets might be out of policy, so your team can be more proactive in strengthening your security posture.

What’s vulnerable?

60% of breaches are tied to unpatched vulnerabilities, and threat actors are exploiting these vulnerabilities faster than ever. 47% of security practitioners agree the inability to prioritize what needs to be fixed is the primary reason for their vulnerability backlog.

But vulnerability management is overwhelming: patching is resource-intensive, and there are simply too many vulnerabilities to address. Common Vulnerability Scoring System (CVSS) prioritization isn’t sufficient, and organizations lack visibility into vulnerability exploitation.

The best way to protect your organization is to understand your attack surface, what vulnerabilities you are susceptible to, and which vulnerabilities are being actively exploited by ransomware groups or other threat actors.

Using threat intelligence, organizations can improve vulnerability management to help security teams track vulnerabilities being exploited in the wild and CVEs that could be weaponized in the future.

What’s stolen?

86% of breaches involve the use of stolen credentials. Your dynamic ecosystem of employees, partners, supply chain vendors, and customers is facing a sharp increase in account takeovers. Adversaries are looking to steal credentials so they can gain access and initiate fraudulent activities. In addition, there is a lucrative market for initial access brokers selling credentials on dark web channels, which organizations are unable to monitor on their own.

Actionable and timely intelligence on novel compromised credentials sold on dark web channels helps security teams be more proactive with getting ahead of risks, which can include issuing a password reset or placing the account under stricter controls. With the proliferation of infostealer malware being used by threat actors, multi-factor authentication is no longer enough to reduce the risk of an account compromise.

Preventing Ransomware Requires Proactive Insights

Threat Intelligence: Identify, investigate, and prioritize cyber threats

When you’re dealing with thousands of alerts daily, it’s difficult to identify which threats are relevant to your organization. Threat Intelligence can quickly provide detailed profiles of the threat actors targeting organizations like yours and the techniques and tools they are using.

This information enables your threat hunters to work smarter and faster by prioritizing searches for the most dangerous threats to your organization.

Some solutions provide context like Indicators of Compromise (IOCs), sandbox analysis, and hunting packages to give you the information you need to take action, power remediation, mitigate threats directly, and integrate the intelligence into your existing security tools.

Vulnerability Intelligence: Prioritize and mitigate your vulnerabilities based on risk

With thousands of new critical vulnerabilities disclosed each year, security operations teams are increasingly overwhelmed trying to prioritize vulnerabilities using traditional asset criticality and severity inputs. Vulnerability Intelligence prioritizes threats based on risk, allowing security teams to focus on critical vulnerabilities that pose a real risk to the organization’s sensitive data and overall security posture.

By automatically collecting, structuring, and analyzing billions of indexed facts from a massive volume of open, dark, and technical sources, Vulnerability Intelligence can alert your teams to newly disclosed vulnerabilities days before they’re published in the U.S. National Vulnerability Database (NVD), and give them the comprehensive intelligence needed to make fast, confident prioritization decisions.
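The “What’s vulnerable?” section above and this Vulnerability Intelligence section both make the same point: ordering a backlog by CVSS alone puts a high-severity bug nobody exploits ahead of a medium-severity bug that ransomware crews are using against internet-facing systems. The following is an added example, not the vendor’s product logic, of what risk-based prioritization looks like in code. The CVE identifiers, asset names, the two intelligence lists and the multiplier weights are all constructed placeholders for the demo.

```python
"""Risk-based vulnerability prioritization (added example, constructed data).

Ranks scanner findings by evidence of exploitation and exposure rather than
by CVSS base score alone. Every CVE id, asset and list below is a placeholder.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    cve: str
    cvss: float             # base severity reported by the scanner
    asset: str
    internet_facing: bool   # taken from the external attack surface inventory
    criticality: int        # 1 (low) .. 3 (crown jewel), from the asset register


# Constructed intelligence feed (placeholder ids, not real CVEs): CVEs seen
# exploited in the wild, and the subset used by ransomware operators.
EXPLOITED_IN_WILD = {"CVE-0000-1111", "CVE-0000-2222"}
RANSOMWARE_LINKED = {"CVE-0000-2222"}


def risk_factors(f: Finding) -> List[Tuple[str, float]]:
    """Return the (reason, multiplier) pairs that apply to a finding.

    The weights are assumed values chosen for the demo; what matters is that
    exploitation evidence and exposure, not CVSS alone, drive the ranking.
    """
    factors = []
    if f.cve in EXPLOITED_IN_WILD:
        factors.append(("exploited in the wild", 2.0))
    if f.cve in RANSOMWARE_LINKED:
        factors.append(("used by ransomware groups", 1.5))
    if f.internet_facing:
        factors.append(("internet-facing asset", 1.5))
    if f.criticality > 1:
        factors.append((f"asset criticality {f.criticality}", 1 + 0.25 * (f.criticality - 1)))
    return factors


def risk_score(f: Finding) -> float:
    """CVSS base score scaled by every applicable risk factor."""
    score = f.cvss
    for _, mult in risk_factors(f):
        score *= mult
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Risk-based order, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only(findings: List[Finding]) -> List[Finding]:
    """The traditional severity-only order the text describes as insufficient."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample backlog.
SAMPLE = [
    Finding("CVE-0000-1111", 7.5, "vpn-gw-1", True, 3),
    Finding("CVE-0000-2222", 6.5, "file-transfer-1", True, 3),
    Finding("CVE-0000-3333", 9.8, "build-box-7", False, 1),
    Finding("CVE-0000-4444", 9.1, "intranet-wiki", False, 2),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.cve for f in cvss_only(SAMPLE)])
    for f in prioritize(SAMPLE):
        reasons = ", ".join(r for r, _ in risk_factors(f)) or "no exploitation or exposure evidence"
        print(f"{f.cve} on {f.asset}: risk {risk_score(f)} (CVSS {f.cvss}; {reasons})")
```

Running the block shows the two orderings disagree completely: the 9.8 CVE on an isolated build box drops to the bottom, while the 6.5 CVE on the internet-facing file transfer server, the one ransomware groups are actually using, moves to the top. The `risk_factors` list is kept separate from the score so that each ticket can carry the reasons for its rank, which is what lets an analyst defend the decision later.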

Attack Surface Intelligence: Discover and protect your expanding attack surface

Many of your internet-facing assets may be forgotten and unsecured while new assets are added every day. Because organizations often rely on manual or ad-hoc processes and inefficient technologies to discover and track these assets, security teams are operating with limited visibility into their attack surface, causing delayed responses to critical vulnerabilities, a backlog of exposures to remediate, and an unclear picture of what to prioritize.

Attack Surface Intelligence reduces risk by improving asset visibility, prioritizing exposures to remediate, and enforcing security controls. It automatically and continuously discovers and tracks internet-facing assets associated with your organization, as soon as they surface on the internet, including high-risk CVEs, misconfigurations, exposed administrative panels, assets that fall out of policy compliance, and more. Armed with actionable exposure scoring and a real-time inventory, security teams can prioritize and remediate risky assets.
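The “What’s exposed?” section and this one describe the same check: compare what a discovery scan actually sees on the internet against what the asset register believes is there, then flag unknown hosts, hosts that have moved, forbidden services, and exposed admin panels, with an exposure score to order the remediation queue. Below is an added example of that comparison, not the vendor’s product code. The hostnames, banners, policy ports and scoring weights are constructed for the demo.

```python
"""External attack surface review (added example, constructed data).

Compares a discovery scan result against the asset register and produces a
prioritized list of exposures. All hosts, banners and weights are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    banner: str   # product string observed by the discovery scan


# Assumed policy: these ports must never be internet-facing, and these banner
# fragments mark an administrative interface that should not be public.
FORBIDDEN_PORTS = {445: "SMB", 3389: "RDP", 5900: "VNC"}
ADMIN_BANNERS = ("phpmyadmin", "jenkins", "admin console", "/manager")

# What the asset register believes is internet-facing (constructed).
KNOWN_INVENTORY: Set[str] = {"www.example.com", "vpn.example.com", "mail.example.com"}

# What today's discovery run observed (constructed). Two hosts are absent from
# the register, and one registered host no longer answers.
DISCOVERED: List[Service] = [
    Service("www.example.com", 443, "nginx/1.24"),
    Service("vpn.example.com", 443, "ssl-vpn appliance"),
    Service("old-test.example.com", 3389, "Microsoft Terminal Services"),
    Service("ci.example.com", 8080, "Jenkins admin console"),
]


def is_admin_panel(s: Service) -> bool:
    return any(k in s.banner.lower() for k in ADMIN_BANNERS)


def review_attack_surface(known: Set[str], discovered: List[Service]) -> Dict[str, object]:
    """Diff the scan against the register and score each host's exposure."""
    seen_hosts = {s.host for s in discovered}
    unknown_hosts = sorted(seen_hosts - known)   # on the internet, not in the register
    stale_hosts = sorted(known - seen_hosts)     # in the register, not observed (moved or retired)

    forbidden = [(s.host, s.port, FORBIDDEN_PORTS[s.port]) for s in discovered if s.port in FORBIDDEN_PORTS]
    admin_panels = sorted({s.host for s in discovered if is_admin_panel(s)})

    # Assumed weights: an unregistered host is bad, a forbidden service worse,
    # and an exposed admin panel adds to either.
    exposure: Dict[str, int] = {h: 0 for h in seen_hosts}
    for s in discovered:
        score = 0
        if s.host not in known:
            score += 3
        if s.port in FORBIDDEN_PORTS:
            score += 4
        if is_admin_panel(s):
            score += 2
        exposure[s.host] += score

    priority = [h for h, v in sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0])) if v > 0]
    return {
        "unknown_hosts": unknown_hosts,
        "stale_hosts": stale_hosts,
        "forbidden_services": forbidden,
        "admin_panels": admin_panels,
        "exposure": exposure,
        "priority": priority,
    }


if __name__ == "__main__":
    report = review_attack_surface(KNOWN_INVENTORY, DISCOVERED)
    for key in ("unknown_hosts", "stale_hosts", "forbidden_services", "admin_panels", "priority"):
        print(f"{key}: {report[key]}")
```

The `stale_hosts` list is as important as `unknown_hosts`: a registered host that no longer answers usually means the asset moved (a new IP, a new cloud account) and the register is now wrong about where it lives. Run on a schedule, the diff is what turns a one-off inventory into the continuous view the section calls for.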

Identity Intelligence: Prevent misuse and protect compromised credentials and identities

Unable to keep up with the growing onslaught of attacks, or to continuously monitor the dark web for compromised credentials on their own, organizations cannot be proactive and are left exposed to financial, legal, and reputational consequences.

Identity Intelligence enables users to monitor for compromises in real time, and access critical details, such as password length, complexity, and whether the leak was novel or recycled. Armed with this real-time evidence, security and IT teams can quickly prioritize identity threats and initiate downstream response workflows, integrated directly into their existing security and identity tools.
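The “What’s stolen?” section and this Identity Intelligence section describe the same workflow: a compromised-credential record arrives, the team needs to know whether it belongs to a real account, whether the leak is novel or recycled, how weak the password is, and which response to trigger. Here is an added example of that triage, not the vendor’s product. The directory, leak records, fingerprint key and response playbook are constructed; in particular the decision to revoke live sessions alongside the password reset is an assumption that follows from the text’s point that infostealer malware leaves MFA alone insufficient.

```python
"""Compromised-credential triage (added example, constructed data).

Classifies leak records as novel or recycled without storing plaintext
passwords, and maps each case to a response. All data here is constructed.
"""
import hashlib
import hmac
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class LeakRecord:
    email: str
    password: str   # as recovered from a stealer log or dump (constructed)
    source: str


# Constructed identity directory: account -> status.
DIRECTORY: Dict[str, str] = {"alice@example.com": "active", "bob@example.com": "disabled"}

# Fingerprint key; in practice loaded from a secrets manager, never in code.
FINGERPRINT_KEY = b"constructed-demo-key"


def fingerprint(email: str, password: str) -> str:
    """Keyed hash so the store of seen leaks never holds plaintext passwords."""
    msg = f"{email.lower()}:{password}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


def password_profile(password: str) -> Dict[str, int]:
    """Length and number of character classes, the details the section mentions."""
    classes = sum([
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ])
    return {"length": len(password), "char_classes": classes}


def triage(record: LeakRecord, seen: Set[str]) -> Dict[str, object]:
    """Decide the disposition and response actions for one leak record."""
    email = record.email.lower()
    status = DIRECTORY.get(email)
    result: Dict[str, object] = {"email": email, "source": record.source, **password_profile(record.password)}
    if status is None:
        # Not one of ours; nothing to reset, but worth counting for reporting.
        result.update(disposition="unknown_account", actions=[])
        return result
    fp = fingerprint(email, record.password)
    novel = fp not in seen
    seen.add(fp)
    if status != "active":
        result.update(disposition="inactive_account", actions=["confirm_disabled"])
    elif novel:
        # Assumed playbook: reset, kill sessions (stolen tokens bypass MFA),
        # then place the account under stricter controls.
        result.update(disposition="novel", actions=["password_reset", "revoke_sessions", "stricter_controls"])
    else:
        # Same credential already handled on an earlier alert.
        result.update(disposition="recycled", actions=[])
    return result


def run_feed(records: List[LeakRecord], seen: Optional[Set[str]] = None) -> List[Dict[str, object]]:
    """Process a batch in order, carrying the seen-fingerprint store between records."""
    store = set() if seen is None else seen
    return [triage(r, store) for r in records]


# Constructed feed: the same credential shows up twice from two sources.
FEED = [
    LeakRecord("Alice@example.com", "Summer2023!", "stealer-log-A"),
    LeakRecord("alice@example.com", "Summer2023!", "combo-list-B"),
    LeakRecord("bob@example.com", "hunter2", "combo-list-B"),
    LeakRecord("carol@example.com", "pass", "combo-list-B"),
]

if __name__ == "__main__":
    for r in run_feed(FEED):
        print(f"{r['email']}: {r['disposition']} (len {r['length']}, classes {r['char_classes']}) -> {r['actions']}")
```

The fingerprint is keyed (HMAC) rather than a bare hash so that someone who obtains the seen-set cannot confirm guesses against it offline, and the e-mail is folded into the fingerprint so the same password leaked for two different users is two separate events. Novelty is what drives the action list: a recycled record is the same credential the team already reset, so it should not trigger a second reset and a second page.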

Third-Party Intelligence: Protect your business value chain

While your vendors, suppliers, partners, contractors, and resellers all add value to the business, they also introduce risk. Third-Party Intelligence uses machine learning and natural language processing to monitor in real time for key indicators that a member of your ecosystem has been compromised.

These indicators include evidence of ransomware extortion, security incidents, malicious network activity, credential leakage, domain abuse, vulnerable infrastructure, web application security issues, and more. By receiving risk-prioritized alerts in real time, your security team will immediately know about new risks and their severity, and have the context and evidence required to address threats quickly and confidently.
