Front-line Data on Defending Against Ransomware

Posted November 29, 2022

According to new data released by Microsoft, digital threat activity in 2022 reached a new all-time high. Driven by lucrative ransoms, password attacks have soared to an estimated 921 attacks every second. That represents a 74% year-over-year increase. The credentials gained in these attacks are critical to success in ransomware attacks. Unlike malware attacks, ransomware generally requires that the cybercriminals gain access to a highly privileged user account such as a Domain Administrator.

In Microsoft’s 2022 Digital Defense Report, front-line data provided by Microsoft’s response engagements revealed weak identity controls topped the list of contributing factors in successful attacks followed by ineffective security operations and data protection strategy. Ransomware attacks carried out by advanced persistent threats (APT) or human actors continue to evolve in complexity. They rely on credential theft and ultimately the ability to move laterally through a network as they piece together the permissions and resources needed to complete their campaign. These attacks in general eventually include compromised identity systems such as Active Directory (AD). Gaining control of the identity system allows the attacker to steal additional credentials, modify permissions, access secure systems, and remain undetected.

Protecting against these attacks requires implementing directory system security best practices. Misconfigurations in these systems create a weaker security posture and allow a critical path for attackers to escalate the breach. Credential attacks can be further thwarted by implementing phishing-resistant MFA. In Microsoft’s findings, 88% of engagements they responded to did not have MFA implemented for sensitive and highly privileged accounts. Identity controls were also lacking in Microsoft’s findings with administrators across 84% of organizations not implementing privilege identity controls such as just-in-time access to prevent the continued use of compromised accounts. Just-in-time (JIT) security controls can provide elevated and granular privileged access to an application or system in order to perform a necessary task. JIT allows for provisioning secure access when needed and reduces standing access for resources. Further protection against human-operated ransomware can be found in implementing least privilege access and use of privilege access workstations (PAW). In Microsoft’s findings, none of the affected organizations implemented proper administrative credential segregation and least privilege access principles. A PAW provides increased security for IT administrators working with servers and applications that pose a higher risk if compromised. Dedicated PAWs cannot be used for high-risk activities such as web browsing, email, and other controlled applications further protecting them from exploitation.

The 2022 Digital Defense Report also revealed significant security gaps in security operations, tooling, and IT asset lifecycle management across organizations impacted by ransomware.

68% of organizations did not have an effective patch management process
60% of organizations had no use of an Endpoint Detection and Response (EDR) tool
60% did not invest in Security Information and Event Management (SIEM) technology
84% of impacted organizations did not enable integration of their multi-cloud environment into their security operations tooling
76% lacked an effective response plan

Cybercrime as a service (CaaS) is a growing and evolving threat to organizations worldwide and will continue to drive an increase in corporate attacks. In 2022, the Microsoft Digital Crimes Unit (DCU) observed continued growth of the CaaS ecosystem with an increasing number of online services facilitating various cybercrimes, including human-operated ransomware. Phishing, which originates many incidents, continues to be a preferred attack method as cybercriminals can acquire significant value from successfully stealing and selling access to stolen accounts.

Fortunately, cyber defense systems and best practices have kept pace with the latest attacks. If you are ready to take the next step in ensuring your critical data and infrastructure remain available to support your business, contact us. We’re here to help.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.