The new year is almost upon us, and 2022 has been a game of ransomware hardball. However, lessons learned this year can help organizations take proactive steps to protect themselves from ransomware in 2023.
If you followed Cybersecurity and Infrastructure Security Agency (CISA) alerts on ransomware for the year, you would have noted malicious activity attributed to many ransomware variants. CISA noted that threat actors’ ransomware tactics and techniques were continuing to evolve and become more technologically sophisticated with every passing month. That makes high-fidelity threat intelligence and a proactive security stance critically important to success in 2023.
Change it Up in 2023 – Get Ahead of Known Vulnerabilities
Many threat groups successfully leverage aging vulnerabilities which, had their victims patched them, might have prevented the attack. Organizations can have hundreds, thousands, or more un-remediated vulnerabilities that could open the door for an attacker. In a recent survey, respondents indicated that 57% of all observed vulnerabilities are more than two years old, with as many as 17% being more than five years old.
For example, in December 2022, CISA issued an advisory on Cuba ransomware. One of the most common techniques used by Cuba actors is the exploitation of known vulnerabilities. In one featured example, Cuba actors exploited a vulnerability in the Windows Common Log File System (CLFS) that allowed them to steal system tokens and escalate privileges.
Cuba ransomware was first observed in 2019. In late 2021 and 2022, Cuba ransomware delivered an increasing number of high-profile attacks. By the end of 2022, Cuba ransomware threat actors had compromised over 100 organizations worldwide. Their ransom demands have exceeded $145 million, with collections exceeding $60 million. While a top attack vector for Cuba is the exploitation of known vulnerabilities, the actors’ techniques also include phishing campaigns, compromised credentials, and Remote Desktop Protocol (RDP) exploits.
When it comes to Cuba and similar threats, access to high-fidelity threat intelligence to help identify the highest risk, most actively exploitable vulnerabilities can help prioritization efforts when organizations are faced with a backlog of vulnerabilities to address. Tools for phishing analysis and remediation that save security operations teams time and help find indicators of compromise across a sea of suspicious messages can also make a big difference in the fight against ransomware.
Collaboration and Information-Sharing Can Make A Difference
One initiative in the European Union has helped more than 1.5 million ransomware victims. These victims decrypted their files without accepting the ransom demands, saving them an estimated $1.5 billion. The program, No More Ransom, was conceived and supported by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee, and offers over 135 freely available decryption tools that can help with 165 variants of ransomware. No More Ransom now includes 185 partners from the public sector, private industry, law enforcement, and academia.
The key to the success of an effort like No More Ransom is information sharing and collaboration. Combating malware, ransomware, and malicious cyber attacks has always relied on information sharing, exposure of actors’ TTPs, and the dissemination of reliable threat intelligence, so that security professionals can quickly develop mitigations and remediations and update their defenses to block future attacks.
Get Ready for Ransomware in 2023 with the ThreatConnect Platform
The ThreatConnect Platform centralizes threat intelligence, improves decision-making, automates key activities, and enables information sharing and collaboration across the internal security organization and with external partners to help combat threats like ransomware in real time. TI Ops teams, security operations, and everyone within the security organization will benefit when threat intelligence is aggregated, enriched, analyzed, and acted upon from a single source.
It’s well known that ransomware can be delivered via un-remediated vulnerabilities, but many security teams are overwhelmed by the sheer number they are facing. Organizations can leverage threat intelligence in the ThreatConnect Platform to quickly prioritize and help drive vulnerability remediation. ThreatConnect collects real-time intelligence from the CISA Known Exploited Vulnerabilities (KEV) Catalog and Google Project Zero, as well as other feeds and sources, enriching it with insights from sources such as the National Vulnerability Database (NVD) and the global ThreatConnect community. When combined with the data from your vulnerability scanners, it delivers a full picture of the exposures in your environment. Vulnerability Management teams receive a list of vulnerabilities ranked so that those being actively exploited come first, so they can take the right actions. Low-code automation of processes can make the required actions fast, reliable, and repeatable.
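The prioritization described above, shown as an added example rather than ThreatConnect’s own code: scanner findings are cross-referenced with a constructed sample in the shape of the CISA KEV catalog JSON (its `vulnerabilities` list with `cveID`, `dateAdded`, `dueDate`), enriched with constructed NVD-style CVSS scores and publication dates, and ordered so that actively exploited, past-due items come first and, among the rest, older vulnerabilities outrank newer ones at the same score. All CVE IDs, asset names, and dates are placeholders.

```python
from datetime import date

# Constructed sample in the shape of the CISA KEV catalog JSON. The CVE IDs
# are placeholders, not real catalog entries.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "dateAdded": "2022-04-11", "dueDate": "2022-05-02"},
        {"cveID": "CVE-EXAMPLE-0002", "dateAdded": "2022-12-01", "dueDate": "2022-12-22"},
    ]
}
# Constructed NVD-style enrichment: CVSS v3 base score and publication date.
NVD_SAMPLE = {
    "CVE-EXAMPLE-0001": {"cvss": 7.8, "published": "2017-03-14"},
    "CVE-EXAMPLE-0002": {"cvss": 7.8, "published": "2022-11-30"},
    "CVE-EXAMPLE-0003": {"cvss": 9.8, "published": "2020-01-15"},
    "CVE-EXAMPLE-0004": {"cvss": 5.3, "published": "2016-06-01"},
}
# Constructed vulnerability-scanner export: one row per (asset, CVE).
SCANNER_SAMPLE = [
    {"asset": "fs01", "cve": "CVE-EXAMPLE-0004"},
    {"asset": "dc01", "cve": "CVE-EXAMPLE-0001"},
    {"asset": "web01", "cve": "CVE-EXAMPLE-0003"},
    {"asset": "ws17", "cve": "CVE-EXAMPLE-0002"},
]
TODAY = date(2022, 12, 15)  # constructed "as-of" date for the sample run


def prioritize(findings, kev, nvd, today):
    """Tier 1: in KEV and past CISA's due date. Tier 2: in KEV, due date ahead.
    Tier 3: not in KEV, ordered by CVSS then by age (older first)."""
    known = {v["cveID"]: v for v in kev["vulnerabilities"]}
    ranked = []
    for f in findings:
        cve = f["cve"]
        info = nvd.get(cve, {})
        cvss = info.get("cvss", 0.0)
        published = date.fromisoformat(info.get("published", today.isoformat()))
        age_days = (today - published).days
        if cve in known:
            due = date.fromisoformat(known[cve]["dueDate"])
            tier = 1 if today > due else 2
        else:
            tier = 3
        ranked.append({**f, "tier": tier, "cvss": cvss, "age_days": age_days})
    # Lower tier first, then higher CVSS, then larger age.
    ranked.sort(key=lambda r: (r["tier"], -r["cvss"], -r["age_days"]))
    return ranked


def remediation_order(findings=SCANNER_SAMPLE, kev=KEV_SAMPLE, nvd=NVD_SAMPLE, today=TODAY):
    return [(r["asset"], r["cve"], r["tier"]) for r in prioritize(findings, kev, nvd, today)]
```

Replacing the constructed samples with the live KEV JSON, an NVD lookup, and a real scanner export gives the same ranking logic over real data.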
Another common delivery mechanism for ransomware attacks is phishing email, compounding the problem for security teams already overburdened with managing an ever-growing volume of suspicious messages that require review. ThreatConnect simplifies the processing, categorization, and response to suspicious emails, reducing the time to remediate active threats from days to minutes. The Platform can look for indicators across file attachments, embedded links, and more, and provide in-platform risk scoring. Indicators can be enriched with data from third-party sources and CAL™ to identify and prioritize known malicious indicators. Once identified, indicators can be automatically sent to security tools, like secure email gateways and firewalls, to block threats in real time.
To learn more about how ThreatConnect can help you prepare for the potential of a ransomware attack, check out the ThreatConnect Platform.
Better yet, reach out to us, and we’ll be pleased to share a customized demonstration of the ThreatConnect Platform.