Ransomware is only getting faster: Six steps to a stronger defense – Source: www.bleepingcomputer.com

Staying ahead of threat actors is a game of cat and mouse, with attackers often having the upper hand. In 2023, LockBit was the most deployed ransomware variant across the world. And the year previous to that, LockBit was known to be the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site.

As ransomware continues to rise and evolve, new strains develop. The latest ransomware strain named Rorschach is evidence of this. It is one of the fastest strains on the ransomware market today.

In a test of 22,000 files on a 6-core machine by Check Point, all files were partially encrypted within 4.5 minutes. Compared to 7 minutes for LockBit, previously seen as one of the fastest ransomware strains, Rorschach quickly compromised a system.

Why are the files partially encrypted? A new encryption scheme called intermittent encryption only encrypts part of the file, rendering it unreadable.

By vastly decreasing the time needed to encrypt files, security software, and personnel have limited time to prevent an attack. The result is the same: the victim cannot access their files.

Encryption speed is crucial because it reduces the time available for a user or IT organization to react to a security breach. This increases the likelihood of a successful attack.

Upon success, Rorschach ransomware, for example, can create a Group Policy that deploys the ransomware to every machine in the domain, even if the attack initially targets only one machine.

The question then becomes: what are the best practices for defending against ever-increasing threats? Below are six crucial steps for protecting yourself and your organization against attacks such as Rorschach.

Defending Your Organization Against Cybercrime

1. Access Controls 

One of the first steps in securing your organization is ensuring that each user only has the level of access they need. Implementing strategies such as RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control) ensures that no user or compromised account can access data outside its confines.

With proper controls in place, you can audit when an account takes action outside of its allowed permissions, and fast onboarding and offboarding allow for quick reactions to security events.

2. Password Policies

Underlying accounts is a proper password policy. This may include adhering to industry standards such as NIST 800-63B or checking for previously compromised account passwords.

Industry standards and breached password protection are difficult to comply with, and software such as Specops Password Policy with Breached Password Protection can go a long way to making that process easier.

Ensuring that a user changing their password complies with the policy and not using a previously compromised password ensures that your organization is protected.

3. Multi-Factor Authentication (MFA)

Account compromises can occur, but layering on two-factor (2FA) or multi-factor authentication can help mitigate this risk. By pairing a strong password with a second level of authentication, a threat actor who has compromised an account may not be able to use the stolen password.

MFA (multi-factor authentication) is especially important for privileged accounts, as it enhances account security even if a password is stolen.

With data breaches being common, using multiple methods, such as a time-based one-time (TOTP) number or a biometric factor like a fingerprint, will make an attacker’s job much harder.

4. Zero-Trust Architecture 

One of the more recent security strategies in the industry is to move to a zero-trust architecture. Instead of implicit trust, every connection and action must be authorized and authenticated.

By removing the default trust implied to everything within a network, zero-trust ensures that even if an account is compromised, it can nearly instantly be disabled from further access.

5. Penetration Testing

Despite all of the proper precautions, to be truly proactive and uncover situations where security may be lacking, it’s critical to perform penetration testing. By actively attempting to compromise and attack your infrastructure, you can quickly uncover security vulnerabilities before a threat actor does.

6. Data Backup

Finally, it is crucial to have proper comprehensive data backups that cover your entire infrastructure, even in a ransomware attack. This will allow you to quickly recover your infrastructure if the worst happens and ensure that you can restore services and functionality.

By recovering quickly, you start to mitigate the impact that a successful ransomware attack can have, along with learning what may have been compromised.

Protecting Your Organization

While the previous six steps cannot guarantee fool proof securirty, it can protect you against increasingly sophisticated threats like Rorschach. Although this ransomware uses unique code to speed up encryption, there will likely be many enhancements in the future.

These actors often target low-hanging fruit, such as previously compromised passwords, so preventing such attacks by enforcing a stronger password policy can force them to look elsewhere.

You can also run a free download to scan of your Active Directory for over 940 million compromised passwords. Make sure your users aren’t using already stolen credentials.

By prioritizing proactive security and implementing security measures to protect your frontline defense, an organization can stay ahead of threat actors seeking to exploit any vulnerability.

Sponsored and written by Specops Software