As cyber defenses improve and more organizations take a proactive approach to prevention, attackers are adapting their techniques. Ransomware and extortion attacks are becoming more audacious, targeting governments, businesses, and critical infrastructure.
Most of these criminals exploit similar security weaknesses and share common attack patterns and techniques. 93% of Microsoft investigations during ransomware recovery engagements revealed insufficient privileged-access and lateral-movement controls.
To help organizations combat and prevent attacks of this nature, Microsoft Security has identified three main barriers to protection against ransomware:
- Weak identity controls
Human-operated ransomware continues to evolve and employs the credential theft and lateral movement methods traditionally associated with targeted attacks. Successful attacks are often the result of long-running campaigns that compromise identity systems such as Active Directory (AD), allowing human operators to steal credentials, access systems, and remain persistent in the network. In 88% of the engagements Microsoft examined, MFA was not enforced for sensitive and highly privileged accounts, leaving a gap that attackers use to compromise credentials and then pivot through the environment with legitimate credentials.
- Ineffective security operations
Organizations that suffered ransomware attacks had significant gaps in their security operations, tooling, and IT asset lifecycle management. 68% of impacted organizations did not have an effective vulnerability and patch management process, and heavy reliance on manual rather than automated patching left critical openings. 84% of impacted organizations had not integrated their multi-cloud environments into their security operations tooling. The lack of an effective response plan, observed in 76% of impacted organizations, undermined organizational crisis readiness and lengthened the time to respond and recover.
- Limited data protection
Many compromised organizations lacked proper data protection processes, which severely lengthened recovery times and delayed the return to business operations. Attackers typically compromise systems by exploiting vulnerabilities in the organization, then exfiltrate critical data for extortion, intellectual property theft, or monetization. 92% of impacted organizations had not implemented effective data loss prevention controls to mitigate these risks, leading to critical data loss.
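As an added example (not code from the original report), the credential-theft and lateral-movement pattern described under weak identity controls can be surfaced from logon telemetry. The Python below runs a fan-out check over a constructed set of parsed Windows Security event ID 4624 (successful logon) records, flagging any account that reaches several distinct hosts over network or RDP logons within a short window, and raises the severity when that account also appears in a constructed privileged-account inventory without MFA registered. All hostnames, account names, thresholds and the inventory format are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Windows Security 4624 records (made-up names,
# addresses and times). logon_type 3 = network, 10 = RemoteInteractive (RDP),
# 2 = interactive console logon.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T02:11:05", "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "FS01", "logon_type": 3},
    {"time": "2024-03-04T02:11:40", "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "FS02", "logon_type": 3},
    {"time": "2024-03-04T02:12:12", "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "SQL01", "logon_type": 3},
    {"time": "2024-03-04T02:12:50", "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "DC01", "logon_type": 3},
    {"time": "2024-03-04T02:13:31", "user": "svc_backup", "src_ip": "10.0.5.23", "dst_host": "APP03", "logon_type": 10},
    {"time": "2024-03-04T09:00:01", "user": "alice", "src_ip": "10.0.8.14", "dst_host": "FS01", "logon_type": 3},
    {"time": "2024-03-04T09:30:22", "user": "alice", "src_ip": "10.0.8.14", "dst_host": "FS02", "logon_type": 3},
    {"time": "2024-03-04T11:45:09", "user": "alice", "src_ip": "10.0.8.14", "dst_host": "APP03", "logon_type": 3},
    {"time": "2024-03-04T02:11:10", "user": "bob", "src_ip": "10.0.8.77", "dst_host": "WS-BOB", "logon_type": 2},
]

# Constructed privileged-account inventory (hypothetical roles and MFA state),
# e.g. exported from a directory audit; the format is an assumption here.
PRIVILEGED_ACCOUNTS = {
    "svc_backup": {"role": "Backup Operators", "mfa": False},
    "da_admin": {"role": "Domain Admins", "mfa": True},
    "helpdesk1": {"role": "Account Operators", "mfa": False},
}

# Logon types that indicate one account reaching out to another host.
REMOTE_LOGON_TYPES = {3, 10}


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {user: (window_start, sorted hosts)} for every account whose
    remote logons touched at least min_hosts distinct hosts inside one
    sliding time window. Thresholds are illustrative, not tuned values."""
    per_user = defaultdict(list)
    for e in events:
        if e["logon_type"] in REMOTE_LOGON_TYPES:
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["dst_host"]))
    hits = {}
    for user, logons in per_user.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts and user not in hits:
                hits[user] = (logons[start][0], sorted(hosts))
    return hits


def privileged_without_mfa(inventory):
    """List privileged accounts that have no MFA registered: the 88% gap."""
    return sorted(user for user, acct in inventory.items() if not acct["mfa"])


def triage(events, inventory):
    """Combine both checks: fan-out by a privileged account without MFA is
    the highest-risk combination, since stolen credentials alone suffice."""
    alerts = []
    for user, (first_seen, hosts) in detect_fan_out(events).items():
        priv = inventory.get(user)
        severity = "high" if priv and not priv["mfa"] else "medium"
        alerts.append({
            "user": user,
            "severity": severity,
            "role": priv["role"] if priv else None,
            "first_seen": first_seen.isoformat(),
            "hosts": hosts,
        })
    return alerts


if __name__ == "__main__":
    print("Privileged accounts without MFA:", privileged_without_mfa(PRIVILEGED_ACCOUNTS))
    for alert in triage(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print(alert)
```

In the constructed data, `svc_backup` reaches four hosts in under two minutes and has no MFA, so it is raised as high severity, while `alice`'s three logons spread across the morning never fit in one window and `bob`'s console logon is ignored. In a real deployment the window and host threshold would be tuned per account class (service accounts, admins, ordinary users), and the inventory would come from the directory's role membership and authentication-method reports rather than a hand-built dictionary.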
Combating and preventing ransomware attacks requires a shift in an organization's mindset toward the comprehensive protection needed to slow and stop attackers before they can move from the pre-ransomware phase to the ransomware deployment phase.