Reducing the threats posed by double-extortion ransomware attacks


They’ve been a thorn in the side of IT security teams for years, but now ransomware attacks are taking on a more sinister form.

Since first appearing in the early 1990s, ransomware has carved a trail of destruction and financial loss around the globe. Organisations that fall victim must choose between being locked out of their digital data or paying a ransom demand.

Now, attackers are adopting a new tactic. Besides gaining access to an organisation’s IT infrastructure and encrypting files, they also steal a copy of the data and threaten to leak it online.

The logic behind these double-extortion attacks is that an organisation will be highly likely to pay rather than risk sensitive information ending up in public. This payment is also likely to be made whether or not the victim can recover files from an earlier backup.

SaaS apps now a ransomware target

Cybercriminals are also always on the lookout for new targets, and it appears SaaS applications are well and truly on their radar screens.

These applications are designed to enable rapid file sharing, collaboration, and automation. As a result, once ransomware has been placed, it can quickly spread to connected applications and to the devices of users.

Also, SaaS applications are likely to contain large numbers of files that can be stolen and used for double extortion. If there are any misconfigurations within data-rich SaaS applications, this creates dangerous gaps that can extend access to malicious parties.

Unfortunately, very few SaaS platforms provide native threat protection, and none have the technological sophistication to identify zero-day threats.

More comprehensive protection is required

Australian businesses and government-sector organisations need to have comprehensive defences against these increasing ransomware threats. This requires the use of a security solution that has been designed for cloud-based infrastructure and can defend against malware on any device and over any network.

Such a security solution needs to be able to prevent infected files from being uploaded to cloud applications. However, it must also identify threats that have already made their way into the cloud.

The role of data loss prevention

When cybercriminals succeed in infiltrating ransomware into an organisation, they are usually quick to begin the process of appropriating data. However, for a double-extortion attack to be effective, malicious actors need to exfiltrate that data successfully. This is where cloud-based data loss prevention (DLP) can be particularly valuable.

DLP software automatically scrutinises the content and context of outbound files and, if necessary, prevents their movement. This disrupts the attack chain by stopping cybercriminals from stealing the data in the first place.

How CASB helps with ransomware

Cloud access security brokers (CASBs), which serve as visibility and control points in the cloud, can also help with the ransomware challenge. In particular, a multimode CASB proxies traffic to secure data in motion in real time and integrates with application programming interfaces (APIs) to secure data at rest in the cloud.

As a result, it can prevent the upload of malicious files into SaaS applications and respond to malware and ransomware inside corporate cloud applications. In addition, leading CASBs provide advanced threat protection (ATP) capabilities that can automatically identify threats and alert security teams.

Fixing misconfigurations with CSPM

When deploying and managing a SaaS application or IaaS instance, many configuration settings must be applied appropriately to ensure that the application functions properly and securely.

Where misconfigurations do exist, malicious actors can gain access to corporate systems. Cloud security posture management (CSPM) can address such vulnerabilities by identifying costly misconfigurations that attackers could leverage. As an illustration, if sensitive data repositories (such as AWS S3 storage buckets) can be openly accessed from the internet due to a misconfiguration, the issue can quickly be located and remediated.
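
The S3 illustration above can be made concrete with a small posture check. This is an added example, not code from the article or from any vendor product. It assumes bucket settings have already been exported into dictionaries whose keys (name, public_access_block, policy, acl_grants) are hypothetical, and it treats any policy Condition as restricting access, which is a simplification.

```python
import json

# Group URI that S3 uses in ACL grants to mean "anyone on the internet".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_wildcard(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_findings(bucket):
    """Return the reasons this bucket snapshot is readable from the internet."""
    pab = bucket.get("public_access_block") or {}
    findings = []
    if not pab.get("RestrictPublicBuckets"):  # when on, public policies stop granting anonymous access
        stmts = json.loads(bucket.get("policy") or "{}").get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            # Simplification: any Condition is treated as restricting access.
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal")) and not s.get("Condition"):
                findings.append(f"policy statement {s.get('Sid', '?')} allows {s.get('Action')} to anyone")
    if not pab.get("IgnorePublicAcls"):  # when on, S3 ignores public ACL grants
        for g in bucket.get("acl_grants", []):
            if g.get("Grantee", {}).get("URI") == ALL_USERS:
                findings.append(f"ACL grants {g.get('Permission')} to AllUsers")
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if findings and missing:
        findings.append("remediate: enable " + ", ".join(missing))
    return findings

def scan(buckets):
    results = {b["name"]: public_findings(b) for b in buckets}
    return {name: f for name, f in results.items() if f}

# Constructed sample snapshots (hypothetical bucket names, not real resources).
_PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-finance-exports/*"}]})
_LOCKED = {k: True for k in PAB_KEYS}
SAMPLE_BUCKETS = [
    {"name": "example-finance-exports", "public_access_block": {}, "policy": _PUBLIC_POLICY, "acl_grants": []},
    {"name": "example-hr-archive", "public_access_block": _LOCKED, "policy": _PUBLIC_POLICY,
     "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
    {"name": "example-logs", "public_access_block": {}, "policy": None,
     "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_BUCKETS).items():
        print(name, "->", "; ".join(reasons))
```

The second sample bucket carries the same public policy and ACL as the others but is not reported, because its Block Public Access settings neutralise both.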

Choosing the right protection approach

The threat of ransomware is very real, but thankfully organisations can put increasingly sophisticated tools in place to protect against attack.

As is often said in security circles, it’s not ‘if’ an organisation will suffer an attack but ‘when.’ So having the best possible protective tools in place early can help to prevent a world of hurt later on.

Steve Singer
Steve Singer is Regional Vice President and Country Manager - Australia and New Zealand for Zscaler.