Ransomware impacts more than seven in ten companies worldwide, and understanding how ransomware spreads is critical to finding solutions to stop it
Ransomware is malicious software threat actors use to infiltrate a network. Cybercriminals design ransomware to block access to a computer system or encrypt data they find in an architecture they have infiltrated and withhold a decryption key from the victim’s organization until they pay a certain ransom.
Today, ransomware groups can operate within the anonymity of the internet and make most ransom demands in the form of cryptocurrency to avoid being traced. Every year, the rate of ransomware occurrences increases dramatically. For example, there was an 18 percent increase in the number of ransomware attacks between the first and second quarters of 2022. During all of 2022, 71% of companies worldwide were affected by ransomware. It is a problem that is not going away. In this post, we explain how ransomware spreads and explain how microsegmentation can mitigate the threat and control the damage ransomware can cause.
Eight factors that play a part in how ransomware spreads
- Phishing emails
Threat actors send emails that appear to be from legitimate sources, often with malicious attachments or links. If the user clicks on the link or opens the infected attachment, the ransomware is deployed on their system.
- Malicious websites
Visiting compromised or malicious websites can also lead to ransomware infections. Drive-by downloads or exploit kits can be used to deliver the malware automatically when a user visits an infected website.
Attackers compromise ad networks and display malicious ads on legitimate websites. When a user clicks on such an ad, they may unknowingly download the ransomware.
- Software vulnerabilities exploitation
Cybercriminals exploit unknown (zero-day) or unpatched security vulnerabilities in software applications or operating systems. When a user fails to update their software, they may become vulnerable to these attacks.
- Remote desktop protocol (RDP) exploits
Attackers can exploit weak or default credentials for remote desktop services like RDP to gain unauthorized access to a system. Once inside, they can deploy ransomware on the victim’s machine.
- USB drives and external devices
When users connect these devices to their computers, threat actors design some ransomware strains to spread to their systems. A real problem, easily highlighted by leaving an infected drive, bearing a suppliers branding, in the staff canteen during red team exercises.
- Network spread
Once a system is infected with ransomware, some strains are designed to spread laterally across a network. Lateral movement enables them to infect multiple machines within the same network and increase the chances the victim will get a ransom notice.
- Social engineering
Hackers may use social engineering techniques to trick users into installing ransomware themselves. For example, they might impersonate tech support personnel and convince users to download and install a fake software update that contains the ransomware.
How microsegmentation stops how ransomware spreads
Microsegmentation divides a network into smaller segments (microsegments), enabling administrators to apply security policies to each segment. The principal benefit is gaining the ability to control communication between the segments, which can significantly reduce the spread of ransomware within a network. Here are some of the specific ways microsegmentation helps stop ransomware spread:
- Systems isolation
If a ransomware attack manages to infect one segment, microsegmentation confines it to that segment and prevents it from moving to other parts of the network. This minimizes the impact and limit the number of compromised systems.
- Segment-level access controls
By carefully defining what communication is allowed between segments, microsegmentation dramatically reduces the attack surface for ransomware. Security teams can tailor access controls and security policies to the specific needs of individual microsegments. For example, administrators can isolate critical systems that don’t require internet access from the rest of the network and mitigate their exposure to ransomware.
- Reduces lateral movement
Microsegmentation enables users to automate granular control and enforce strict traffic rules. This limits the ability of ransomware to move laterally and infect multiple systems within a network. Even if a device or a server is compromised, ransomware won’t be able to spread beyond its segment.
- Quicker detection and response
Microsegmentation facilitates better network visibility and monitoring. Any attempt by ransomware to traverse segments will trigger security alerts, enabling administrators to respond promptly.
- Containment and remediation
If an organization suspects or confirms a network is infected with ransomware, security teams can quickly isolate infected microsegments and take them offline, limiting the impact on the rest of the network. They can apply remediation measures without affecting other segments.
- Enhances perimeter security
Microsegmentation enhances internal network security. When IT teams combine it with solid perimeter security measures like firewalls and intrusion prevention systems, they can create true defense-in-depth against ransomware threats.
TrueFort technology knows how ransomware spreads and mitigates the risk
The threat actors that unleash ransomware on your network don’t care if you detect it. What really matters is stopping the spread, which as a practical matter can be a hard thing to do. Oftentimes ransomware will prey on minimally supported, “forgotten” legacy systems that you inherited or acquired over time. Unfortunately, only when the ransomware encrypts the data contained in them and causes an outage are you reminded they exist.
Here at TrueFort, we isolate ransomware from reaching critical workloads by only allowing previously understood application and workload behavior. Our technology blocks unauthorized network connections between applications, disables incorrectly used privileged accounts, or kills unknown processes as they execute to minimize the blast radius of any ransomware attack. Get this Whitepaper and find out how you can do it, too.