Ransomware attacks often succeed because endpoints are so over-configured with security controls that the controls conflict with one another and leave the device effectively unprotected. Software conflicts between endpoint agents jeopardize enterprise networks, and the problem is compounded by how quickly those agents decay: they stop running, lose their configuration or fall behind on updates. Absolute Software's 2021 Endpoint Risk Report found an average of 11.7 security controls installed per endpoint, each decaying over time and creating multiple potential attack vectors.
Driven by how lucrative ransomware is, cybercriminal gangs and advanced persistent threat groups are doubling down on creating ransomware payloads and endpoint attack strategies that evade detection. Chainalysis found that $692 million in ransomware payments were made during 2020, nearly double their original estimates. Ivanti's latest index found that there's been a 7.6% jump in the number of vulnerabilities associated with ransomware in Q1 2022, compared to the end of 2021.
Globally, vulnerabilities tied to ransomware have skyrocketed in two years from 57 to 310 based on Ivanti's Q1 2022 Index Update. CrowdStrike's 2022 Global Threat Report found ransomware incidents jumped 82% in just a year. Scripting attacks aimed at compromising endpoints continue to accelerate at a record pace, reinforcing why CISOs and CIOs are making endpoint security a high priority this year.
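The "decaying controls" problem above is easy to miss unless you measure it. The following is an added example (not from the original article or from any vendor named in it) of the kind of check a practitioner would run over an endpoint-management export: it flags agents that are installed but not running, agents that have stopped checking in, agents below the approved version, and endpoints carrying more than one agent of the same category (the conflict case). The inventory records, hostnames, agent names, versions and the version baseline are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory, shaped like a flattened endpoint-management export.
# Every hostname, agent name, version and timestamp here is made up for illustration.
INVENTORY = [
    {"host": "wks-001", "agent": "edr-sensor", "category": "edr", "version": "6.2.0", "running": True,  "last_checkin": "2022-05-10T08:00:00"},
    {"host": "wks-001", "agent": "legacy-av",  "category": "av",  "version": "12.1",  "running": True,  "last_checkin": "2022-05-10T08:01:00"},
    {"host": "wks-001", "agent": "nextgen-av", "category": "av",  "version": "3.0",   "running": False, "last_checkin": "2022-03-02T11:00:00"},
    {"host": "wks-002", "agent": "edr-sensor", "category": "edr", "version": "5.9.1", "running": True,  "last_checkin": "2022-05-09T22:00:00"},
    {"host": "wks-003", "agent": "edr-sensor", "category": "edr", "version": "6.2.0", "running": False, "last_checkin": "2022-04-01T09:00:00"},
]

# Assumed approved version per agent; in practice this comes from your change-control records.
BASELINE = {"edr-sensor": "6.2.0", "legacy-av": "12.1", "nextgen-av": "3.0"}
STALE_AFTER = timedelta(days=7)


def parse_version(v):
    """Turn '6.2.0' into (6, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def assess(inventory, baseline, now, stale_after=STALE_AFTER):
    """Return {host: [issue, ...]} for every endpoint whose controls have decayed or overlap."""
    findings = {}
    agents_by_host = {}
    for rec in inventory:
        host = rec["host"]
        issues = findings.setdefault(host, [])
        # Decay signal 1: the control is present on disk but not actually running.
        if not rec["running"]:
            issues.append(f"{rec['agent']}: installed but not running")
        # Decay signal 2: the agent has gone silent, so the console's view of it is stale.
        if now - datetime.fromisoformat(rec["last_checkin"]) > stale_after:
            issues.append(f"{rec['agent']}: no check-in for more than {stale_after.days} days")
        # Decay signal 3: the agent has fallen behind the approved version.
        if parse_version(rec["version"]) < parse_version(baseline[rec["agent"]]):
            issues.append(f"{rec['agent']}: version {rec['version']} below baseline {baseline[rec['agent']]}")
        agents_by_host.setdefault(host, {}).setdefault(rec["category"], []).append(rec["agent"])

    # Conflict signal: two agents of the same category (e.g. two AV engines) on one host.
    for host, categories in agents_by_host.items():
        for category, agents in categories.items():
            if len(agents) > 1:
                findings[host].append(f"overlapping {category} agents: {', '.join(sorted(agents))}")

    return {host: issues for host, issues in findings.items() if issues}


if __name__ == "__main__":
    report = assess(INVENTORY, BASELINE, now=datetime.fromisoformat("2022-05-10T12:00:00"))
    for host, issues in report.items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed data, every host is flagged: wks-001 for a dead second AV agent and an AV/AV overlap, wks-002 for an out-of-date EDR sensor, and wks-003 for an EDR sensor that is neither running nor checking in. Extend the thresholds and categories to match the agents actually deployed in your environment.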
How endpoint ransomware attacks work
Cybercriminal gangs are constantly scanning endpoints for exploitable weaknesses, including published Common Vulnerabilities and Exposures (CVEs), and they work through them the way a sales team works through leads. Their goal is to defeat an endpoint's defenses and get their payloads installed, undetected, on enterprise networks.
Once on the network, cybercriminals often take months to burrow and then move laterally across an organization's network. Compromised endpoints are then turned into ransomware distribution points, launching more attacks across the organization.
Most ransomware attacks get their start from unsecured or easily compromised endpoints and progress through the following six phases:
Phase 1: Multifaceted attacks
Combining phishing, social engineering, identity theft and virtual meeting hacks, cybercriminals try to get members of an organization to hand over privileged-access credentials that can be used to defeat endpoint security defenses, or they lure victims to websites designed to compromise their systems through browser-based attacks.
VPNs are proving to be of limited use against this first phase: a VPN encrypts the connection, but it does not stop a user from surrendering credentials or loading a malicious page. Remote browser isolation (RBI), which renders web content away from the endpoint so that page code never executes on the device, is gaining adoption across enterprises because it addresses that gap more effectively than a VPN does. Forcepoint, McAfee and Zscaler recently joined RBI pioneers Authentic8 and Ericom in the market. However, Ericom is the only one whose solution is designed to meet the many technical challenges involved in securing virtual meetings globally, and Ericom has applied for patents on its innovations in this area.
Phase 2: Compromise endpoints
Cybercriminals compromise unprotected endpoints, including those so over-configured that conflicts between their own security agents make them vulnerable. Payloads are installed on the organization's network with careful attention to staying undetected. Ransomware creators in 2022 are working to make payloads and their executable files as stealthy as possible, so that they reach the network while leaving as little of a forensic footprint as they can.
Phase 3: Begin stealth surveillance
Cybercriminals patiently explore enterprise networks during this phase of a ransomware attack. It's common for them to wait months before probing the network, hoping to stay below the thresholds of any anomaly-tracking or network-monitoring systems. During this phase, they begin to identify which systems and assets they will encrypt later in the attack.
Phase 4: Achieve control over endpoint devices and core systems
The goal of this phase is to take control of endpoints and core systems and prepare them to launch further attacks. Once endpoints are under the attackers' control, they are turned into distribution points for additional payloads across the network.
Phase 5: Make aggressive lateral movements and weaponize endpoints
By this point it has typically been a few months since the initial breach. Cybercriminals now move laterally across the organization's networks and weaponize endpoints to serve as ransomware distribution points throughout the organization.
Phase 6: Encrypt and extort
The final phase of an endpoint ransomware attack starts with assets and entire systems being encrypted. By this point, endpoint detection and response (EDR) agents on the infected endpoints have typically been disabled or tampered with, and those endpoints begin propagating ransomware across the network.
Finally, cybercriminals make extortion demands and often leak confidential data publicly to prove they control the company's systems and to increase the pressure to pay.
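Phases 3 through 6 describe the activity a defender's anomaly-tracking and monitoring systems are supposed to catch: one compromised endpoint fanning out to many hosts, followed by the EDR agent being stopped before encryption. The following is an added example (not from the original article or from any vendor's product) of two such detections run over a handful of constructed log lines. The log format, hostnames, user names, the EdrSensor service name, the five-target threshold and the 30-minute window are all assumptions chosen for illustration; map them to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simple "timestamp kind key=value ..." form.
# Hosts, users, service names and times are made up; only the shape matters.
SAMPLE_EVENTS = """\
2022-05-09T15:30:00 logon   src=wks-017 user=jdoe   dst=srv-fs01
2022-05-10T02:00:11 logon   src=wks-017 user=jdoe   dst=srv-fs01
2022-05-10T02:00:40 logon   src=wks-017 user=jdoe   dst=srv-fs02
2022-05-10T02:01:05 logon   src=wks-022 user=asmith dst=srv-mail01
2022-05-10T02:03:52 logon   src=wks-017 user=jdoe   dst=srv-fs03
2022-05-10T02:09:17 logon   src=wks-017 user=jdoe   dst=srv-db01
2022-05-10T02:15:44 logon   src=wks-022 user=asmith dst=srv-fs01
2022-05-10T02:18:30 logon   src=wks-017 user=jdoe   dst=srv-app01
2022-05-10T02:20:05 service src=srv-fs01 name=EdrSensor action=stop
2022-05-10T02:20:06 service src=srv-fs01 name=Spooler action=stop
"""

# Assumed name of the EDR agent's service; use the real service names of your EDR.
EDR_SERVICES = {"edrsensor"}
TAMPER_ACTIONS = {"stop", "disable", "uninstall"}


def parse_event(line):
    """Parse one log line into a dict with 'ts' (datetime), 'kind' and the key=value fields."""
    ts, kind, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.fromisoformat(ts)
    event["kind"] = kind
    return event


def detect_lateral_fanout(events, threshold=5, window=timedelta(minutes=30)):
    """Phase 5 signal: one (source host, user) logging on to >= threshold distinct hosts within the window."""
    alerts = []
    per_actor = defaultdict(list)
    for e in events:
        if e["kind"] == "logon":
            per_actor[(e["src"], e["user"])].append(e)
    for (src, user), logons in per_actor.items():
        logons.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(logons):
            # Slide the window start forward until every logon in it is within `window` of `e`.
            while e["ts"] - logons[start]["ts"] > window:
                start += 1
            targets = {x["dst"] for x in logons[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({"rule": "lateral_fanout", "src": src, "user": user,
                               "targets": sorted(targets), "window_end": e["ts"]})
                break  # one alert per actor is enough to trigger triage
    return alerts


def detect_edr_tamper(events):
    """Phase 6 signal: the EDR service being stopped, disabled or uninstalled on a host."""
    return [
        {"rule": "edr_tamper", "host": e["src"], "service": e["name"], "action": e["action"], "ts": e["ts"]}
        for e in events
        if e["kind"] == "service" and e["name"].lower() in EDR_SERVICES and e["action"] in TAMPER_ACTIONS
    ]


def run(log_text):
    """Parse the log and return all alerts from both rules."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return detect_lateral_fanout(events) + detect_edr_tamper(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the fan-out rule fires once, for jdoe on wks-017 reaching five servers in under twenty minutes (the logon from the previous afternoon falls outside the window and is correctly ignored), and the tamper rule fires once, for EdrSensor being stopped on srv-fs01 while the unrelated Spooler stop is ignored. A practical threshold depends on the role of the source host; a jump host legitimately fans out, a user workstation usually does not.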
One-and-done defenses don't work against ransomware
Ransomware attacks can no longer be treated as isolated incidents when a single one can take an organization down permanently. Earlier this month, Lincoln College was forced to permanently discontinue operations after a ransomware attack. Lincoln College is a cautionary tale showing why any ransomware cybersecurity strategy needs to secure every tech stack, operating location and remote team.
Endpoint protection (EPP) and EDR platforms need to be the cornerstones of any ransomware defense strategy. Implementing both provides visibility and control down to the asset level of endpoints. The majority of EDRs have incident-response workflows and can quickly identify and act against malicious activity. Banking, financial services, government agencies and globally based investment firms need to consider running cloud-based EDR pilots that include network traffic analysis if they are not already using these platforms to protect against ransomware.
Who is stopping ransomware at the endpoint?
Combining real-time visibility and control of endpoints down to the asset-management level is what lets organizations keep pace in the ransomware arms race. Look for leading EPP, EDR and endpoint vendors to make a strong push on their roadmaps to contain ransomware using a lifecycle-based approach. In addition, some EPP providers are offering cyber insurance policies for ransomware to demonstrate confidence in their defenses.
Leading vendors delivering real-time endpoint visibility, control and asset management aimed at thwarting ransomware attacks include the following:
Protecting endpoints can prevent ransomware attacks
Cybercriminals are targeting endpoints as part of their ransomware attacks because they're the perfect distribution point for additional payloads across an enterprise network. Therefore, shutting down ransomware attacks needs to start with more resilient endpoints that provide greater visibility and control. Fortunately, an accelerating pace of innovation is happening in endpoint security, EPP and EDR platforms. Absolute, CrowdStrike, FireEye, McAfee, Sophos and others are doubling their R&D efforts to thwart ransomware attacks that originate at the endpoint.
