When it comes to cybersecurity and ransomware response, initial attacks tend to get a lot more attention than the post-breach phase. This is understandable; the first priority is making sure hackers don’t gain access to your network at all. But it leads some to neglect cybersecurity concepts that are central to how ransomware spreads, such as lateral movement.
What is lateral movement and why does it matter?
Lateral movement is a term that describes the process of malware moving from one machine to another within a network.
Many businesses have had the unfortunate experience of having some or all of a network encrypted by ransomware. The extent of the infection is one of the main factors that determines how much damage is done. The more widespread the malware is able to spread through the network, the more leverage the attackers have when demanding a ransom.
When it comes to ransomware, lateral spreading is especially important. Many networks have regular backups, and if the backup is secured from infection, the entire attack will fail since the system can simply be restored to the pre-infection state. This is why one of the first things ransomware gangs do after breaching a system is look for backups.
Ransomware gangs also frequently try to extort victims by threatening to release sensitive data. Usually, the higher the security privilege required to access information, the more valuable that information will be, and the more leverage it gives the attacker over the victim.
Network security is not uniform, and networks are usually configured to guard against threats from the outside rather than from within. Attackers may find it much easier to find software vulnerabilities on the PC of a low-level employee. After gaining access to that system, it is much easier for them to reach the rest of the network, including the files of higher-level employees or management.
This has serious implications. For example, one defense contractor responsible for the maintenance of the US nuclear arsenal lost a large amount of sensitive data in a ransomware data breach.
Does ransomware spread on its own?
Yes and no. How ransomware spreads depends on the type of ransomware, the value of the target, and the method of operation of the ransomware gang. Ransomware infections spread via mass phishing emails are more likely to target individual PC owners. They will try to spread to any other computers connected to the network, but this process is more likely to be automated.
Attacks on higher value targets like government agencies or large corporations usually require extensive research and planning. The ransomware gang is likely to be directly involved in some aspects of the breach.
How ransomware spreads
Most ransomware variants will automatically search for ways to access the rest of the network as soon as they breach a single system, but additional steps may also be required.
One method used in complex, multi-phase ransomware attacks is internal phishing. Attackers hijack an email account of one employee, and then use it to send a targeted phishing email with a malicious link to another employee. Since the recipient receives emails from their co-workers all the time, they might not expect a bad link and take the bait.
Once they gain access to a machine, attackers may use different methods to escalate their privileges. One of the most common is credential harvesting. Network permissions can be complex, and users often have administrative privileges they shouldn’t. When hackers gain access to a machine, they collect tokens, password hashes, or other credential material that they can use to access even more of the network.
Lateral movement and credential harvesting feature in almost every major ransomware attack, so knowing how to guard against them can greatly decrease the chances of a catastrophic data breach.
Is it possible to slow or stop how ransomware spreads?
There are a few relatively simple steps that can reduce a hacker’s mobility once they gain access to your network.
- Apply the Principle of Least Privilege (POLP).
The Principle of Least Privilege states that users in a network should have only the privileges they absolutely need. This minimizes the chance of an attacker gaining access to high level privileges.
- Keep up to date with all patches.
Cyber-security is a never ending arms race of finding and patching vulnerabilities. Using outdated software significantly increases vulnerability, so it’s important to stay on top of updates.
- Use Multi-Factor Authentication (MFA).
Multi-factor authentication can make it much more difficult for a hacker to gain the administrative privileges needed for lateral movement.
- Improve password management.
A surprising number of ransomware attacks use brute force attacks at some point during the process of deploying malware. Using unique, strong passwords for each user and machine can make life more difficult for the hackers.
- Implement Detection and Response Services.
Hackers have to engage in extensive reconnaissance before conducting a complex attack. If you can detect them in this early phase, it is much easier to prevent an attack. For example, an Intrusion Detection System (IDS) can alert you to reconnaissance techniques such as port scanning before the attack proper begins. Using a managed detection and response service may be cost effective for some organizations.
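The two early-warning signals mentioned above, password brute forcing and port scanning, can both be found with the same sliding-window counting that an IDS applies. The following is an added example, not code from the article; it runs two such detectors over a constructed log in a simple "time src dst port event" format (the format, thresholds and addresses are all assumptions made for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not from the article): "<iso-time> <src> <dst> <port> <event>"
# where event is CONN (connection attempt) or AUTH_FAIL (failed login on that port).
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 10.0.0.20 22 CONN
2024-01-10T09:00:01 10.0.0.5 10.0.0.20 80 CONN
2024-01-10T09:00:01 10.0.0.5 10.0.0.20 135 CONN
2024-01-10T09:00:02 10.0.0.5 10.0.0.20 445 CONN
2024-01-10T09:00:03 10.0.0.5 10.0.0.20 3389 CONN
2024-01-10T09:05:00 10.0.0.7 10.0.0.20 445 CONN
2024-01-10T09:10:00 10.0.0.9 10.0.0.30 3389 AUTH_FAIL
2024-01-10T09:10:02 10.0.0.9 10.0.0.30 3389 AUTH_FAIL
2024-01-10T09:10:04 10.0.0.9 10.0.0.30 3389 AUTH_FAIL
2024-01-10T09:10:06 10.0.0.9 10.0.0.30 3389 AUTH_FAIL
2024-01-10T09:10:08 10.0.0.9 10.0.0.30 3389 AUTH_FAIL
2024-01-10T09:30:00 10.0.0.7 10.0.0.30 3389 AUTH_FAIL
"""

def parse(log):
    """Yield (timestamp, src, dst, port, event) from the log text."""
    for line in log.splitlines():
        ts, src, dst, port, event = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), event

def peak_in_window(items, window):
    """items: (timestamp, value) pairs. Largest number of distinct values
    inside any window-long interval that starts at one of the items."""
    items = sorted(items)
    return max((len({v for t, v in items[i:] if t - start <= window})
                for i, (start, _) in enumerate(items)), default=0)

def detect_port_scans(log, min_ports=5, window=timedelta(seconds=60)):
    """(src, dst) -> distinct ports probed, for pairs reaching min_ports in window."""
    conns = defaultdict(list)
    for ts, src, dst, port, event in parse(log):
        if event == "CONN":
            conns[(src, dst)].append((ts, port))
    peaks = {k: peak_in_window(v, window) for k, v in conns.items()}
    return {k: n for k, n in peaks.items() if n >= min_ports}

def detect_brute_force(log, min_fails=5, window=timedelta(minutes=5)):
    """(src, dst) -> failed logins, for pairs reaching min_fails in window."""
    fails = defaultdict(list)
    for ts, src, dst, _, event in parse(log):
        if event == "AUTH_FAIL":
            seq = len(fails[(src, dst)])  # unique per failure, so each one counts
            fails[(src, dst)].append((ts, seq))
    peaks = {k: peak_in_window(v, window) for k, v in fails.items()}
    return {k: n for k, n in peaks.items() if n >= min_fails}
```

On the sample log only 10.0.0.5 (five ports on one host in three seconds) and 10.0.0.9 (five failed logins in eight seconds) are flagged; the single events from 10.0.0.7 stay below both thresholds.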
Contingency Planning
There’s an old saying that goes: “Plan for the worst, and hope for the best”. This is certainly true when it comes to ransomware preparation. There is no 100% secure cybersecurity configuration. A well-rounded ransomware defense strategy should slow down attackers, increase the likelihood of detection, and prevent lateral spread. A few precautionary measures can make the difference between a minor inconvenience and a total shutdown of operations.