How to Protect Your Data from Ransomware and Double-Extortion

Malware has been the archenemy of organizations around the globe for years, with ransomware, in particular, being an extremely deadly foe. Locking down victims’ files through encryption and demanding a ransom for decryption has proven to be an effective tactic for cybercriminals, with a steady stream of recent attacks serving as a constant reminder. However, these attackers are continually refining their tactics and have recently turned to double-extortion, whereby they threaten to leak victims’ sensitive files in order to increase the odds of ransoms being paid. Kaseya-style supply chain attacks are another example of ransomware’s growing sophistication. In any event, falling victim to an attack can disrupt business operations, harm brand reputation, lead to significant financial costs, and more.

Adversaries are constantly searching for soft targets they can attack to penetrate enterprise defenses. In recent years, SaaS applications have emerged as appealing prey. SaaS apps are designed to enable rapid file sharing, collaboration, and automation. As a result, once ransomware has been placed, it can easily spread to connected applications as well as to users’ devices. Additionally, SaaS apps contain countless files that can be stolen and used for double-extortion. When misconfigurations exist in data-rich SaaS apps, they create dangerous gaps that can extend access to malicious parties looking to infiltrate the enterprise. Unfortunately, almost no SaaS apps provide native threat protection, and the few that do lack the technological sophistication to identify zero-day threats; they are limited to detecting known threats. Complicating the picture further is the fact that legacy security technologies (in the form of on-premises hardware appliances that lack scalability) are not designed to defend against malware or protect data in our cloud-first, work-from-anywhere world.

The gaps to be filled

Organizations need comprehensive defense against the proliferation of malware and ransomware both within and across their SaaS applications. This requires the use of a security solution architected for the modern, cloud world and capable of defending against malware for any user, any device, and any app over any network (without the need to backhaul traffic to an appliance on premises). Such a solution needs to be able to prevent infected files from being uploaded to cloud applications, but it also must be able to identify threats that have already made their way into the cloud. Organizations must also be able to trust that their solution of choice can defend against any threat, including zero-day ransomware, and not just known malware. In the event of (increasingly common) double-extortion attacks, organizations need to be able to defend their data from being exfiltrated via SaaS, as well.

Controlling the kill chain with cloud DLP

When ransomware successfully infiltrates an organization, cybercriminals typically begin working quickly to appropriate data. As mentioned above, stealing data and threatening to leak it is a common strategy for improving the odds of ransoms being paid. Even if companies don’t feel compelled to pay for decryption, the threat of data exposure can prove to be sufficient incentive. However, for double-extortion to be effective, malicious actors need to successfully exfiltrate data from the enterprise. This is where cloud data loss prevention (DLP) becomes particularly valuable. Leading DLP solutions scrutinize the content and context of outbound files and prevent their movement as necessary to prevent leakage. This disrupts the attack chain by stopping malicious actors from stealing the data from SaaS apps that would allow them to engage in double-extortion.

How CASB helps with ransomware

Cloud access security brokers (CASBs), which serve as visibility and control points in the cloud, can also help with the ransomware challenge. In particular, a multimode CASB proxies traffic to secure data in motion in real time, and integrates with application programming interfaces (APIs) to secure data at rest in the cloud. Consequently, it can prevent the upload of malicious files into SaaS applications and respond to malware and ransomware that already exist inside of corporate cloud apps. Leading CASBs provide advanced threat protection (ATP) capable of identifying any threat—even zero-day ransomware—through tight integrations with cloud sandboxing. As cloud-native solutions, leading CASBs require no hardware appliances in data centers and deliver scalable, omnipresent protections.

Fixing misconfigurations with CSPM

When deploying and managing a SaaS application or IaaS instance, there are many configuration settings that must be properly applied to ensure that the app functions properly and securely. Where misconfigurations exist, malicious actors can gain access to corporate systems; for example, to place a ransomware payload or to exfiltrate data for double-extortion. Cloud security posture management (CSPM) can address such vulnerabilities by identifying costly misconfigurations that could be leveraged by attackers. As an illustration, if sensitive data repositories (such as AWS S3 storage buckets) can be openly accessed from the internet due to a misconfiguration, the issue can quickly be located and remediated.
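The S3 case described above, as an added example rather than Zscaler's CSPM logic: it evaluates the three places a bucket can become internet-readable (bucket policy, bucket ACL, and the public access block settings that can neutralise both) and assigns a severity for triage. The bucket names, policy documents and the `vpce-EXAMPLE` condition value are constructed for the demonstration.

```python
import json

# Constructed sample data; a real CSPM collector fetches these via GetBucketPolicy,
# GetBucketAcl and GetPublicAccessBlock for every bucket in the account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _anonymous_principal(principal):
    # IAM syntax: "*" or {"AWS": "*"} (possibly inside a list) means anyone on the internet.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy):
    """Sids of Allow statements open to anonymous principals with no Condition narrowing them."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _anonymous_principal(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(acl):
    """Permissions the bucket ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def assess_bucket(bucket):
    """Return (severity, findings). S3 does not honour a public policy when RestrictPublicBuckets is
    on, nor a public ACL when IgnorePublicAcls is on, so those findings are downgraded for triage."""
    pab = bucket.get("PublicAccessBlock") or {}
    findings = []
    for sid in public_policy_statements(bucket.get("Policy")):
        state = "mitigated" if pab.get("RestrictPublicBuckets") else "exposed"
        findings.append(("policy", sid, state))
    for perm in public_acl_grants(bucket.get("Acl") or {}):
        state = "mitigated" if pab.get("IgnorePublicAcls") else "exposed"
        findings.append(("acl", perm, state))
    if any(state == "exposed" for _, _, state in findings):
        return "HIGH", findings
    return ("MEDIUM" if findings else "NONE"), findings
```

A statement that grants `"Principal": "*"` but carries a `Condition` (for example restricting to a VPC endpoint) is not reported, which is the usual way intentional anonymous-looking grants are scoped.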

Choosing the right protection approach

An integrated approach helps stop ransomware all along the kill chain, without the complexity inherent in deploying and managing multiple point products. Zscaler Cloud DLP, CASB, and CSPM are core components of the integrated Zero Trust Exchange, along with leading SWG and ZTNA technologies. In other words, Zscaler has everything necessary for companies to defend comprehensively against malware and ransomware (as well as address their secure access service edge [SASE] requirements).

The company’s DLP provides the breadth and depth of functionality needed for stopping data exfiltration and thwarting double-extortion, from predefined and customizable dictionaries to exact data match (EDM) and indexed document matching (IDM). Zscaler’s multimode CASB shields enterprise SaaS apps from malware and ransomware infections; threats in transit are detected and blocked via real-time proxy, while malicious files at rest can be identified and quarantined or deleted via API. Leading advanced threat protection (ATP) technology is refined by 160 billion daily platform transactions and 100 million threats detected each day. Zscaler Cloud Sandbox, powered by machine learning, safely identifies and blocks zero-day threats both at upload and at rest. The platform’s CSPM scans SaaS and IaaS instances for potentially fatal misconfigurations that could enable attacks, prioritizes uncovered risks, and empowers organizations to respond before malicious parties can take action.
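The content-plus-context inspection described in the DLP paragraphs above, covering the three detection layers named here (a predefined dictionary entry, exact data match over hashed records, and indexed document matching over document fingerprints), as an added example that is not Zscaler's implementation. The salt, the 32-character chunk size, the sample memo, the account IDs and the host names are constructed for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed demo values; a real engine loads these from its policy store.
SALT = b"constructed-demo-salt"
CHUNK = 32                                    # IDM fingerprint size in characters
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # one entry of a predefined dictionary

def _h(s: str) -> str:
    # Salted SHA-256: the index stores fingerprints, never the sensitive values themselves.
    return hashlib.sha256(SALT + s.encode()).hexdigest()

def _norm(text: str) -> str:
    return re.sub(r"\s+", " ", text).strip()

def build_policy(edm_records, protected_docs, sanctioned_hosts, idm_min_chunks=2):
    """EDM: hash each exact record. IDM: hash fixed-size chunks of each protected document."""
    idm = set()
    for doc in protected_docs:
        n = _norm(doc)
        idm.update(_h(n[i:i + CHUNK]) for i in range(0, len(n) - CHUNK + 1, CHUNK))
    return {"edm": {_h(r) for r in edm_records}, "idm": idm,
            "idm_min_chunks": idm_min_chunks, "sanctioned": set(sanctioned_hosts)}

@dataclass
class Verdict:
    action: str                       # "allow" or "block"
    reasons: list = field(default_factory=list)

def inspect_outbound(text, destination_host, policy):
    """Content checks (dictionary, EDM, IDM) combined with context (where the file is going)."""
    reasons = []
    if SSN_RE.search(text):
        reasons.append("dictionary:ssn")
    if any(_h(tok) in policy["edm"] for tok in set(re.findall(r"[A-Za-z0-9-]+", text))):
        reasons.append("edm:indexed-record")
    n = _norm(text)
    # Slide one character at a time so a copied chunk is found whatever its alignment.
    windows = {_h(n[i:i + CHUNK]) for i in range(max(len(n) - CHUNK + 1, 0))}
    hits = len(windows & policy["idm"])
    if hits >= policy["idm_min_chunks"]:
        reasons.append(f"idm:{hits}-chunks")
    # Context: sensitive content bound for a sanctioned corporate tenant may pass; anywhere else is blocked.
    if reasons and destination_host not in policy["sanctioned"]:
        return Verdict("block", reasons)
    return Verdict("allow", reasons)
```

The same file is allowed when bound for the sanctioned tenant and blocked when bound anywhere else, which is the context half of the decision; the reasons list is what an analyst would see in the DLP incident.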

Want to learn more about ransomware? Watch our free on-demand webinar: Advances in Ransomware and How to Defend Against it.

Author's Bio

Jacob Serpa