The ransomware scourge continues, with incidents hitting a U.S. record in the second quarter of 2021, as attackers expand into vertical industries and target critical infrastructure. Ransom demands have also been growing. According to IT Governance, the average decryption key rate from attackers is $140,000 yet many organizations end up paying much more than that.\n\nThe ransomware threat is evolving faster than people\u2019s ability to keep track. A common misconception is that payloads are usually delivered by phishing emails. While that may be true for many cases, the new breed of ransomware is much more likely to be launched by an intruder who has already breached the network. In fact, the battle is now focused on monitoring activity within your environment rather than preventing users from clicking unknown links.\n\nAnother out-of-date belief is that frequent backups are the best recovery strategy. While that may be true for less capable attacks, an attacker that is already inside a network not only has the opportunity to compromise backups, but also exfiltrate (and ultimately leak) critical data.\n\n\n\nClose back doors\n\nThe most common entry point is remote desktop protocol (RDP), a feature of Microsoft Windows that permits one computer to connect to others to display a graphical user interface for applications like shared whiteboards. RDP vulnerabilities continue to proliferate, with many being the result of poor configuration or failure to apply patches.\n\n\u201cThanks to so many recent, high-profile attacks at the hands of an emerging hacker group, Lapsus$, we\u2019ve seen first-hand how effective RDP access can be to providing that all-important initial entry,\u201d said Rodman Ramezanian, Enterprise Cloud Security Advisor at Skyhigh Security. \u201cOnce they\u2019re in, the ransomware payload itself may come hours or days later.\u201d\n\nPerforming advanced reconnaissance enables intruders to target assaults for maximum pain. The increasing precision of attacks is one reason ransom demands are climbing, despite businesses taking more proactive steps to protect themselves.\n\nFocusing prevention efforts on detecting attacks before they happen is closing the barn door after the horse is already halfway across the field. In fact, the attack is often the last stage in a breach.\n\n\n\nSegment, detect, and govern\n\nData has no jurisdiction. As more data continues to move to the cloud, ransomware follows. When you consider that attackers can get their hands on even more data there, it\u2019s easy to see why the cloud has become so alluring to them.\n\nFor this reason, unified data protection across user devices, web traffic, and cloud environments is imperative. With a Security Service Edge (SSE) strategy that includes data loss prevention (DLP) capabilities, security teams will be able to block data exfiltration automatically, thereby preventing the common double-extortion threats from ransomware nowadays.\n\nThe principle tenets of a zero-trust architecture tie back to the fundamentals of least privilege, where a user is given the minimum levels of access or permissions needed to perform their job. A true zero-trust approach connects a user directly to the application they need, without ever exposing the network. Security teams can continuously authenticate users and connect them directly to applications, rather than inherently trusting traffic from an internal network or corporate device.\n\nMicro-segmentation is another core zero-trust concept. It involves restricting access to applications and resources so that attackers who breach one can\u2019t inflict damage to others. It also combats the \u201cland and expand\u201d techniques intruders use to move from an entry point to other targets on the network.\n\nThe use of legitimate RDP services and valid credentials continues to challenge security teams in distinguishing between trusted activities and malicious ones. User and Entity Behavior Analytics (UEBA) and anomaly-based controls can help spot and mitigate abnormal and potentially dangerous behaviors.\n\n\u201cBy examining common behaviors, security practitioners can build a baseline of \u2018normal activity\u2019 for that specific context, to ultimately highlight any anomalies, deviations, or generally suspicious actions for swift action to be taken,\u201d Ramezanian said. \u201cEvaluating user activities beyond an initial login to include user movements, access to organizational assets and the context with which that access occurs, is fundamental to catching out ransomware threats spawning covertly\u201d.\n\nIt has been 10 years since ransomware first gained widespread attention and the scourge shows no signs of abating. Although there is no foolproof protection against ransomware, keeping current with trends and preventions can minimize the risk of damage.\n\nCompanies must go above and beyond basic cybersecurity to protect against ransomware. Get more info on a complete SSE Strategy here.