Endpoint Protection Best Practices to Block Ransomware
66% of organizations were hit by ransomware in the last year.
Is your endpoint protection solution optimally configured to protect against these devastating attacks?
Read this guide to:
- Learn how ransomware attacks work
- Discover the six endpoint-protection best practices all organizations should deploy
- Get top security tips to help keep ransomware at bay
How Ransomware Attacks Are Deployed
There are many ransomware actors and many types of ransomware attacks. Some are highly targeted, while others are opportunistic. Often, adversaries scan networks looking for weaknesses that will allow them access — consider the quote below from a ransomware gang that attacked a Canadian education organization:
“You had an old critical Log4j vulnerability not fixed on Horizon, this is how we were able to get in initially. It was a bulk scanning; not like we were targeting you intentionally.”
This quote also highlights the common exploitation of unpatched vulnerabilities by adversaries, which was the number one method of entry used in cyberattacks (N.B., not exclusively ransomware) that Sophos incident responders investigated last year.
Much of the recent increase in the volume of ransomware attacks can be attributed to the growing ransomware-as-a-service (RaaS) model. There has been a shift away from threat actors who both build ransomware and use it themselves to attack organizations, toward this model.
With RaaS, a cybercrime group builds ransomware and leases it out to other attackers. This approach lowers the barrier to entry, making ransomware accessible to a greater number of adversaries than ever before.
Once adversaries are inside their victims’ environments, they often spend many days, weeks, or months exploring the network, escalating privileges, exfiltrating data, and installing malware. In 2021, the average dwell time in ransomware attacks was 11 days. This gives defenders a window to identify and stop intruders before an attack.
Remote Desktop Protocol or Ransomware Deployment Protocol?
Remote Desktop Protocol (RDP) played a part in at least 83% of cyberattacks investigated by the Sophos incident response team in 2021, up from 73% the year before.
RDP and desktop sharing tools like Virtual Network Computing (VNC) are legitimate and highly useful features that allow administrators to access and manage systems remotely. Unfortunately, without proper safeguards, ransomware actors commonly exploit these tools.
Interestingly, how attackers are using RDP is changing. In 70% of incidents investigated by Sophos, RDP was used only for internal access and lateral movement. Meanwhile, RDP was used for external access only in 1% of cases, and 12% of attacks showed adversaries used RDP for external access and internal movement.
It is essential to prevent adversaries from using RDP for external access, internal access, and lateral movement.
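One defensive way to act on the RDP figures above is to watch for the two patterns the text distinguishes, RDP sessions arriving from outside the organization and one internal source fanning out over RDP to several hosts. The following is an added example, not code from the Sophos guide, that runs simple detection logic over a handful of constructed Windows Security event 4624 records (LogonType 10 is RemoteInteractive, i.e. an RDP logon). The key=value log format, the RFC 1918 ranges treated as "internal", the approved jump host 10.1.5.5 and the three-host lateral-movement threshold are all assumptions for the illustration.

```python
import ipaddress
import re

# Constructed sample events (not taken from the paper): a simplified
# key=value rendering of Windows Security event 4624 (successful logon).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUser=jsmith Host=WS-0042 SourceIP=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUser=svc_backup Host=FS-01 SourceIP=10.1.20.17",
    "EventID=4624 LogonType=10 TargetUser=svc_backup Host=DC-01 SourceIP=10.1.20.17",
    "EventID=4624 LogonType=10 TargetUser=svc_backup Host=SQL-02 SourceIP=10.1.20.17",
    "EventID=4624 LogonType=3 TargetUser=jsmith Host=FS-01 SourceIP=10.1.20.17",
    "EventID=4624 LogonType=10 TargetUser=admin Host=JUMP-01 SourceIP=10.1.5.5",
]

# Assumption: the organization's internal address space is RFC 1918.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: hosts from which interactive RDP into servers is expected
# (a designated jump host). Anything else reaching several hosts over RDP
# is treated as possible lateral movement.
APPROVED_RDP_SOURCES = {"10.1.5.5"}
LATERAL_THRESHOLD = 3  # distinct hosts reached over RDP by one source/user pair

EVENT_RE = re.compile(r"(\w+)=(\S+)")
RDP_LOGON_TYPE = "10"  # RemoteInteractive


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(EVENT_RE.findall(line))


def is_external(ip):
    """True when the address falls outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify_rdp_logons(lines):
    """Return findings for external RDP logons and internal RDP fan-out.

    Each finding is a tuple whose first element is the finding type:
      ("external_rdp", source_ip, host, user)
      ("rdp_lateral_movement", source_ip, sorted_hosts, user)
    """
    findings = []
    hosts_by_source = {}
    for line in lines:
        ev = parse_event(line)
        # Only successful RDP logons are of interest here.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        src, host, user = ev["SourceIP"], ev["Host"], ev["TargetUser"]
        if is_external(src):
            # RDP exposed to the internet: the external-access case in the text.
            findings.append(("external_rdp", src, host, user))
        elif src not in APPROVED_RDP_SOURCES:
            # Internal source: track how many distinct hosts it reaches.
            hosts_by_source.setdefault((src, user), set()).add(host)
    for (src, user), hosts in hosts_by_source.items():
        if len(hosts) >= LATERAL_THRESHOLD:
            findings.append(("rdp_lateral_movement", src, sorted(hosts), user))
    return findings


if __name__ == "__main__":
    for finding in classify_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the script reports one external RDP logon (203.0.113.45 into WS-0042) and one internal source (10.1.20.17 as svc_backup) reaching three servers; the LogonType 3 network logon and the approved jump host are ignored. In production the same two checks would run over a SIEM feed of 4624 events, with the internal ranges and approved sources taken from the organization's own inventory.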