How Ransomware Impacts Businesses | Security Against Ransomware

Airgap Networks
11 min read · Jan 30, 2021


Did you know that 51% of the organizations in the world were hit by ransomware in the last 12 months? There was a 46% increase in ransomware variants in 2019 alone. But how does ransomware impact businesses? And amid the advancements in technology and security against ransomware, which one should you opt for? We answer all these questions and many more in this article.

Reasons for Increase in Ransomware Attacks

What are the reasons for the increase in ransomware problems?

  1. Anonymity of cryptocurrency — Decentralized and distributed architectures provide benefits, but they are not without their cons. They make it very difficult to know where the assets actually are! So if you were to face a security threat, ransomware is just the tip of the iceberg: these decentralized architectures can be used to attack or infiltrate environments anywhere in the world.
  2. Lure of financial gain — Nearly 86% of the security breaches are financially motivated.
    Source — https://www.varonis.com/blog/cybersecurity-statistics/
  3. International tensions — Information held by a nation’s government is extremely sensitive, and rival countries are always on the lookout to infiltrate and compromise it. Airgap Networks teaches not only companies but also government agencies the best practices for traffic isolation and for protecting the various traffic mechanisms. This helps establish control over malicious propagation — both domestic and international.
  4. Economic depression — With the advent of the Covid pandemic and the economic depression it brought, criminals are resorting to ransomware attacks for monetary and espionage gains. The ease of attacking home IT systems in this work-from-home era has led to a spike in ransomware attacks. We discuss this in detail further below.

How Ransomware Impacts Businesses | Steps of Threat Propagation

Before we come to the solution, let’s get to know about the problem in detail. Here are the steps in which a threat propagates in an organization.

Step 1: Breach of the perimeter

No matter how much you invest in protecting the perimeter, it will always be at risk of a breach. An anti-phishing solution, a targeted awareness campaign, or any other control is still not foolproof. Apart from a network infiltration, the perimeter can be breached by a device that was compromised in the supply chain.

For example, consider an employee using a security camera bought online in his house. If it is connected to his laptop, which in turn is connected to the office network, the entire system can be compromised.

Step 2: Lateral Propagation

This is where the fundamental flaw starts to surface. Almost every organization has a VLAN-based architecture. Imagine that you have two laptops hanging off access ports of a switch on the same VLAN. If these devices talk to each other, there is no technology in that architecture that gives you control or visibility over it. This problem has been amplified since people started working from home.

The other type of network architecture, the ‘flat network’, is even worse than a VLAN-based one. With flat networks, there is no protection against lateral propagation at all: not only will you have negligible visibility of any lateral propagation, but you will also not be able to control the spread in any way.

Recent surveys suggest that most organizational networks in the industry are still flat, which is concerning. The network itself has no awareness that data is being bundled up and handed out to some other party.

We discuss the need to avoid flat network infrastructures further in the article.

For example, consider an engineering organization whose engineers have access to engineering servers. The engineers may not have authenticated themselves, yet they hold authorization to the servers. This means that if there is an unpatched vulnerability on the engineering servers, a bad actor controlling an engineer’s laptop will be able to exploit it easily.

Also, the integration of third parties with your company is of significant concern, because you will be giving people who do not work within your organization access to segments of your network.

In fact, this has been the pattern of past breaches: get inside the perimeter, start propagating laterally, and once enough devices are under control, the attackers gain authorization to your crown jewels, such as your data center.

Note that even the firewalls you have invested in will not be of much help here, since they are built for outside-in protection, not inside-out protection.

Step 3: Exploiting business apps and data

Through the use of legacy protocols and services such as Active Directory, Windows file sharing, RDP, etc., attackers aim to steal and encrypt your organization’s data.

The Need To Avoid Flat Network Infrastructures

Customers need to segment their network properly, and the first step to achieving this is the removal of flat network architectures. Once you do this, you will have control over who comes in and goes out of your network, and over the degree of access a user gets within it.

Most companies use a multi-network strategy rather than a flat one because they know they cannot afford to shut down the entire ERP system during a ransomware attack, as that would stop the whole company from operating. Keeping the ERP system and its connected databases on a private, separate network (via a multi-network strategy) lets the people concerned work through the incident and resolve it.

Airgap combines the pros of both network designs: it provides the simplicity of a flat network with the control of a granularly segmented one.

Why Choose Airgap For Security Against Ransomware?

There are fundamental flaws in the corporate environment that even the so-called ‘adept security systems’ miss. Airgap is designed not only to find but also to eliminate such flaws, which have threatened stakeholders for a long time. With technologies such as Zero Trust Isolation and the Ransomware Kill Switch, Airgap will equip you to face any threat, and that too without having to slow down your business activities during the remedial process.

People are becoming increasingly aware of the technical debt they have been carrying because security requirements were not prioritized in the past. It is important to address them at the very beginning to avoid security breaches later.

Zero Trust Isolation

Ransomware threats will continue to increase as people keep finding new ways to compromise endpoints of an organization. Also, the rate of digitization across government and civilian organizations is so high that security is failing to keep pace. This is part of the reason we are seeing this divide between secure and insecure assets within an organization.

Various other problems will arise from this, but Airgap’s Zero Trust Isolation will be able to negate those effects. Here is what we are talking about.

The Zero Trust Defense

The key to warding off a ransomware threat is to operate on the assumption that the perimeter is already breached. A “zero trust” stance on the perimeter!

Airgap doesn’t claim to protect your perimeter either. Although you may already have made certain investments in securing your perimeter, they may not be sufficient, and chances are that your perimeter is already breached or will be breached soon enough.

Here is where we come in!

Once that assumption is established (or there is an actual breach), Airgap will negate any lateral propagation inside your organization.

The Zero Trust Defense’s approach is fundamental and inspired by the mobile telco approach.

Deployment — We Avoid Agents & Unnecessary Information

No one likes agents, and we have opted against them as well. There are no agents on any endpoints.

We do not need information about your infrastructure such as the router, switch, or firewall, let alone access to those components. We understand that the IT team is not comfortable giving access to such critical assets to any third-party vendor like ourselves.

You need to make no fundamental changes to your network infrastructure. All we do is deploy a virtual machine for each corporate environment (regardless of the number of components in that environment). There is also the option to install more than a single virtual machine in a given environment.

No Wholesale Commitment Needed!

Airgap gives you the option to migrate gradually rather than commit to a wholesale security system. No need to face the skepticism that a wholesale commitment brings — one VLAN at a time!

Let Airgap prove the case by isolating the traffic running on one particular network first, and then move on to further networks within your organization.

Blocking Unauthorized and Unnecessary Communication

Airgap blocks all unauthorized communication inside your corporate environment. Authorized communications, such as lateral printing or a Zoom Room, are allowed. The filtering is done by algorithms that detect such communications. Apart from this, we at Airgap also monitor what is happening inside those communications, and if we find an anomaly, we can report it to the IT department.

Most security systems look only at the traffic and try to find anomalies in it. This is like finding a needle in a haystack and wastes a lot of time. We, on the other hand, skim through only a tiny amount of traffic to find discrepancies, which is much more effective.

Access under Airgap can be granted on several different levels. You can grant access based on identity, so that one person may have access to a particular protocol while another does not; you can also restrict access by device or by service, or by a combination of all three.

We also understand the need to get more protocol-specific. Taking control up to Layer 7, where you have individual control over protocols, is the necessary step forward. Along the same lines, Airgap also lets you isolate access to individual protocols and keep other traffic away.

Independence From Policy Generation

Generally, the way policies are written and defined is product-specific. Therefore, if you move from one network architecture to another, you lose your policies and have to generate them afresh.

Airgap gives you independence from policy generation! This means you will not be writing different sets of policies based on which cloud provider your virtual machine or container moves to — an absolute headache for administrators. You will be able to control the traffic layers at the virtual machine or container level easily.

There are unique mechanisms that learn system and user behavior and build a policy around it, so that the IT department does not have to spend time writing a policy manually. Note that manual policy generation can never go down to zero, but such a mechanism automates the majority of it (up to 90%). An automated policy will be more secure, since a manual one is more prone to error — 95% of security breaches occur due to human error.

The Work-From-Home Scenario and The Need To Increase Security

People working outside their office environment and network are exposed to more risk.

How is this?

As stated in the example above, if you buy a camera (or any other consumer IoT device, such as a smartwatch or a smart refrigerator), there is a risk that malware preloaded on such a device can infect your laptop.

Airgap’s technology puts your device in stealth mode after it automatically detects that you are not in the office, and applies policies that further put your device in cloak mode.

Therefore, you need not worry about the camera, etc. infecting any other device in your home or scanning your laptop. Since the laptop is in stealth mode, the camera will not be able to find the laptop, while the laptop can still reach the camera.

The Ransomware Kill Switch — Your One-Stop Solution For Security Against Ransomware Attack

The first step in most antiquated ransomware responses is to try to identify the infected devices and then isolate them. This is a completely faulty response, since identifying the devices takes a lot of time, and in the meantime those devices keep propagating the threat across the board.

Another popular novice response is to shut down the entire system when faced with a ransomware attack. This is ill-advised because it creates damage that is too difficult to recover from. Moreover, you cannot afford a business interruption while addressing a security issue.

We have listed the don’ts, but what should you do when impacted by ransomware?

Use Airgap’s Ransomware Kill Switch.

An instantaneous response is needed in such situations — a security system that guarantees the propagation is stopped. You can then take an hour or a day to identify the infected devices and remove them from the system.

The Ransomware Kill Switch is the most potent response to ransomware. It instantly stops the propagation of ransomware, giving you more time to debug and diagnose the attack and answer questions such as ‘Where is the attack coming from?’ and ‘Which devices are targeted?’

All you need to do next is remove those devices, turn off the switch, and go back to normal. Most importantly, the productivity of your organization stays intact, because there is no need to disturb the entire system during the remedial process. Only the devices that may participate in the ransomware (either laterally or vertically) are shut down. Other activities, like an employee communicating on Slack or editing a doc, continue.

Simple and Easy-To-Use Technology

The Ransomware Kill Switch is as easy to use as a switch!

Under this, there are three policy buckets: yellow, orange, and red. You can put anything in those policy buckets, literally anything.

For example, if an attack belongs to the yellow bucket, a predetermined response (fed in earlier) takes place. The same applies to attacks at the orange or red level.

The three policy buckets are also integrated with the email system, because communication is key when you are handling an incident response.

For example, when the switch moves from the green bucket to the orange one, an email is sent to the key stakeholders with a pre-decided template such as “Your security team is going through an incident response audit, you may experience some service disruption…”

Once it goes back to green, another email is sent stating that the problem is resolved, along with anything else you may have fed in.

Eliminating Non-Essential Communication When Under Attack By Ransomware

Airgap provides a switch to disconnect all non-essential communications (such as employees checking their social media, bank accounts, etc.) from the network during a ransomware attack. You do not want to be deciding what communication is essential and what is not in the thick of things, i.e., under a live attack. The segregation and the policy generation need to be done beforehand, and that is where the Ransomware Kill Switch assists you.
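To make the tiered kill-switch idea concrete, here is an added Python model (illustration only, not Airgap’s product code) of the policy buckets described above: each level keeps a pre-decided set of permitted lateral services, a level change emits the pre-decided stakeholder email, and quarantined devices are cut off regardless of level. The level names, service names, sample flows and templates are constructed for this example.

```python
"""Toy model of a tiered ransomware kill switch with pre-decided policy buckets."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Lateral services each bucket still permits; anything not listed is blocked.
# Green is normal operation; yellow/orange/red are the escalation buckets.
# Service names are constructed for this example.
LEVELS = {
    "green":  {"print", "zoom", "slack", "docs", "web", "smb", "rdp"},
    "yellow": {"print", "zoom", "slack", "docs", "web"},   # drop admin protocols
    "orange": {"slack", "docs"},                           # essential collaboration only
    "red":    set(),                                       # all lateral traffic stopped
}
# Pre-decided notification templates sent to stakeholders on a level change.
TEMPLATES = {
    "orange": "Your security team is going through an incident response audit, "
              "you may experience some service disruption...",
    "red":    "All non-essential communication is suspended pending investigation.",
    "green":  "The incident has been resolved and normal service is restored.",
}
Flow = Tuple[str, str, str]   # (source device, destination device, service)

# Constructed sample of lateral flows seen on one VLAN.
SAMPLE_FLOWS: List[Flow] = [
    ("laptop-a", "printer-1", "print"),
    ("laptop-a", "laptop-b", "smb"),
    ("laptop-b", "eng-server", "rdp"),
    ("laptop-c", "zoomroom", "zoom"),
    ("laptop-c", "laptop-a", "slack"),
]

@dataclass
class KillSwitch:
    level: str = "green"
    notifications: List[Tuple[str, str, str]] = field(default_factory=list)

    def set_level(self, new_level: str) -> Optional[str]:
        """Move the switch; return the email sent on a real transition, else None."""
        if new_level not in LEVELS:
            raise ValueError(f"unknown level {new_level!r}")
        old, self.level = self.level, new_level
        msg = TEMPLATES.get(new_level) if old != new_level else None
        if msg:
            self.notifications.append((old, new_level, msg))
        return msg

    def allowed(self, src: str, dst: str, service: str, quarantined: Set[str]) -> bool:
        """A lateral flow passes only if neither end is quarantined and the service
        is in the current bucket's allow set."""
        if src in quarantined or dst in quarantined:
            return False
        return service in LEVELS[self.level]

def triage(ks: KillSwitch, flows: List[Flow], quarantined: Set[str]):
    """Split flows into (allowed, blocked) for the switch's current position."""
    allowed = [f for f in flows if ks.allowed(*f, quarantined)]
    return allowed, [f for f in flows if f not in allowed]
```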

End Note

With increasing risks to your data and security, you surely want to be among the 5% of companies that are properly protected. How do you achieve security and stop a ransomware attack from impacting your business? Use Airgap and its Zero Trust Isolation Platform and Ransomware Kill Switch, which come with the above-mentioned pros and are easy to use and understand.

Need further assistance with any of your queries? Contact us on +1 415 480 8075 or info@airgap.io. We will strive to get a response back to you in the shortest possible time.

Source for statistics: https://www.varonis.com/blog/cybersecurity-statistics/

Written by Airgap Networks

Zero Trust Isolation — The Best Defense Against Ransomware Propagation. https://airgap.io