Skip to main content

Key points from Google and Accenture's ransomware white paper

wordpress-sync/MissingSecurityCourse_feature

November 7, 2022

0 mins read

Ransomware has been around for a long time — since 1989 — but has scaled up significantly since 2016. Author’s from Accenture and Google Cloud, in addition to our very own Vandana Verma Sehgal (from the Snyk Security Relations Team), recently released a white paper, Ransomware State of Mind: How to Better Protect Your Business, which details the current state of ransomware and solutions to address this growing problem. The report covers everything from the impact of ransomware on business and recent high-profile attacks, to zero trust and endpoint security.

Download the report

This article will provide an overview of the key points from the white paper.

What is ransomware?

According to the report, ransomware is a type of malicious software that puts your organization's important data at risk. It is usually, but not exclusively, delivered through spear phishing emails. Once ransomware infects a computer system, it targets critical data and restricts users’ access to said data until a ransom is paid to unlock it. There are several ways ransomware can be delivered, but the most common one are:

  • Social engineering

  • Phishing

  • Remote desktop/terminal protocol (RDP)

  • Software vulnerabilities

Ransomware became a much more menacing threat with the advent of COVID-19 and a worldwide shift to remote work. The change in working conditions extended the corporate network perimeter to employee homes — a more difficult location for an organization to secure.

What is the impact of ransomware?

Whether or not a ransomware attack is successful, businesses feel a significant impact. Gartner estimates that by 2025, at least 75% of IT organizations will have faced one ransomware attack or more. In the short term, a ransomware attack can lead to a loss of access to data for a period of time, incident response and mitigation costs, and litigation costs.

In the long term, companies have reported a series of challenges:

  • 66% of organizations reported a significant loss of revenue following a ransomware attack.

  • 29% reported being forced to lay off employees due to financial pressures following a ransomware attack.

  • 53% of organizations indicated that their brand and reputation were damaged because of a successful attack.

  • A startling 26% of organizations reported that a ransomware attack forced the business to close operations for some period of time.

High-profile ransomware attacks

Here’s a quick overview of some of the highest-profile ransomware attacks in recent years:

Colonial Pipeline

In this attack, ransomware affected the digital assets that manage the pipeline, causing fuel shortages, long waits at gas stations, and surging prices.

JBS Foods

This meat processing giant suffered a ransomware attack that disabled its pork and beef slaughterhouses in the United States, Canada, and Australia.

CD Projekt

CD Projekt is a video game company that produced well-known games like The Witcher. Ransomware attackers threatened to release their intellectual property and employee information if they didn’t pay the ransom.

Key learnings from Google and Accenture

According to estimates from BlackFog, global ransomware damage losses are projected to reach $20 billion this year. Implementing proven strategies and tactics as well as software solutions is vital for companies that want to protect their data, revenue, and reputation.

Let’s look at key learnings from the Google and Accenture white paper, which provide a better understanding of ransomware attacks and how to effectively guard against them.

Ransomware spreads in phases

Ransomware attacks don’t occur all at once. It takes time for the attacker to penetrate the system and then lurk until they find what they’re looking for. Here’s a brief synopsis of the phases of ransomware:

  1. Attacker achieves access through a compromised endpoint that has access to the target network.

  2. Attacker remains hidden and attempts to move laterally throughout the system to build valuable resources.

  3. As they move laterally, the attacker elevates their privileges by exploiting network-based trust relationships.

  4. Attacker releases the ransomware.

The time period an attacker spends moving from step one to step four could be as small as a few minutes, or as long as days or weeks. In the case of the AIDS Trojan, the infected computer booted up 90 times before ransomware was released.

Zero trust is a vital security measure

One of the most proactive and effective security measures companies can use to protect against malicious actors is implementing zero trust security. Zero trust security means no privileges to any applications or systems are given without an authenticated identity.

A few tactics companies use to implement zero trust security include:

  • Secure trusted perimeters (STPs) - established boundaries around trusted entities, including devices used by remote workers.

  • Multi-factor authentication (MFA) - requires a user to verify their identity with two or more methods when access is requested from a high-risk service.

  • Single sign-on (SSO) - gives each user one set of login credentials that provides access to a pre-approved set of applications and services.

Protect in-house apps with secure code review

In-house apps are integral to most businesses, and therefore provide multiple opportunities for malicious actors to obtain a wealth of sensitive information. Here are a few common areas of concern for DevSecOps teams attempting to secure these applications.

  • Infrastructure misconfigurations like publicly-accessible storage buckets

  • Toolchain vulnerabilities like unauthorized host and storage access

  • Open-source supply chain issues like unmanaged binaries

  • Insecure coding practices due to human error or inexperience

  • Build integrity issues like unauthorized tampering

Protecting these apps is possible with tools like a secure code review, static application testing (SAST), and software composition analysis (SCA).

  • Secure code review is a shift-left strategy that examines source code for vulnerabilities early in the software development lifecycle (SDLC).

  • SAST tools like Snyk Code scan code as it is written to uncover vulnerabilities and quickly fix them with dev-friendly remediation advice.

  • SCA tools like Snyk Open Source help developers find, prioritize, and fix security vulnerabilities and license issues in open source dependencies.

Manage infrastructure as code (IaC) with GitOps

GitOps is gaining popularity as a method of automating infrastructure security. It takes the concepts of DevOps — Git, code review, CI/CD, etc. — and applies them to infrastructure. Google and Accenture’s report offers several suggestions for applying GitOps:

  • Express infrastructure definitions as code (e.g., YAML files).

  • Use a source code management system to manage infrastructure configuration.

  • Automate enforcement so that every change in the repository is applied to the actual cluster and every out-of-band change gets rolled back.

  • Express change requests as branches in the source code management (SCM) repository.

  • Express every change as a merge to the master branch.

Another simple solution to IaC automation is using Snyk IaC. With this tool, developers can automate IaC security and compliance in development workflows pre-deployment, and detect drifted and missing resources post-deployment.

Automate security policy and testing

Using automation like code scanners can reduce mean time to resolve (MTTR) without slowing down the release process — and since they occur earlier in the dev cycle, developers can address issues within the context of their workflow.

Feature branch merges are an excellent place to apply automated testing. The process of automating this task is as follows:

  1. Create a dedicated environment for dynamically testing the security of every feature branch.

  2. Execute the tests.

  3. Present the results to the code review team.

From there, developers can decide to fix the vulnerability, accept the risk of the vulnerability, or postpone the project until an alternative solution is found. Alternatively, Snyk’s policy as code engine enables security professionals to build security rules, custom policies, and compliance-mapped security rulesets using OPA and Rego. This creates a unified, consistent single source of truth for policies from code to cloud.

How to prevent ransomware

While achieving 100% ransomware prevention might be a lofty goal, providing adequate protection that minimizes risk is not. Apply the following strategies to get the upper hand on the growing threat landscape.

  • Ensure security principles have been applied to all three security layers: PaaS overlay, platform, and foundation.

  • Solidify the security of infrastructure by declaring and configuring infrastructure as code.

  • Test and validate source code, open source libraries and dependencies, attestations, and deployed artifacts.

  • Shift security left using SAST and SCA automation, as discussed earlier in this article.

  • Leverage a Value Stream Delivery Platform to create a single audit trail for all activities.

Final thoughts

Minimizing the threat of ransomware is a goal of companies across the globe. It might seem to be an impossible task, but with today’s technologies, protection against cybercriminals is possible. Snyk is here to help with scanning tools that protect code, open source dependencies, IaC, containers, and more —  all powered by Snyk’s industry-leading security intelligence. Get started today with a free forever account.

wordpress-sync/MissingSecurityCourse_feature

How to Build a Security Champions Program

Snyk interviewed 20+ security leaders who have successfully and unsuccessfully built security champions programs. Check out this playbook to learn how to run an effective developer-focused security champions program.