This Recent Ransomware Attack Did Not Enter Through an Endpoint
Since the first ransomware attack in the late eighties, these deadly attacks have become a standard fixture globally in different sectors and among all business types – large, medium, and small. Every industry has had a feel of the devastating effect of ransomware. To show the powerful impact of ransomware in this age, many companies are beginning to include the cost of at least one ransomware attack in their budgets. However, there is little headway made regarding how to defend yourself from ransomware.
According to Statista, companies worldwide got hit by 493.33 million ransomware attacks in 2022 alone. However, this dropped from 623.25 million in 2021. The United States took the unwanted trophy having 217.5 million attacks. The United Kingdom (second) having less than a third of the United States. All ransomware attackers need to do is send in the ransomware via spam/phishing email (the most common approach for ransomware, followed by endpoints) and request a colossal ransom afterward.
However, a recent ransomware attack perpetrated through a SaaS platform has got the IT world on alert and rocking as we speak. It is also changing how IT professionals and experts approach cybersecurity from the cloud services/SaaS angle. This article will address various pain points. What ransomware is, how the recent attack panned out, and how to protect your business and personal devices from this novel and emerging threat.
Explaining Ransomware and How It Works
In basic terms, ransomware is malware that malicious attackers use to request ransoms from the affected company or business. The actor finds a way to get the malware into the company’s network. Then, usually through a vulnerable endpoint, a phishing email, and, more recently, company SaaS accounts and platforms.
The ransomware gets into the network and executes embedded instructions. These usually entail encrypting specific and vital documents and stopping essential business operations. The attacker then sends a message to the company, asking for a ransom. Companies with no alternatives, such as backup and recovery systems, must comply. The attacker then decides to withdraw or deactivate the ransomware.
Most companies do not even know they have been hacked until they find they have been locked out of business-critical applications and systems.
Ransomware became a thing in 1989 when an attacker sent out twenty thousand floppy disks containing ransomware disguised as HIV surveys in reference to the just concluded WHO AIDS conference. The actor demanded $189 as ransom, and the cost of ransom has been on an upward trajectory ever since.
With the volume of information about hacking and malware on the internet nowadays, it takes two days to develop deadly and effective ransomware. Attackers only have to mark out appropriate targets and send out the malware via phishing emails. They’ll also use infected drives left around for unsuspecting employees to insert in their work devices. This introduces the malware to the target’s network, where the ransomware begins its work. However, going through SaaS accounts seems to be the new approach.
The Recent Ransomware Bypassing Endpoints
The recent ransomware attack perpetrated through Sharepoint Online is one for the books. To understand how it happened and how companies can protect themselves further, the company invited an IT security expert to study how it happened.
The attacker got in via a compromised Microsoft Global SaaS admin account on Sharepoint Online (a cloud service hosted by Microsoft 365). Being an admin account, the attacker revoked the privileges of over two hundred other admins with a newly created Active Directory account which comes with elevated privileges. The attacker then began to extract files without permission, followed up with an upload of multiple .txt files.
The attacker did the upload to inform the company of the breach, establish a way to communicate with the attacker and discuss the terms of the ransom.
One important issue to note is the attacker opting to download files rather than encrypt them. This is because decrypting locked files can be tricky, even for attackers, and will harm their reputation. However, by downloading the files, attackers have an edge when requesting ransoms.
Note: This attack was possible because of the focus of most companies on their endpoint security alone. In terms of cybersecurity, many companies today tend to focus more on endpoints and less on their SaaS or other network platforms. With this newfound way of attack, more attacks of this nature are expected to happen in the coming months. As a result, businesses using SaaS platforms need to be on alert.
How to Prevent Ransomware Attacks of This Nature in the Future
Moving forward, businesses need to understand how to identify and prevent attacks of this nature, as there is sure to be an increase in this type of attack in the coming months. Here are some suggestions and recommendations to help defend businesses from ransomware SaaS attacks:
● Alerts
To do this effectively, admins need to create and monitor alerts for changes in these five aspects:
- Alert on new AD users
- Alert on new AD groups
- Alert on Sharepoint Files
- Alert on service accounts
- Alert on User-Agent
With these alerts, admins can easily monitor newcomers and check if they are the right users.
● Implementing multi-factor authentication
The use of MFA (multi-factor authentication) should also be implemented, especially for high-privilege accounts. This will make credential theft and access more difficult for attackers.
● Introducing tighter SaaS controls and restrictions
Admins should look at reassessing admin privileges and permissions. This will help reduce the overall power admins have and also check the permissions and privileges when admin accounts are compromised. Also, new and tighter SaaS control, policies, and regulations should be put in place.
● Careful integration analysis
SaaS platforms usually need to allow integration with many other platforms, applications, and systems. However, not carefully monitoring the state of these integrations can lead to hackers using them as a cover for the injection of ransomware. Admins and IT professionals of business and SaaS companies should be more intentional about scanning and analyzing every integration and ensuring it is safe.
● Monitoring SaaS activity logs
All activity and audit logs should be monitored, scanned, and analyzed consistently for suspicious patterns. Hackers have customs, and recognizing these patterns on time can help stifle the activity of these malicious actors. It could be the action that prevents a company from losing millions of dollars to ransoms.
Increase Your Cloud Security with Copperband Technologies
Cloud services and offerings are the way to go for businesses in this age, as they offer a better alternative regarding scalability and business operations costs. Copperband Technologies possess vast experience in technical cloud support and related IT areas for Southern Kentucky and Middle Tennessee businesses.