Fastest 2 Minutes in SecOps: Ransomware

June 14, 2022

VirusTotal's Vicente Diaz delivers a crash course in modern ransomware for security operations professionals.

Video Transcript

Today's Topic: Ransomware

Vicente Diaz: Ransomware has spread tremendously in a first wave of attacks, most of them through malicious emails and also using weak remote access. But there was a second phase, arguably more serious, of cybercriminals using these APT-like techniques to get into their victims, having professional teams to break into them, which speaks to how resourceful these groups were at the time. But the situation just got worse. They have even more resources nowadays. So there are a few things in this process we can learn from. The first one is that the execution of ransomware attacks is not that different from any other attacks. Some time ago, the security industry focused on countering the ransomware itself. I believe that disrupting the process of the attack is what matters most. The second is that an attack can start from absolutely any malware we find in our environment. It is important not to underestimate the danger of these well-known malware families, as many times this is the easier, simpler, non-suspicious way for attackers to get into our environment. Having good detection and protection against lateral movement tools typically used in these attacks, such as Mimikatz, Cobalt Strike, etc., as well as the scripting languages, makes life harder for automating the spreading in our environment. Finally, it's very important to have a plan B to recover if everything goes wrong. And cloud environments provide an obvious advantage in this direction. I personally believe in the importance of creating a non-blaming culture when it comes to employees and encouraging them to report anything suspicious; especially, it's important to have a very clear reporting line and also a shared procedure of what to do if anything happens. My final point is on the importance of monitoring how these campaigns are evolving. Keeping an eye on that provides us with the advantage to prepare before being hit and not being the low-hanging fruit for cybercriminals.
So unfortunately there is no silver bullet, but at the same time the development of these attacks is not that different from any other attacks we can see in our environment. So please make sure to follow all the recommendations and good practices to the best of your capabilities, have your plan B ready, and please be safe.

Produced with Vocal Video