Ransomware attacks are on a steep rise, and ransomware is increasingly sold as a service (ransomware-as-a-service, RaaS). But the latest report by Microsoft says that over 80 per cent of ransomware attacks can be traced to common configuration errors in software and devices.
According to the latest edition of Cyber Signals (Microsoft’s cyberthreat intelligence brief), the vast majority of ransomware attacks (over 80 per cent) can be traced to common configuration errors in software and devices, which points to endpoint device security management as an area that needs attention.
Amongst other findings, Cyber Signals revealed that the median time for an attacker to access a person’s private data if they fall victim to a phishing email is one hour, 12 minutes. For endpoint threats, the median time for an attacker to begin moving laterally within a corporate network if a device is compromised is one hour, 42 minutes.
With the increasing number of cybercrimes around the world, the Cyber Signals brief reported that Microsoft’s Digital Crimes Unit directed the removal of more than 531,000 unique phishing URLs and 5,400 phish kits between July 2021 and June 2022. This led to the identification and closure of over 1,400 malicious email accounts used to collect stolen customer credentials.
Focusing on the evolving factors affecting the extortion segment of the cybercrime economy and the rise of RaaS, the second edition of Cyber Signals shares some deep insights. Microsoft’s insights were drawn from its 43 trillion security signals and 8,500 security experts, including threat hunters, forensics investigators, malware engineers, and researchers.
“It takes new levels of collaboration to meet the ransomware challenge. The best defenses begin with clarity and prioritisation; that means more sharing of information across and between the public and private sectors and a collective resolve to help each other make the world safer for all. At Microsoft, we take that responsibility to heart because we believe security is a team sport,” said Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management at Microsoft.
In the US alone, the cost of cybercrime totaled more than USD 6.9 billion (according to the Federal Bureau of Investigation’s 2021 Internet Crime Report). Further, the EU’s ENISA has reported that about 10 terabytes of data were stolen each month by ransomware threat actors between May 2021 and June 2022, with 58.2 per cent of stolen files including employees’ personal data. This puts the spotlight on ransomware and the increasing concerns around it.
Here are some recommendations for ransomware prevention and protection:
Build credential hygiene: Segment the network logically by privilege level, alongside conventional network segmentation, to limit lateral movement.
Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.
Harden the cloud: As attackers move toward cloud resources, it’s important to secure these resources and identities as well as on-premises accounts. Security teams should focus on hardening identity infrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud admins/tenant admins with the same level of security and credential hygiene as domain admins.
Prevent initial access: Prevent code execution by managing macros and scripts, and by enabling Attack Surface Reduction rules.
Close security blind spots: Organizations should verify that their security tools are running in their optimal configuration and perform regular network scans to ensure a security product protects all systems.
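The attack surface reduction and blind-spot recommendations above can be checked and applied with Microsoft Defender’s PowerShell cmdlets. The script below is an added example, not code from the Cyber Signals report; it assumes a Windows endpoint running Microsoft Defender Antivirus and an elevated session, and the rule GUIDs are Microsoft’s published ASR identifiers that should be confirmed against the current ASR rule reference before rollout.

```powershell
# Added example (not from the Cyber Signals report). Assumes Microsoft Defender
# Antivirus on Windows and an elevated PowerShell session. Rule GUIDs are Microsoft's
# published ASR identifiers; confirm them against the current ASR rule reference.
# Action codes returned by Get-MpPreference: 0=Disabled, 1=Block, 2=Audit, 6=Warn.

$RecommendedAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Report the current state of each recommended rule (the "blind spot" check):
# a rule that is absent from the preference list is effectively Disabled.
function Get-AsrRuleReport {
    $pref = Get-MpPreference
    $current = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        $current[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $RecommendedAsrRules.Keys) {
        $code = if ($current.ContainsKey($id)) { $current[$id] } else { 0 }
        [pscustomobject]@{
            RuleId = $id
            Rule   = $RecommendedAsrRules[$id]
            State  = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "Unknown($code)" }
        }
    }
}

# Enable every recommended rule that is not already enforced. Roll out with -Mode Audit
# first, review the ASR events in the Defender operational log (event ID 1122 = audited,
# 1121 = blocked), then switch to -Mode Block once false positives are handled.
function Set-RecommendedAsrRules {
    param([ValidateSet('Audit', 'Block')][string]$Mode = 'Audit')
    $action = if ($Mode -eq 'Block') { 'Enabled' } else { 'AuditMode' }
    foreach ($r in Get-AsrRuleReport) {
        if ($r.State -eq 'Block') { continue }   # already enforced; leave it alone
        Add-MpPreference -AttackSurfaceReductionRules_Ids $r.RuleId -AttackSurfaceReductionRules_Actions $action
        Write-Host "$Mode -> $($r.Rule)"
    }
}

Get-AsrRuleReport | Format-Table -AutoSize   # audit first; then: Set-RecommendedAsrRules -Mode Audit
```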