How ransomware attacks are changing
To prevent ransomware attacks, it is becoming increasingly important to consider how they have evolved and the role that seemingly unrelated attacks (such as phishing) play in their success. Some attackers have changed tactics from extorting victims for the decryption of data to extorting victims by threatening the unauthorized release of their data. This change means that, rather than running malware that encrypts files, the focus has shifted to data exfiltration. Compromised identities offer one of the shortest, most reliable paths to access data and phishing is one of the most common techniques for gaining unauthorized access to a user’s account.
The unexpected role of the browser
Phishing is most closely associated with email, but a lack of enterprise browser security can have an even more significant role to play in credential theft and account takeover (ATO). Email, after all, is just a lure but the real damage starts in one of two ways:
- If and when a user clicks a malicious link and directly supplies their credentials to an attacker-controlled website. Once an attacker has valid credentials, they are effectively that user with all the corresponding rights and privileges.
- If and when a user clicks an HTML smuggling link or attachment that downloads malware to the victim’s machine. Regardless of malware type—whether it’s ransomware, a keylogger, or a tool designed to steal authentication tokens and session cookies—the attacker has established foothold in the enterprise.
Unfortunately, where, when, and how the damage stops is another matter entirely. Failure to prevent a ransomware attack that leverages these techniques results in a median time of one hour and 12 minutes to access data, according to analysis by Microsoft. However, even with such a tight timeline for the initial compromise, the full scope may not be known for months and the damages—in the form of ransom payments, lost revenue, settlements, unauthorized data disclosure, and reputational harm—may take even longer to manifest.
Preventing ransomware attacks via the browser is difficult
The real challenge is both making it harder to compromise identities and less likely for similar or related attacks like HTML smuggling to succeed. At the core of both cases are several complicating factors. First, innocent mistakes can have disastrous consequences. A single errant click can be enough to cause a breach and no amount of User Awareness Training (UAT) can guarantee that users won’t be fooled. Second, both conventional phishing and HTML smuggling rely on things doing exactly what they’re supposed to. Modern phishing sites may utilize the Browser-in-the-Browser (BitB) technique, presenting users with very authentic-looking sites and a familiar workflows (like multi-factor authentication/ MFA prompts) to help convince them they are in the right place and doing the right thing. Similarly, HTML smuggling relies on browsers doing the very thing they were built to do: rendering HTML and executing JavaScript. On their own, browsers have no mechanism to distinguish between benign and malicious code. Moreover, conventional security tools have little or no visibility into the browser’s execution environment so they are also unable to detect malicious activity.
Conclusion
Preventing this new style of ransomware attack requires protecting identities and protecting identities requires fortifying the browser. Seraphic Security offers controls to prevent credential re-use, as well as protection against phishing and other web-based attacks.
More information
For more information on how Seraphic Security can help you prevent ransomware by protecting identities and user credentials, visit our Product page, download the ESG Technical Validation of Seraphic or schedule a demo.
