Zscaler’s CISO discusses trends in ransomware – and how to combat this malicious technology.
Ransomware is on the rise and it’s coming from multiple sources. Additionally, whether the goal is to collect ransom for data or disrupt a company’s supply chain, these attacks are growing in sophistication.
Zscaler is a security company that closely follows existing and emerging cyberthreats. Zscaler’s Zero Trust Exchange is a security cloud that processes more than 200 billion transactions and 150 million blocked attacks daily. This integrated platform of services protects users and workloads using zero trust, which involves applying security policies to control access.
In a recent ZKast, I discussed the evolution of ransomware and other cyberthreats with Deepen Desai, Chief Information Security Officer and VP of Security Research at Zscaler. Desai also explained how Zscaler’s security research arm, ThreatLabz, uses insights from the Zero Trust Exchange to understand emerging threats and improve its platform. Highlights of the ZKast interview, done in conjunction with eWEEK eSPEAKS, are below.
- ThreatLabz consists of more than 100 security experts located in seven countries across the globe. Their job is to track the evolving threat landscape through the Zero Trust Exchange. Zscaler has aligned its ThreatLabz team across four critical stages of the attack chain:
  - The first group is focused on the initial delivery vector, where attackers try to gain entry into a company’s environment. This team proactively tracks phishing campaigns, drive-by download attacks, and the malicious websites where attacks start.
  - The second group is responsible for vulnerability exploit coverage. There is often a gap between a patch being released and it being applied to systems, creating a window of opportunity for attackers. This group shrinks that window by adding detections that cover organizations while they are still rolling out patches.
  - The third group is responsible for malware tracking, covering both crimeware and other malware families. The team comes across half a million unique payloads every day and uses artificial intelligence (AI) and automation to process that volume.
  - The fourth group is focused on the command and control stage. Once a system is infected, it attempts to communicate with the attacker’s server. The team has built automation that emulates this activity and feeds real-time intelligence back into the platform to block the attack.
- ThreatLabz has observed several trends since the start of COVID-19. Early in the pandemic, the focus was on remote work. Many organizations were vulnerable to attacks due to having to support a large remote workforce. Now, the focus has shifted to hybrid work, with apps and workloads residing in public clouds.
- Ransomware continues to be one of the most prevalent threats, despite law enforcement and government crackdowns. Over the last three years, attackers have refined their tools and tactics for targeting organizations by encrypting data and demanding ransom. Even if an organization is able to recover from backups, stolen data can remain in the hands of cybercriminals, who then threaten to leak it. This is the case with double extortion attacks.
- Zscaler’s recently published 2022 ThreatLabz State of Ransomware Report found an 80 percent increase in ransomware attacks year-over-year. This is a new record for both the volume of attacks and the cost of damages. Eight out of the top 11 ransomware families are leveraging ransomware as a service (RaaS), where non-technical threat actors rent infrastructure built by the RaaS operators to launch attacks.
- The other trend examined in Zscaler’s report is a rise in supply chain attacks that inflict significant damage on organizations. Historically, supply chain attacks took advantage of geopolitical conflicts like the latest Russia-Ukraine war. Going forward, Zscaler predicts an increase in more sophisticated ransomware that targets supply chains.
- Phishing as a service (PhaaS) is also becoming more popular. Similar to what’s happening in ransomware, threat actors are rebranding themselves to get around the government and regional crackdowns on cybercrime. That’s why every organization should have a response plan in place to proactively deal with these threats.
- Organizations that want to protect themselves from ransomware should first reduce the external attack surface by not being visible to threat actors. Second, they should prevent compromise by applying consistent security policies using technologies like sandboxing and browser isolation. Third, they can decrease the attacker’s blast radius by implementing micro-segmentation.
- Zscaler offers endpoint deception, which reduces the blast radius and blocks insider threats or activity from compromised accounts as the attack is happening. When such a user tries to access an app, they’re redirected to a decoy farm and all access to critical apps is cut off. It’s an effective way to protect against ransomware by deceiving threat actors into thinking they’re going after the corporate environment.
- Zscaler takes a platform approach with endpoint deception by providing it as a “one click” option integrated with existing deployments. Zscaler is able to protect against the loss of data across all users and locations—including workloads running in the public cloud—through full inline secure sockets layer (SSL) inspection.