Ransomware Resilience – What Utilities Should Keep in Mind and Key Takeaways from the Sophos Report

Created: Thursday, April 4, 2024 - 14:05
Categories:
Cybersecurity, Security Preparedness

Ransomware resilience is more than just having validated backups for restoring your systems after a ransomware attack; vulnerability management has a lot to do with it too, whether that means patching or, where patching is not possible, addressing the vulnerability through compensating controls. While ransomware attacks have negative outcomes no matter the attack vector, Sophos explains that exploiting unpatched vulnerabilities has the greatest business impact.

Using data drawn from their external-facing incident response team, Sophos shares key insights about the impacts of different ransomware attacks. They highlight how ransomware outcomes differ depending on the root cause of the attack and compare the severity, financial cost, and operational impact of these different root causes. While there are many methods threat actors use to gain entry, Sophos explains that threat actors typically use two main approaches: logging in with compromised credentials (legitimate access using credentials that had been previously stolen), and exploiting vulnerabilities in applications and tools used by the victim. Overall, the data shows that attacks that start by exploiting unpatched vulnerabilities are particularly brutal for their victims.

Sophos also recently published the "Sophos Active Adversary Report of 2024," which includes data regarding threat actor behavior and insights into where the problems lie.

Key takeaways from the Report:

  • Ransomware levels have reached homeostasis
  • Timelines have stabilized
  • Tooling is stagnant
  • Zero days are not the real problem
  • And still, defenses aren’t keeping up

In other words, the real problem is with patching the vulnerabilities that we already know exist (it’s not the zero days). This underscores what we all should already know but still fail to do: the importance of implementing proper patch management. No one intentionally plans to prolong patching, but without proper prioritization, deferred patches leave devices in distress and exposed to ransomware. WaterISAC encourages members to review their vulnerability management practices and is also including several resources that help organizations protect against ransomware. For the full Sophos report see Sophos, and for more information visit Unpatched Vulnerabilities: The Most Brutal Ransomware Attack Vector.

Additional Resources: