Stop the threat with Sophos resources: Ransomware

Ransomware keeps evolving: it is getting faster, smarter, and more expensive.

A full-scale ransomware attack costs an average of US$755,991*. That is why it is essential to understand what ransomware is and how you can protect against it.

The state of ransomware today

21% of organizations fell victim to a ransomware attack last year. Don't become one of them.

Train your staff

Many ransomware attacks begin with a malicious email. Attackers know that it only takes one user letting their guard down for them to get inside an organization.

The Sophos anti-ransomware education toolkit was created for IT administrators and provides free materials for training users about ransomware, including an organizational checklist, security awareness posters, and educational videos for employees.

Download the toolkit

Deploy world-class protection

Today's ransomware attacks often combine multiple advanced techniques with real-time, hands-on hacking. To minimize the risk of becoming a victim, you need advanced protection that monitors and protects across the entire attack chain.

Intercept X vs. Ryuk ransomware

How Does Ransomware Work?

Many ransomware attacks start with a malicious email as part of a targeted phishing scam. Cybercriminals know it only takes one individual at a company to let down their guard for them to gain access to your organization’s data and systems. To have a fighting chance, you need a ransomware mitigation strategy.

Cybercriminals use ransomware to orchestrate attacks on businesses and consumers 24/7/365. Ransomware mitigation leverages insights and intelligence, appropriate security policies, and company-wide protection technologies.

For most organizations, managing all of this alone is overwhelming and expensive. Managed detection and response (MDR) offers a comprehensive, cost-effective approach to ransomware mitigation.

What is a Ransomware Attack?

Ransomware is a type of malware that is typically delivered via email. The goal is to gain access to and encrypt your company's data in order to block access to it. Ransomware attacks can cause your organization to lose access to data, applications, files, and/or be locked out of computers. These cyberattacks are evolving in sophistication, which is one of the reasons why 21% of all companies fell victim to ransomware in 2022. There is no stopping ransomware attacks. However, businesses can use tried-and-true ransomware mitigation technologies and techniques to address these attacks before they get out of hand. These technologies and techniques help companies limit the damage caused by ransomware attacks. Plus, they allow companies to collect and analyze ransomware insights and use them to find ways to prevent future attacks.

How Does Ransomware Work?

A cybercriminal uses malware, often delivered through a targeted phishing attack, to infiltrate a company's data and systems. Modern ransomware attacks often use legitimate IT and end-user tools such as a VPN or Remote Desktop Protocol (RDP) to gain access. Anyone who can access a VPN or RDP is assumed to be trusted, a practice which has proven time and time again to be unwise. If the attack is successful, the cybercriminal can prevent the company from accessing its data and systems. There are two common ways the cybercriminal achieves this: either by locking a target's device or by encrypting certain files or data to make them unreadable. The cybercriminal can then demand a ransom payment in exchange for restoring your data and system access. If a business does not pay a cyber ransom, a cybercriminal may release or destroy its confidential data. At this point, the business can suffer revenue loss, compliance penalties, and brand reputation damage.

Some organizations choose to pay the cyber ransom. In some cases, a cybercriminal may provide the company with access to its data and systems once again. But even if a cybercriminal receives a ransom payment, there is no guarantee that the criminal will restore a company's access to its data and systems. 

Can You Remove Ransomware?

You must detect and remove ransomware from your systems before it has a chance to take hold and cause data loss. Time-to-response is crucial in ransomware detection. The longer ransomware dwells in your systems, the greater the damage it can do.

Security professionals classify three major types of ransomware:

Cryptoworm is standalone ransomware that replicates itself to other computers for maximum reach and impact. It's crucial to disconnect a device with a cryptoworm infection from the internet and from all other devices and systems as soon as possible.

Ransomware-as-a-Service (RaaS) is sold on the dark web as a distribution kit to anyone who can afford it. This means that the cybercriminal doesn't need much skill or know-how to execute a ransomware attack.

Automated Active Adversary is deployed by attackers who use tools to automatically scan the internet for IT systems with weak protection. When such systems are found, cybercriminals establish a foothold, and from there, they carefully plan the ransomware attack for maximum damage.

Using Next Generation Antivirus, it's possible to delete or quarantine malware. Manual removal of ransomware is best done by experienced security professionals.

What is Ransomware Mitigation?

Smart companies develop and deploy multiple layers of ransomware mitigation that encompass prevention, detection, and response. Ransomware mitigation involves a series of best practices and tools that focus on each of these aspects. For example, prevention may involve deploying multifactor authentication (MFA) and regular backup of data. Prevention also includes providing regular employee training to help users recognize the signs of a phishing attack that may be linked to ransomware. Detection focuses on monitoring for any signs of suspicious behavior linked to ransomware. The best ransomware detection leverages endpoint detection and response (EDR) or managed detection and response (MDR), as well as extended detection and response (XDR). And finally, response to a ransomware attack involves incident investigation and forensics, as well as sophisticated threat hunting to get the most value out of your ransomware mitigation efforts.

Can Ransomware Be Detected?

The average user may not detect a ransomware attack on their systems until it's too late. However, trained security professionals with the right detection and response tools can often spot unusual activity that may indicate a ransomware attack is imminent. There are a few different techniques security professionals use to detect ransomware attacks. They involve a mix of automation and human investigation and analysis to discover malicious files early.

An example of automation is signature-based ransomware detection, which compares the hash of a ransomware sample to known signatures. Endpoint detection and response platforms and Next Generation Antivirus software can work together to monitor, capture, and analyze data extracted from an executable file to determine whether it's ransomware. Most antivirus software takes this step in a scan for malicious software.

Behavior-based ransomware detection is more in-depth. Experienced security analysts know that ransomware's behavior is its Achilles' heel, which is why professionals in a Security Operations Center (SOC) spend so much time studying it. Security professionals use their expertise along with robust tools to compare recent behaviors within the network or systems against normal behavioral baselines. For example, has an employee accessed a desktop machine remotely from another state when that employee has been logged in from the office all day? Security teams can examine traffic patterns for any anomalies and further investigate anything that appears suspicious.
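The two detection techniques described above, signature matching and a behavioral baseline check, as an added example in Python. This is illustrative code written for this page, not Sophos code and not a description of how any Sophos product works. The known-bad hash set, the user names, locations, and the authentication log lines are all constructed for the example; a real deployment would take the hash list from a signature feed and the events from an endpoint or identity provider log.

```python
"""
Added example: two of the ransomware-detection techniques the page describes.
  1. Signature-based: hash a file sample and look it up in a known-bad set.
  2. Behavior-based: flag a remote (RDP/VPN) login from a location that
     differs from where the same user recently logged in at the office.
Every hash, user, host, and log line here is constructed for illustration.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Signature-based detection ------------------------------------------
# Constructed stand-in for a malicious sample; in practice the known-bad
# hashes come from a vendor signature feed, not from hashing a local string.
SAMPLE_BAD = b"constructed sample bytes standing in for a ransomware binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD).hexdigest()}


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def signature_match(data: bytes, known_bad=KNOWN_BAD_SHA256) -> bool:
    """True if the sample's SHA-256 is in the known-bad signature set."""
    return sha256_of(data) in known_bad


# --- 2. Behavior-based detection -------------------------------------------
# Constructed auth log, one event per line: "<ISO timestamp> <user> <source> <location>"
# source is "office" (interactive logon at a desk), "rdp", or "vpn".
AUTH_LOG = """\
2024-03-04T08:02:11 alice office Boston
2024-03-04T09:15:40 alice office Boston
2024-03-04T11:48:02 alice office Boston
2024-03-04T13:30:19 alice rdp Denver
2024-03-04T08:10:00 bob office Boston
2024-03-04T17:55:31 bob vpn Boston
"""

REMOTE_SOURCES = ("rdp", "vpn")


def parse_auth_log(text: str) -> list:
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, location = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "location": location})
    return events


def find_inconsistent_remote_logins(events: list, window=timedelta(hours=8)) -> list:
    """
    Baseline check: a user's office logins within `window` before a remote
    login establish where they physically are. A remote login from a
    different location inside that window contradicts the baseline and
    is returned as an alert tuple (user, timestamp, source, location).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for e in evs:
            if e["source"] not in REMOTE_SOURCES:
                continue
            recent_office = [
                o for o in evs
                if o["source"] == "office"
                and timedelta(0) <= (e["ts"] - o["ts"]) <= window
            ]
            if any(o["location"] != e["location"] for o in recent_office):
                alerts.append((user, e["ts"].isoformat(), e["source"], e["location"]))
    return alerts


def detect(log_text: str = AUTH_LOG, sample: bytes = SAMPLE_BAD) -> dict:
    """Run both checks and return their results for triage."""
    return {
        "signature_hit": signature_match(sample),
        "behavior_alerts": find_inconsistent_remote_logins(parse_auth_log(log_text)),
    }


if __name__ == "__main__":
    print(detect())
```

On the constructed log, alice's RDP session from Denver is flagged because she had office logins from Boston within the preceding eight hours, while bob's VPN login from Boston matches his baseline and is left alone. The signature check is exact-match only: a single changed byte in a sample defeats it, which is the page's point about why behavior-based detection is needed alongside it.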

MDR for Remediation

An MDR provider delivers around-the-clock security monitoring across your IT environment. It also ensures that a company can proactively hunt for ransomware and other cyber threats and protect against them. With MDR, your company's data and systems are backed by a team of experienced threat hunters, engineers, ethical hackers, and security operations specialists. Together, these cybersecurity professionals search far and wide for cyber threats like ransomware. If any threats are identified, they are resolved right away. The threats are also evaluated, ensuring a company can protect against such issues moving forward.

New ransomware variants are created and released every day. The only way to mitigate harm is to detect and block ransomware before it can take root. The result is a continuous struggle between defenders, with their security controls and detection systems finely tuned to spot suspicious code and behavior, and adversaries, with their ever-evolving bag of tricks designed to outfox these controls, or to get the job done before the controls catch up with them.

Sophos technologies work together to stop a multi-stage Ryuk ransomware attack.

Always apply best practices

Follow these tips to minimize the risk of an attack:

  • Use multi-factor authentication (MFA)
  • Use complex passwords, managed with a password manager
  • Limit access rights: give user and admin accounts only the access they need, and no more
  • Make regular backups and keep them offsite and offline, where attackers cannot reach them
  • Patch early and often. Ransomware such as WannaCry and NotPetya spread worldwide by exploiting unpatched vulnerabilities
  • Lock down RDP. Turn RDP off if it is not needed; where it is needed, use rate limiting, 2FA, or a VPN
  • Make sure tamper protection is enabled. Ryuk and other ransomware variants try to disable endpoint protection

* The State of Endpoint Security Today survey, Sophos, 2018