WATCHGUARD ENDPOINT SECURITY

Escape the Ransomware Maze

Ransomware is an ever-evolving form of malware designed to steal business-critical data and then sell it or encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

Ransomware attacks are dramatically increasing in number and frequency year over year, with high-impact, headline-making incidents continuously growing in volume and scope. Ransomware gangs are also looking at their primary victim’s business partners to pressure them into paying a ransom to prevent data leakages or business disruptions caused by the attack.
Escape the Ransomware Maze / 3

Conventional endpoint protection tools just aren’t the best defense anymore

+150%: the frequency and the complexity of ransomware increased by more than 150% in 2020 (1)
≈1 in 2: ransomware attacks use a combination of encryption and data theft to pressure victims to pay ransom demands (2)
10-15 times: the cost of recovery and the resulting downtime of a ransomware attack can be 10 to 15 times more than the ransom (3)
#1: ransomware had been assessed as the prime threat for 2020-2021. The market for ransomware became increasingly “professional” in 2021 (4)

1. ENISA Threat landscape report 2021 | European Union Agency for Cybersecurity (ENISA)
2. How to Prepare for Ransomware Attacks | Gartner
3. Nearly 40% of new ransomware families use both data encryption and data theft in attacks and CISA
4. ENISA Threat landscape report 2021 and CISA - 2021 Trends Show Increased Globalized Threat of Ransomware

“With ransomware, attackers no longer need to focus on stealing data they can easily resell but rather exploit the importance of that data to the victim.”

Is your Business Adequately Protected?

Ransomware is perhaps the most lucrative method of cybercrime encountered to date, and this makes a distinct shift in how cybercriminals derive value from their victims’ data. With ransomware, attackers no longer need to focus on stealing data they can easily resell but rather exploit the importance of that data to the victim. Even though the data may not be sensitive in its content, it may be business-critical for the organization.

By holding the data hostage and demanding a ransom for its return, attackers can monetize data for which they may have had no other use. This paradigm shift places a host of organizations, many of whom have long felt themselves too small to be an appealing target for cyberattacks, firmly in the crosshairs of cybercriminals.

Ransomware: Behind the Scenes

Today’s cyberattackers use sophisticated tactics to bypass traditional ransomware detection measures and hide in the everyday nature and complexity of their target’s environment. They move through the network seeking to steal data, installing ransomware, encrypting data and wreaking havoc. Once they have what they need, they threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.

Ransomware as a service, spear phishing, attacks on unpatched systems, double extortion, and supply chain attacks emerged as the top five initial infection vectors that were used to deploy ransomware on compromised networks. (5)

Top Ransomware Variants Victimizing Critical Infrastructure (FBI – Internet Crime Report 2021):
REvil / Sodinokibi: 51
LockBit: 58
Conti: 87

Top Ransomware trends: ransomware as a service, spear phishing, attacks on unpatched systems, double extortion, supply chain attacks.

5. Joint advisory highlights increased globalised threat of ransomware

Lifecycle of a Ransomware Attack I

[Diagram: INITIAL ACCESS – Attacker looks for a way to get into the network: password theft, valid credentials, Internet-exposed services, brute force, command & control, software vulnerability, phishing, malicious attachment, malware. CONSOLIDATION – Attacker attempts to gain access to endpoints.]

Ransomware follows attack patterns (6) included in the following stages. In most cases, it takes just a few minutes to execute. Even the most harmless action can make the endpoint become a victim of ransomware, and the sensitive data or business-critical files become hostage to extortion.

Initial access
In the first stage of the attack, cybercriminals are looking to gain a foothold in the organization’s network. In most incidents, access is acquired using one of the following infection vectors: password theft, brute force, software vulnerability, or phishing. After sneaking in, the attacker will try to discover critical identities and obtain login credentials that let them keep moving forward, bypassing traditional protection.

Common ransomware attacks use different forms of malware, such as off-the-shelf or custom malware (downloaded for reuse or purchased). Malware is usually propagated through spear-phishing emails that have malicious attachments. These attachments are often trojans in the form of Office or PDF documents but have the ransomware embedded within them. Once opened, and if macro execution is allowed, it can run its payload and attempt to load malware on the computer where the document was opened. Ransomware often seems to come from legitimate sources, including financial institutions, government entities, or users within the organization.

We also have seen many ransomware incidents that started with attackers exploiting vulnerabilities in Internet-exposed services. These have often been in remote access systems such as Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other operating system or third-party software vulnerabilities. Some attackers also attempt brute forcing credentials to target weak and easy-to-guess usernames and passwords. Most ransomware variants use multiple infection vectors.

6. How ransomware happens and how to stop it - certnz

Lifecycle of a Ransomware Attack II

[Diagram: INITIAL ACCESS – Attacker looks for a way to get into the network. CONSOLIDATION AND PREPARATION – Attacker attempts to gain access to endpoints: lateral movement, privilege escalation. IMPACT ON TARGET – Attacker steals and encrypts data, then demands ransom.]

Consolidation and preparation
Once they have gained initial access to the network, threat actors require a variety of tools to conduct the attack. They either enter with malware containing a package of all the tools necessary for the attack or, after the intrusion, they download the required tools by establishing communication with a command and control (C2) server to move forward with the next attack steps. This communication is mostly done over trusted traffic like DNS.

C2 tools may also be used to direct the discovery of other endpoints on the network, establish persistence on devices and obfuscate these activities.

Lifecycle of a Ransomware Attack II

Hackers use many tools to carry out the attacks, such as:
• Reconnaissance tools that help the attacker understand where they are in the network and what accounts can be targeted further. Examples: Nmap, Process Hacker, and BloodHound.
• Credential dumping tools that help compromise the login credentials of other privileged accounts, which the attacker can use to move laterally within the network. Examples: Mimikatz and ProcDump.
• Built-in programs such as PowerShell, Windows Management Instrumentation (WMI), and PsExec. Security researchers found that WMI and PsExec commands were being used to delete local backup copies, and PowerShell was being used to create malicious backdoors.

Lateral movement and privilege escalation
Cybercriminals move laterally within the network to find vulnerable privileged accounts. Once the attacker gets access to an account, network, or resource, they escalate the attack by leveraging that access to move through the infrastructure. In this stage, attackers typically carve themselves a path to the most critical data by breaking through security layers and gathering additional privileges.

One of the most common techniques observed in ransomware attacks is the exploitation of administrator accounts. Admin accounts are critical targets because organizations tend to have one common password for all their local admin accounts. By gaining admin privileges, attackers could tamper with security configurations in traditional AV and EDR solutions to disable security controls, avoid detection, and download and install a payload to the victim’s endpoint.

Access to domain controllers will also enable them to release malware to all the systems in the network in one shot. Attackers have a range of tactics for gaining domain admin rights, including techniques like Kerberoasting, pass-the-hash attacks, and stealing passwords stored in the SYSVOL folder.

To ensure victim organizations can’t easily recover data from their backups, most ransomware attacks involve the destruction of backups.
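The passage above names WMI and PsExec as the vehicles used to delete local backup copies and PowerShell as the tool used to plant backdoors. The example below, added here and not WatchGuard’s code or part of the original document, shows how a defender can turn those observations into detection rules run over process-creation telemetry. The event records, host names, user names and command lines are constructed for the example; the field layout (parent process, image, command line) loosely follows Windows Security event 4688 / Sysmon event 1 but is an assumption, not any vendor’s format.

```python
import re

# Assumed process groupings for the structural rules (not a vendor list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}   # PsExec service, WMI provider host

# Command lines that destroy local backup copies (Volume Shadow Copies / backup catalog).
BACKUP_DESTRUCTION = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
# PowerShell launched with an encoded command blob.
ENCODED_POWERSHELL = re.compile(
    r"powershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
    re.IGNORECASE,
)


def evaluate(event):
    """Return the names of every rule a single process-creation event matches."""
    hits = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    if BACKUP_DESTRUCTION.search(cmd):
        hits.append("backup_destruction")
    if image in SHELLS and parent in OFFICE_APPS:
        hits.append("office_spawned_shell")          # macro document launching a shell
    if ENCODED_POWERSHELL.search(cmd):
        hits.append("encoded_powershell")
    if parent in REMOTE_EXEC_PARENTS and (image in SHELLS or image == "vssadmin.exe"):
        hits.append("remote_exec_child")             # shell/vssadmin spawned via PsExec or WMI
    return hits


def scan(events):
    """Run every event through the rules; return (host, rule, cmdline) findings."""
    return [(ev["host"], rule, ev["cmdline"]) for ev in events for rule in evaluate(ev)]


# Constructed sample events (not real telemetry). The last one is a legitimate
# backup job listing shadow copies and must NOT fire.
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n "invoice.docm"'},
    {"host": "ws-017", "user": "CORP\\jdoe", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQBBAEEA"},
    {"host": "srv-fs01", "user": "NT AUTHORITY\\SYSTEM", "parent": "psexesvc.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-fs01", "user": "NT AUTHORITY\\SYSTEM", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c wmic shadowcopy delete"},
    {"host": "srv-fs01", "user": "CORP\\backupsvc", "parent": "services.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for host, rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmdline}")
```

The benign `vssadmin list shadows` run by the backup service is the false positive these rules must avoid: only the delete verbs, the Office-to-shell parent relationship, the encoded-command flag and the PsExec/WMI parent are flagged. In a deployment these findings would feed the behavioral engine described in the next pages rather than be printed.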

Lifecycle of a Ransomware Attack III

[Diagram: INITIAL ACCESS – Attacker looks for a way to get into the network. CONSOLIDATION AND PREPARATION – Attacker attempts to gain access to endpoints: lateral movement, privilege escalation. IMPACT ON TARGET – Attacker steals and encrypts data, then demands ransom: data exfiltration, destroy backups, encrypt data.]

Impact on target
In this final stage of the attack, the ransomware has been downloaded and installed on the victim’s system and now starts doing what it was designed to do. Once the attacker has disabled the system’s critical protection, it will seek to exfiltrate sensitive information on the endpoint, destroy organization backups and finally encrypt systems and data.

At this point, ransom notes or lock screens direct the victim to the hacker’s demand for payment (usually cryptocurrency) and other details to ensure the victim complies with the hacker’s instructions. These details will often include an amount of cryptocurrency in exchange for access to the victim’s files or a second payment to prevent the attacker from leaking or selling the data.

Stopping Ransomware with WatchGuard Endpoint Security

[Diagram: INITIAL ACCESS – Attacker looks for a way to get into the network: password theft, valid credentials, Internet-exposed services, brute force, command & control, software vulnerability, phishing, malicious attachment, malware. CONSOLIDATION AND PREPARATION – Attacker attempts to gain access to endpoints: lateral movement, privilege escalation. IMPACT ON TARGET – Attacker steals and encrypts data, then demands ransom: data exfiltration, destroy backups, encrypt data.]

WatchGuard Solutions & Features: Patch Management, ART/Data Control, Shadow copies, RDP protection, Anti-phishing, Anti-exploit, Zero-Trust App Service, Contextual detections, Decoy files, Threat Hunting Service, Anti-tamper, Password manager, Multi-factor authentication.

Prevent incidents before they happen
With ransomware attacks, it is especially important to prevent the attack before it happens. Once the ransomware is in your organization and starts encrypting the files on your laptops, computers and servers, it can be too late. The costs associated with a ransomware attack are huge, so the best defense is prevention. Our unique protection model combines different protection layers and tens of advanced technologies to protect against ransomware.

Use a strong password manager system
Password security is essential to protecting your organization’s data, but many companies fail to implement proper password use and management across their teams. This simple line of defense can drastically reduce the chances of a ransomware attack or any other cyberattack. Organizations that prioritize a robust password management system will be more successful in preventing an attack.

With Password Manager, admins manage all their passwords under one master key, auto-fill forms for speed and ease, synchronize passwords, update passwords, avoid duplications, and provide military-grade security keys.

Implement multi-factor authentication (MFA)
Ransomware attacks typically start with the theft of a user credential that gives an attacker access to the network or a sensitive business account. AuthPoint, our multi-factor authentication (MFA) solution, ensures that attackers can’t get where they don’t belong with stolen credentials alone by requiring additional factors to prove a user’s identity. This minimizes the impact of lost and stolen passwords while giving transparency into user access.

Even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement, and they will not be able to access the targeted physical space, computing device, network, or database.

Note: Companies looking for cyber insurance will be required to prove they are protecting emails, servers, remote access, and sensitive data with MFA.

Contextual detections
Our Endpoint Security products include behavioral detection to prevent and block fileless attacks based on scripts embedded in Office files as well as attackers using living-off-the-land (LotL) techniques. It spots the misuse of existing applications at the endpoint that try to bypass the security control and gain access to the system or move laterally to other endpoints. This is a highly effective protection against exploits taking advantage of web browser vulnerabilities and other commonly targeted applications such as Java, Adobe Reader, Adobe Flash, Office, etc. Our products include hundreds of contextual detections to stop attacks based on the context. All of these detections are proactive, as they are not based on signature files or any other reactive technology.

Part of the context is obtained from Windows AMSI (Anti-malware Scan Interface). The use of AMSI provides our solutions with telemetry and additional information about script and macro execution, improving protection without negatively impacting computer performance.

Decoy files
Decoy files are a honeypot to monitor whether some specific files deployed by our solutions are modified. If these files are changed, an event is sent to our behavioral detection engine. It is likely that this action will be classified as ransomware and the root process killed, preventing the encryption of files on the endpoints.

Anti-exploit technology
Anti-exploit technology is an important protection to prevent lateral movements by adding virtual patching capabilities to our EDR solutions. It complements Patch Management solutions by protecting against unpatched applications or those applications that have reached the end of their maintenance period, such as Windows XP or Windows 7. Unlike other solutions, our anti-exploit includes generic detections based on the anomalous behavior of exploited processes.

Zero-Trust Application Service
Our EDR products are the only solution on the market that classifies 100% of running processes. Any unknown application is blocked until it is validated as trustable by our machine-learning technologies (99.98%) or by our cybersecurity experts worldwide (0.02%). All of this is done in real time for unknown applications, with the flexibility of adding authorized software with granular rules for those organizations that build their own software. This protection layer allows us to keep malware-based attacks under control, and it is essential for already-infected organizations to stop lateral-movement attacks inside the network.

RDP protection
RDP protection is part of the Threat Hunting Service, and it is available for all customers acquiring our EDR solutions. Among the cyberattacks that target companies, RDP brute force attacks are the most frequently used by adversaries, especially where systems are directly exposed to the Internet. Our EDR solution detects and protects network computers against attacks that use the RDP (Remote Desktop Protocol) as an infection vector.

When a computer protected by our solutions receives many RDP connection attempts that fail due to invalid credentials, the protection software puts the computer into Initial RDP attack containment mode. In this mode, RDP access to the computer is blocked from IPs outside the customer network that have sent a large number of connection attempts over the last 24 hours.

If a computer protected by our EDR solutions receives a successful login attempt from an account that previously failed due to invalid credentials, the account is considered to have been compromised. As a mitigation mechanism, all external RDP connections that have tried to connect at least once with the target computer in the previous 24 hours are blocked.

Anti-malware technologies
As many other next-gen antivirus solutions do, our Endpoint Security solutions include signature files, real-time access to our Collective Intelligence, and heuristic technologies using deep learning to prevent ransomware attacks that do not use LotL (living-off-the-land) techniques.

Anti-tampering protection
Many ransomware attacks will attempt to freeze the protection installed on endpoints before they try to spread over the network and encrypt files in the whole organization. It is crucial to include anti-tamper protection against hackers trying to stop or suspend services and processes. Our anti-tampering protection uses proprietary technologies, and it also leverages the ELAM (Early Launch Anti-Malware) technology included in Windows 10, Server 2019, or higher operating systems.

“Hackers are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known vulnerabilities.”
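The decoy files described above are canary files: no legitimate user ever touches them, so any write or deletion is a strong signal. The Python below is an added example, not WatchGuard’s implementation, showing the core of such a monitor: it plants decoys, records their SHA-256 hashes, re-checks them and reports which were modified in place or removed. The file names, content and the polling approach are assumptions made for this example; a real agent would react to filesystem change notifications and identify the writing process so it can be stopped, as the text describes, rather than polling.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed for this example: names that look like documents worth encrypting.
DECOY_NAMES = ["Q3_budget_final.xlsx", "contracts_2022.docx", "passwords_backup.txt"]
DECOY_BYTES = b"Constructed decoy content; no user ever edits this file.\n"


def sha256_file(path):
    """Hash a file in chunks so large decoys do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def deploy_decoys(directory):
    """Plant the decoys and return a manifest {path: sha256} to check against later."""
    manifest = {}
    for name in DECOY_NAMES:
        path = Path(directory) / name
        path.write_bytes(DECOY_BYTES)
        manifest[str(path)] = sha256_file(path)
    return manifest


def check_decoys(manifest):
    """Return [(path, status)] for every decoy that no longer matches the manifest.

    'modified' covers encryption in place; 'missing' covers the pattern where a
    new encrypted file is written and the original is deleted."""
    alerts = []
    for path, expected in manifest.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif sha256_file(path) != expected:
            alerts.append((path, "modified"))
    return alerts


def run_demo():
    """Deploy decoys in a temp dir, confirm they are clean, tamper with two, re-check."""
    with tempfile.TemporaryDirectory() as workdir:
        manifest = deploy_decoys(workdir)
        clean = check_decoys(manifest)                  # nothing touched yet
        paths = list(manifest)
        Path(paths[0]).write_bytes(os.urandom(64))      # simulated overwrite in place
        os.remove(paths[1])                             # simulated delete
        tripped = check_decoys(manifest)
        return clean, [(Path(p).name, status) for p, status in tripped]


if __name__ == "__main__":
    print(run_demo())
```

The untouched third decoy produces no alert, which is the property that keeps the technique quiet in normal operation; any alert at all is worth treating as a ransomware indicator because the files have no legitimate writer.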

Patch to reduce the attack surface
Hackers are constantly looking for holes and backdoors to exploit. You’ll minimize your exposure to known vulnerabilities by vigilantly updating your systems.

Ransomware like WannaCry and Petya relied on unpatched vulnerabilities to spread around the globe. The Locky and Cerber ransomware attacks used a flaw in Adobe Flash to distribute themselves to victim workstations.

You can prevent many attacks by ensuring that operating systems and third-party applications are updated and patched. It is essential to patch early and patch often, at least once a month, for critical vulnerabilities.

Anti-phishing protection
Phishing via email is one of the most common methods for starting a ransomware attack. Blocking phishing URLs will help reduce the likelihood that a user clicks a link they shouldn’t.

Threat Hunting service
Even a robust EDR solution can’t rely on prevention technologies for all detections; sometimes it just takes a human brain to spot a hacker, especially since the advent of fileless living-off-the-land attacks.

Our Threat Hunting Service identifies abnormal behavior and suspicious activity and categorizes them as indicators of attack (IoAs) with a high degree of confidence and without false positives. Usually, they are attacks at an early or at the exploitation stage that do not use malware. We recommend that you contain or remediate them as soon as possible.

Broad Platform Support
Your security is as strong as the weakest point in your organization’s security infrastructure, so it is critical to keep every single endpoint protected.

We support legacy systems starting in Windows XP, and we support systems based on Intel and ARM-based processors.

In addition to Windows, we support macOS and a broad set of distributions in Linux, Android and iOS devices.

Isolate your endpoints to contain the attack
In the event of ransomware infection, the attacker tries to infect the entire network. You can contain the attack by isolating the affected endpoints and preventing lateral movement from one machine to another by exploiting the vulnerability, using stolen credentials, copying itself and using the SMB protocol, etc.

It would help if you patched as quickly as possible to minimize the impact of the attack and decrease the number of files encrypted in your organization.

Isolated computers can communicate with our servers so you can still manage the security of all the endpoints. You can even add some exceptions and allow them to communicate with specific processes that you need for remediation purposes.

Activate all the prevention technologies
Ensure all the protection layers mentioned before are active and the Lock mode is activated in the advanced protection so as not to allow any unknown applications to be executed, regardless of where they come from.

Apply remediation actions with ‘shadow copies’
Many ransomware attacks go one step further, and apart from encrypting files, they try to destroy all kinds of backups created by the customers.

With our endpoint security solution, you can create shadow copies leveraging the operating system technology, and we will protect them using our anti-tampering technology so you will be able to recover the information after a ransomware infection.

IT professionals use the shadow copies to recover files from critical system failures, but it is also an excellent technology for recovering files encrypted by ransomware.

Contrary to other solutions that make copies of each encrypted file, consuming a lot of disk space, shadow copies are optimized to save only the differences. So, the chances of running out of disk space are minimal. Our solution allows you to configure the percentage of disk space dedicated to shadow copies, although the 10% allocated by default should be sufficient in most cases.

10 Ways to Defend Against a Ransomware Attack

1. Perform frequent backups of critical data, system images, and configurations regularly. Test your backups and maintain them offsite and offline where attackers can’t find them.
2. Use multi-factor authentication (MFA). Set and enforce strong passwords, managed through a password manager.
3. Limit access to resources over internal networks and enforce time-based access for privileged accounts. Restrict permissions, remove local administrator rights from end users, and block application installation by standard users.
4. Make sure your security solutions are up to date. UTMs with sandboxing can detect malicious files coming into the network.
5. Patch everything, patch early and patch often to keep all operating systems and software up to date. Ransomware attacks like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
6. Implement robust anti-phishing protection with different security layers at the endpoint and perimeter.
7. Lock down accessible services at the firewall. If you don’t need it, turn off RDP, and use rate limiting, 2FA, VPN, or other remote access tools.
8. Ensure anti-tamper protection is enabled – Ryuk and other ransomware strains attempt to disable your endpoint protection.
9. Monitor and respond to alerts. Consider implementing advanced endpoint security solutions such as an EDR that includes a zero-trust protection model approach with multiple layers of defense.
10. Raise awareness among users about the risks of phishing and educate them about the dangers of social engineering as part of the best cybersecurity practices.
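The RDP protection section earlier describes two rules, and item 7 above asks for RDP to be locked down and rate limited: after many failed RDP logons the endpoint enters containment and blocks external IPs with many attempts in the last 24 hours, and a successful logon by an account that previously failed is treated as a compromise, after which every external IP that tried RDP in the previous 24 hours is blocked. The example below is added here and is not WatchGuard’s code; it implements both rules over constructed Windows logon events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The threshold of five failures, the 24-hour window, the internal address ranges and every event value are assumptions for the example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Assumptions for this example: the "customer network" ranges, how many failed
# logons trigger containment, and the look-back window taken from the text.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FAILURE_THRESHOLD = 5
WINDOW = timedelta(hours=24)
RDP_LOGON_TYPE = 10              # RemoteInteractive in Windows logon events
EVT_FAILED, EVT_SUCCESS = 4625, 4624


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(events, now):
    """Apply the two RDP rules to the logon events of one endpoint.

    Returns the containment flag, the accounts considered compromised and the
    external IPs to block at the endpoint firewall."""
    window_start = now - WINDOW
    recent = sorted(
        (e for e in events
         if e["logon_type"] == RDP_LOGON_TYPE and window_start <= e["time"] <= now),
        key=lambda e: e["time"],
    )
    failures_by_ip = Counter()
    failed_accounts = set()      # accounts with at least one bad-password attempt
    external_seen = set()        # every external IP that tried RDP inside the window
    compromised = set()
    for e in recent:
        if is_external(e["ip"]):
            external_seen.add(e["ip"])
        if e["event_id"] == EVT_FAILED:
            failures_by_ip[e["ip"]] += 1
            failed_accounts.add(e["user"].lower())
        elif e["event_id"] == EVT_SUCCESS and e["user"].lower() in failed_accounts:
            compromised.add(e["user"].lower())   # rule 2: success after failures

    # Rule 1: many failures -> containment mode; block the noisy external sources.
    containment = sum(failures_by_ip.values()) >= FAILURE_THRESHOLD
    blocked = set()
    if containment:
        blocked |= {ip for ip, n in failures_by_ip.items()
                    if n >= FAILURE_THRESHOLD and is_external(ip)}
    if compromised:
        blocked |= external_seen                 # rule 2 mitigation: block all of them
    return {"containment": containment,
            "compromised_accounts": compromised,
            "blocked_ips": blocked}


# Constructed logon events for one endpoint (not real telemetry).
T0 = datetime(2022, 5, 23, 9, 0, 0)
NOW = T0 + timedelta(minutes=10)


def _ev(offset_min, event_id, user, ip, logon_type=RDP_LOGON_TYPE):
    return {"time": T0 + timedelta(minutes=offset_min), "event_id": event_id,
            "user": user, "ip": ip, "logon_type": logon_type}


SAMPLE_EVENTS = (
    [_ev(m, EVT_FAILED, "administrator", "203.0.113.45") for m in range(6)]  # password spray
    + [_ev(7, EVT_SUCCESS, "administrator", "203.0.113.45")]                 # then a success
    + [_ev(-120, EVT_FAILED, "jsmith", "198.51.100.7")]                      # one stray failure
    + [_ev(-1800, EVT_FAILED, "jsmith", "198.51.100.99")]                    # 30 h ago: outside window
    + [_ev(3, EVT_FAILED, "svc-backup", "198.51.100.50", logon_type=3)]      # network logon, not RDP
    + [_ev(5, EVT_SUCCESS, "mlee", "192.168.1.20")]                          # normal internal RDP
)

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS, NOW))
```

Note the two scopes: containment alone only blocks the address that crossed the failure threshold, while a confirmed account compromise widens the block to every external address seen in the window, including the one that failed only once. Events older than 24 hours and non-RDP logons are ignored, which is the main source of false positives this logic avoids.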

Ransomware attacks are growing and more sophisticated than ever. They are a sustainable and lucrative business model for cybercriminals. In some cases, it is easier and cheaper to pay the ransom than to recover from backup, but paying the ransom also does not guarantee that a victim’s files will be recovered or that the system will be accessible, and the endpoint will still be infected.

Traditional protection methods relying on malware signatures are not enough against ransomware threats. Indeed, attackers design their ransomware to bypass conventional protection layers. These threats should be managed with a comprehensive security solution that responds to the latest threats.

Now is the time to secure your organization against these threats with WatchGuard Endpoint Security, before the next ransomware attack impacts you.

WatchGuard Portfolio

Network Security
WatchGuard Network Security solutions are designed from the ground up to be easy to deploy, use, and manage – in addition to providing the strongest security possible. Our unique approach to network security focuses on bringing best-in-class, enterprise-grade security to any organization, regardless of size or technical expertise.

Secure Wi-Fi
WatchGuard’s Secure Wi-Fi solutions, true game-changers in today’s market, are engineered to provide a safe, protected airspace for Wi-Fi environments, while eliminating administrative headaches and greatly reducing costs. With expansive engagement tools and visibility into business analytics, it delivers the competitive advantage businesses need to succeed.

Multi-Factor Authentication
WatchGuard AuthPoint® is the right solution to address the password-driven security gap with multi-factor authentication on an easy-to-use Cloud platform. WatchGuard’s unique approach adds the “mobile phone DNA” as an identifying factor to ensure that only the correct individual is granted access to sensitive networks and Cloud applications.

Endpoint Security
WatchGuard Endpoint Security is a Cloud-native, advanced endpoint security portfolio that protects businesses of any kind from present and future cyberattacks. Its flagship solution, WatchGuard EPDR, powered by artificial intelligence, immediately improves the security posture of organizations. It combines endpoint protection (EPP) and detection and response (EDR) capabilities with zero-trust application and threat hunting services.

About WatchGuard
WatchGuard® Technologies, Inc. is a global leader in network security, endpoint security, secure Wi-Fi, multi-factor authentication, and network intelligence. The company’s award-winning products and services are trusted around the world by more than 18,000 security resellers and service providers to protect more than 250,000 customers. WatchGuard’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for midmarket businesses and distributed enterprises. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America.

NORTH AMERICA SALES 1.800.734.9905 INTERNATIONAL SALES 1.206.613.0895 WEB [Link]


No express or implied warranties are provided for herein. All specifications are subject to change and expected future products, features or functionality will be provided on an if and when available basis. ©2022 WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, the WatchGuard logo, Firebox, and AuthPoint are registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners.
Part No. WGCE67583_052322
