In a recent interview with Deepen Desai, Global CISO and Head of Security Research at Zscaler, we discussed the evolving threat landscape and the company’s innovative approach to combating the ever-growing threat of ransomware.
Traditional ransomware attacks primarily focused on encrypting the victim’s files and demanding a ransom for the decryption key to unlock the encrypted business data. This approach has undergone several transformations over the years, with attackers increasingly adding the component of stealing data and even weaponizing payloads to propagate laterally within the IT environment.
Deepen noted the latest shift, encryptionless attacks, explaining: “Some of the large and more successful ransomware families have also started what they’re calling encryptionless attacks. This is where they will not encrypt a file; instead they will expel large volumes of data, often over 10 terabytes. The gangs go through the full sequence of attack using weaponized payloads, using a vulnerability exploit to move laterally, establish environment-wide persistence and then just steal data. But they don’t encrypt the data, don’t cause any business disruption.”
Why the Shift to Encryptionless Attacks?
The shift towards encryptionless attacks can be attributed to several factors, including an increased focus from law enforcement and regional agencies, potential fines, and public scrutiny. By avoiding encryption and the ensuing disruption of businesses, the ransomware gangs stay out of the news, the targeted business remains unexposed, and both parties potentially avoid legal attention.
Deepen added, “It’s a win-win situation for them. In fact, some of these groups have started calling these attacks a post exploitation penetration testing exercise. It’s basically a ransomware attack, but they’re calling it pen testing.”
Interestingly, Deepen also highlighted how some ransomware gangs are adopting a form of “customer service” in an attempt to enhance their reputation. They provide victims with reports that detail the vulnerabilities exploited and suggestions for security improvements after the ransom is paid.
The Implications for Cybersecurity
The emergence of encryptionless attacks represents an alarming advancement in the cybercriminal’s arsenal. The ability to extract large volumes of data without encryption or immediate business disruption makes these attacks more covert, insidious, and potentially more damaging.
Encryptionless attacks present a new challenge in the ongoing battle against cybercrime. The shift from encryption to stealthier methods illustrates the rapid adaptability and innovation of cybercriminals.
A fascinating aspect of the conversation was the potential role of generative AI and machine learning in cyber threats. Deepen expressed, “It’s only a matter of time before these guys start using dark web versions of ChatGPT variants to create very effective phishing attacks.”
Advice for Cybersecurity Professionals
Deepen provided a few pieces of advice for organizations in their battle against such attacks, emphasizing the importance of Zero Trust Architecture, which is centered around a fundamental shift away from the traditional trust within a network. The core principles include “Never trust, Always verify,” ensuring that no internal or external access is taken for granted; “Least privileged access,” granting only the necessary permissions required for a specific task; and “Assumed breach scenario,” operating with the mindset that a breach has occurred and taking measures accordingly. Together, these principles emphasize continuous validation, restriction, and awareness, aiming to reduce the attack surface and enhance overall security.
For effective implementation of these principles, Deepen advocated for a staged approach, beginning with “focus on your crown jewel application, implement user to app segmentation first and then go towards more complicated micro-segmentation strategies.” Additionally, he called for the elimination of VPN, characterizing it as a “juicy attack surface for the bad guys.”
Zscaler’s Security Approach
Zscaler’s approach to cybersecurity embodies the principles of zero trust, emphasizing a cloud-first strategy that effectively minimizes the external attack surface through a “never trust, always verify” philosophy. By hiding internal applications and employing a no-VPN approach, Zscaler ensures consistent security with full TLS inspection, regardless of user location. This zero trust model includes proper segmentation and containment strategies to limit the impact of potential breaches and prevent lateral movement within the environment.
Additionally, Zscaler’s inline Data Loss Prevention (DLP) acts to prevent data exfiltration, thereby offering a robust defense aligned with the fundamental principles of zero trust, including assuming breach scenarios, applying least privileged access, and reducing the blast radius if a breach were to occur.
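Content-inspecting DLP is the control the interview names; a complementary check a defender can run on their own is volumetric: an encryptionless attack that moves 10+ terabytes out of an environment shows up as outbound byte counts far above a user's normal footprint. The script below is an added illustration, not Zscaler's code and not from the interview. It assumes a simple whitespace-separated proxy log (timestamp, user, destination, bytes out), a constructed per-user daily baseline, and thresholds chosen here for the example; real deployments would derive baselines from history and tune the thresholds.

```python
"""Flag exfiltration-scale outbound volume per user from proxy logs.

Added example, not code from the interview or from Zscaler. The log format,
user names, destinations, baseline figures and thresholds are all constructed
assumptions for illustration.
"""
from collections import defaultdict

# Constructed baseline (assumption): typical daily outbound bytes per user.
BASELINE_DAILY_BYTES = {
    "alice": 2_000_000_000,   # ~2 GB/day is normal for this user
    "bob":   500_000_000,     # ~500 MB/day
}

# Constructed proxy log for one day. Fields: timestamp user destination bytes_out
SAMPLE_LOG = """\
2024-05-01T08:12:03Z alice sharepoint.example.com 800000000
2024-05-01T11:40:19Z alice mail.example.com 300000000
2024-05-01T14:05:44Z alice sharepoint.example.com 900000000
2024-05-01T02:10:00Z bob storage.unknown-host.example 20000000000
2024-05-01T02:45:00Z bob storage.unknown-host.example 20000000000
2024-05-01T03:20:00Z bob storage.unknown-host.example 20000000000
2024-05-01T09:30:00Z bob crm.example.com 100000000
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, destination, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dest, nbytes = line.split()
        records.append((ts, user, dest, int(nbytes)))
    return records


def aggregate_outbound(records):
    """Sum outbound bytes per user and per (user, destination)."""
    per_user = defaultdict(int)
    per_user_dest = defaultdict(int)
    for _, user, dest, nbytes in records:
        per_user[user] += nbytes
        per_user_dest[(user, dest)] += nbytes
    return per_user, per_user_dest


def detect_exfiltration(records, baseline, min_bytes=10_000_000_000, ratio=10.0):
    """Return findings for users whose daily outbound volume is both large in
    absolute terms (>= min_bytes) and far above their baseline (>= ratio x).

    Requiring both conditions keeps users with large but normal transfers
    from generating noise; a user with no baseline is judged on volume alone.
    """
    per_user, per_user_dest = aggregate_outbound(records)
    findings = []
    for user, total in per_user.items():
        base = baseline.get(user, 0)
        if total >= min_bytes and (base == 0 or total >= ratio * base):
            # Report the destination that received the most data from this user,
            # which is the first thing an analyst will want to pivot on.
            dests = [(d, b) for (u, d), b in per_user_dest.items() if u == user]
            top_dest, top_bytes = max(dests, key=lambda x: x[1])
            findings.append({
                "user": user,
                "total_bytes": total,
                "baseline_bytes": base,
                "top_destination": top_dest,
                "top_destination_bytes": top_bytes,
            })
    return findings


if __name__ == "__main__":
    for f in detect_exfiltration(parse_log(SAMPLE_LOG), BASELINE_DAILY_BYTES):
        print(f"{f['user']}: {f['total_bytes'] / 1e9:.1f} GB out today "
              f"(baseline {f['baseline_bytes'] / 1e9:.1f} GB), "
              f"{f['top_destination_bytes'] / 1e9:.1f} GB to {f['top_destination']}")
```

On the constructed log, alice stays under the absolute threshold and is not reported, while bob's roughly 60 GB to a single unfamiliar host is flagged. Combining the absolute floor with a ratio against the user's own history is the point of the design: either test alone would either miss a low-baseline user or drown the analyst in busy-but-legitimate accounts.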
The interview with Deepen Desai provided a fascinating window into the nuanced and multifaceted world of ransomware defense. As the landscape continues to evolve, understanding these new tactics, and responding with equally advanced defenses, will be essential in safeguarding against this next generation of threats.