Half of all ransomware attacks are easily preventable


Unpatched vulnerabilities are the weakness exploited by 53% of successful ransomware attacks, according to Kaseya

More than half (53%) of ransomware attacks are the result of known vulnerabilities that were never patched. That's according to Keanan Ball, senior director of product marketing at Kaseya, speaking at the recent Computing Cybersecurity Festival.

With ransomware incidents rising fast, and with a particular surge during the pandemic when many people began working remotely, this figure seems almost unforgivable, but it's really the result of IT and security teams being overstretched, Ball said.

"76% of IT professionals report increasing burden. So you look to your left and look to your right, probably both of those people are burnt out and if one of them isn't probably you are. And if you're working from home, look in the mirror - there's a real strong chance that it's you."

Overstretch means that patches for known vulnerabilities are not being applied in time, and of course attackers are actively targeting such vulnerabilities as a way in for their ransomware.

Other areas of vulnerability include Microsoft 365, whose ubiquity and complexity make it a top target for threat actors, and ports left open by accident or design.

"Make sure you have the correct firewall settings. Make sure you're closing that door. An open door to attackers is a very easy way for them to target you."

Other common weaknesses occur with lax permissions.

"Privileged user account sprawl is a huge issue," Ball said. "Your CEO does not need admin level permissions unless they're actually doing that admin work. Particularly in internal IT, don't let anyone be an admin, they don't need it. Probably a lot of your team doesn't really need to actually do scripts either. Don't let folks execute scripts unless they absolutely need to."

In terms of best practice, automated patching is key both for security and productivity reasons, said Ball. Remote monitoring and management (RMM) tools have an extensive library of patches and can significantly close the gap between patch release and patch application, including for remote clients.

RMM tools should be configured for early warning, including privilege escalation, snapshots being deleted and boot records altered. MFA should be applied to all clients and unknown scripts prevented from running, and tools should be set up to automatically isolate and quarantine suspicious processes.
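The early-warning signals above (snapshot deletion, boot record tampering, privilege escalation, unknown scripts) can be expressed as detection rules over endpoint process-creation logs. The following is an added example written for this article, not Kaseya's code or any RMM product's rule set. It assumes a constructed tab-separated log format (timestamp, host, user, command line), models privilege escalation as a user being added to the local Administrators group, and treats "quarantine" as a decision function that returns the hosts a tool would isolate rather than isolating anything itself.

```python
"""Early-warning detection over constructed Windows process-creation log lines.

Added illustration for this article; not code from Kaseya or any RMM vendor.
The log format and the rule-to-signal mapping are assumptions for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command: str


# Constructed sample log: timestamp \t host \t user \t command line.
# Lines 2-5 mimic a typical ransomware precursor sequence on one workstation;
# the backup agent and notepad lines are benign and must not fire.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z\tWS-014\tCORP\\jsmith\tC:\\Windows\\System32\\notepad.exe report.docx
2024-03-01T09:13:44Z\tWS-014\tCORP\\jsmith\tvssadmin.exe delete shadows /all /quiet
2024-03-01T09:13:45Z\tWS-014\tCORP\\jsmith\twmic.exe shadowcopy delete
2024-03-01T09:13:50Z\tWS-014\tCORP\\jsmith\tbcdedit.exe /set {default} recoveryenabled no
2024-03-01T09:14:02Z\tWS-014\tCORP\\jsmith\tnet.exe localgroup administrators jsmith /add
2024-03-01T09:20:00Z\tSRV-02\tCORP\\backupsvc\tC:\\Backup\\agent.exe --snapshot create
2024-03-01T09:25:11Z\tWS-031\tCORP\\alee\tpowershell.exe -ExecutionPolicy Bypass -File C:\\Users\\alee\\Downloads\\update.ps1
"""

# Each rule maps one of the article's early-warning signals to a command-line pattern.
RULES = [
    # "snapshots being deleted": Volume Shadow Copy removal via vssadmin or wmic
    ("snapshot_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    # "boot records altered": disabling Windows recovery/boot failure handling
    ("boot_config_tamper",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    # "privilege escalation" (assumed signal): adding an account to local Administrators
    ("local_admin_added",
     re.compile(r"net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    # "unknown scripts": PowerShell launched with the execution policy bypassed
    ("script_policy_bypass",
     re.compile(r"powershell(\.exe)?\b.*-ExecutionPolicy\s+Bypass", re.I)),
]


def parse_line(line: str):
    """Split one log line into (timestamp, host, user, command); None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def scan(log_text: str) -> list[Alert]:
    """Run every rule over every line; one Alert per (line, rule) match."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _ts, host, user, command = rec
        for rule_name, pattern in RULES:
            if pattern.search(command):
                alerts.append(Alert(host, user, rule_name, command))
    return alerts


def hosts_to_isolate(alerts: list[Alert], threshold: int = 2) -> set[str]:
    """Hosts that tripped at least `threshold` distinct rules.

    Requiring several distinct signals on one host keeps a single noisy
    match (e.g. an admin legitimately bypassing execution policy once)
    from triggering automatic isolation.
    """
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
    return {h for h, rules in rules_by_host.items() if len(rules) >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.host:8} {a.rule:22} {a.command}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

With the constructed log, WS-014 trips three distinct rules within twenty seconds and is the only host returned by `hosts_to_isolate`; WS-031 produces a single script-policy alert that is surfaced but, on its own, does not meet the isolation threshold. In a real deployment the command-line source would be Sysmon event 1 or Windows Security event 4688 with command-line auditing enabled, and the patterns would need tuning against the organisation's own backup and provisioning tooling.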

Ideally too, all these capabilities should be available in one RMM solution. A major source of fatigue is having to constantly swap between bespoke or specialised tools, Ball said.

"We spend so much of your day just Alt-tabbing back and forth between different solutions. We call this 'this space between', and it can eat up to 25% of your technicians' day."