Ransomware and Remote Work: Evolving Threats and Solutions

    NRI Secure’s Shu Yoshida (General Manager), Koji Tashima (SOC Manager), and Mr. Hasegawa (moderator).

    As work styles evolve and cloud services become more widespread, traditional perimeter-based security measures are becoming increasingly difficult to implement. In this context, the "Zero Trust Model" is gaining attention as a new approach to security.


    In this discussion, NRI Secure’s Shu Yoshida (General Manager), Koji Tashima (SOC Manager), and moderator Mr. Hasegawa will explore security threats and trends in the era of remote work. The conversation will focus particularly on the rise in ransomware attacks and the emerging security model known as "Zero Trust," examining specific countermeasures and future outlooks from the perspective of industry experts.

    Note: A glossary of ransomware and Zero Trust terms is provided at the end.

    The Relationship Between Remote Work and Ransomware

    Koji Tashima, SOC Manager, NRI Secure.

    Hasegawa: If there’s been any major ransomware incident in recent news, could you please share it with us?
    Tashima: Yes, ransomware has definitely been a hot topic in Japan. For example, companies like the Kadokawa Group and the U.S.-based CDK Global have both been affected. CDK is a SaaS provider for auto dealerships, and they were attacked by the same ransomware group. This incident was also widely covered in the U.S.
    Hasegawa: Incidents like these give the impression that ransomware attacks have been increasing in recent years. I think one of the factors behind this rise is the widespread adoption of remote work. Is that understanding correct?
    Tashima: It’s true that security attacks in general have increased with the rise of remote work. While I can’t say definitively that ransomware attacks have increased more than others, remote work has made VPN vulnerabilities more exposed, which has brought ransomware attacks into the spotlight.
    Yoshida: We’re also seeing an increase in identity theft and unauthorized access from external sources. There’s been a noticeable rise in breaches of cloud services like Microsoft 365 as well.

    Changes in Corporate Security Awareness and Measures

    NRI Secure’s Shu Yoshida (General Manager) and Koji Tashima (SOC Manager).

    Hasegawa: Thank you. Do you think companies are becoming aware of these risks and proactively seeking solutions, or is it still a situation where we need to raise awareness for them?
    Tashima: Compared to the past, companies are indeed becoming more aware of risks and are taking ransomware threats more seriously. In the past, many companies had an optimistic approach, thinking they could just restore from backups if ransomware hit. But now, it's clear that such a response is no longer sufficient.
    Hasegawa: I see. So, based on this background, many companies are becoming more proactive about security measures, right?
    Yoshida: Yes, especially among small and medium-sized businesses. More companies are taking security seriously. In the past, some companies had systems where everything was connected to the internet, but that’s becoming less common now.

    Evolving Ransomware Attack Methods and Countermeasures

    Shu Yoshida, General Manager, NRI Secure

    Hasegawa: Recently, I've heard that attacks using legitimate IDs and passwords are increasing, making it harder for traditional products like antivirus software to detect and defend against them. What kind of countermeasures do you think are necessary to address these types of attacks?
    Yoshida: Yes, attacks where the attacker infiltrates the system as an authorized user and gradually escalates privileges are becoming more common. To counter these, it’s important to strengthen endpoint monitoring and ID management. Implementing EDR (Endpoint Detection and Response) is essential to combat such attacks.
    Tashima: Before and after COVID-19, VPN devices and remote access have become primary targets, and attacks related to remote work have increased.
    Hasegawa: Can you explain in more detail why remote access is being targeted and the specific attack methods used?
    Tashima: A common scenario is a brute-force attack to break into VPN accounts using ID and password combinations, allowing attackers to penetrate a company's network. Additionally, vulnerabilities in the VPN devices themselves can be exploited. Phishing attacks are also prevalent, as remote workers, who are outside the protection of company networks, are more likely to click on malicious URLs, leading to attacks.
    Hasegawa: Some VPN advertisements claim to offer "100% security," but from what you're saying, that's not the case?
    Tashima: Correct. While major VPN services respond quickly to discovered vulnerabilities, companies managing their own VPNs may delay their response. This is particularly problematic at the entry point of corporate networks.
    Yoshida: The increased adoption of VPNs during the COVID-19 pandemic has brought more attention to them, but vulnerabilities are frequently found in the management interfaces of VPN devices. Companies that expose these management interfaces to the internet are especially vulnerable. Ideally, the management interface should be hidden within the internal network, but improper configurations increase the risk of attack.
    Hasegawa: Can you share an example of a real-world attack?
    Yoshida: One case involved a brute-force attack on the VPN management interface, which led to an intrusion. After gaining access, files were encrypted, and a ransom demand message was sent.
    Hasegawa: How did your company respond to such incidents?
    Yoshida: First, we investigated the logs to identify the cause and pinpoint the external access route. Then, we reviewed VPN settings and ID management, implementing measures to prevent recurrence.
    Hasegawa: We’ve discussed VPN-related incidents, but I believe phishing is the most common method for ransomware attacks. For instance, users might click a malicious link in an email, leading to infection that spreads within the company. Have you handled any ransomware incidents like this?
    Yoshida: Yes, phishing attacks where IDs and passwords are stolen, leading to unauthorized access from external sources, are common. The main tactics include business email compromise (BEC) and phishing sites. Human error often becomes the weak link in security.
    Hasegawa: What measures do you take in response to such situations?
    Tashima: For example, if IDs and passwords are stolen through phishing, we immediately reset the passwords and notify users, taking steps to mitigate the issue.
    Hasegawa: Are there also cases where ransomware spreads by opening malicious attachments in emails?
    Tashima: Recently, attacks involving direct ransomware attachments in emails have decreased. Instead, groups known as “initial access brokers” have become active. They sell access to vulnerable company environments, which ransomware operators later exploit to launch attacks.
    Hasegawa: Has the reduction in ransomware email attachments been driven by the advancement of tools like EDR and gateway checks? Can you elaborate on recent attack techniques?
    Tashima: Yes, improved defenses like EDR have reduced direct malware attachment attacks. However, attackers have evolved by abusing tools that come standard with Windows, allowing them to bypass existing security measures. This has made attacks harder to detect, reflecting how these methods are becoming more sophisticated.
    Hasegawa: How are users reacting to these changes, and what actions are they taking?
    Tashima: There's growing fear around ransomware, and it's receiving more media coverage. Many companies are grappling with the decision of whether to pay ransoms, but most are leaning toward not paying. However, in some cases, particularly in life-critical sectors like healthcare, companies may have no choice but to consider payment.
    Hasegawa: Do clients seek advice from you about responding to ransomware attacks during consulting sessions?
    Yoshida: Generally, our role is to conduct technical investigations and assess the situation. Decisions regarding legal or ethical matters are left to the client’s lawyers or executive teams.
    Hasegawa: I see. So, while your company handles the technical investigation, the final decision is up to the client’s leadership.

    Challenges in the Adoption and Implementation of Zero Trust

    NRI Secure’s Shu Yoshida (General Manager), Mr. Hasegawa (moderator), Koji Tashima (SOC Manager).

    Hasegawa: With the rise of remote work, traditional perimeter-based security models are struggling to adequately protect remote access, leaving companies more exposed to external threats. This has led to increased interest in the concept of Zero Trust. Could you tell us about the recent trends surrounding Zero Trust?
    Yoshida: Zero Trust is steadily gaining traction as a security approach. A few years ago, it was highlighted in an executive order issued by President Biden in the United States. Since then, it has been recognized as a core security policy.
    Tashima: Yes, the Zero Trust concept continues to spread and is expected to grow further in the coming years.
    Hasegawa: Could you explain the impact of implementing the Zero Trust security model on business operations? Are there any specific examples of positive or negative effects?
    Tashima: Certainly. For IT professionals, adopting Zero Trust can significantly increase their workload. Implementing Zero Trust requires strict procedures for almost every action, which can slow down operations. For example, when integrating with external services, responding quickly becomes more challenging.
    Hasegawa: So, even for services that are simple to use, the IT department would need to verify them first, right?
    Tashima: Exactly. This kind of process tends to happen in organizations that enforce strict security policies. The challenge lies in determining how much to relax these policies or how to maintain security while remaining flexible.
    Hasegawa: What kind of questions are you receiving from American clients regarding Zero Trust?
    Tashima: Four to five years ago, most questions were basic, such as “What is Zero Trust?” But now, there’s a growing understanding of the concept. However, the solutions to fully implement Zero Trust are still catching up. Zero Trust is, after all, a concept, and implementing it requires flexible access control, which is often difficult to achieve.
    Hasegawa: There’s a perception that Zero Trust requires significant user skills and knowledge, along with high implementation and operational costs. What are your thoughts on that?
    Yoshida: That’s correct. Zero Trust was first proposed around 2010, but the systems at the time couldn't fully support it. It regained attention between 2017 and 2018, and many solutions have since emerged. However, no single package can cover everything. Ultimately, organizations need to combine various solutions, which demands high skill levels and can be costly.
    Hasegawa: So, to adopt Zero Trust effectively, organizations need to choose the right solutions and have the knowledge to utilize them properly. Furthermore, the talent capable of implementing such systems is limited, correct?
    Yoshida: Yes, that’s right. Effective Zero Trust implementation requires deep knowledge and skilled personnel. The cost of implementation is high, which can be a challenge for small and medium-sized businesses. Large enterprises may find it easier to implement, but for smaller organizations, it’s a more difficult proposition.

    The Importance of Basic Security Measures

    NRI Secure’s Shu Yoshida (General Manager) and Koji Tashima (SOC Manager).

    Tashima: While Zero Trust is certainly important, the reality is that many companies haven't even implemented basic security measures. Before adopting Zero Trust, it's crucial to address vulnerabilities in VPNs and properly manage the attack surface.
    Hasegawa: So, you're saying basic measures are essential, and many companies are falling short in that area. Can you give some examples of the specific measures needed?
    Tashima: For instance, updating vulnerable systems and minimizing the attack surface. It’s also vital to manage permissions and access control properly. Without these basics, implementing Zero Trust will be difficult.
    Yoshida: What’s most important is managing your assets and patching systems effectively. Many companies are lacking in this area, so that's where they should start.
    Hasegawa: For users looking to enhance their security, is it possible to support them with these fundamental measures as the first step?
    Yoshida: Yes, we can provide consulting and support to help strengthen basic security measures.
    Hasegawa: It’s hard to completely eliminate security incidents, but I believe understanding the current situation and monitoring is also important. What are your thoughts on that?
    Tashima: Absolutely. In particular, ID management and monitoring of devices and networks are critical. Many security incidents start with compromised IDs or passwords, so managing those effectively is essential.
    Hasegawa: It’s important to stay grounded and focus on basic measures, without getting too distracted by buzzwords like Zero Trust or two-factor authentication.
    Tashima: Exactly. Two-factor authentication is effective, but it doesn’t mitigate all risks. It’s crucial to first focus calmly on the basic measures.
    Yoshida: When implementing security, I believe it’s crucial to start with 'visibility.' While measures like Zero Trust and two-factor authentication are often highlighted, the most effective approach is to first understand the state of your systems and networks and identify where to begin securing them.
    Hasegawa: Thank you. I now understand that the first step toward strengthening security is focusing on visibility and monitoring, and addressing basic security measures before implementing Zero Trust. Thank you for sharing your insights.

    Simplified Explanation: Ransomware and Zero Trust

    What is Ransomware?

    Ransomware is a type of malware that encrypts files stored on a PC or system’s hard drive, essentially holding them "hostage." The attacker demands a ransom (payment) from the victim in exchange for the decryption key. Notable ransomware examples include WannaCry, which caused global damage in 2017, along with other variants like NotPetya and Nemty.

    In recent years, Ransomware-as-a-Service (RaaS) has emerged, where components of ransomware can be purchased as a service, making it easier than ever for attackers to obtain these tools.

    Blocking ransomware with traditional signature-based antivirus software alone is difficult. To counter it, organizations are encouraged to regularly back up data, apply system patches, strengthen email security, use EDR (Endpoint Detection and Response) solutions, and provide ongoing training for employees.

    What is Zero Trust?

    The Zero Trust model is a security approach that does not differentiate between internal and external networks. It assumes that no entity—whether inside or outside the network—should be trusted by default, and all access requests must be verified.

    As cloud services, mobile devices, and remote work environments grow, the boundaries between internal and external networks are becoming blurred. This makes it harder to protect against threats like data breaches and malware through traditional network security measures. To address risks such as internal data leaks and increasing cloud-based security threats, the Zero Trust model has gained attention.

    The concept of Zero Trust was introduced in 2010 by Forrester Research. Historically, security was based on the belief that internal networks were safe while external networks were dangerous, leading to perimeter-based security defenses. In contrast, Zero Trust follows the principle of "Verify and Never Trust."

    Source: NRI Secure Security Terminology Guide