Few will be shocked to hear that ransomware attacks are continuing to accelerate at a torrid pace - but the more concerning trend is the effectiveness of ransomware at creating chaos and paralyzing business operations.
Sophisticated ransomware attacks can involve fileless intrusion, stealthy command and control activities, and ultimately the encryption of sensitive data that is valuable enough to demand a ransom from the impacted organization. Cyber adversaries seldom operate ethically, so the paying of the ransom is no guarantee of a safe return of the data.
Ransomware attacks can have an impact beyond the encryption of data, as evidenced by the 2020 attack on a German hospital that shuttered operations due to a successful ransomware attack. Inbound patients were redirected to alternate hospitals for treatment, and in a tragic milestone, one of the redirected individuals became the first fatality directly linked to a ransomware attack.
One explanation for the prevalence of ransomware is that the bar of entry for deployment and use by less-skilled adversaries is lower than in years past. Bad actors can deploy previously developed ransomware offered with services, meaning the malware is supported from a coding and distribution standpoint.
Ransomware is lucrative, effective and less complicated for cyber adversaries, so we expect ransomware attacks to continue and further evolve to become even more sophisticated as we move into the future. Frequent assessment and adjustment of your infosec strategy against ransomware attacks is highly recommended for any organization, small or large.
This should include a reassessment of recovery strategies, namely the backing up of critical data offsite so you can restore your data and quickly recover from a ransomware attack without paying the ransom. Unfortunately, attackers are aware of this strategy as well, so they have found additional “incentives” for victims to pay the ransom.
There is a notable trend of attackers using double extortion techniques. Attackers are increasingly exfiltrating sensitive files and information from their victims prior to the encryption stage and threatening to publish the data unless the ransom demand is met. This means that effective multi-layer ransomware prevention capabilities have never been more important.
Build a baseline that enables future success: It’s hard to improve what isn’t measured. Modern enterprise environments are incredibly complex, and as complexity increases so does the opportunity for an adversary to hide among the noise.
• What percentage of the environment doesn’t have direct visibility and control from the infosec team?
• Is every endpoint monitored?
• Are blocking and firewall policies up to date with the latest threat intelligence?
• To what degree is your team mapping prevention, detection and response to the MITRE ATT&CK knowledge base?
• Is patching taking place as frequently as required?
Due to the granular nature of security posture assessments, these should be outsourced where possible so as to spare the already overtaxed and overburdened infosec team. Cybereason offers a variety of posture assessments with near-immediate time-to-value. Quickly expose and remediate latent threats in your environment, assess and adjust endpoint controls, and create a trusted security posture moving forward.
Prepare for IT infrastructure attacks: Using exploits in existing IT infrastructure as a launching pad for ransomware attacks is a new and unfortunate trend in cyber attacks, as seen with the recent HAFNIUM attacks that involved 4 zero-day exploits in Microsoft Exchange servers. Embedded IT applications and systems are often trusted as being inherently secure, as the security should be built-in by the embedded technology provider.
This has not been the case, and infosec teams should be prepared for existing exploits in applications and IT infrastructure to eventually be exposed to adversaries and then used to deploy attacks on the endpoint. Application security and patching should obviously be considered, but fileless and behavior-based prevention capabilities at the endpoint are critical for long-term success. Cybereason excels at preventing and detecting threats at the endpoint based on behavior-based analysis of enterprise data. Defenders can identify attacks and react at the earliest signs of compromise with enriched and correlated detections based on subtle tactics, techniques and procedures of bad actors.
Build your detection strategy around Indicators of Behavior: It’s difficult to predict how a ransomware attack will be packaged when it arrives unwelcome on a target’s doorstep. Ransomware can emulate any number of files or processes, and operate in ways that are mostly normal and non-suspicious.
This reality makes ransomware difficult to predict with a binary approach to detection and response. The behaviors and suspicious background tactics of ransomware, such as attempted file encryption from a suspicious process or unusual clearing of the Windows Event Log, are much easier to track and identify as malicious. An aggregated view of all enterprise data, with special analysis given to the tactics, techniques and procedures of suspected malicious operations, will uncover seemingly benign threats for response before secondary breach activity can escalate.
Aggregating SHA1 hashes and scrubbing any known “bads” from connected endpoints would be a good first pass at eliminating existing threats, but would miss sophisticated malware. A better approach is to examine endpoint activities that the average user would not perform and that could indicate malicious behavior, such as clearing the Windows Event Log or launching PowerShell from a suspicious process. Cybereason would detect both examples.
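The contrast between a SHA1 blocklist and behavior checks, as an added Python example that is not Cybereason's detection logic or code from the original article. The event field names, the parent-process list and the sample events are constructed assumptions; 1102 and 104 are the Windows event IDs recorded when the Security and System logs are cleared.

```python
import re

# Constructed blocklist entry; a placeholder, not a real indicator.
KNOWN_BAD_SHA1 = {"a" * 40}
# Assumed list of parents that rarely need to launch PowerShell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Windows records 1102 (Security) and 104 (System) when a log is cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
CLEAR_CMD = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows path

def hash_hit(event):
    """Indicator-of-compromise check: is the image hash on the blocklist?"""
    return event.get("sha1", "").lower() in KNOWN_BAD_SHA1

def behaviors(event):
    """Indicator-of-behavior checks for the two activities named in the text."""
    found = []
    if (event.get("channel"), event.get("event_id")) in LOG_CLEARED:
        found.append("event-log-cleared")
    if CLEAR_CMD.search(event.get("command_line", "")):
        found.append("log-clear-command")
    if (_name(event.get("image", "")) in POWERSHELL
            and _name(event.get("parent_image", "")) in SUSPICIOUS_PARENTS):
        found.append("powershell-from-suspicious-parent")
    return found

def triage(events):
    """Return (index, hash_hit, behaviors) for every event that fires a check."""
    rows = [(i, hash_hit(ev), behaviors(ev)) for i, ev in enumerate(events)]
    return [r for r in rows if r[1] or r[2]]

# Constructed sample telemetry (not captured from a real host).
SAMPLE = [
    {"image": r"C:\Users\Public\invoice.exe", "parent_image": r"C:\Windows\explorer.exe", "sha1": "a" * 40},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "sha1": "b" * 40},
    {"image": r"C:\Windows\System32\wevtutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "sha1": "c" * 40, "command_line": "wevtutil cl Security"},
    {"channel": "Security", "event_id": 1102},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha1": "b" * 40},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the first sample event is caught by the hash check; the next three use legitimate, unlisted binaries and surface only through the behavior checks, while PowerShell launched from explorer.exe raises nothing.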