Is Ransomware Damage Irreversible?
Businesses continue to be impacted by ransomware and, in response, they are spending more money, resources, energy, and time to defend against the volume and complexity of ransomware attacks. Ransomware operators have rapidly evolved over the last several months and have moved beyond just encrypting files and data. Historically, organizations have backed up data to recover from ransomware attacks that caused widespread business disruption by encrypting files and data. Unfortunately, backing up data is no longer sufficient for organizations to recover from the full scope of damage inflicted by ransomware attackers, and most often the damage is irreversible.
Threat actors are progressively engaging in advanced and persistent attacks to increase the monetary gain from an intrusion, hack or breach, and are deploying ransomware to conduct attacks that go beyond encrypting files. In addition to encrypting files, attackers are conducting reconnaissance to find a wide variety of sensitive corporate information by moving across an organization’s network. A recent report by Mandiant found that attackers are looking for sensitive data including termination agreements, contracts, medical records, and encryption certificates (1). Before encrypting data, attackers exfiltrate it over encrypted channels to evade perimeter defenses, which are themselves difficult to operate and maintain.
These data breaches give more power, control and leverage to the threat actors and expose an organization to immense risk and irreparable damage. Businesses stand to lose consumer confidence, brand reputation and employee morale and are liable for legal and punitive damages and class action lawsuits. Ransomware attacks also increase operational and regulatory costs and dramatically slow down business agility and competitiveness which are propelled by adopting new and innovative digital technologies.
Attackers wield the stolen data in a perverse manner, using data leak sites on the dark web reachable over TOR, or social media sites like Facebook, to name and shame their victims. In furtherance of their attack, ransomware operators provide samples of stolen customer or corporate data to reputable media outlets and technology and cybersecurity publications to gain widespread attention and magnify their demands.
Preventing leaks of hacked data is nearly impossible and the damage, almost always, is irreversible. CrowdStrike warns of evolving tactics in which threat actors host data stolen by other threat actors, which would make it extremely taxing for victims to broker any viable, binding agreement to recover or prevent the release of stolen data (2).
In some cases, attackers set up searchable PII datasets extracted from stolen material and exacerbate the situation by releasing data at a regular cadence, renewing media attention and coverage (2). Attackers pursue internal employees by calling and harassing them, and pressure organizations to disclose details of a breach by notifying business partners. These coercive gambits impact employee spirits and engender mistrust in business relationships.
So, Can You Prevent Ransomware Damage?
Ransomware threat actors continue to innovate and evolve. They can gather a variety of sensitive information while exfiltrating data after the initial intrusion by moving freely across an organization’s network, performing reconnaissance of the environment over several days or months, and using encryption to evade detection. According to Mandiant’s M-Trends 2021 report, 81% of newly tracked malware families did not use publicly available tools and code (1). This strongly suggests that signature-based preventative measures are woefully inadequate and ineffective in defending against today’s ransomware attacks. Once they’ve made it past prevention tools, how will an attack be stopped?
In over half of all intrusions investigated by Mandiant in 2020, adversaries used obfuscation, such as encryption or encoding, to make detection more difficult (1). Traditional security tools have limited visibility and rely on a pre-defined list of trusted services, users, and applications without continuously validating that these trusted services are behaving normally. It is important to recognize that attackers carry out attacks in multiple stages that go well beyond the initial compromise. These include persistence, privilege escalation, internal recon and discovery, lateral movement, credential access, command and control, defense evasion, and exfiltration. Mandiant experts observed that attackers used 63% of MITRE ATT&CK techniques across all the threat investigations from 2020.
Traditional preventative tools offer limited security coverage during the initial access or exfiltration phase of an attack, and operationalizing and maintaining these tools requires ongoing manual effort. Further, these tools are manual, agent-based, and notorious for causing business disruptions, further limiting their security efficacy.
Organizations need to address the complexity of the digital attack surface, sophistication of ransomware operators, limitations of traditional security tools and chronic shortage of cybersecurity professionals.
The VECTRA Cognito Platform stops Ransomware
With VECTRA, you can stop ransomware before it can encrypt files and exfiltrate data: the agentless, AI-driven Cognito Platform continuously and automatically stitches together low-fidelity detections dispersed across time, across the network, and across accounts and hosts, enabling your SOC teams to successfully stop sophisticated ransomware attacks.
In the following video, I will demonstrate how the VECTRA Cognito Platform continuously monitors all phases of a ransomware attack and stops the attack before it can encrypt files and exfiltrate data. The Cognito platform automatically surfaces at-risk accounts and hosts across the enterprise network and cloud, and tracks attacker behavior that includes command and control communication over encrypted HTTPS tunnels, LDAP and RPC calls to map the network, reconnaissance for privileged accounts, and RPC calls to move laterally across a flat network.
The VECTRA Cognito platform offers comprehensive visibility across an organization’s digital network, spanning on-prem to cloud, hybrid to multi-cloud, office to remote worker, IaaS to SaaS, and IoT to OT, and continuously and automatically monitors for threats, ransomware and attackers across multiple phases of the attack lifecycle. VECTRA Cognito is an agentless solution powered by industry-leading, always-on AI that is uniquely capable of detecting and stopping the volume and sophistication of today’s ransomware attacks.
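To make the "stitching together low-fidelity detections" idea concrete, here is an added illustration (not Vectra's code and not how the Cognito platform is implemented): a small correlator that groups weak per-host signals from the phases named above (HTTPS-tunnel command and control, LDAP/RPC discovery, RPC lateral movement) into a 24-hour window and escalates a host once several distinct phases appear together. The detection records are constructed sample data, and the phase names, scores and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detections: low-fidelity signals a network sensor might
# emit during the attack phases the post describes (hypothetical data).
DETECTIONS = [
    {"ts": "2021-06-01T09:00:00", "host": "ws-17", "phase": "command_and_control",
     "detail": "HTTPS tunnel beaconing", "score": 30},
    {"ts": "2021-06-01T09:20:00", "host": "ws-17", "phase": "discovery",
     "detail": "LDAP enumeration of privileged groups", "score": 25},
    {"ts": "2021-06-01T10:05:00", "host": "ws-17", "phase": "discovery",
     "detail": "RPC network mapping", "score": 20},
    {"ts": "2021-06-01T11:30:00", "host": "ws-17", "phase": "lateral_movement",
     "detail": "RPC remote execution to fs-02", "score": 40},
    {"ts": "2021-06-01T09:05:00", "host": "ws-22", "phase": "discovery",
     "detail": "LDAP enumeration", "score": 25},
    {"ts": "2021-06-03T14:00:00", "host": "ws-22", "phase": "command_and_control",
     "detail": "HTTPS tunnel beaconing", "score": 30},
]

def correlate(detections, window=timedelta(hours=24), min_phases=3):
    """Per host, slide a time window over its detections; a host is escalated
    when one window covers at least `min_phases` distinct attack phases.
    Returns {host: {"phases": set, "score": int, "escalate": bool}}."""
    by_host = defaultdict(list)
    for d in detections:
        by_host[d["host"]].append((datetime.fromisoformat(d["ts"]), d))
    result = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        best = {"phases": set(), "score": 0, "escalate": False}
        for i, (start, _) in enumerate(events):
            phases, score = set(), 0
            for ts, d in events[i:]:          # events are sorted, so stop at window end
                if ts - start > window:
                    break
                phases.add(d["phase"])
                score += d["score"]
            # Keep the window with the most phases (ties broken by summed score).
            if (len(phases), score) > (len(best["phases"]), best["score"]):
                best = {"phases": phases, "score": score,
                        "escalate": len(phases) >= min_phases}
        result[host] = best
    return result

if __name__ == "__main__":
    for host, r in correlate(DETECTIONS).items():
        print(host, sorted(r["phases"]), r["score"],
              "ESCALATE" if r["escalate"] else "watch")
```

Host ws-17 shows three phases within one day and is escalated, while ws-22's two signals are two days apart and remain individually low-fidelity; a single signature would have flagged neither.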
To learn how you can meaningfully stop ransomware explore VECTRA’s solution here.
(2) 2021 Crowdstrike Global Threat Report https://www.crowdstrike.com/resources/reports/global-threat-report/