
Ransomware & RansomOps Contained: How to Best the Digital Pest

By Rabih Itani | September 23, 2021

Ransomware. It is the new digital bogeyman. In the UAE, an industry survey from June 2021 showed the extent to which the country (and by implication, the wider region) has been subjected to ransomware. Some 37% of respondents said they had been victims in the previous two years. A staggering 84% elected to pay the ransom, only for most of them — 90% of those who paid — to suffer second attacks, often from the same bad actors.

What is even more concerning is that, particularly over the last year, the industry has seen a rise in RansomOps. While ransomware attacks follow the ‘spray and pray’ model (think WannaCry), RansomOps are more sophisticated, highly targeted APT-style attacks that are often associated with nation states but could also be the modus operandi of bad actors looking to maximize financial impact on a specific target. In May alone, there was the US Colonial Pipeline incident, an attack on Ireland's Ministry of Health, and a DarkSide blitz on German chemical distributor Brenntag in which the company paid out US$4.4 million. More recently, US-based Kaseya's virtual systems administrator (VSA) offering was infected with REvil ransomware via a supply-chain attack in which a routine update infected several managed service providers and potentially thousands of downstream customers.

As CISOs continue to adapt to an escalation in hybrid work, they must contend with multi-network environments and unvetted personal machines, both of which present tempting inroads for ransomware. As you read this, thousands of bad actors are leveraging tried-and-tested strains — or designing the next variants — of ransomware to extort vast sums from unsuspecting targets. They take their time; they get the job done.

Ransomware 101

Bad actors first assess potential targets from a distance, researching their business model and determining how damaging downtime would be to them. From this, the attackers estimate how likely payment might be and calculate the optimal ransom level. The penetration itself can be outsourced or bought in “ready” form on the dark web for as little as US$300. Once inside their target’s perimeter, ransomware attackers continue their assessment, evaluating applications and data for encryption. And then comes the pain.

In a digital world, total encryption of processes and files means the complete shutdown of business operations for any enterprise hit by such a campaign. Security teams will spring into action immediately, but in many cases they will face an uphill struggle. They must stop the attack in progress while restoring digital operations. That is not easy. Nor is determining the source of the incursion to prevent a repeat occurrence.

And payment of the ransom does not guarantee delivery of the encryption key. In short, ransomware attacks are more of a test of many organizations’ business-continuity strategies than of any other aspect of their threat postures. Without exceedingly sound contingency plans, ransomware victims suffer lengthy downtimes, data losses and financial shocks.

The road to mitigation

Early detection is the key to damage mitigation. If infected hosts are isolated promptly, then threat hunters can get to work killing the processes that foment replication. Ideally, this should be left to automation tools, as human intervention in real time does little to stem the rapidity of ransomware propagation. Platforms that have oversight of the entire network are best placed to make automatic determinations that are effective in preventing damage and loss.

One network-wide strategy that has proven successful in detecting ransomware is to take a bird’s-eye view of behaviors rather than actively searching for known ransomware variants in packet traffic or processes. This strategy is proactive and focuses on uncovering initial reconnaissance and penetration activity by bad actors, rather than waiting for the payload to be dropped.
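The two paragraphs above describe the same loop: score what a host is doing rather than what the binary is called, and let automation isolate the host as soon as the behavior crosses a threshold. The following is an added example written for this post (it is not code from the original article or from any vendor product) that runs that logic over constructed file-activity and network-probe telemetry. The event format, the threshold values, the host names and the share paths are all assumptions chosen for illustration; a real deployment would take them from the sensor and tune the thresholds against its own baseline.

```python
"""Behavioral ransomware scoring over constructed host telemetry (added example).

Each host is judged on what it does inside a short window: how many files it
rewrites, whether the new contents look encrypted (high byte entropy), how
many shares it touches, and whether it recently probed many peers, which is
the reconnaissance phase the post says should be caught before the payload.
"""
from collections import defaultdict
from dataclasses import dataclass
import math

WINDOW_S = 60              # assumed analysis window in seconds
MIN_WRITES = 20            # writes per window that count as mass modification
MIN_ENCRYPTED_RATIO = 0.8  # share of writes that must look encrypted
ENTROPY_BITS = 7.0         # per-byte Shannon entropy above which data looks encrypted
MIN_PROBED_PEERS = 10      # distinct peers probed that count as reconnaissance


@dataclass
class Event:
    ts: float      # seconds
    host: str      # host that generated the event
    kind: str      # "write" (file modified) or "probe" (peer host scanned)
    target: str    # share path for writes, peer host name for probes
    data: bytes = b""  # leading bytes of the written file, empty for probes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text sits near 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_hosts(events, window_s=WINDOW_S):
    """Return {host: verdict} judged on each host's most recent window of events."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    verdicts = {}
    for host, evs in by_host.items():
        end = max(e.ts for e in evs)
        recent = [e for e in evs if e.ts >= end - window_s]
        writes = [e for e in recent if e.kind == "write"]
        encrypted = sum(1 for e in writes if shannon_entropy(e.data) >= ENTROPY_BITS)
        shares = {e.target.rsplit("/", 1)[0] for e in writes}
        peers = {e.target for e in recent if e.kind == "probe"}
        ratio = encrypted / len(writes) if writes else 0.0

        mass = len(writes) >= MIN_WRITES
        recon = len(peers) >= MIN_PROBED_PEERS
        if mass and ratio >= MIN_ENCRYPTED_RATIO:
            action = "isolate"        # automation should quarantine the host now
        elif recon:
            action = "investigate"    # recon without encryption yet: early warning
        else:
            action = "none"
        verdicts[host] = {
            "writes": len(writes), "encrypted_ratio": round(ratio, 2),
            "shares": len(shares), "probed_peers": len(peers), "action": action,
        }
    return verdicts


# Constructed sample contents: a permutation of all 256 byte values has entropy
# exactly 8.0 (stands in for ciphertext); repeated English text sits far lower.
ENCRYPTED_BLOB = bytes((i * 37 + 11) % 256 for i in range(256))
TEXT_BLOB = b"Quarterly revenue summary for the finance team.\n" * 5


def build_sample_events():
    """Constructed telemetry for three hosts (not real data)."""
    events = []
    # ws-17: probes 12 peers, then rewrites 25 files on two shares with ciphertext-like data
    for i in range(12):
        events.append(Event(1000 + i, "ws-17", "probe", f"ws-{20 + i}"))
    for i in range(25):
        share = "//files/finance" if i % 2 == 0 else "//files/hr"
        events.append(Event(1020 + i, "ws-17", "write", f"{share}/doc{i}.xlsx", ENCRYPTED_BLOB))
    # log-01: rotates 30 plain-text log files in a minute (benign mass writes)
    for i in range(30):
        events.append(Event(1000 + i, "log-01", "write", f"//logs/app/app.{i}.log", TEXT_BLOB))
    # ws-04: a user saving a handful of ordinary documents
    for i in range(4):
        events.append(Event(1000 + 10 * i, "ws-04", "write", f"//files/hr/memo{i}.docx", TEXT_BLOB))
    return events


if __name__ == "__main__":
    for host, verdict in assess_hosts(build_sample_events()).items():
        print(host, verdict)
```

The log server shows why the entropy check matters: it rewrites more files than the infected workstation, but plain text never trips the encryption signal, so a simple write-rate rule would have quarantined a healthy host. The same check will fire on legitimate bulk jobs that write compressed or already-encrypted data (backups, archive exports), which is where the reconnaissance signal and the identity context discussed below help separate a scheduled job from an intruder.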

In addition, robust identity-management policies can help stem the tide if care has been taken to ensure that only a select few have access to the most sensitive areas of the IT infrastructure. Ransomware must make do with the credentials issued to the user or application that allowed it to launch. Furthermore, if tight monitoring of the activity of high-privilege accounts is in place, security teams can act more quickly to head off a ransomware invasion.
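The monitoring of high-privilege accounts described above can be made concrete with a baseline: learn which hosts each privileged account normally authenticates to, then alert when one of them starts reaching hosts it has never touched within a short window, which is what a ransomware operator reusing stolen admin credentials looks like on the wire. The code below is an added example written for this post, not code from the original article or from any product. The log line format, the account names, the privileged-account list and the thresholds are assumptions; the sample log lines are constructed.

```python
"""Baseline-and-deviation monitoring for privileged accounts (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for authentication events (constructed, not a real product's format).
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$")

PRIVILEGED = {"da-admin", "svc-backup"}   # assumed set of high-privilege accounts
NEW_HOST_LIMIT = 3                         # distinct never-seen hosts that trigger an alert
WINDOW = timedelta(minutes=10)             # window in which those hosts must be reached


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "host": m["host"], "src": m["src"]}


def learn_baseline(lines):
    """Map each account to the set of hosts it authenticated to during the learning period."""
    baseline = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        baseline[rec["user"]].add(rec["host"])
    return baseline


def detect(lines, baseline, privileged=PRIVILEGED, window=WINDOW, limit=NEW_HOST_LIMIT):
    """Alert when a privileged account reaches `limit` hosts outside its baseline within `window`."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, host)] for logons to hosts outside the baseline
    for rec in filter(None, map(parse, lines)):
        user = rec["user"]
        if user not in privileged or rec["host"] in baseline.get(user, set()):
            continue
        recent[user].append((rec["ts"], rec["host"]))
        # keep only deviations inside the sliding window
        recent[user] = [(t, h) for t, h in recent[user] if rec["ts"] - t <= window]
        new_hosts = {h for _, h in recent[user]}
        if len(new_hosts) >= limit:
            alerts.append({"user": user, "ts": rec["ts"].isoformat(),
                           "src": rec["src"], "new_hosts": sorted(new_hosts)})
            recent[user] = []    # reset so one spree yields one alert
    return alerts


# Constructed learning-period log: each account's normal set of hosts.
BASELINE_LINES = [
    "2021-09-20T08:01:02Z LOGON user=da-admin host=dc-01 src=10.0.0.10",
    "2021-09-20T08:05:40Z LOGON user=da-admin host=dc-02 src=10.0.0.10",
    "2021-09-21T02:00:00Z LOGON user=svc-backup host=fs-01 src=10.0.1.5",
    "2021-09-21T02:00:09Z LOGON user=svc-backup host=fs-02 src=10.0.1.5",
    "2021-09-21T08:30:12Z LOGON user=jdoe host=ws-04 src=10.0.3.8",
]

# Constructed live log: da-admin suddenly reaches four workstations it never used.
LIVE_LINES = [
    "2021-09-23T09:00:05Z LOGON user=svc-backup host=fs-01 src=10.0.1.5",
    "2021-09-23T09:01:10Z LOGON user=da-admin host=ws-11 src=10.0.2.17",
    "2021-09-23T09:01:40Z LOGON user=jdoe host=ws-21 src=10.0.3.8",
    "2021-09-23T09:02:15Z LOGON user=da-admin host=ws-12 src=10.0.2.17",
    "2021-09-23T09:02:50Z LOGON user=jdoe host=ws-22 src=10.0.3.8",
    "2021-09-23T09:03:05Z LOGON user=da-admin host=ws-13 src=10.0.2.17",
    "2021-09-23T09:03:30Z LOGON user=da-admin host=ws-14 src=10.0.2.17",
    "2021-09-23T09:04:00Z LOGON user=da-admin host=dc-01 src=10.0.0.10",
    "malformed line that the parser skips",
]


def run_sample():
    """Learn the baseline and evaluate the live log; returns the alerts."""
    return detect(LIVE_LINES, learn_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The service account stays quiet because it only touches the file servers it always has, and the ordinary user is outside the monitored set, so the single alert names the domain-admin account, the source address it came from and the three new hosts. Feeding that alert to the same automation that isolates hosts closes the loop the post calls for: the account can be disabled and the source host quarantined before the encryption phase begins.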

A new battle tactic: AI-based threat detection and response

These best practices are part of an AI-driven approach to threat detection and response. By taking a high-level, behavioral angle on the ransomware problem, we leave behind the too-little-too-late tactic of searching for the ransomware itself. Tools that deliver this approach engage in deep analysis of network traffic and can track attacker activity pivoting between on-premises, data center, IaaS and SaaS environments. Machine-learning models are already supplementing the expertise of security teams and delivering strong results. Only models like these have the scale and power to accept high volumes of telemetry and compare it with oceans of historic data in real time to identify risky activity.

These behavior-based threat detection platforms are dedicated to detection and response within cloud, data center, IoT and enterprise networks. Early detection, the elimination of false positives and the reduction of alert fatigue are key features of the technology, as is alignment with key industry standards, like MITRE D3FEND, which helps to build confidence among an organization’s customers.

Ransomware is extremely profitable to cybercriminals and is unlikely to disappear from the threat landscape any time soon. Quick and accurate detection — which currently comes only with AI-based threat detection and response approaches — is the best ally regional business stakeholders can have in this fight.