It hasn’t been long since ransomware was an untargeted, opportunistic, noisy, and rapid attack. 2017’s WannaCry, spreading as a network worm through the EternalBlue Server Message Block (SMB) vulnerability, propagated its multiple variants across the world’s networks at machine speed, impacting over 230,000 hosts in more than 150 countries. While the damage caused by WannaCry was significant, studies found that the UK’s National Health Service incurred over £73m ($95m USD) in costs, while the ransomware operators pocketed a comparatively small number of bitcoins, currently valued at around $621K USD.
More recently we’ve seen criminals move from a high-volume, opportunistic (“spray and pray”) approach to lower-volume, targeted ransomware attacks. Instead of monolithic ransomware (a single, highly automated piece of software that did everything), today’s ransomware tends to be modular and is often obtained from a malicious developer or acquired “as a service.”
There’s an organized dark ecosystem for ransomware, with component and service supply chains not dissimilar to the structures and practices we see in the legitimate world. It changes and morphs quickly, which makes traditional signature-based fingerprinting less effective. Much of ransomware detection and response has focused on identifying and mitigating the actual cryptolocking code and its actions.
Today’s ransomware attacks, such as those from the Maze group, are multifaceted, complex, and unfold over extended periods of time. Initial penetration, data reconnaissance, and exfiltration all occur before cryptolocking begins. This longer timeframe provides multiple opportunities to detect and respond to the threat, if you know where and how to look.
Cybercriminals start with open source intelligence gathering and analysis of potential targets. They evaluate a target’s ability to continue operating, along with its likely propensity to acquiesce, if successfully penetrated and ransomed. Then, attackers estimate a “pain threshold” price that would result in a payment being made. Initial compromise and penetration of a target may be outsourced, or simply purchased “off the shelf” on the dark web for as little as $300.
From the time of the initial infection to the deployment of the ransomware, attackers perform reconnaissance inside a compromised network to discover which systems are critical before stealing and encrypting files.
Once organizations are hit by a ransomware outbreak, they find themselves in an all-hands-on-deck emergency: they need to halt the attack’s progress and immediately restore systems, all while business functions are held hostage. Even if an organization is willing to pay the ransom, there is no guarantee that the attacker will provide the decryption key. Without it, files will have to be restored from a backup, and any changes since the last backup will be lost.
As such, when ransomware encrypts file shares, attacks become very costly due to the resulting scale, operational downtime, and data loss.
Spotting and isolating the attack early in its lifecycle prevents data loss. Rapid host isolation should be standard practice once an infected device has been identified. Isolation can take the form of quarantining hosts, removing offending systems from the network, and killing the processes that cause propagation.
Given the speed and severity of ransomware attacks, isolation may require automation, such as orchestration platforms or native integration between detection tools and hosts or network enforcement points.
It is also vital to monitor privileged access so you know which accounts can reach critical systems. Ransomware runs only with the privileges of the user or application that launched it. Comprehensive knowledge of the systems and users with access to specific services lets security operations teams monitor for misuse of privileged access and respond when that access is compromised, well before network file encryption occurs.
Another strategy to improve detection is to monitor internal traffic for attacker behaviors that do not change from one campaign to the next. Instead of trying to detect specific ransomware variants in network flows or executables, focusing on reconnaissance, lateral movement, and file encryption supports a more proactive threat-hunting approach. This is especially effective at spotting precursor activity during the attack’s initial penetration and reconnaissance phases.
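To make the two preceding points concrete (monitoring privileged access to critical systems, and watching internal traffic for lateral movement and mass file encryption rather than for a specific strain), here is an added example that is not part of the original article. It runs three simple behavioral detectors over a constructed event log; every host name, account name, threshold and path in it is a hypothetical value chosen for illustration, and the event format is an assumption rather than any particular product’s telemetry schema.

```python
"""Behaviour-based ransomware precursor detection over a constructed event log.

Three detectors, one per behaviour named in the text: SMB/RDP fan-out from one
host (reconnaissance / lateral movement), access to critical systems by accounts
that are not expected there (privileged-access misuse), and bursts of file
renames on a share with a changed extension (the encryption phase itself).
"""
from collections import defaultdict
import os

# --- Constructed sample telemetry (hypothetical hosts, accounts and paths) ---
# Each event: t = seconds since start, src = source host, user = account,
# kind = "conn" (network connection) or "rename" (file-share rename).
EVENTS = [
    # benign: ordinary share access and a print job
    {"t": 0,   "src": "ws-17",  "user": "jdoe",       "kind": "conn", "dst": "fs-01",     "port": 445},
    {"t": 10,  "src": "ws-22",  "user": "bsmith",     "kind": "conn", "dst": "fs-01",     "port": 445},
    {"t": 20,  "src": "ws-22",  "user": "bsmith",     "kind": "conn", "dst": "print-01",  "port": 9100},
    {"t": 50,  "src": "adm-01", "user": "adm-alice",  "kind": "conn", "dst": "dc-01",     "port": 445},
    # suspicious: ws-17 touches six servers over SMB within a few seconds
    *[{"t": 100 + i, "src": "ws-17", "user": "jdoe", "kind": "conn",
       "dst": f"srv-0{i + 1}", "port": 445} for i in range(6)],
    # suspicious: an ordinary user account reaches the domain controller
    {"t": 150, "src": "ws-17",  "user": "jdoe",       "kind": "conn", "dst": "dc-01",     "port": 445},
    # benign: the backup service account reaching the backup server
    {"t": 200, "src": "bk-01",  "user": "svc-backup", "kind": "conn", "dst": "backup-01", "port": 445},
    # benign: a handful of renames from a document editor saving temp files
    *[{"t": 250 + i, "src": "ws-22", "user": "bsmith", "kind": "rename",
       "old": f"//fs-01/docs/draft{i}.tmp", "new": f"//fs-01/docs/draft{i}.docx"} for i in range(3)],
    # suspicious: 25 finance files renamed with a new extension in 25 seconds
    *[{"t": 300 + i, "src": "ws-17", "user": "jdoe", "kind": "rename",
       "old": f"//fs-01/finance/q{i}.xlsx", "new": f"//fs-01/finance/q{i}.xlsx.locked"} for i in range(25)],
]

# Constructed allow-list: accounts expected to reach each critical host.
CRITICAL_ACCESS = {
    "dc-01": {"adm-alice", "svc-ad"},
    "backup-01": {"svc-backup"},
}

LATERAL_PORTS = {445, 3389}  # SMB and RDP: common internal movement channels


def _burst(items, window, threshold):
    """items: sorted (t, value) pairs. Return the distinct values seen within
    `window` seconds of some item once they reach `threshold`, else None."""
    for i, (t0, _) in enumerate(items):
        seen = {v for t, v in items[i:] if t - t0 <= window}
        if len(seen) >= threshold:
            return seen
    return None


def detect_lateral_movement(events, window=60, min_hosts=5):
    """One source host reaching >= min_hosts distinct SMB/RDP targets in `window` seconds."""
    per_src = defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and e["port"] in LATERAL_PORTS:
            per_src[e["src"]].append((e["t"], e["dst"]))
    alerts = []
    for src, conns in per_src.items():
        hosts = _burst(sorted(conns), window, min_hosts)
        if hosts:
            alerts.append({"rule": "lateral_movement", "src": src, "hosts": sorted(hosts)})
    return alerts


def detect_privileged_access(events, allow=CRITICAL_ACCESS):
    """Any connection to a critical host from an account not on its allow-list."""
    return [{"rule": "unexpected_critical_access", "src": e["src"], "user": e["user"], "dst": e["dst"]}
            for e in events
            if e["kind"] == "conn" and e["dst"] in allow and e["user"] not in allow[e["dst"]]]


def detect_mass_encryption(events, window=60, min_files=20):
    """One host renaming >= min_files distinct files to a different extension in `window` seconds."""
    per_src = defaultdict(list)
    for e in events:
        if e["kind"] == "rename" and os.path.splitext(e["old"])[1] != os.path.splitext(e["new"])[1]:
            per_src[e["src"]].append((e["t"], e["new"]))
    alerts = []
    for src, renames in per_src.items():
        files = _burst(sorted(renames), window, min_files)
        if files:
            alerts.append({"rule": "mass_rename", "src": src, "files": len(files)})
    return alerts


def run_all(events):
    """Run every detector and return the combined alert list."""
    return detect_lateral_movement(events) + detect_privileged_access(events) + detect_mass_encryption(events)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The thresholds are deliberately crude; in practice they would be tuned per environment (a backup or patching service will fan out over SMB legitimately, so the allow-list approach used for critical hosts applies to the lateral-movement rule as well). The point of the exercise is that none of the three rules depends on what the ransomware binary looks like: a new variant that sweeps servers, uses a stolen account against the domain controller, and bulk-renames a share trips them just the same.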
To reduce the impact of contemporary ransomware attacks, we need to pivot to a model based on detecting behavior rather than the specific tools or ransomware strain used. Such behavior detection is far more effective, but it requires in-depth analysis of network traffic. With advances in artificial intelligence (AI) augmenting security teams, we’re already seeing the industry shift to identifying attacker behavior in real time. AI can detect subtle indicators of ransomware behavior at a speed and scale that humans and traditional signature-based tools simply cannot achieve. This enables organizations to prevent widespread damage.
When organizations recognize these malicious behaviors early in the attack lifecycle, they can limit the number of files encrypted by ransomware, stop the attack from propagating, and prevent a disastrous business outage.
Ransomware will continue to be a potent tool in cybercriminals’ arsenals as they attempt to exploit, coerce, and capitalize on organizations’ valuable digital assets. When you are fighting a ransomware attack, time and contextual understanding are your most precious resources.