An Operation-Centric Approach to RansomOps Prevention

October 26, 2021 | 4 minute read

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit...

The theme for the final week of Cybersecurity Awareness Month 2021 is Cybersecurity First. This message highlights the need for everyone—users and organizations alike—to prioritize cybersecurity when online. One of the ways we can do this is by understanding the flow of today’s more complex, low-and-slow ransomware attacks - or what we refer to as RansomOps.

Ransomware is one of the “loudest” categories in the digital threat landscape in that it overtly displays a ransom note that alerts the victim that they have been the target of a successful attack. This tactic of revealing itself is crucial to stoking a victim’s fear and sense of urgency. It’s also instrumental in communicating the attackers’ ransom demand.

Unfortunately, seeing a ransom note displayed is not the same as detecting a RansomOps attack in progress; it is simply confirmation that you have likely already lost access to some or all of your systems or files. In a RansomOps attack the ransomware payload is the tail end of the operation, and by the time you reach this stage we are no longer talking about prevention strategies, but about remediation.

Unlike the early days of “spray and pray” ransomware attacks that relied on large numbers of victims to submit to ransom demands of a fraction of a bitcoin, RansomOps attacks are much more sophisticated and are more akin to stealthy APT-like operations. Furthermore, there are often multiple players from the larger Ransomware Economy at work, each with their own specializations. 

This can include the Initial Access Brokers (IABs) who have already laid the groundwork by infiltrating a target network and selling that foothold, the Ransomware-as-a-Service (RaaS) operators who provide the malware and attack infrastructure, and the affiliates who actually carry out the intrusion, spread laterally to maximize the potential impact of the ransomware payload, and deploy it.

What’s important to understand about RansomOps is that prior to that payload delivery, the attackers have engaged in weeks or even months of detectable activity on the target network. This is where understanding RansomOps and strategies to detect and disrupt them early in the kill chain can turn what would have been a potentially devastating ransomware security event into a less disruptive intrusion and/or data exfiltration attempt.

RansomOps Detection and Response

Organizations can only defend successfully against ransomware if they detect the intrusion early and end it before any data exfiltration or encryption of critical files and systems takes place. That requires familiarity with the stages of a RansomOps attack. J.P. Morgan (PDF) observed that the average ransomware infection consists of seven phases:

    • Delivery: This stage can take various forms, but ransomware actors commonly gain entry through exposed Remote Desktop Protocol (RDP) services, phishing emails, or exploitation of software vulnerabilities.
    • Installation: The initial payload is downloaded onto the targeted system and executed.
    • Command and Control: Upon successful installation, the implant phones home to its Command and Control (C2) server to receive instructions from the attackers.
    • Credential Access: The attackers harvest credentials from the compromised system (from process memory, the registry or saved sessions) and use them to gain access to other devices and accounts connected to the same network.
    • Discovery: At this point, the attackers enumerate the network and scan for file types they can encrypt, both on the local workstation and on other assets they have already mapped.
    • Lateral Movement: The operators move across the network, using the stolen credentials to compromise additional accounts and devices along the way.
    • Actions on Objectives: The ransomware encrypts local and network files before displaying its ransom note on each affected asset.

Of course, ransomware attacks have also evolved in the past few years beyond this traditional attack chain. Many ransomware groups now practice double extortion, stealing a victim's data in plaintext before they launch the encryption routine. Doing so puts added pressure on the victim to pay: even with sound backups in place, the victim remains at risk of having sensitive data released publicly if they refuse the ransom demand.

Ransomware gangs can also use double extortion to make two ransom demands: one for a decryptor and another for deletion of the stolen data from their servers. Other extortion techniques include threatening DDoS attacks, offering short-sellers insider information with which to target the victim's stock price, and more. To be in a position to make these threats, the attackers need to have had extended access to the target environment, which gives defenders multiple opportunities to detect and expel them before the final payload is deployed.

Detecting RansomOps

Clearly, there is a lot more to detect in a ransomware attack than the moment the final payload displays its ransom note. The issue is that organizations cannot achieve visibility into the early stages of a highly targeted RansomOps attack using only Indicators of Compromise (IOCs) derived from other environments: the infrastructure and tooling used against one target are rarely reused unchanged against the next, so file hashes, domains and IP addresses from a previous incident often never match.

Hence the need for organizations to embrace an operation-centric approach, a methodology that lets them visualize a malicious operation (MalOp) in its entirety, beginning with its root cause and extending across every affected device and account. It does so by drawing on both IOCs and Indicators of Behavior (IOBs): subtle signs of compromise that identify a potential security incident by chaining together behaviors which, taken together, are either extremely rare or give an attacker a distinct advantage, even when each behavior in isolation is common or expected in the network environment.

IOBs can thus provide insight into attack chains that are novel or have never been seen before. Organizations need the visibility afforded by tracking both IOCs and IOBs if they are to successfully defend against a RansomOps attack.
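To make the behavior-chaining idea concrete, here is an added example written for this page (it is not Cybereason's detection logic, nor any vendor's event schema). It tags constructed endpoint events with behaviors that are individually common in most networks (an RDP logon, a handle opened on LSASS, a connection to an administrative share, a shadow-copy deletion), maps each behavior onto one of the phases listed above, and raises an alert only when a single account accumulates several distinct phases inside a time window. The event fields, the 72-hour window, the three-phase threshold, the host and user names, and the sample log lines are all assumptions made for illustration.

```python
# Added example for this article, not any vendor's detection logic. Each behaviour
# tagged below is common on its own; an alert needs several distinct phases on one
# account inside a window. Schema, field names, 72h window and 3-phase threshold
# are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "logon" | "process" | "net"
    detail: dict = field(default_factory=dict)

def is_external(src):
    """True for a parseable source address outside the RFC1918 ranges."""
    try:
        ip = ip_address(src)
    except ValueError:
        return False
    return not any(ip in net for net in RFC1918)

def tag_behavior(e):
    """Map one event to a behaviour label, or None. No single label alerts."""
    d, cmd = e.detail, e.detail.get("cmdline", "").lower()
    if e.kind == "logon" and d.get("type") == "rdp" and is_external(d.get("src", "")):
        return "external_rdp_logon"
    if e.kind == "process" and d.get("target_image", "").lower().endswith("lsass.exe"):
        return "lsass_access"            # handle on LSASS: credential-dumping pattern
    if e.kind == "process" and "vssadmin" in cmd and "delete shadows" in cmd:
        return "shadow_copy_delete"      # also routine for some backup jobs
    if e.kind == "net" and d.get("share", "").upper() in {"ADMIN$", "C$"}:
        return "admin_share_connect"     # normal for admins, classic lateral movement
    return None

# Phase of the chain each behaviour belongs to, in the article's order.
PHASE_ORDER = ["delivery", "credential_access", "lateral_movement", "actions_on_objectives"]
PHASE = {"external_rdp_logon": "delivery", "lsass_access": "credential_access",
         "admin_share_connect": "lateral_movement", "shadow_copy_delete": "actions_on_objectives"}

def detect_malops(events, window_hours=72, min_phases=3):
    """Group tagged events by account; alert the first time an account shows
    at least `min_phases` distinct phases within `window_hours`. One dict per account."""
    window = timedelta(hours=window_hours)
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        label = tag_behavior(e)
        if label:
            per_user[e.user].append((e.ts, e.host, label))
    malops = []
    for user, hits in per_user.items():
        for i, (ts, _, _) in enumerate(hits):
            recent = [h for h in hits[: i + 1] if ts - h[0] <= window]
            phases = {PHASE[h[2]] for h in recent}
            if len(phases) >= min_phases:
                malops.append({"user": user, "first_seen": recent[0][0], "last_seen": ts,
                               "hosts": sorted({h[1] for h in recent}),
                               "phases": sorted(phases, key=PHASE_ORDER.index),
                               "behaviors": [h[2] for h in recent]})
                break   # one operation per account; do not re-alert on every later event
    return malops

def sample_events():
    """Constructed telemetry, not real logs. 198.51.100.23 and 203.0.113.9 are
    documentation addresses standing in for attacker sources."""
    t0 = datetime(2021, 10, 1, 2, 0)
    h = lambda n: t0 + timedelta(hours=n)
    return [
        # jdoe: an intrusion that walks the chain over two days
        Event(h(0), "FS01", "jdoe", "logon", {"type": "rdp", "src": "198.51.100.23"}),
        Event(h(26), "FS01", "jdoe", "process", {"image": "procdump64.exe",
              "cmdline": "procdump64.exe -ma lsass.exe out.dmp", "target_image": "C:\\Windows\\System32\\lsass.exe"}),
        Event(h(49), "FS01", "jdoe", "net", {"dst": "DC01", "share": "ADMIN$"}),
        Event(h(52), "DC01", "jdoe", "process", {"image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}),
        # svc_backup: a legitimate admin doing two of the same things from inside the network
        Event(h(1), "BK01", "svc_backup", "logon", {"type": "rdp", "src": "10.20.0.5"}),
        Event(h(3), "BK01", "svc_backup", "net", {"dst": "FS01", "share": "C$"}),
        Event(h(3), "BK01", "svc_backup", "net", {"dst": "FS02", "share": "C$"}),
        Event(h(5), "BK01", "svc_backup", "process", {"image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /for=D: /oldest"}),
        # contractor: a single external RDP logon and nothing else
        Event(h(10), "WS17", "contractor", "logon", {"type": "rdp", "src": "203.0.113.9"}),
    ]

if __name__ == "__main__":
    for m in detect_malops(sample_events()):
        print(f"MalOp: {m['user']} {m['phases']} on {m['hosts']} from {m['first_seen']} to {m['last_seen']}")
```

Run as written, only the jdoe account alerts, and it does so at the admin-share connection on day three, before the shadow copies are deleted and before anything is encrypted; the backup service account, which performs two of the same behaviors, and the contractor with a lone external RDP logon do not. Two caveats worth noting from the example: shrinking the window to an hour hides a low-and-slow chain entirely, and lowering the threshold to two phases makes the backup account alert as well, so the window and threshold have to be tuned against what is normal for each environment rather than copied from elsewhere.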

The Cybereason Advantage Over RansomOps

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that will detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion.

The Cybereason operation-centric approach is what provides the ability to detect RansomOps attacks earlier, and it is why Cybereason is undefeated in the battle against ransomware, with the best prevention, detection and response capabilities on the market.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
