RansomOps vs. Extended Detection and Response

With nearly four out of ten global organizations admitting to being victims of a ransomware attack in 2021 alone, it’s apparent that complex ransomware operations–or RansomOps–are only going to become a bigger part of the cybersecurity dialogue than they already are. 

Gartner noted that the threat of new ransomware models was a top concern among executives last year, and when you look at the stakes, the evolving landscape, and the publicized RansomOps attacks thus far, you can see why.

RansomOps describes the entire multi-stage ransomware operation with an ensemble of players who contribute to these highly targeted attacks from initial ingress to lateral movement in the network to delivery of the final encryption payload. 

RansomOps take a “low and slow” approach, infiltrating the network and often remaining undetected for weeks as the attackers pivot through the targeted ecosystem, often exfiltrating sensitive data that is leveraged in double extortion schemes to assure payment of the ransom, even if the victim is able to regain access to their systems and data.

Understanding how RansomOps attacks work is the first step in knowing how to defend against them.

Understanding the RansomOps Attack Chain

According to NIST, ransomware “is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access,” and it is a multi-phase process. Rodney Joffe, Forbes Councils Member, explains, “Security teams need to be able to recognize the initial attack long before any information is stolen and encrypted.” This means early detection, so understanding the RansomOps attack chain is necessary. 

While once the domain of simple “spray and pray” email spam campaigns, ransomware operations today are “much more sophisticated and are more akin to stealthy APT-like operations,” which means that every stage must be understood in order to defend against them. 

To do so requires understanding of the MalOp, or the entirety of the process malicious actors take “from the minute of network penetration until achieving their operational goals.” Once you understand that, you can spot opportunities to intercept a ransomware attack at initial ingress, lateral movement, command and control, etc. so you can automate response actions earlier in the kill chain as opposed to focusing solely on the ransomware payload, the tail-end of a RansomOps attack.

ISACA lists the ransomware kill chain steps as infection/ingress, privilege escalation and persistence, credential abuse and eventually data encryption. Using these as a general guide, we’ll explore what security measures can be implemented at each stage to secure at the speed of attack – and hopefully faster. 

Automating Ransomware Prevention 

To keep up with the barrage of RansomOps attacks that have accelerated with the proliferation of Ransomware as a Service (RaaS) platform offerings, many organizations have already adopted automated response strategies. Research from the SANS Institute indicates that upwards of 80% of organizations have partially automated security processes, and 85% plan on increasing that automation in the next year.

While it’s good to automate security controls, adopting an operation-centric approach will help you prioritize automating the right ones. The current alert-centric approach reinforces intelligence silos by alerting to one aspect of an attack or another, leaving analysts with the time-consuming work of piecing together these disparate intelligence sources because they don’t deliver the full narrative of an attack.

An operation-centric approach, on the other hand, “allows defenders to instantly visualize the whole of a MalOp from root cause to every affected endpoint in real-time through multi-stage visualizations that deliver all of the details of an attack across all devices and all users immediately.” 

This means the analyst is able to address all aspects of an attack immediately across all impacted devices, users and systems in order to return remediation responses instantly without the laborious task of triaging and investigating a slew of otherwise uncorrelated alerts, a good portion of which turn out to be false positives.

Mean time to detect and remediate are key measures here, and they can mean the difference between responding to an event versus mitigating an already successful attack.

What Can You Automate?

Using ISACA’s list as a guide, we can break down a ransomware attack chain into several elements and investigate ways that security automation can be used within them. While RansomOps (many of which employ RaaS) can automate at nearly every stage of attack, we will see how automation using an Extended Detection and Response (XDR) solution can be leveraged to disrupt attackers at every stage:

  • Reconnaissance: Before the initial strike, bad actors are scoping out your network and its defenses. Unlike the old spray-and-pray ransomware models, RansomOps targets are chosen for a reason–typically because they have the ability to pay a large ransom demand, but also because they are vulnerable. An XDR solution can be useful in correlating the clues from different telemetry sources that together can reveal the network is being probed. An XDR solution can allow Defenders to easily investigate network mapping and discovery attempts launched from unexpected sources.
  • Ingress: This is where the attackers, often Initial Access Brokers where RansomOps are concerned, gain initial access to your network. An XDR solution with an operation-centric approach can automate detection and response at this early stage so that–if we are doing our jobs right–we never even know it was a potential ransomware attack, but instead just another run of the mill intrusion attempt. Defenders can leverage an XDR solution to thwart phishing attempts, disable tainted links and malicious macros in email attachments. Defenders can also detect and block binaries that are attempting to create new registry values or other suspicious activity on endpoints.
  • Lateral Movement and Persistence: Once inside, the attacker will work to move deeper into your network, regardless of whether on-premises or in the cloud. An XDR solution can be the key to quickly connecting the dots between unusual user activity, north-south traffic on the network, external communication with a machine in an unusual geolocation, the spawning of additional processes and more. Correlations and context are key to reducing the mean time to respond here. Defenders can also use XDR’s behavioral detections to prevent account compromise and credential theft attempts and to flag attempts to gain access to other network resources with which they don’t normally interact.
  • Exfiltration and Encryption: If we have not detected and disrupted the attack by this stage, the attackers are in the position to simply take the data they want, encrypt the systems and issue a ransom demand. Defenders can leverage an XDR solution to block outbound connections to attack infrastructure when the operation attempts to establish command and control or exfiltrate data. As well, Defenders can use an XDR solution to prevent the abuse of legitimate services, block unapproved scripts and the execution of payloads from running on the system.
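
The operation-centric correlation described in this list can be sketched as follows. This is an added example, not code from the article or from any XDR product; the host names, stage labels, 21-day window and two-stage/two-source threshold are assumptions, and the alerts are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels follow the list above; window and threshold are assumptions.
STAGES = ["reconnaissance", "ingress", "lateral_movement", "exfiltration"]
WINDOW = timedelta(days=21)  # alerts further apart start a new operation

# Constructed sample alerts: (timestamp, telemetry source, host, stage)
ALERTS = [
    ("2022-03-01T02:14", "network", "ws-114", "reconnaissance"),
    ("2022-03-01T09:30", "email", "ws-114", "ingress"),
    ("2022-03-02T11:05", "email", "ws-207", "ingress"),
    ("2022-03-09T23:41", "identity", "ws-114", "lateral_movement"),
    ("2022-03-15T03:12", "network", "ws-114", "exfiltration"),
    ("2022-05-20T10:00", "endpoint", "ws-207", "lateral_movement"),
]

def correlate(alerts, window=WINDOW):
    """Group alerts per host into operations: runs of alerts at most `window` apart."""
    by_host = defaultdict(list)
    for ts, source, host, stage in alerts:
        by_host[host].append((datetime.fromisoformat(ts), source, stage))
    operations = []
    for host, events in by_host.items():
        events.sort()
        runs = [[events[0]]]
        for event in events[1:]:
            if event[0] - runs[-1][-1][0] > window:
                runs.append([event])  # gap too long: treat as a new operation
            else:
                runs[-1].append(event)
        operations.extend((host, run) for run in runs)
    return operations

def summarize(host, events):
    """Escalate once an operation spans two or more stages and two or more sources."""
    stages, sources, met_at = set(), set(), None
    for when, source, stage in events:
        stages.add(stage)
        sources.add(source)
        if met_at is None and len(stages) >= 2 and len(sources) >= 2:
            met_at = when  # earliest point at which a response could be automated
    return {"host": host, "stages": sorted(stages, key=STAGES.index),
            "sources": sorted(sources), "escalate_at": met_at}

def escalations(alerts):
    summaries = [summarize(host, events) for host, events in correlate(alerts)]
    return [s for s in summaries if s["escalate_at"] is not None]
```

On the sample data, six separate alerts collapse into three operations, and only the one on `ws-114` crosses the threshold, at the ingress alert, roughly two weeks before the exfiltration alert fires.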

Defend Against Complex RansomOps

Simply put, you cannot defend against RansomOps in traditional ways because it’s not a traditional threat. Enterprise SIEMs miss 80% of detections for MITRE ATT&CK techniques, according to a recent report. And a focus on detecting the ransomware executable alone is risky because that is the tail-end of a longer attack sequence, where the adversary already has unfettered access to your network and may be engaging in data exfiltration. 

Because RansomOps are an entire campaign, defending against the payload alone is like “fighting terrorism by focusing only on the explosive device or waiting to hear the ‘boom’ to know where to focus resources,” as Cybersecurity Insiders states. You need to see the whole of the malicious operation, not just the conclusion. 

“Against this backdrop, 2022 will demand a refocusing of anti-ransomware tactics away from the encrypting malware itself and onto the Indicators of Behavior (IOBs) associated with RansomOps, allowing the defending organization to circumvent encryption entirely,” notes Intelligent CISO.

An effective ransomware prevention plan includes actions like:

  • Following Security Hygiene Best Practices: This includes timely patch management and assuring operating systems and other software are regularly updated, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.
  • Implementing Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs as well as custom malware.
  • Deploying Endpoint and Extended Detection and Response (EDR and XDR): Point solutions for detecting malicious activity like a RansomOps attack across the environment provide the visibility required to end ransomware attacks before data exfiltration occurs or the ransomware payload can be delivered.
  • Assuring Key Players Can Be Reached: Responders should be available at any time of day as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
  • Conducting Periodic Table-Top Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support, and other departments all the way up to the executive team for smooth incident response.
  • Ensuring Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc. Testing these procedures with scheduled or unscheduled drills at least once every quarter is recommended to ensure all personnel and procedures perform as expected.
  • Evaluating Managed Security Services Provider Options: If your security organization has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.
  • Locking Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. For more information on Weekend and Holiday ransomware threats, refer to our other 2021 study, Organizations at Risk: Ransomware Attackers Don’t Take Holidays.

Ultimately, your multi-layered approach leveraging XDR should allow you to analyze ALL data in real-time (not just endpoint data), protect you against double extortion, and prevent never-before-seen executables so you can truly have a proactive anti-ransomware strategy in place.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author


Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
