Ransomware Attacks are Evolving – Is Your SOC Ready?

Ransomware actors are known to innovate on a regular basis, and these past few years have seen an acceleration in the evolution of tactics and techniques designed to make the attacks more effective.

Recently, ransomware developers have been particularly focused on finding new ways to compel non-compliant victims to pay. That effort gave rise to double extortion, a technique employed by many ransomware strains in which the attackers first exfiltrate a target's sensitive information before launching their encryption routine.

The attackers then threaten to publish the data publicly if the ransom demand is not met by the stated deadline. Data backups can nullify the need for a decryptor to recover the encrypted files, but data backups can’t prevent a nefarious attacker from publishing a victim’s information on the web, which means that defending against ransomware attacks requires a robust prevention strategy.

Attackers have also gotten more creative in how they announce a ransomware infection. Sometimes that involves using media other than a digital ransom note to inform victims that they’ve been infected. The Egregor Ransomware gang recently attracted the attention of Bleeping Computer when it abused all of the local printers on an infected network to repeatedly print out copies of their ransom note. So too did the DoppelPaymer Ransomware group when it began calling victims to demand that they pay up, as the FBI warned in December 2020.

Other times, ransomware attacks focus on a target's customers instead of the victims themselves. Those responsible for the Clop Ransomware made headlines in March 2021 when they began contacting victims' customers via email, for instance. The attackers informed the customers that they had stolen their personal and financial information. At that point, they urged them to "[c]all or write to this store and ask to protect [their] privacy."

Defending Against Ransomware Attacks

The innovations discussed above are helping to fuel a surge in ransomware attacks, and many organizations are feeling the pressure as a result. In a study covered by Help Net Security, for example, 61% of respondents indicated that they had suffered a ransomware attack in 2020—20% higher than the proportion of organizations that reported an attack the previous year.

Those organizations lost an average of six working days because of those attacks, with more than a third (37%) reporting that the downtime lasted at least a week. Approximately the same number (34%) admitted that they never saw their data again despite having ultimately paid the ransom.

This highlights the need for organizations to defend themselves against ransomware through proactive prevention measures. Data backups and employee security awareness training can go a long way in that regard, but on their own they do not stop an intrusion. To avoid becoming victims, organizations need to coordinate these defensive measures with the other elements of their information security program so that an attack can be detected and stopped before it reaches the exfiltration and encryption stages, every time it is attempted.

That explains why organizations need to invest in creating a Security Operations Center (SOC). As noted by EC-Council, a SOC team is responsible for identifying potential threats, investigating incidents and implementing appropriate security tools and solutions. These functions help organizations to minimize network downtime and ensure business continuity in the event of a digital attack such as a ransomware infection.

SOCs are advantageous in that they give organizations the personnel they need to proactively block ransomware attacks. One of the ways they do this is by providing organizations with a centralized approach to their digital security.

In the case of a ransomware attack, for instance, organizations can look to their SOC team to identify and isolate affected computers, preserve the evidence needed to understand how the attackers got in, rebuild those machines, restore from data backups once the initial access vector has been closed, and notify communications and legal personnel. They can thus help to prevent data loss, maintain customer trust and reduce the potential losses that organizations could suffer in a security incident such as one involving ransomware.

That doesn’t happen automatically, though. Organizations need to make sure that their SOC team is prepared for digital threats as dynamic and sophisticated as modern ransomware. The way to do that is to focus on their human capital.

As we explained in a recent whitepaper:

The mature SOC is the SOC that puts the human in the center, coordinated with other humans, at scale and running efficient processes. When that’s true, tools that help get used more and tools that fail get eliminated, no matter how special their one-of-a-kind features may be.

Organizations should also consider enhancing their SOC capabilities with an effective EDR (Endpoint Detection and Response) and/or XDR (Extended Detection and Response) solution deployment to strengthen their threat detection capabilities. They could certainly consider looking to other solutions like SIEM and SOAR as a means of achieving some aspects of the functionality that EDR/XDR offer, but these solutions are not designed to provide the necessary correlations across the network required to end attacks at the earliest stages, adding more complexity and investigation tasks for the SOC team.

Given the advent of XDR, why bother with separate solutions like SIEM and SOAR that cannot provide the required context around threats? Analyst firm ESG found that most security teams are already considering replacing their functionally limited SIEM and SOAR tools with an integrated XDR platform that includes much of the functionality of those solutions in addition to providing the deep context and threat correlations. This decision can save organizations precious time and money in the fight against ransomware.

Prevention Capabilities are Key

The best ransomware defense for organizations is to focus on preventing a ransomware infection in the first place. Organizations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and prevention of a ransomware attack at the earliest stages. Cybereason delivers operation-centric ransomware protection via multi-layered prevention, detection and response. 

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
