May 12, 2021 | 4 minute read
Ransomware actors are known to innovate on a regular basis, and these past few years have seen an acceleration in the evolution of tactics and techniques designed to make the attacks more effective.
Recently, ransomware developers have been particularly focused on finding new ways to compel non-compliant victims to pay. That effort gave rise to double extortion, a technique employed by many ransomware strains in which the attackers first exfiltrate a target’s sensitive information before launching its encryption routine.
The attackers then threaten to publish the data publicly if the ransom demand is not met by the stated deadline. Data backups can nullify the need for a decryptor to recover the encrypted files, but data backups can’t prevent a nefarious attacker from publishing a victim’s information on the web, which means that defending against ransomware attacks requires a robust prevention strategy.
Attackers have also gotten more creative in how they announce a ransomware infection. Sometimes that involves using media other than a digital ransom note to inform victims that they’ve been infected. The Egregor Ransomware gang recently attracted the attention of Bleeping Computer when it abused all of the local printers on an infected network to repeatedly print out copies of their ransom note. So too did the DoppelPaymer Ransomware group when it began calling victims to demand that they pay up, as the FBI warned in December 2020.
Other times, ransomware attacks focus on a targets’ customers instead of the victims themselves. Those responsible for the Clop Ransomware made headlines in March 2021 when they began contacting victims’ customers via email, for instance. The attackers informed the customers that they had stolen their personal and financial information. At that point, they urged them to “[c]all or write to this store and ask to protect [their] privacy.”
The innovations discussed above are helping to fuel a surge in ransomware attacks, and many organizations are feeling the pressure as a result. In a study covered by Help Net Security, for example, 61% of respondents indicated that they had suffered a ransomware attack in 2020—20% higher than the proportion of organizations that reported an attack the previous year.
Those organizations lost an average of six working days because of those attacks, with more than a third (37%) reporting that the downtime lasted at least a week. Approximately the same number (34%) admitted that they never saw their data again despite having ultimately paid the ransom.
This highlights the need for organizations to defend themselves against ransomware through proactive prevention measures. Data backups and employee security awareness training can go a long way in that regard, but to ensure they are not victims of a ransomware attack, organizations need to coordinate these defensive measures with other elements of their information security program to assure these attacks can be thwarted everytime.
That explains why organizations need to invest in creating a Security Operations Center (SOC). As noted by EC-Council, a SOC team is responsible for identifying potential threats, investigating incidents and implementing appropriate security tools and solutions. These functions help organizations to minimize network downtime and ensure business continuity in the event of a digital attack such as a ransomware infection.
SOCs are advantageous in that they give organizations the personnel they need to proactively block ransomware attacks. One of the ways they do this is by providing organizations with a centralized approach to their digital security.
In the case of a ransomware attack, for instance, organizations can look to their SOC team to identify and wipe affected computers, activate data backups as well as notify communications and legal personnel. They can thus help to prevent data loss, maintain customer trust and reduce the potential losses that organizations could suffer in a security incident such as one involving ransomware.
That doesn’t happen automatically, though. Organizations need to make sure that their SOC team is prepared for digital threats as dynamic and sophisticated as modern ransomware. The way to do that is to focus on their human capital.
As we explained in a recent whitepaper:
The mature SOC is the SOC that puts the human in the center, coordinated with other humans, at scale and running efficient processes. When that’s true, tools that help get used more and tools that fail get eliminated, no matter how special their one-of-a-kind features may be.
Organizations should also consider enhancing their SOC capabilities with an effective EDR (Endpoint Detection and Response) and/or XDR (Extended Detection and Response) solution deployment to strengthen their threat detection capabilities. They could certainly consider looking to other solutions like SIEM and SOAR as a means of achieving some aspects the functionality that EDR/XDR offer, but these solutions are not designed to provide the necessary correlations across the network required to end attacks at the earliest stages, adding more complexity and investigation tasks for the SOC team.
Given the advent of XDR, why bother with separate solutions like SIEM and SOAR that cannot provide the required context around threats? Analyst firm ESG found that most security teams are already considering replacing their functionally limited SIEM and SOAR tools with an integrated XDR platform that includes much of the functionality of those solutions in addition to providing the deep context and threat correlations. This decision can save organizations precious time and money in the fight against ransomware.
The best ransomware defense for organizations is to focus on preventing a ransomware infection in the first place. Organizations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and prevention of a ransomware attack at the earliest stages.
Cybereason delivers fearless ransomware protection via multi-layered prevention, detection and response, including:
• Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
• Intelligence Based-Antivirus: Cybereason block known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
• NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
• Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
• Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.
• Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.All Posts by Cybereason Security Team