Three Questions to Ask about Ransomware Preparedness

Ransomware operations, or RansomOps, have evolved dramatically over the last few years, growing from a small subset of mostly nuisance attacks to a mature business model specialization and an increasing pace of innovation and technical sophistication. 

RansomOps involve highly targeted, complex attack sequences by sophisticated threat actors that are much more intricate and akin to the stealthy operations conducted by nation-state threat actors. RansomOps are typically "low and slow" attacks that can take weeks to months to quietly spread through as much of the targeted network as possible before the ransomware payload is ever delivered.

These types of operations are unlike the commodity ransomware attacks of the past, which were basically random spray-and-pray attacks delivered through mass spam campaigns that relied on tricking a target into clicking a malicious link or opening a tainted document. Those attacks mainly targeted individuals for small ransom amounts, whereas RansomOps are clearly whaling expeditions focused on big game targets.

Several factors have contributed to the success of RansomOps, resulting in a significant surge in ransomware attacks with multi-million dollar ransom demands. We have entered a ‘gold rush’ era in the cybercrime world, with a good portion of the illicit funds generated being invested back into further improving attack operations. 

Take the third quarter of 2021 as an example: Help Net Security shared the results of a report where researchers found that global ransomware attacks increased 148% during that three-month period. Overall, 190.4 million ransomware attacks occurred in Q3 2021. 

That is close to the 195.7 million ransomware attacks logged during the first three quarters alone. Looking ahead to the rest of the year, the information security news website noted that ransomware attacks were expected to reach 714 million by the end of 2021, a staggering 134% year-over-year increase.

A joint report issued by the United States, Australia and the United Kingdom in early February of 2022, and published by the Cybersecurity and Infrastructure Security Agency (CISA) specifically called out the increasing complexity observed in ransomware operations: “Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”

These findings highlight the need for organizations to think strategically about their ransomware defenses going into 2022. Towards that end, here are three questions you should be asking your cybersecurity teams in order to avoid being the victim of a successful ransomware attack:

Can We Detect Ransomware Attacks Beyond the Endpoint?

The question here is one of visibility, context and correlations. The reality is that other approaches to threat detection and response are limited in their ability to defend against ransomware. Take Endpoint Detection and Response (EDR) solutions, for example.

EDR might provide greater visibility over endpoint devices than traditional antivirus and antimalware solutions, but it ignores the fact that many complex RansomOps attacks don’t necessarily start at the endpoint; they can be initiated through vulnerable applications, misconfigured cloud deployments, unpatched devices and the other vectors that make up today’s distributed networks.

How Quickly Can We Mount a Response?

Ransomware attacks require a swift response, which requires actionable context and correlations, something that tools like SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) were supposed to solve for, but were never able to effectively deliver on. 

SIEM solutions require a data lake structure and cloud analytics to centralize event information, but they don’t provide the necessary context and correlations across the available event telemetry to allow for an autonomous response. Even with reliable data sources, many SIEMs generate too many false positives and alerts, complicating the process of responding to actual threats on a timely basis.

The issue is that event correlation requires manual processes that create operational inefficiencies, take up analysts' time, and prevent security teams from launching a quick response. Organizations therefore need to automate their response capabilities so that they can react as quickly as possible, which is what SOAR tools were supposed to provide but have struggled to actually deliver.

In practice, analysts still need to manually intervene and sift through all the “well organized noise” provided by their SOAR solution in order to actually find the “signal.” Without the necessary correlations and context required for an analyst to understand what all the telemetry means, SOAR cannot effectively coordinate a response across a diversified network and multiple security tools. Thus, there is no option with SOAR solutions to effectively automate responses to ransomware attacks without requiring manual analyst intervention.

Did We Stop the Malicious Operation or Just an Activity?

Once a ransomware attack has been detected and an initial response determined, analysts need to understand if they are actually disrupting the larger RansomOp or just one aspect of the attack. Blocking ransomware on an endpoint is one thing, but it does not prevent the malicious actors from maintaining network access for the purpose of conducting a follow-up attack.

For example, blocking ransomware on an endpoint does not address issues like compromised credentials, does not address persistence on the network, and does not guarantee the attackers are not also living-off-the-land or committing in-memory attacks. Hence the need for organizations to work with a solution that can allow them to identify and end the entire RansomOp. 

That’s where Extended Detection and Response (XDR) solutions can be a game changer for Defenders. An AI-driven XDR solution can quickly assimilate and correlate telemetry from across multiple network assets to reveal the entire attack sequence from root cause across every affected device, system, application and user. 

XDR allows Defenders to move response efforts further to the left on the attack timeline, and gives them the opportunity to intercept a malicious operation proactively by leveraging Indicators of Behavior (IOBs), the chains of behavior that surface attacks earlier and enable faster remediation, a key advantage of an AI-driven XDR solution.

An AI-driven XDR solution that detects based on IOBs gives defenders the ability to quickly identify and end all associated malicious activity, even when that activity consists of otherwise benign behaviors that one would expect to see on the network. Where the ransomware payload is the end of an attack, RansomOps involve weeks or months of detectable activity from initial ingress, lateral movement, establishing command and control and more.
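As an added illustration (not Cybereason's code or product logic), the following minimal correlator links constructed telemetry events into an operation by shared host or user and reports which kill-chain stages were observable before the payload landed; the action names, hosts, accounts and the two-stage threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Kill-chain stage each (constructed) telemetry action maps to; the last is the payload.
STAGE_OF = {
    "phish_attachment_open": "initial_ingress",
    "beacon_rare_domain": "command_and_control",
    "lsass_memory_read": "credential_access",
    "rdp_logon_new_host": "lateral_movement",
    "mass_file_rename": "ransomware_payload",
}

@dataclass
class Event:
    ts: datetime
    host: str           # where the activity was observed
    user: str           # account the activity ran under
    action: str
    src_host: str = ""  # origin host for remote logons, empty otherwise

def chain_operations(events, min_stages=2):
    """Link individually low-severity events into operations by shared host or
    user (hypothetical correlator, not any vendor's engine) and return only the
    operations that have reached at least `min_stages` kill-chain stages."""
    ops = []  # each: {"entities": set of hosts and users, "stages": ordered list}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = STAGE_OF.get(ev.action)
        if stage is None:
            continue  # not an action we track
        keys = {ev.host, ev.user, ev.src_host} - {""}
        op = next((o for o in ops if o["entities"] & keys), None)
        if op is None:  # no shared entity: start a new candidate operation
            op = {"entities": set(), "stages": []}
            ops.append(op)
        op["entities"] |= keys
        if stage not in op["stages"]:
            op["stages"].append(stage)
    return [op for op in ops if len(op["stages"]) >= min_stages]

# Constructed sample telemetry: one slow RansomOp spread across two hosts and two
# accounts, plus one unrelated admin RDP logon that should not be flagged.
SAMPLE = [
    Event(datetime(2022, 2, 1, 9, 2), "wks-17", "j.doe", "phish_attachment_open"),
    Event(datetime(2022, 2, 1, 9, 40), "wks-17", "j.doe", "beacon_rare_domain"),
    Event(datetime(2022, 2, 2, 8, 15), "wks-40", "a.lee", "rdp_logon_new_host", "it-jump"),
    Event(datetime(2022, 2, 3, 22, 5), "wks-17", "j.doe", "lsass_memory_read"),
    Event(datetime(2022, 2, 4, 1, 12), "fs-02", "svc_backup", "rdp_logon_new_host", "wks-17"),
    Event(datetime(2022, 2, 11, 3, 30), "fs-02", "svc_backup", "mass_file_rename"),
]

if __name__ == "__main__":
    for op in chain_operations(SAMPLE):
        print(sorted(op["entities"]), "->", " > ".join(op["stages"]))
```

Four of the five stages in the flagged operation precede the payload by days, which is the window an operation-centric response aims to act in.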

An Operation-Centric Approach to Defeating RansomOps

The combination of increased visibility across siloed network assets with context-rich correlations based on chained attacker behaviors is at the heart of an AI-driven XDR solution. It also represents the opportunity for a paradigm shift in how we can collectively reverse the adversary advantage and return the high ground to the Defenders.

This operation-centric approach also provides Defenders the ability to predict, detect and respond to other types of cyberattacks across the entire enterprise network earlier and to remediate faster to protect endpoints, identities, cloud, application workspaces and more.

And this is why Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting organizations from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture, and every other known ransomware family.

Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
