Fighting against new ransomware techniques

Raj Samani at McAfee Enterprise argues that an innovative mindset is needed in addition to technological defences, if organisations are to defend themselves against cyber-crime

Over the past year, we’ve seen security threats evolve in complexity and increase in volume. Cybercriminals were quick to pivot their tactics and take advantage of the pandemic, and as a result enterprises found themselves victims of more opportunistic COVID-19 related campaigns, alongside a whole host of new bad-actor schemes.

In recent months, ransomware attacks have played a dominant role in the cybersecurity landscape. Whilst much of the focus will be on individual statistics, the recent deluge of victims and their subsequent impact has brought the discussion of ransomware into the mainstream.

The rise of Ransomware-as-a-Service

A key ransomware trend that we’re currently seeing is the rise of Ransomware-as-a-Service (RaaS), which supports a wider eco-system of players in this criminal enterprise. In Q1 2021, we observed growth in variants leveraging this eco-system, with affiliates targeting more lucrative organisations and companies. Most of these larger, targeted victims received a custom-created variant of the ransomware family at low volume. The use of these affiliates allows adversaries to gain entry to an environment and identify the pain points that often drive higher ransom payments.

In terms of specific ransomware groups, attention turned to DarkSide in Q2 2021. However, there are many other groups that should be viewed with equal concern. In Q1 2021, REvil was the most detected ransomware, followed by the RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze and Babuk strains. Equally, claims that DarkSide had ceased operations appear to have been short-lived, given the rise of BlackMatter.

Decoding ransomware techniques and solutions

Disrupting a ransomware attack, particularly one which leverages skilled affiliates capable of breaking into organisations, is critical. There are multiple opportunities to disrupt the activity: from the moment adversaries gain access to the environment, through establishing the necessary access to systems, to ultimately executing the payload – in other words, encrypting the environment.

Whilst this is an oversimplification, since certain threat actors may introduce additional steps such as exfiltrating data, understanding the tools and tactics typically used is crucial. For example, the common initial entry vectors remain the same. Therefore, the first opportunity to disrupt the attack is to understand those common entry methods, such as spear phishing, the use of RDP, and the compromise of unpatched systems.

One of the most common methods is the use of RDP (Remote Desktop Protocol), which provides threat actors with initial access to a targeted organisation. While there are a number of solutions out there to prohibit or restrict RDP, it’s vital that these are not only enforced but also actively monitored, to determine whether the controls have been bypassed.
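The monitoring described above, as an added example that is not part of the original article: a small check that runs over constructed, SIEM-style Windows 4624 logon records and flags RDP logons (logon type 10) whose source address is outside a hypothetical approved jump-host subnet, distinguishing unapproved internal hosts, external addresses and events with no usable source. The policy, subnets and sample events are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of Windows Security event 4624 (successful logon) records,
# flattened to the fields a SIEM would typically extract. Not real data.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "alice", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"host": "FS01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.20.3.77"},
    {"host": "DC01", "user": "bob", "logon_type": 10, "src_ip": "198.51.100.45"},
    {"host": "DC01", "user": "bob", "logon_type": 3, "src_ip": "10.0.1.9"},
    {"host": "WS22", "user": "carol", "logon_type": 10, "src_ip": "-"},
]

# Assumed (hypothetical) policy: RDP logons (type 10, RemoteInteractive) are only
# permitted from the jump-host subnet; INTERNAL_RANGES classify other sources.
APPROVED_RDP_SOURCES = [ipaddress.ip_network("10.0.0.0/29")]
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RDP_LOGON_TYPE = 10

@dataclass
class Finding:
    host: str
    user: str
    src_ip: str
    reason: str

def check_rdp_logon(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is an RDP logon that bypasses the policy."""
    if event["logon_type"] != RDP_LOGON_TYPE:
        return None  # not RDP; outside the scope of this control
    try:
        ip = ipaddress.ip_address(event["src_ip"])
    except ValueError:
        # An RDP logon with no usable source address cannot be verified:
        # surface it rather than silently passing it.
        return Finding(event["host"], event["user"], event["src_ip"], "rdp_unknown_source")
    if any(ip in net for net in APPROVED_RDP_SOURCES):
        return None  # arrived via the approved jump host
    internal = any(ip in net for net in INTERNAL_RANGES)
    reason = "rdp_from_unapproved_internal_host" if internal else "rdp_from_external_address"
    return Finding(event["host"], event["user"], str(ip), reason)

def find_rdp_bypasses(events) -> list:
    """Run the check over a batch of events and keep only the violations."""
    return [f for f in map(check_rdp_logon, events) if f is not None]

for finding in find_rdp_bypasses(SAMPLE_EVENTS):
    print(f"{finding.host}: {finding.user} via RDP from {finding.src_ip} ({finding.reason})")
```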

Much has been made of Endpoint Detection and Response (EDR) solutions, and such solutions can be critical in performing real-time searches across all managed systems to see what is happening at that exact moment. These solutions keep a history of inbound and outbound network connections and can detect potential attempts at exploitation.

Actionable threat intelligence

Threat intelligence technology is also a key way to tackle ransomware threats. Businesses and organisations can use the technology to proactively learn from previous breaches and, critically, to understand whether a given threat campaign is targeting a specific geography or sector that warrants additional investment.

Such insights can also be used to prioritise threat hunting using the most relevant indicators, predict the types of campaigns that will be launched against the organisation in the future, and pre-emptively improve overall defensive countermeasures.

The reality of ransomware, or indeed any threat, is that there is no single product or technology that can act as a silver bullet. Whilst EDR solutions can be critical in identifying whether there is unauthorised activity within the environment, they are ineffective if alerts are ignored. Consequently, it is imperative that the deployment of any control is rigorously tested, and that responses are exercised to ensure they happen in a timely manner.

To support this approach to security, businesses looking to bolster their defences should build an open, flexible architecture that can adapt as needed without the need for bolt-on security. In this way, they can achieve complete data and enterprise protection capabilities, underpinned by a proactive and open security architecture.

Despite efforts to mitigate the risks, ransomware is not going away anytime soon. The tactic is too profitable and effective for cybercriminals. However, to cut down the number of successful ransomware or digital extortion attacks, organisations should assess their ability to detect and respond to such attacks.

Further, and whilst this may be unpopular, they should determine the steps they would take in the event they are indeed compromised. What is the position on paying? Will the cyber insurance policy cover such an attack? Understanding these questions, and determining the position before a compromise, is critical.

Digital threats are now part and parcel of our society, and there is no doubt that threat actors are innovating, which enables them to demand millions from victims. Such innovation demands an evolving defensive mindset – whilst simply installing a product or updating signatures is important, it is not enough to stay secure.

Raj Samani is Fellow and Chief Scientist at McAfee Enterprise

Copyright Lyonsdown Limited 2021
