As data exfiltration threats and bigger ransom requests become the norm, security professionals are advancing from the basic “keep good backups” advice.
Ransomware became deadly in 2020.
Healthcare facilities were attacked at an alarming rate, including one incident in Germany that lead to a patient death when an attack locked critical systems and a woman needing critical care was turned away. She died after she had to be taken to another city for treatment.
Ransomware is now one of the fastest-growing threats in cybersecurity, with damages predicted to cost $20 billion globally by 2021, up from $354 million in 2015.
But if you work in infosec, you probably knew that. We’re not here to tell you ransomware is a problem. But we are here to examine what security teams are doing to defend against it, and what techniques are emerging as best bets to mitigate ransomware.
Frankly, the current landscape isn’t great, according to Azeem Aleem of technology services firm NTT Ltd. Ransomware attacks are more aggressive and diversified than ever before – and they use multiple attack vectors. There is an entire industry now dedicated to selling ransomware on the black market (ransomware as a service), which lowers the barrier for criminals to enter, and means more attackers are getting into this very profitable business.
“Defense is struggling,” says Aleem. “Some ransomware groups are teaming up with other threat actors, where the initial compromise is performed by commodity malware and then they provide access to a secondary threat actor operating ransomware as a service.”
But just as criminal techniques get better, so must defense strategies.
“Ransomware defense needs to continue to evolve, but since we won’t ever be able to evolve as fast as the attackers and industry – and the collective commerce world won’t ever be as nimble as a well-orchestrated group of determined adversaries, we have to think differently,” adds Chris Roberts, hacker in residence with Semperis.
Here’s a look at what security teams are turning to now to wrestle the behemoth ransomware threat.
Detection technology seeks different behavior
Early ransomware defenses were initially around signature-based detections, which worked well for specific ransomware attacks after being identified, according to Mike Schaub, information security manager at CloudCheckr. But with new kinds of ransomware cropping up that behaves differently today, there is now a need for new kinds of detection.
“These include better behavioral or heuristic analysis, or the use of canary or bait files for better detection early on of an attack layered with protections of the files themselves — such as backing up files before a suspicious process encrypts them, whitelisting encrypting processes,” he says.
While classic cryptoransomware simply locked up access to systems, it’s now trendy for ransomware attackers to also threaten victims with data theft and doxxing.
“Extortion through not only the encryption, but copying of data and threatening to leak it if a ransom isn’t paid,” says Schaub. “This threat of exfiltration has different behaviors to look for in ransomware defense.”
Hunt and prevent
Semperis’ Roberts says another emerging technique stresses proactive and predictive defense work.
“Ransomware defense needs to evolve from reacting to things, to predicting them and then anticipating risk.”
This “hunt and prevent” compared to the old “detect and respond” strategy has more security teams placing resources into ransomware research, threat hunting, and adversarial simulation, says David Shear, threat data governance manager with Vigilante.
“The future of ransomware defense will no longer be simply scanning for vulnerable endpoints and adding ransomware detection to your endpoint protection – but a more thorough searching through your networks to detect anomalous activity – and simulating the ransomware adversaries you hope to defend against,” he says.
NTT’s Aleem says traditional controls around a signature based framework leads to a lack of visibility into today’s ransomware threats. Relying on the traditional tools, like endpoint detection and response (EDR) can only detect about 1% of advanced attacks.
“You’ll be breached,” he says. “What organizations need is to move from a reactive to a proactive and predictive strategy using threat intelligence. To do this, they need full visibility of the threat surface to detect threat patterns in their networks.”
Aleem recommends mapping tactics, techniques, and procedures currently used by ransomware groups to understand their strategy, the time it takes them to deploy the ransomware, and how much time an incident response team has to discover, escalate, and remediate.
Striking a deal
As cyber insurance becomes more popular (and ransomware’s proliferation has something to do with that), companies are getting more comfortable paying ransoms, and ransomware operators are becoming more comfortable asking for bigger payouts, and sometimes some negotiation on the price tag.
Kurtis Minder, CEO, GroupSense, a digital risk protection services company that conducts dark web reconnaissance and provides threat-actor negotiation services ransomware victims, cautions that companies need more intelligence about attackers before they can make an informed judgment on whether to pay a ransom in the first place. “And if they decide to pay, they need an experienced ransomware negotiator — otherwise they risk making the problem worse by angering the threat actor,” he says.
“If you were taken hostage in a bank robbery, you wouldn’t want the branch manager negotiating your release – you’d want an FBI crisis negotiator. The same is true for ransomware negotiation.”
(continued on page 2 of 2: boning up on fundamentals)
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio