Read this paper and you will learn:
This ebook covers everything from why detecting the attacker activity and reconnaissance known as ransomOps is critical to stopping ransomware, to many of the steps security professionals are taking to successfully slam the door on today’s ransomware tactics. We’ll share how customers using Vectra MDR Services are able to detect active attacks almost immediately, as well as some of the challenges, observations and recommendations that every organization should know.
One thing is for sure, the difference between success and failure when it comes to stopping ransomware comes down to response speed and quick action — let’s stop some ransomware!
As distasteful as it may be, ransomware gangs and their affiliates are running a business, and just like any other business — they exist to make money. They have an ROI mindset and just happen to be cashing in on the ability to reach systems and data that they can steal as quickly as possible, while charging you a hefty sum for the return of your own property.
This mindset drives many of the observations discussed throughout this ebook, and understanding the motivation behind attackers is a key piece of any security strategy. When you know what drives attackers and can clearly identify the systems and data in your environment that would cause disruption if compromised — your organization will be in a good position to make it as difficult as possible for an attack to unfold.
Let’s see why tabletops can help bring this into focus, and how red teams can give an objective evaluation of current readiness.
Of course, the best outcome is to keep the ransomware gangs from ever gaining access to your environment. And while prevention is never foolproof, the ROI mindset can work to your advantage. In fact, you can dramatically reduce your risk by getting the basics of authentication hygiene and patching right.
This is because initial access by attackers most commonly occurs via an unpatched and DMZ-exposed vulnerability, an account without MFA or similar low-hanging fruit. Basically, if organizations miss some of the basic prevention methods — there’s no need for attackers to use sophisticated and time-consuming tactics to gain access.
The good news is that by enabling MFA (multi-factor authentication) on your VPN, IDP and other points of entry, you’ll make life more difficult for attackers who may just decide to knock on someone else’s door instead. The same goes for patch management — making sure patch practices span across your DMZ will help in turning away attacks. While no prevention strategy is foolproof, sensible investments in prevention will make it harder for attackers to get in.
Dialing in the basics will reduce, but not eliminate, risk. There are a lot of reasons for this, but the truth is that it only takes one mistake in account setup, one missed patch, one user clicking on a link they shouldn’t…or one new 0-day in your VPN of choice (funded by the gobs of money pouring into the ransomware ecosystem) to break through. We’ve seen it all.
And when a ransomware actor gets into your environment — expect that they will move FAST. We have certainly responded to attacks that progressed slowly over several days; however, it’s not uncommon for the majority of an attack to occur in a single, after-hours evening. Remember, time is money for attackers with an ROI mindset. Whether giving defenders the least amount of time to respond or just playing the numbers game, we generally see few signs of attackers trying to stay below the radar. In fact, the global dwell time for ransomware attacks has dropped significantly over the last few years.
The good news for defenders is that speed makes the attack obvious with the right detection technology. In Vectra’s case, we’ve seen activity on critical hosts within two minutes of initial access. However, the speed of attack progression also makes it crucial to be prepared to respond quickly and decisively in order to stop the threat before ransomware is deployed.
Unfortunately, the need to respond at speed isn’t limited to business hours. We’ve observed early-stage reconnaissance and lateral movement occurring at all hours, seemingly whenever the ransomware actor had some time. Sometimes it will be in the middle of the day, other times at night, on a weekend or even during a holiday. However, based on our observations, the final push to exfiltration and encryption is more likely to be in the middle of the night or on a weekend or holiday — when incident response capabilities are at their weakest.
Practically speaking, this means 24x7 monitoring is a must.
The first step in responding to a ransomware threat is to detect the adversary in your environment. It’s equally critical to know what you’ll do in various scenarios to stop the attack. How far are you willing to go? In one of our engagements, the attacker made it as far as the domain admin on the domain controller where the security team in play had to make a split-second decision to fully disconnect their systems from the internet in order to buy time for response. Fortunately, it worked for them.
As close as that team was to a ransomware attack unfolding, this scenario isn’t all that uncommon. It could be worth asking — if your organization were in the same situation, what would you do? Would this level of disruption be acceptable to the business? Would you be able to effectively respond without connectivity for your remote security staff? Are there other response options that you would have to buy?
We’ve seen rapid, decisive action under pressure be a key ingredient in successful response. Knowing and practicing your game plan before you need it could make all the difference.
Modern ransomware attacks (really ransomOps) don’t deploy the ransomware binary until the very end of the attack. This means that if you see the ransomware itself, you’ll most likely be too late.
This is a common misconception: to stop these attacks in progress, you’ll need to detect and respond to the steps that come BEFORE ransomware is deployed. The reality is that you’ll almost certainly be operating without full knowledge of the adversary or their end game. In many cases, you’ll see a rapidly-progressing attack, and potentially some telltale signs in tooling or C2 infrastructure that allow you to make an educated guess about what’s happening.
Your response plans will therefore need to focus on a more general class of intrusion and attack progression, understanding that the endgame is a probability, not a certainty.
We’ve observed exploits used to gain initial access, and occasionally for lateral movement. But, as with most modern attacks, the focus is on credentials — admin and service accounts. In combination with admin protocols, these are the favored tactics for virtually all ransomware affiliates.
The intent, as in many attacks, is to get to domain admin on the domain controller to launch the final phase of the attack. From this vantage point, it’s easy to get access to the most valuable data. It’s also possible to deploy ransomware blazingly fast, using admin tools including GPO.
Due to the focus on credentials, it’s absolutely key to carefully monitor the use of all privileged accounts as we’ve seen this reliably be one of the most valuable attack detection signals.
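One way to turn that into a concrete check, as an added example that is not Vectra’s own detection logic: the script below reads constructed logon records and flags privileged-account use from an unexpected source host, outside business hours (an assumed 08:00–17:59 weekday window), or a service account logging in interactively. The account names, hosts, baseline and record format are all assumptions.

```python
# Added example, not Vectra's code: flag privileged-account logons that break a
# per-account baseline (assumed source hosts) or fall outside business hours.
from datetime import datetime

# Constructed baseline: source hosts each privileged account normally uses.
PRIVILEGED_BASELINE = {
    "CORP\\jdoe-adm": {"ADMIN-WS01", "ADMIN-WS02"},
    "CORP\\svc-backup": {"BACKUP01"},        # service account, never interactive
}
SERVICE_ACCOUNTS = {"CORP\\svc-backup"}
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local, Monday to Friday

# Constructed sample records: time|account|source_host|target_host|logon_type
SAMPLE_LOG = """\
2024-03-12T10:15:00|CORP\\jdoe-adm|ADMIN-WS01|FILESRV01|network
2024-03-12T22:41:07|CORP\\jdoe-adm|WS-FINANCE17|DC01|network
2024-03-13T02:03:55|CORP\\svc-backup|WS-FINANCE17|DC01|interactive
2024-03-13T09:30:00|CORP\\alice|WS-HR04|MAIL01|network
"""

def parse_line(line):
    ts, account, src, dst, logon_type = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "type": logon_type}

def check_privileged_use(log_text):
    """Return (account, src, dst, reasons) for each suspicious privileged logon."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["account"] not in PRIVILEGED_BASELINE:
            continue  # ordinary user accounts are out of scope for this check
        reasons = []
        if ev["src"] not in PRIVILEGED_BASELINE[ev["account"]]:
            reasons.append("new source host")
        if ev["time"].hour not in BUSINESS_HOURS or ev["time"].weekday() >= 5:
            reasons.append("outside business hours")
        if ev["account"] in SERVICE_ACCOUNTS and ev["type"] == "interactive":
            reasons.append("service account used interactively")
        if reasons:
            findings.append((ev["account"], ev["src"], ev["dst"], reasons))
    return findings

if __name__ == "__main__":
    for account, src, dst, reasons in check_privileged_use(SAMPLE_LOG):
        print(f"{account} {src} -> {dst}: {', '.join(reasons)}")
```

The two after-hours logons to DC01 from a finance workstation are the kind of signal the text describes; the in-hours admin logon from a baselined host and the ordinary user logon produce nothing.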
Vectra analysts compiled user, process and security challenges that were common across different customer engagements.
Our teams work closely with security teams daily, responding to critical alerts generated by the Vectra AI-driven threat detection and response solutions. When we initially engage with customers, it is not obvious if a threat is ransomware. As alerts grow in severity, we’re able to gain additional clarity and context about the attack and determine if it is in fact ransomware. We have found an array of security tools and security practices that make it harder for adversaries to carry out successful ransomware campaigns and ultimately stop them with certainty. This includes.