Advanced Stages of Ransomware: Securing Data and Mitigating Impact

This is the final installment of our ransomware blog series. We suggest reading "Understanding and Preventing Early Stages of Ransomware Attacks" and "Mid-Stage Ransomware Protection: Strengthening Security Against Privilege Escalation and Defense Evasion" before continuing on to this post.

As ransomware attacks progress into the later stages, attackers increasingly focus their TTPs on lateral movement, data collection, exfiltration, and disrupting operations through data encryption and destruction. With 70% of attacks resulting in sensitive data encryption and a fivefold increase in ransom bills over the last year (Sophos), the need to protect mission-critical data within federal agencies, amid mandates for improved efficiency, is greater than ever. To effectively combat the advanced stages of ransomware attacks, agencies must focus their cybersecurity controls on identity and access management (IAM), Network Detection and Response (NDR), and data resiliency and recovery solutions from vendors like CyberArk, ExtraHop, and Veeam.

Stage 9: Lateral Movement (Day 5-7)

Attackers move laterally to spread across target networks using techniques such as RDP, SMB/NTLM relay, remote services, and pass-the-hash attacks.

  • CyberArk PAM prevents lateral movement by enforcing strict privileged access controls, provisioning admin access, and restricting unauthorized system modifications, mitigating the risk of pass-the-hash and RDP attacks.
  • Qualys proactively identifies and remediates system vulnerabilities facilitating lateral movement, automatically securing remote and internal network pathways.


Stage 10: Collection (Day 6-7)

Attackers collect and prepare data for exfiltration through sensitive data staging, clipboard data captures, and screen captures.

  • Qualys EDR telemetry identifies processes enumerating large numbers of files, writing to atypical local paths, or invoking clipboard/screen-capture APIs.
  • ExtraHop raises network-level staging and exfiltration alerts by detecting bulk SMB, RDP clipboard, or HTTP POST activity, automatically flagging unusual egress sizes and protocols.


Stage 11: Exfiltration (Day 7-8)

Attackers exfiltrate data through channels such as C2 infrastructure, automated scripts, and web protocols.

  • Qualys identifies nefarious exfiltration attempts through User and Entity Behavior Analytics (UEBA), automating rapid response and containment actions.
  • ExtraHop continuously monitors C2 channel traffic by combining real-time network analytics, behavioral detection, encrypted traffic analysis, and automated threat intelligence integration to swiftly detect and respond to C2 channel activities.


Stage 12: Impact (Day 8+)

Ransomware attackers inflict damage and demand payment by executing encryption, data destruction, system shutdowns, and double extortion tactics, leaking stolen data if the ransom is unpaid.

  • Veeam enhances protection by automating immutable backups of sensitive data across on-premises, hybrid, and multi-cloud environments, reducing the value and impact of attackers’ data collection attempts.
  • Veeam secures and stores backups of mission-critical data in tamper-proof, air-gapped repositories to prevent threat actors from exfiltrating, modifying, or deleting sensitive data.
  • Veeam automates ransomware resiliency and rapid recovery:
    • Comprehensively and efficiently restores mission-critical systems, machines, specific applications, or individual data files, giving granular control over ransomware recovery and ensuring operational resiliency for the agency.
    • Automatically scans backup files for ransomware and other threats to prevent the reintroduction of compromised data during restoration.


The advanced stages of ransomware attacks pose significant risks to federal agencies, with attacks leading to an average system downtime exceeding three weeks and recovery costs averaging $3.58 million for impacted organizations (Sophos). To protect the mission, federal agencies must adopt comprehensive cybersecurity strategies by integrating CyberArk’s IAM, Veeam’s data resiliency and recovery, Qualys’ vulnerability management, ExtraHop’s NDR, and InfoSec Global Federal’s cryptographic posture management solutions. Integrating these solutions enables a cohesive defense to strengthen resilience, mitigate risk and potential impact, and ensure fail-safe ransomware recovery to effectively maintain national security.
