The Ransomware War

The effectiveness of ransomware is increasing – due in part to the use of the non-federalized form of payment known as cryptocurrency, but more so due to the effective and dynamic nature of the initial attack vector used in a ransomware campaign.  The sophistication of the tools being used, as well as attack strategies that prey on poor cyber hygiene practices, are the core components that can bring an organization to a screeching halt and result in defeat for cyber defenders.

Ransomware, at the core, threatens the reputation and operations of a business by denying service consumption and access to assets. Taking it up a notch, threat actors may foster further damage and exploitation by publicly exposing data or leaking critical, sensitive information to public warehouses. Corporations and government organizations alike must take a militant approach to secure their infrastructure if they wish to remain viable and should consider an approach to managing ransomware threats that is akin to campaigns of war.

The battleground

On the offensive, cyber attackers gain the knowledge necessary to penetrate an organization’s landscape using techniques such as phishing and social engineering. Once inside, threat actors begin searching for vulnerabilities to gain access to assets, hunt for valuable organizational data, and ultimately encrypt data that they believe is valuable and hold it ransom for a substantial payout.

On the defensive, cybersecurity professionals will use security awareness training, institute policies and procedures for cyber hygiene and data backup strategies, and deploy privileged access management (PAM) and endpoint cybersecurity tools.

The war is won either by hackers receiving their ransom or the infrastructure team successfully thwarting their attack. Let’s take a closer look at the battle strategies.

Offensive strategy

An organization’s entire IT/OT infrastructure is susceptible to ransomware attacks, from the routers and switches that pass data all the way to the endpoints in which the application transactions occur. Organizations must consider that an attacker is not a lone individual sitting in a basement eating delightful chips hoping to score a single, random incident, but rather a team of cyber engineers working together to find the greatest-valued assets at the largest companies, to get the largest payoffs. Crowdstrike has described the most efficient technique of targeted ransomware deployment as “Big Game Hunting,” the art of targeting institutions that are likely to pay high ransom due to the criticality of services.

To deter detection, cybercriminals leverage ransomware-as-a-service (RaaS) tools, which highly morph their signatures to keep the execution footprint from being detected by anti-virus scanners looking for static signature executables or programs that exhibit common patterns. To assist in the attack’s impact, ransomware tools look to hunt and destroy backups stored on local devices, making the option of recovery that much more difficult. But, bottom line, it all starts with the encryption of files to remove access from the organization.

Defensive strategy

Security awareness and training are at the cornerstone of creating the best defensive strategy for an organization. Increasing employee awareness of how cybercriminals use phishing and social engineering to obtain the vital information that will allow them to gain access and then move laterally throughout the organization, to encrypt and hold valuable assets for ransom, is the most effective defense. Beyond educating a human firewall, maintaining proper cyber hygiene is the most effective way to ensure proper policies and procedures are implemented across the organization to minimize the impact of a ransomware attack.

Several policies can be immediately instituted to increase the likelihood of surviving a ransomware attack.

• Separate the backup of critical data from the physical access of the asset in question. If the ransomware application can’t remove it or destroy it via encryption, then it is a viable path to recovery.
• Utilize endpoint security tools that enforce the restriction of file read, write, and modify access to unknown applications. This defeats the ability of unknown applications to encrypt or write new data in new locations.
• Remove local administration abilities to elevate privilege.
• Deploy tools that enable accurate threat detection and IOC awareness. Such threat intelligence will give IT/OT organizations time to evaluate the potential threat, investigate, and mitigate the damage effectively.

Merlin Cyber has solution offerings that can help implement these strategies. Cyber Observer, our cyber hygiene solution, manages and monitors the hygiene in an organizational environment to determine if policies are being effectively enforced in real-time. Incorporating the combination of CyberArk for PAM and VMware Carbon Black EDR for file-level access control delivers the essential components which mitigate much of the effectiveness of ransomware attacks. These solutions stop bad actors from elevating privilege and thwart them from encrypting files. Lastly, Darktrace’s sophisticated AI/ML engine can detect and stop actors trying to identify vulnerabilities and laterally move across an organization.

Final thoughts

Ransomware strategies are becoming more effective as threat actors consider the landscape of the targeted organization and the preventative nature of the tools which may be available to detect the campaign. IT/OT organizations must take a serious approach to their infrastructure and limit their exposure to vulnerabilities by employing strict cyber hygiene practices to limit elevated privilege and file management control to prevent unauthorized and unintentional writes at the endpoint. Defense teams must also evaluate how vulnerable a backup is based upon live data’s proximity to the archived backup asset.

Merlin’s solution offerings can be combined to create a strong defense to the dynamically changing attack strategy of the Ransomware War.