It looks like we are on the verge of another crisis caused by ransomware attacks and the proliferation of the Ransomware-as-a-Service (RaaS) model, which allows even relative newcomers to get into the big game. Every week, the media are full of headlines announcing that a well-known enterprise or government organization has become the latest victim of an attack: its systems were locked, and sensitive data was stolen. These organizations most likely had everything they needed for timely ransomware detection, but in some way the attackers outplayed the security team.
The crisis we mentioned is not really about the number of attacks, which is steadily growing as the number of RaaS affiliates increases, but about data theft before files are encrypted. According to the report released by Coveware in November 2020, in the third quarter cybercriminals successfully exfiltrated data in about half of their attacks. That is twice the share seen in the previous quarter. Another interesting figure in the report is the average ransom payment, which has already exceeded $230,000.
Ransomware attacks became a problem in the mid-2000s, when cybercriminals switched from simple screen lockers, which were easily bypassed by advanced users but still made a good profit, to encrypting files, which without the decryption key means almost guaranteed data loss. In the early 2010s, the first ransomware worm appeared, and a few years later cybercriminals started massive spam campaigns aimed mainly at non-corporate users, while the ransomware detection capabilities of companies were mostly sufficient for them not to feel the threat. In 2016, the first Ransomware as a Service appeared, still intended for attacks on individuals. In May 2017, the WannaCry outbreak showed the world that organizations can be a lucrative target and that recovering from a ransomware attack is very expensive. NotPetya only confirmed this, and soon the big players switched completely to attacks on organizations in order to reach the backup servers and encrypt as many key systems as possible with no possibility of recovery. At the end of 2019, Maze RaaS affiliates began to steal data after infiltrating the organization’s network and then posted it on a specially created resource in order to put pressure on victims and force them to pay very large ransoms. This quickly became popular, and as we can see from the report, cybercriminals now steal data in every second attack.
Until recently, cybercriminals played relatively fair: once the ransom was paid, they provided some kind of evidence that the data had been deleted. But there is no honor among thieves, and there are now more and more cases in which adversaries do not delete the data after receiving a ransom payment. On at least a few occasions, Sodinokibi ransomware affiliates have repeatedly demanded money to delete files after the encrypted systems had been restored. But this is not the only RaaS with “corrupted” affiliates. Attackers behind Netwalker and Mespinoza were also seen not deleting files, as confidential information was published on their “sites” due to some “technical glitches” after a ransom had been received. The group behind Conti ransomware tried to trick victims by sending them fabricated evidence of data deletion.
We should also mention the pioneer of file stealing, Maze RaaS and its affiliates. According to the report, there have been cases where affiliates made data public before even informing the victim that it had been taken. Maze operators are known to weed out affiliates who violate their rules, and some of those affiliates, as in the Sodinokibi situation, try to re-obtain a ransom from the attacked companies or try to sell the data on the DarkNet. The situation is aggravated by the fact that many security solutions now provide ransomware detection, so attackers often cannot encrypt a sufficient number of systems. But they still hold all the data stolen in such half-failed attacks, and they try to get at least some profit from it in any way they can.
Of course, ransomware attack detection is crucial for continuous cyber defense, and you can implement it using the tools your organization already has. Even though a unique ransomware binary is compiled for each attack on an organization, some antivirus solutions will be able to recognize and neutralize it. There are many rules for SIEM and NTDR solutions that can identify anomalies indicating a ransomware attack. But it is equally important to detect the threat as early as possible, because file encryption is already the final stage of an attack, when sensitive data is already in the hands of cybercriminals. To penetrate the organization’s network, ransomware gangs can brute-force RDP credentials, purchase compromised credentials on DarkNet markets, use good old phishing, or exploit known vulnerabilities. After penetration, attackers seek access to Active Directory (from where it is easiest to centrally infect all workstations) and to backup servers in order to delete all backups, collecting all the sensitive data they can find along the way. So far, the group notorious for using Ryuk ransomware is considered the champion: they have managed to encrypt systems within five hours of penetrating the network.
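As an added example (not content from this post or from SOC Prime), here is a small Python detector for two of the early-stage signals described above: a burst of failed RDP logons from one source against one host, and process launches that delete local backups. It runs over constructed Windows-style security events; the pipe-delimited log format, the thresholds and the backup-deletion command patterns are assumptions, not rules from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp|event_id|host|key=value ..." form
# (not real telemetry from any product). 4625 = failed logon, 4688 = process creation.
SAMPLE_LOGS = """\
2020-11-20T01:00:01|4625|srv-rdp01|LogonType=10 IpAddress=203.0.113.7 User=admin
2020-11-20T01:00:04|4625|srv-rdp01|LogonType=10 IpAddress=203.0.113.7 User=administrator
2020-11-20T01:00:09|4625|srv-rdp01|LogonType=10 IpAddress=203.0.113.7 User=backup
2020-11-20T01:00:15|4625|srv-rdp01|LogonType=10 IpAddress=203.0.113.7 User=svc_sql
2020-11-20T01:00:21|4625|srv-rdp01|LogonType=10 IpAddress=203.0.113.7 User=helpdesk
2020-11-20T01:00:40|4625|ws-0042|LogonType=2 IpAddress=- User=jdoe
2020-11-20T01:31:00|4625|ws-0042|LogonType=10 IpAddress=198.51.100.5 User=jdoe
2020-11-20T03:12:00|4688|srv-backup01|CommandLine="vssadmin.exe delete shadows /all /quiet"
2020-11-20T03:12:05|4688|srv-backup01|CommandLine="wbadmin delete catalog -quiet"
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one constructed log line into a dict with a datetime and its key=value fields."""
    ts, event_id, host, rest = line.split("|", 3)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"time": datetime.fromisoformat(ts), "event_id": int(event_id), "host": host, **fields}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (host, source IP) pairs with >= threshold failed RDP logons (LogonType 10) in one window."""
    buckets = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("LogonType") == "10":
            buckets[(e["host"], e["IpAddress"])].append(e["time"])
    alerts = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts

# Assumed indicator, not named on the page: commands that wipe shadow copies / backup catalogs
BACKUP_TAMPER_RE = re.compile(r"vssadmin.*delete\s+shadows|wbadmin.*delete\s+catalog", re.I)

def detect_backup_tampering(events):
    # Return (host, command line) for process creations that delete local backups
    return [(e["host"], e["CommandLine"]) for e in events
            if e["event_id"] == 4688 and BACKUP_TAMPER_RE.search(e.get("CommandLine", ""))]
EVENTS = [parse(line) for line in SAMPLE_LOGS.splitlines()]
```

Tuning the threshold and window to your own RDP logon baseline is what keeps the first rule from paging on a user who mistyped a password a few times.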
Unfortunately, no solution provides 100% protection against such cyber attacks, but it is possible to significantly increase the ransomware detection capabilities of the security platforms already in your organization. Every month, Threat Bounty Program developers and the SOC Prime Content Team publish dozens of SOC content items to Threat Detection Marketplace that help detect techniques, tools, and suspicious activity that may indicate the active phase of a ransomware attack. After all, it is important to detect not only ransomware binaries and their behavior but also the variety of tools and exploits used by cybercriminals during reconnaissance and lateral movement. These rules have translations for multiple platforms, including the most popular SIEM and NTDR solutions. As of this writing, Threat Detection Marketplace supports 20+ platforms, including Azure Sentinel, Chronicle Security, Humio, Corelight, Sumo Logic, the Elastic Stack, Carbon Black, CrowdStrike, Logpoint, RSA NetWitness, ArcSight, Splunk, QRadar, Apache Kafka ksqlDB, Microsoft Defender ATP, and Sysmon. We are continuously adding new supported platforms and integrations, so if you cannot find the platform you are using on this list, reach out to firstname.lastname@example.org to prioritize the development of that integration.
You can check the available content via this link, or find rules for specific tools and ransomware strains on the Content page at Threat Detection Marketplace.
We’ve recently released the Continuous Content Management (CCM) module, supporting Azure Sentinel and the Elastic Stack, to stream SOC content directly to your SIEM instance and help you automate your ransomware detection capabilities. Here you can watch the recording of the live presentation of the CCM module’s advantages. Support for other platforms is coming shortly. With the CCM module, you can not only automate the search for and installation of the required SOC content, but also keep the rules you have already deployed up to date and push those updates to your SIEM instance on the fly.
To take advantage of the CCM module, you can buy it as a separate license or get it as part of the Universe subscription tier at no additional cost. You also have the option to try it for free by requesting a 14-day Free Trial. Sign up for Threat Detection Marketplace to empower your threat detection and response capabilities.