Beating Ransomware in the Midgame: Detection Best Practices in 2022
What is Ransomware?
Ransomware (ransom + malware) is a form of malware designed to allow malicious actors to extort money from an organization. This is accomplished by using a variety of encryption techniques that lock an organization's files to then force the organization to pay for the key to unlock the data.
Ransomware attacks have become increasingly common, with attackers targeting organizations with weak security practices. In fact, a recent survey revealed that 85% of organizations have fallen prey to ransomware in the past five years. And this crime pays: the predicted global cost of ransomware attacks has climbed steeply, with a more than 4x increase between 2017 and 2021 to an estimated $20 billion, and may reach $265 billion by 2031. Indeed, modern ransomware attacks are so profitable that criminal groups like BlackByte, Conti, and REvil are continually developing new and innovative ways to systematically attack organizations while simultaneously increasing the difficulty of detection and prevention. These tactics have included the use of encrypted protocols to obscure actions such as exploitation, data gathering, and the exfiltration of data for the purposes of extortion.
Unlike early ransomware attacks that focused on targets of opportunity, modern ransomware attacks leverage detailed playbooks that rapidly take advantage of new vulnerabilities to gain access to their victims' networks. One prominent example is the speed with which the BlackByte ransomware gang began leveraging the ProxyLogon and ProxyShell vulnerabilities as part of their standard attack playbook. The adaptability of these criminal groups and their ability to bypass traditional perimeter defenses underscore the necessity of midgame detection techniques.
Ransomware Prevention Best Practices
Preventing ransomware attacks within organizations requires investment in security tools such as NDR, EDR, firewalls, and SIEM, in addition to good operational security practices and procedures. While attackers are quick to leverage new vulnerabilities and attack avenues, there are a wide variety of compensating controls that security-conscious organizations can leverage to make an attacker's job more difficult.
No security posture is foolproof—skilled and dedicated attackers with enough time and money can gain access to any environment. However, as with most criminal organizations, ransomware operators are focused on making money, which means picking easy targets for rapid paydays. Every step an organization takes to increase the difficulty in conducting a successful attack decreases the likelihood of attacks by ransomware operators.
Organizations looking to reduce the likelihood of a ransomware attack must constantly evaluate their security posture with an eye toward the changing threat landscape and evolving attacker and defender toolkits. Given the level of adaptivity attackers have shown, it is critically important to extend visibility and security practices to include the midgame. The midgame is where attackers have the most freedom of action and security teams have traditionally had the least visibility.
Some of these best practices include:
Continual User Training. This has demonstrable results, preventing users from becoming complacent about security. Continual training should cover topics including:
Identifying malicious emails
Validating the source of documents before opening them
Do not click on unknown links
Avoid disclosing personal information both in business communications and on social media
Do not use USB sticks to transport data in and out of the workplace
Evaluating Security Practices and Procedures. As organizations evolve their security posture, it is critical to avoid becoming complacent. This requires organizations to constantly re-evaluate their security practices and policies to adapt to organizational and threat landscape changes. Particular points of interest include:
Security controls, such as:
Least-privilege controls should apply to employees and partners. Security teams should consider not only the ability to access organizational data, but also the level of user permissions on local machines and network resources
Disable macros and scripts for Office documents
Disabling PowerShell scripting, or leveraging script signing and Microsoft Best Practices
Regular and rapid software updates and patches
This should include updates to operating systems such as Windows and Linux, as well as 3rd party applications
Deploy and properly maintain security tools including:
Antimalware tools such as antivirus or endpoint detection and response (EDR)
Network detection and response (NDR)
Logging data to a SIEM
Email filtering and attachment malware scanning tools
Keep regular backups of all critical data including disconnected cold storage backups
Following vendor best practices:
Security vendors typically recommend configuration options that optimize their tools to defend against ransomware
A shortlist of some of the most common vendors' recommended practices can be found at the bottom of this blog
Combating Ransomware in the Midgame
Modern ransomware is now carried out in a three-part playbook: opening (initial access), midgame (post-compromise), and endgame (extortion cycle). Each stage of the playbook consists of a variety of techniques designed to allow attackers to evade security measures, compromise additional assets, and then gain control over them.
Initial access is where attackers gain a foothold through a wide range of techniques including phishing, exploitation, and drive-by downloads.
Security controls for this phase include firewalls, EDR, email filtering, etc. These tools and controls are designed to prevent the attacker from gaining a foothold in the environment.
The midgame begins when the attacker has compromised at least one device and begins pivoting through the target infrastructure. This is where attackers have the most freedom of action. Attackers will begin reconnaissance of the target network, stealing usernames, setting up persistence mechanisms, and compromising additional systems.
Security policies for this stage include least-privilege user and device permissions, limiting or disabling PowerShell, and device posture assessment tooling. Network architectures should include segmentation and monitoring with security tooling including EDR, NDR, East/West-focused IDS, and NAC.
The extortion cycle begins with the launch of the ransomware. At this stage, the attacker has launched their final assault on the target organization. Rapid response at this stage may minimize the damage; however, it is highly unlikely that mitigation efforts will be entirely successful.
Backups, both online and offline, are critical to the success and speed of recovery operations. Backups should be performed as frequently as possible with regular cold storage backups. This ensures that if the attacker compromises one set of backups, cold storage backups are available to restore from.
How NDR Aids in Ransomware Mitigation
Preventing attackers from gaining a foothold in an environment is not always possible, but network detection and response (NDR) empowers defenders with the ability to interrupt intruders during the midgame—before they do real damage. NDR is designed to monitor network traffic patterns and protocols that attackers leverage during the midgame such as PowerShell, WMI, MS-RPC, and more.
Even with network monitoring capabilities, decryption is increasingly important for detecting attacks that leverage encrypted protocols. NDR solutions with decryption capabilities provide in-depth monitoring with the historical data needed to detect abuse of protocols such as NTLM and Kerberos, which greatly increases the ability of defenders to detect and respond to the malicious activity starting at initial access, through the midgame, and into the extortion phase of the attack.
By monitoring raw network traffic feeds, NDR can identify ransomware actors in the midgame and avoid the difficulties associated with traditional security controls like IAM, SIEM, and EDR. NDR helps defenders uplevel their detection capabilities in critical areas by:
Identifying and alerting on internal reconnaissance and enumeration behaviors
Spotting lateral movement techniques that lead to the compromise of domain controllers and data services
Spotting the exploitation of vulnerable internal services such as PrintSpooler, even when the exploit occurs over encrypted protocols
Isolating intruder and malware C&C, even in noisy DNS traffic
Identifying data staging for exfiltration and encryption activity indicative of ransomware
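As an added example (not ExtraHop's or Corr-Serve's code), here is a small flow-based detector for the first behaviour in that list, internal reconnaissance and enumeration, run over constructed flow records of the kind a network sensor emits; the internal subnets, thresholds, time window and sample flows are all assumptions.

```python
# Added example (not ExtraHop or Corr-Serve code): flag midgame reconnaissance
# from constructed flow records (timestamp, src, dst, dst_port) such as a
# network sensor would emit. Subnets, thresholds and flows are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(minutes=5)
HOST_FANOUT = 10   # distinct internal hosts reached by one source in WINDOW
PORT_FANOUT = 15   # distinct ports probed on one host by one source in WINDOW

# Constructed sample: 10.1.1.5 sweeps SMB across a subnet, 10.1.1.7 port-scans
# a single server, 10.1.1.9 is ordinary HTTPS client traffic.
SAMPLE_FLOWS = (
    [("2022-03-01T09:00:00", "10.1.1.5", f"10.1.2.{i}", 445) for i in range(1, 13)]
    + [("2022-03-01T09:01:00", "10.1.1.7", "10.1.3.20", p) for p in range(20, 40)]
    + [("2022-03-01T09:02:00", "10.1.1.9", "10.1.3.21", 443),
       ("2022-03-01T09:02:30", "10.1.1.9", "10.1.3.22", 443)]
)

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def detect_recon(flows, window=WINDOW):
    """Return {(src, kind): count} for sources with east/west fan-out.
    Flows are replayed in time order and only the trailing `window` per
    source is kept, so a slow sweep needs a wider window to be caught."""
    recent = defaultdict(list)
    findings = {}
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        if not (is_internal(src) and is_internal(dst)):
            continue  # only internal-to-internal traffic matters for the midgame
        t = datetime.fromisoformat(ts)
        recent[src] = [f for f in recent[src] if t - f[0] <= window]
        recent[src].append((t, dst, port))
        hosts = {d for _, d, _ in recent[src]}
        if len(hosts) >= HOST_FANOUT:           # network sweep
            findings[(src, "host-sweep")] = len(hosts)
        ports_per_host = defaultdict(set)
        for _, d, p in recent[src]:
            ports_per_host[d].add(p)
        for d, ps in ports_per_host.items():
            if len(ps) >= PORT_FANOUT:          # port scan of one host
                findings[(src, "port-scan")] = len(ps)
    return findings

if __name__ == "__main__":
    for (src, kind), n in detect_recon(SAMPLE_FLOWS).items():
        print(f"ALERT {kind}: {src} ({n})")
```

In a real deployment the thresholds would be tuned per segment so that legitimate scanners and monitoring hosts are allow-listed rather than alerted on.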
This blog was first posted by James Munos of ExtraHop. Corr-Serve is an authorised distributor of ExtraHop. To find out more or discuss your organisation's ransomware concerns, please reach out to one of our experts.