Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Fraud Risk Management

8 Tips for Crafting Ransomware Defenses and Responses

Assume Hackers Retain Remote Network Access Until Proven Otherwise, Experts Warn
8 Tips for Crafting Ransomware Defenses and Responses
Nefilim ransom note (Source: SentinalLabs)

Ransomware-wielding attackers are increasingly doing much more than just crypto-locking systems with malware and demanding a payoff in return for the promise of a decryption tool.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

Too often, security experts say, organizations that discover a ransomware outbreak treat it as an isolated event tied to just a few endpoints. Instead, they say that all organizations that discover ransomware must assume that the attackers are still inside the network until proven otherwise and execute a prepared incident response plan to mitigate further damage.

Some ransomware attacks involve a smash-and-grab approach, with limited repercussions. But an increasing number of ransomware-wielding attackers are employing "big game" tactics, which means they gain remote access to a network, take their time to move laterally and escalate privileges, try to identify and exfiltrate sensitive data and only then deploy ransomware.

Here are eight tips for better crafting ransomware defenses and responses.

1) Identify Attackers' Ongoing Capabilities

For any attack that involves ransomware, the fallout can be much more extensive than simply dealing with the malware. And organizations that don't quickly see the big picture will struggle to recover as quickly and cost-effectively as they might otherwise be able to do (see: Ransomware + Exfiltration + Leaks = Data Breach).

That's why understanding not just what ransomware attackers did inside a network, but what they might still be capable of doing - inside the network, as well as by leaking - is an essential part of any incident response plan, security experts say.

So too is identifying how intruders got in - or might still get in - and ensure those weaknesses cannot be exploited again, says Alan Brill, senior managing director in Kroll's cyber risk practice.

"If you don't lock it down, it's very simple: You're still vulnerable," he tells Information Security Media Group. "If you lock down what you thought was the issue but you were wrong - it wasn't the issue - that they weren't just putting ransomware in your system but they've been in there for a month examining your system, exfiltrating data and lining up how to do the most damage when they launched the ransomware, you may not even know what happened."

2) Expect Data Exfiltration

With more attackers practicing data exfiltration, senior executives should put a plan in place for how they will respond to such a situation.

In the first six months of this year, Emsisoft's free ID Ransomware service, which helps ransomware victims identify the strain of ransomware used against them and identify potential decryption options, received 100,000 submissions. "Of those submissions … just over 11% related to attacks by the groups that overtly steal data, Emsisoft writes in a blog post.

Obviously, this is a broad-brush look at data exfiltration, because gangs don't do it all the time, and some attackers may simply be doing it on the sly. "All ransomware groups have the ability to exfiltrate data," Emsisoft says. "While some groups overtly steal data and use the threat of its release as additional leverage to extort payment, other groups likely covertly steal it."

From an extortion standpoint, stealing data gives an attacker more tools. Any organization that does not meet an attacker's ransom demands - almost always payable in bitcoins - may see the attacker bringing increased psychological pressure to bear by starting to leak stolen data (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

3) Learn From Others' Mistakes

Victims' failure to successfully detect attackers inside their network and eject them in a timely fashion can have serious consequences. And victims must avoid assuming that because ransomware is involved, the crime gang wielding it might not still be camped out inside a network.

Last month, for example, the REvil gang began auctioning data from Canadian agricultural company Agromart Group, with an opening bid set at $50,000. The firm appears to have been hacked in late May and had about 22,000 files stolen, darknet monitoring firm DarkOwl reports.

Allegedly stolen emails posted by REvil to its data-leaking site, shared with ISMG by Emsisoft, include detailed conversations about how Agromart planned to respond to the attack and to potentially negotiate with the gang - suggesting that attackers were still inside the victim's network. Clearly, attackers' ability to eavesdrop on these types of communications gives them an edge on any negotiations.

4) Assume Attackers Still Have Access

Here's one strategy for better avoiding these types of scenarios: "Organizations should assume their perimeters will be breached and monitor their environments for signs of compromise," Brett Callow, a threat analyst at Emsisoft, tells ISMG.

Per the so-called "cyber kill chain" model, defenders may have multiple chances to spot suspicious behavior - and respond - before attackers do something really bad.

"For example, Emotet, which is often used as a launchpad for attacks, may be present on a network for days, weeks or even months before being used to deploy ransomware," Callow says (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta'). "This provides organizations with a window of opportunity during which the threat can be detected and neutralized before a ransomware attack takes place."

5) Move Quickly

Detecting such attacks quickly is the best way to blunt their impact.

To do so, organizations should watch not just for malware but also "any evidence of lateral movement and data exfiltration within the environment," says security firm Trend Micro in a teardown of recent attacks tied to the Nefilim gang. "An attack's point of entry may not be where the important data is found; therefore, threat actors would need to be able to move around within the environment (host-to-host) to get to the parts of the system where the juicier data is stored,” the report states. “Being able to identify unusual outbound traffic patterns for hosts (host-to-external) is equally important, as this represents potential data exfiltration.”

Finding attackers after they have compromised a network but while they're still conducting reconnaissance can be challenging - but it’s essential, says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.

"If organizations do more proactive analysis of their environments and find traces of compromised assets at an earlier stage, they are likely to put themselves on the front foot and deal with what is an annoying compromise before they're having to deal with a ransomware outbreak," Stubley tells ISMG.

Organizations cannot rely on anti-virus alone for protection, he says, because "if the attackers have got any savvy, they'll be using payloads that don't trigger the latest AV signatures. So there's a degree of likelihood that the exploit will successfully run, bypass AV and give them a period of time in which they won't be detected."

The nuances of how to best monitor any given organization will vary according to their infrastructure, but ideally "you should be looking for anomalous outbound traffic and odd events going on in your environment," Stubley says.

6) Monitor for Odd Events

“Odd events” may include the use of innocuous-looking living-off-the-land tactics, including binaries - aka LoLBins - that are normally part of an operating system but which attackers may have subverted, as security researchers at Cisco Talos have described in an analysis of WastedLocker ransomware tactics tied to a group called Evil Corp. According to news reports, one of the gang's latest victims was fitness wearables maker Garmin.

"The adversary behind these attacks is taking advantage of various 'dual-use' toolsets, such as Cobalt Strike, Mimikatz, Empire and PowerSploit to facilitate lateral movement across environments being targeted," the researchers say.

"These toolsets are typically developed to aid with penetration testing or red-teaming activities, but their use is often co-opted by malicious adversaries as well," they say. "Additionally, the use of native operating system functionality, and what are commonly referred to as 'LoLBins,' allows attackers to evade detection and operate under the radar until they are ready to activate the ransomware and make their presence known."

WastedLocker targets by industry sector (Source: Symantec, June 2020)

Defenses against these types of tactics may include malware detection tools, web scanning tools designed to detect malicious sites, next-generation firewalls and intrusion prevention systems and malicious binary detection tools. Other steps include using Snort alerts to more quickly block known attacks well as blocking users from connecting to known-bad IP addresses and domains, Cisco says.

7) Prepare a Secure Communications Channel

In light of attacks – such as the incident affecting Agromart - in which criminals were able to spy on victims' response, Vitali Kremez, chairman of threat-intelligence firm Advanced Intel in New York, suggests organizations prepare a separate, secure communications channel as well as a walled-off storage channel to store data related to any digital forensic investigation (see: Surviving a Breach: 8 Incident Response Essentials).

"Treat ransomware attacks as data breach incidents with the hypothesis that the attackers might still be inside the network," Kremez tells Bleeping Computer. "Therefore, victims should work from the bottom up, trying to obtain forensics evidence that validates or invalidates the hypothesis."

Identifying all of the ways attackers gained access, or might have gained access, enables breached businesses to strengthen their defenses.

8) Don't Restore, Rebuild

Effectively responding to incidents that involve ransomware requires much more than just wiping and restoring systems - if companies have backups safely stored offline - or considering whether to pay a ransom in return for the promise of a decryption key. "Post-incident, companies need to rebuild their networks and infrastructure rather than simply decrypting their data or restoring it from backups," Emsisoft's Callow says. "This is the only way to eliminate the possibility of a second attack."

When organizations see a ransomware outbreak, they may need to bring in disaster recovery processes, negotiate with attackers, tap digital forensics to identify gaps in defenses and work with cybersecurity experts to better lock down the network. But if data was exfiltrated, attackers could leak it at any time, requiring the organization to notify any individuals whose personal details were compromised to comply with data breach notification rules.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.