March 15, 2022 HAWKEYE

How to Detect Ransomware Early

The proliferation of ransomware attacks in the past decade has brought many challenges to companies and cyber security teams worldwide. What started as simple ransomware attacks that a knowledgeable person could reverse has now exploded into a large industry with attackers reaping large profits with advanced forms of ransomware that is impossible to reverse.

Common Ransomware Attack Behavior

There are hundreds of different ransomware strains being used in the deployment of a ransomware attack. Each strain has different capabilities, uses different encryption techniques, and exhibits different behavior when executed. However, common indicators can be found with each ransomware strain since the underlying actions that lead to a ransomware execution are the same.

The ransomware attack cycle is comprised of 5 stages of the attack starting from the initial point of entry, reconnaissance inside the network environment, lateral movement, data exfiltration, and malware execution with the sole purpose of data encryption.

Ransomware attacks are advanced forms of cyber-attacks and are usually performed by a skilled group of hackers. Consequently, ransomware attacks are often dubbed as APTs or Advanced Persistent Threats, a form of cyber-attacks that incorporate advanced innovative ways and methods to compromise a target.

Research conducted on ransomware attacks shows that the average time from the initial point of entry to ransomware execution is around 5 days. This emphasizes the need for the capability to detect the attack early in its stages and prevent the worst-case scenario.

Prerequisites to an Effective Defense

Awareness regarding the security of information systems has increased in the past decade and has contributed to an increased global effort in fighting against cyber-attacks. To add, new standards and regulations have been enacted to drive the improvements in information security standards. This has dramatically improved organizations’ ability to detect and respond to various cyber-attacks, especially ransomware.

The main prerequisite to an effective defensive strategy against ransomware is a skilled cyber security team that can provide support on a 24/7 basis. Additional hiring of cyber security staff that performs threat hunting activities is also considered to be crucial. The 24/7 cyber security staff responds to all security alarms generated by security tools and threat hunters seek to find threats actors that are unidentified. All staff needs to act quickly in their day-to-day tasks to keep an organization safe. Additionally, following cyber security best practices and creating an environment that slows down attackers (e.g., network segmentation) significantly increases organizations’ chances of successfully defending against ransomware.

Early Ransomware Detection Points

To detect a ransomware attack early, cyber security teams need to focus on the beginning stages of the attack. However, it is best to implement monitoring and analysis at every stage of the attack to prevent the ransomware’s end goal of data exfiltration and encryption.

Employee Awareness and Phishing Protection

The most common entry point in ransomware attacks is credentials compromise. Attackers usually accomplish this by sending phishing emails and tricking users into submitting usernames and passwords to fake websites. Additional phishing methods include sending emails with malicious attachments that compromise a corporate computer by allowing the attacker to establish access.

To decrease the attack vector of attackers, organizations should deploy a comprehensive email security solution that will filter out most of the malicious emails. An additional measure for preventing a successful phishing attack is employee Security awareness training which educates the employees on safe email communication practices.

Logging, Analytics, Correlation of Events of Interest
Indicators of Compromise and MITRE ATT&CK

Another prerequisite for effective ransomware detection is logging of events that are of security interest and that can reveal a ransomware attack is ongoing. MITRE ATT&CK mapping of events being triggered that are commonly attributed to ransomware is a great way to quickly identity potential areas of concern.

Certain ransomware attacks include steps such as disabling an endpoint protection software or any anti-virus software that is present on the machine. Cyber security teams should have an alarm mechanism in place to detect any disablement of security software, which is why these logs need to be analyzed and the team alerted on any such occurrence.

Monitoring and logging of Windows Active Directory logs is another important event. Before a ransomware trigger, attackers perform reconnaissance actions and often leverage the Active Directory to discover all assets in a network. Attackers tend to query and enumerate all machines that are part of the Active Directory to target and infect the machines with ransomware.

Organizations only have one effective option in situations where a ransomware attack is successful, and that is using the backed-up version of the encrypted data. This situation often entails large financial loss for an organization since recent data is lost and the cost of recovery efforts can be enormous. But even so, many ransomware attacks include the efforts of backups and volume shadow copies deletion, rendering an organization completely helpless and without options, except paying the ransom. Therefore, every organization should have enabled logging of any backup deletion events that can indicate a ransomware attack is ongoing.

Threat Hunting and Compromise Assessment

After an attacker gains access, performs reconnaissance activities, deletes backups, and enumerates all targets, the next steps usually involve the initiation of an external connection towards a Command & Control server. Logging of network traffic, including web traffic is important to detect malicious connections. However, this is often not enough since most of the detections surrounding these malicious connections lack context. This is where experienced threat hunters leverage their skills and hunt for additional context within the environment. Threat hunters can perform hunting activities for all ransomware techniques and indicators in an environment, thus identifying and preventing the attack early, before the attackers gain a large foothold in the environment.

Most ransomware attacks have a similar pattern of behavior. Even though hundreds of different strains are seen in the wild, all use similar techniques to achieve the end goal. Therefore every organization should be aware of the common ransomware behavior and enable their cyber security teams to identify and stop ransomware attacks. Proper knowledge, along with logging and detection mechanisms, and a skilled cyber security team are most necessary for effective protection.

, , ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.