Written by: Juan Carlos Vasquez and Joseph R. Salazar
Many reports about ransomware only cover recommendations around patching, backing up, user awareness, or compensating for legacy technologies such as IDS. They omit active, defense-oriented approaches and techniques that genuinely provide early detection, so that threats can be contained and responded to automatically to limit the damage. This article covers the change in how ransomware attackers operate, the challenge of reducing dwell time, and how advanced deception technologies can help. The Attivo Networks® ThreatDefend Platform® and its partner integrations give organizations the means to minimize the detection gap, which can be the difference between a massively compromised network and merely sacrificing the initial point of compromise while learning the attacker’s intentions.
The Current State of Ransomware Attackers
Microsoft and FireEye recently published excellent intelligence reports describing how criminals have changed their ransomware tactics. Traditionally, they indiscriminately infected any asset they could reach on the network, encrypting the data on as many systems as they could to maximize the payout. Now, attackers have recognized that they can demand more substantial amounts by directing their attacks at critical systems that support the business production chain (DCs, ERPs, file and database servers, OT environments, POS, etc.).
Once they establish a foothold within the infrastructure, adversaries focus on scanning target networks and identifying critical systems in order to gain privileged access, so they can deploy the ransomware to the best effect.
Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches
As threat actors conduct internal reconnaissance and consolidate their foothold, they move laterally before “launching” the ransomware (e.g., DoppelPaymer, Ryuk). This positions them better for attacks on critical targets and lets them negotiate or “extort” from a stronger position.
Figure 2: “Human” operated ransomware attacks
In this context, the concept of “breakout time” mentioned in the recent CrowdStrike 2020 Global Threat Report becomes relevant. This new cybersecurity metric measures how quickly adversaries progress from the initial intrusion into an environment to moving laterally through the victim’s network towards their final objective. The metric is essential for defenders because it sets the parameters of the continuous race against attackers: the faster defenders can respond, the higher the chance of minimizing the cost and damage the attackers inflict. The report indicates that the average breakout time for all observed intrusions increased from 4 hours and 37 minutes in 2018 to 9 hours in 2019. Some analysts ascribe this increase to attackers taking more time to learn the network before breaking out.
In the same report, CrowdStrike continues to encourage security teams to strive to meet the 1-10-60 rule: detect threats in the first minute, understand them within 10 minutes, and respond within 60 minutes. Achieving this metric requires the correct technologies.
The FBI said during the recent RSA Conference 2020 that between January 2013 and July 2019, victims made ransom payments totaling $144.35 million. The “Ryuk” ransomware was the highest-grossing variety, generating approximately $61 million between February 2018 and October 2019.
The consulting firm Deloitte recently published a report discussing a ransomware incident that affected the city of Pensacola, Florida, at the end of 2019. The evidence showed how the attacker established a presence by taking advantage of exposed RDP services, moved laterally, extracted information from internal servers, and finally downloaded the necessary tools before detonating the “Maze” ransomware. According to the analysis, the attacker compromised 27 systems within a short period.
The asymmetry of cyberattacks does not favor defenders, especially when the adversary takes the time to study the victim’s assets in more detail to identify the “juiciest” targets before releasing ransomware.
Figure 3: Chronology of the attack on the City of Pensacola.
FireEye Mandiant, in its recent M-Trends 2020 report, found that globally, companies improved the average time to detect cyber-attacks after the initial compromise. This metric, better known as dwell time, decreased to 56 days in 2019 compared to 78 days in 2018. The report also found that organizations faced more disruptive attacks, with 43% of incidents involving destructive elements such as ransomware. This rise may be one reason for the drop in dwell times, since ransomware attackers want victims to discover the malware quickly, unlike espionage actors such as APTs, who seek to remain undetected.
Figure 4: Historical global dwell time, by FireEye Mandiant
The Value of Deception in Advanced Defense Strategies and the Problem of Ransomware
Numerous reports from various sources give a practical understanding of deception technology’s ability to provide early detection of in-network threat activity, including network and Active Directory reconnaissance, lateral movement, and ransomware. While analysts acknowledge that traditional prevention solutions such as EDR, NAC, and firewalls have a role, they have limited effect inside the network.
Organizations have often dismissed scanning activity within the network as typical background behavior, and analysts and administrators have overlooked reconnaissance because they lacked visibility into it. With the campaigns observed today, early detection of such activity has become vital to reducing the impact of a breach. The difference for the business lies in minimizing dwell time by quickly detecting the first signs of a threat or intrusion and avoiding a massive spread that compromises the entire organization.
A recent report from Enterprise Management Associates (EMA) reports a 91% reduction in dwell times for users who make use of deception technology.
The Challenge of Ransomware and the Immediate Value of Deception
The first ransomware or related malware infection often begins with an unsuspecting user opening an email attachment carrying a malicious payload. The malware attacks the victim’s system, encrypts or compromises files on the host, including those on mapped file shares, then spreads to other hosts, if possible.
Through proprietary technology, the Attivo Networks® ThreatDefend® platform natively fights ransomware and related malware with a combination of BOTsink® deception server and the ThreatStrike® component of the Endpoint Detection Net suite of products. It does this by deploying decoy systems, including network file servers, and adding a series of fake artifacts on endpoints, including credentials and “mappings” to fake file shares.
Since malware or ransomware will generally attack local and network files, it will engage with assets stored on the BOTsink decoy file server through the decoy mapped shares. Any interaction immediately triggers an alert and also initiates ransomware mitigation. The decoy environment continuously feeds the ransomware data while rate-limiting the connection, delaying the attack as it encrypts useless data. This delay gives the analyst or incident response team time to react, manually or automatically, while also slowing down the activity of the attacking host. Where it usually takes only a few seconds for an infected host to encrypt its target files, this activity now takes minutes or even hours.
This capability drastically delays the attack and interrupts its spread. The incident response team gains additional time to respond to and eradicate the threat, minimizing the reach and damage of the ransomware. The analyst also has the unique advantage of employing a sinkhole to capture command-and-control communications. This can be used to gather critical information on the malware’s control infrastructure, identify any polymorphic activity, and aid in completely eradicating the threat, while gaining an understanding of the threat’s behavior for further forensic analysis (domains / URLs, additional payloads, etc.).
Figure 5: Attack visualization showing the source of the ransomware infection
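The two mechanisms described above, canary files on a decoy share whose modification is an unambiguous alert, and a rate-limited feed that makes an encryptor waste its time on worthless data, can be illustrated with a small self-contained script. The following is an added example written for this article; it is not code from the Attivo Networks platform, and the decoy directory, the canary file names and contents, the entropy threshold and the throughput cap are all constructed assumptions for the demonstration.

```python
"""Decoy-share monitor (constructed example): detect tampering with canary files
and serve decoy data at a capped rate. Not product code; all values are assumed."""
import hashlib
import math
import os
import tempfile
import time

# Hypothetical canary documents planted on the decoy share. No legitimate process
# should ever open, rewrite, rename or delete them, so any change is an alert.
CANARY_FILES = {
    "Q3_payroll.xlsx": b"employee,salary\nalice,1\nbob,2\n" * 40,
    "passwords_backup.txt": b"vpn: hunter2\n" * 20,
    "board_minutes.docx": b"Minutes of the meeting. " * 100,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text sits around 4-5; encrypted output approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(decoy_dir: str) -> dict:
    """Write the canary files and return the baseline {file name: sha256}."""
    baseline = {}
    for name, content in CANARY_FILES.items():
        with open(os.path.join(decoy_dir, name), "wb") as fh:
            fh.write(content)
        baseline[name] = sha256(content)
    return baseline


def scan_decoys(decoy_dir: str, baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Compare the decoy directory against its baseline.

    Returns a list of (kind, name, detail) tuples. A changed file whose content
    now has high entropy is reported as 'encrypted'; missing canaries (deleted or
    renamed with a new extension) as 'deleted'; anything unexpected (ransom notes,
    encrypted copies) as 'new_file'. The threshold is an assumed value."""
    alerts = []
    present = set(os.listdir(decoy_dir))
    for name, digest in baseline.items():
        if name not in present:
            alerts.append(("deleted", name, "canary file missing (removed or renamed)"))
            continue
        with open(os.path.join(decoy_dir, name), "rb") as fh:
            data = fh.read()
        if sha256(data) != digest:
            ent = shannon_entropy(data)
            kind = "encrypted" if ent >= entropy_threshold else "modified"
            alerts.append((kind, name, f"content changed, entropy {ent:.2f} bits/byte"))
    for name in sorted(present - set(baseline)):
        alerts.append(("new_file", name, "unexpected file on decoy share"))
    return alerts


class ThrottledFeed:
    """Serve decoy bytes no faster than bytes_per_sec, so an encryptor that has
    taken the bait spends minutes on data nobody cares about."""

    def __init__(self, bytes_per_sec: int, chunk_size: int = 64):
        self.bytes_per_sec = bytes_per_sec
        self.chunk_size = chunk_size

    def serve(self, data: bytes):
        start = time.monotonic()
        served = 0
        for offset in range(0, len(data), self.chunk_size):
            chunk = data[offset:offset + self.chunk_size]
            served += len(chunk)
            # Sleep until the bytes served so far fit under the rate cap.
            allowed_elapsed = served / self.bytes_per_sec
            elapsed = time.monotonic() - start
            if allowed_elapsed > elapsed:
                time.sleep(allowed_elapsed - elapsed)
            yield chunk


def simulate_and_scan() -> list:
    """Plant canaries in a temp dir, simulate an encryptor touching them, and scan.
    The 'attacker' actions are constructed: overwrite one canary with random bytes,
    rename another with a new extension, and drop a note."""
    with tempfile.TemporaryDirectory() as decoy_dir:
        baseline = plant_canaries(decoy_dir)
        assert scan_decoys(decoy_dir, baseline) == []  # clean state: no alerts
        with open(os.path.join(decoy_dir, "Q3_payroll.xlsx"), "wb") as fh:
            fh.write(os.urandom(4096))
        os.rename(os.path.join(decoy_dir, "passwords_backup.txt"),
                  os.path.join(decoy_dir, "passwords_backup.txt.locked"))
        with open(os.path.join(decoy_dir, "README_TO_RESTORE.txt"), "w") as fh:
            fh.write("your files are encrypted")
        return scan_decoys(decoy_dir, baseline)


if __name__ == "__main__":
    for kind, name, detail in simulate_and_scan():
        print(f"ALERT [{kind}] {name}: {detail}")
    t0 = time.monotonic()
    payload = b"".join(ThrottledFeed(bytes_per_sec=8192).serve(b"x" * 1024))
    print(f"served {len(payload)} decoy bytes in {time.monotonic() - t0:.3f}s")
```

The hash comparison catches any rewrite, while the entropy check separates an in-place encryption from a benign edit; the rename and the dropped note surface as a missing canary and an unexpected file. The throttle shows why the delay matters: at 8 KiB/s a 1 KiB file takes an eighth of a second, and scaled to a share of decoy gigabytes the encryptor is held for hours, which is the window the incident response team needs.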
The Attivo Networks ThreatDefend platform gives visibility into and detection of ransomware activity before it can spread. Organizations gain comprehensive detection early in the attack cycle, from the reconnaissance phase, to lateral movement, to the exploitation itself, empowering the defender and eliminating the attacker’s advantage. Unlike legacy technologies based on the outdated concept of honeypots, Attivo’s award-winning technology provides the analyst with the full picture of an attack. By correlating activities – including the ransomware phase – and providing the network context for each step of the attack, it allows security teams to make intelligent decisions from actionable alerts, without using any agents or impacting production. The ThreatDefend platform integrates with many security solutions to accelerate incident response with automatic blocking, isolation, and threat hunting, allowing organizations to reduce dwell time and respond to attacks quickly.
1) Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT https://bit.ly/2IgyzOQ
2) Deloitte Executive Summary of Pensacola City – https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF
3) FireEye Mandiant M-Trends 2020 – https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
4) 2020 CrowdStrike Global Threat Report – https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report/
5) Ransomware Mitigation System | Patent granted to Attivo Networks: 10509905 – https://patents.justia.com/patent/20190073475
6) Ransomware victims are paying out millions a month. One particular version has cost them the most – https://www.zdnet.com/article/fbi-ransomware-victims-have-paid-out-140-million-one-version-has-cost-them-the-most/
7) Case Studies of Detection and Defense against ransomware from Attivo Networks:
8) Human-operated ransomware attacks: A preventable disaster – https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
9) They Come In The Night: Ransomware deployment trends – https://www.fireeye.com/blog/threat-research/2020/03/they-come-in-the-night-ransomware-deployment-trends.html
10) France warns of new ransomware gang targeting local governments – https://zd.net/2QsWzCU