
Ransomware, the limits of prevention, and active defense

by Amir Moin

Smokescreen Ransomware Defense

We’re almost halfway through 2021, and there seems to be a ransomware resurgence.

Or that’s what the headlines will have you believe.

On the contrary, the opposite might be true.

According to Sophos’ State of Ransomware 2021 survey, ransomware attacks actually went down. Only 37% of the organizations surveyed said they had been hit by ransomware in the previous year, compared to 51% in the 2020 survey.

So why does it feel like ransomware attacks have gone through the roof? The answer emerges when you look at the victims – high-profile targets.

Here are some headlines from the last couple of months:

Ireland’s Health Services hit with $20 million ransomware demand

The Conti ransomware gang attacked Ireland’s publicly funded healthcare system. The Irish Health Service had to shut down all of its IT systems. The attack disrupted COVID-19 testing, crippled diagnostic services, and forced hospitals to cancel appointments.

Ransomware attack leads to shutdown of major U.S. pipeline system

Colonial Pipeline, one of the biggest fuel pipeline operators in the US, shut down its entire pipeline network following an attack by the DarkSide ransomware group. The shutdown led to gas price increases, panic buying, and supply shortages. The company paid a 75 bitcoin ransom, worth roughly $5 million at the time of writing.

Axa division in Asia hit by ransomware cyber attack

One of Axa’s businesses in Asia got hit by Avaddon ransomware. 3TB of sensitive data was stolen, including customer medical reports (exposing their sexual health diagnosis), copies of ID cards, bank account statements, claim forms, payment records, contracts, and more. The attack impacted IT operations in Thailand, Malaysia, Hong Kong, and the Philippines.

Toshiba subsidiary confirms ransomware attack

A European subsidiary of Toshiba was the victim of a ransomware attack. Sources inside the company believe DarkSide is behind it, but there was no confirmation when this post was published. 740 GB of data, including passports and other PII, was stolen. The company had to sever network connections between Japan and Europe to stop the spread of ransomware.

US cyber insurance major CNA Financial hit with ransomware

One of the biggest players in the cyber insurance space (yeah, we see the irony) suffered a ransomware attack that affected operations for three days. The company was forced to shut down parts of its network to limit the spread and contain the damage. The company has not disclosed whether data was stolen, but even the possibility is a big deal: a compromised insurer’s records could tell adversaries which companies had applied for or acquired cyber insurance, the scope of their coverage, their policy limits, and their deductibles. That is, in effect, a list of who can afford to pay, and how much.

Acer hit with $50 million ransomware demand

The REvil ransomware operation breached computer giant Acer, resulting in the largest ransomware demand known at the time. Images leaked by the ransomware operators showed they had access to some of the company’s financial spreadsheets, bank balances, and bank communications.

Big targets, bigger payouts

Ransomware gangs are now going after meaty targets. After all, why rob a person when you can rob a bank where everyone keeps their money?

It’s no surprise then that the average cost of recovering from a ransomware attack has more than doubled, from US$761,106 in 2020 to US$1.85 million in 2021 (again per the Sophos survey; this figure includes downtime, people time, device and network cost, lost opportunity, and any ransom paid).

According to Coveware, ransomware demands are up 43% so far in 2021.

The common thread

So aside from being meaty targets, what else is common between ransomware victims these days? They all make significant investments in cybersecurity.

Look at the scale of these companies. They have large security teams, a bevy of infosec consultants at their disposal, and all the cool tools to defend – endpoint detection and response, DLPs, SIEMs, cloud SIEMs, SIEMs that are also UEBA. You get the drift.

Then why do they suffer these ransomware attacks?

Different folks will give different answers to this question. Media outlets will not move beyond the sensational headlines, consultants will say there aren’t enough skilled people in the company, EDR vendors will say there’s not enough endpoint coverage, SIEM vendors will say log ingestion from critical segments is missing, the OT folks will say it’s hard to defend non-IT assets, and deception vendors will say there are no decoys or honeypots!

Essentially, anyone who has a horse in the race is going to give one-dimensional answers.

Here’s the thing though; the companies that suffer these breaches are pretty good at cybersecurity. More often than not, they operate at the cutting edge.

The answer to why they get hit by ransomware is more nuanced. It’s because there are limits to prevention.

Active defense and ransomware

If you happen to be one of the most frequently targeted companies, it’s only a matter of time before you’ll get breached despite having the best preventive controls in place.

Why? Because a preventive control is built against the threat as it was understood when the control was designed and deployed; it assumes the threat is static. With ransomware, the threat keeps evolving. The boring bits of ransomware have been automated, there are dedicated ransomware-as-a-service operations (REvil allegedly made $100 million in 2020), and there are human adversaries behind the ransomware who are constantly cooking up new ways of compromising their targets.

Further, most solutions to security problems take a siloed approach. Want to defend endpoints? Cover them with an EDR. More visibility? Network traffic analysis (NTA). Malicious behavior? UEBA. Ransomware doesn’t discriminate. It doesn’t just go after your endpoint or server zone. Once it gets in, it goes after everything it can reach.

Prevention doesn’t always work because ransomware is a moving target.

Businesses need a different approach for dealing with it – Active defense.

Why active defense for ransomware?

Ransomware is capable of interacting with all parts of your IT environment. Focussing your efforts on just one part of it will have diminishing returns. Dealing with something like ransomware demands a holistic approach. Your strategy needs to cover critical areas of the environment to be effective.

Active defense helps you do that. The approach is use case-driven and balanced in its outcome. You pick the use case (in this instance, ransomware) and focus on where you want to be most effective (e.g. the DMZ, Active Directory, critical server segments, privileged user accounts, privileged workstations, etc.).

Active defense in action

What we’re recommending isn’t something experimental. Forward-thinking security teams are building dedicated deception-based active defense programs, in some cases around specific risks like ransomware.

We have an insurance customer that has done this. They already had a firewall, network segmentation, anti-virus, EDR, and SIEM when they deployed Smokescreen. They were concerned about ransomware (rightly so).

The idea of planting decoy file shares in key segments was adopted as the primary strategy to detect ransomware in the lateral movement phase. In the event of a detection, the organization’s internal incident response process would kick in.

The goal was to detect ransomware spreading on the network, quickly understand the nature of ransomware, and allow established incident response processes to contain the threat.

The security team planted network decoys in the DMZ and DC segments. The hypothesis behind this decision was that assets in the DMZ were at a high risk of infection, so lateral movement activity would most likely show up in those segments first.

The decoys themselves were projecting a diverse set of network services ranging from decoy SMB file shares to FTP servers to SSH servers and decoy applications.

Sure enough, the company was hit by a ransomware attack. The incident started a little after midnight and a minute later, Smokescreen had raised a detection. Smokescreen was the first security control to raise an alarm.

Investigation revealed that all decoys masquerading as file shares had been encrypted within the DMZ segment. The decoy files hosted on these file shares had been encrypted and renamed, which allowed for easy identification of the ransomware strain.

Root cause analysis further revealed that the lateral movement phase of the ransomware attack was detected by Smokescreen less than a minute after it began encrypting assets.
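The decoy file shares described above work because nothing legitimate should ever touch a decoy: any change to a decoy file is an alert, and the way ransomware changes files (overwriting contents with ciphertext, appending an extension, dropping a ransom note) is itself evidence about the strain. The following is an added example, not Smokescreen’s code, of the minimal check behind such a decoy. It plants a few low-entropy decoy documents in a directory standing in for a decoy SMB share, records a baseline, and on each check reports files that were renamed, deleted, rewritten to high-entropy data, or newly created. The decoy names, the `.locked` extension, and the ransom note name are constructed for the example; `simulate_ransomware` is a stand-in for an encryptor, not real malware.

```python
"""Decoy file-share canary check (added example; assumes a local directory
stands in for the decoy SMB share, and uses constructed decoy names)."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed decoy names: chosen to look worth encrypting, never used by real users.
DECOY_NAMES = ["Q2-budget.xlsx", "board-minutes.docx", "payroll-2021.csv"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Repetitive plaintext sits far below 6; ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(share: Path) -> None:
    """Write low-entropy decoy documents into the share directory."""
    share.mkdir(parents=True, exist_ok=True)
    for name in DECOY_NAMES:
        body = (f"decoy,{name},2021-05,approved\n" * 200).encode()  # constructed content
        (share / name).write_bytes(body)


def baseline(share: Path) -> dict:
    """Map each decoy file name to the SHA-256 of its untouched contents."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in share.iterdir() if p.is_file()}


def check_decoys(share: Path, base: dict, entropy_threshold: float = 7.0) -> list:
    """Compare the share with the baseline and return one finding per deviation."""
    findings = []
    present = {p.name: p for p in share.iterdir() if p.is_file()}
    for name, digest in base.items():
        if name not in present:
            # Common encryptor behaviour: keep the name and append an extension,
            # e.g. Q2-budget.xlsx -> Q2-budget.xlsx.locked. Report the extension;
            # it is the first clue an analyst uses to identify the strain.
            renamed = [n for n in present if n.startswith(name + ".")]
            if renamed:
                data = present[renamed[0]].read_bytes()
                findings.append({"type": "renamed", "file": name,
                                 "new_name": renamed[0],
                                 "new_extension": renamed[0][len(name):],
                                 "entropy": round(shannon_entropy(data), 2),
                                 "looks_encrypted": shannon_entropy(data) >= entropy_threshold})
            else:
                findings.append({"type": "deleted", "file": name})
            continue
        data = present[name].read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            # Encrypted in place: same name, new contents, entropy near 8 bits/byte.
            findings.append({"type": "modified", "file": name,
                             "entropy": round(shannon_entropy(data), 2),
                             "looks_encrypted": shannon_entropy(data) >= entropy_threshold})
    for name in present:
        if name not in base and not any(name.startswith(b + ".") for b in base):
            findings.append({"type": "new_file", "file": name})  # ransom note candidate
    return findings


def simulate_ransomware(share: Path, ext: str = ".locked") -> None:
    """Constructed stand-in for an encryptor: overwrite, rename, drop a note."""
    for p in list(share.iterdir()):
        if p.name in DECOY_NAMES:
            p.write_bytes(os.urandom(p.stat().st_size))
            p.rename(p.with_name(p.name + ext))
    (share / "README_TO_RESTORE.txt").write_text("your files are encrypted\n")


def demo() -> list:
    """Plant decoys, confirm silence, run the stand-in encryptor, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "finance-share"
        plant_decoys(share)
        base = baseline(share)
        if check_decoys(share, base):
            raise RuntimeError("decoy share must be quiet until something touches it")
        simulate_ransomware(share)
        return check_decoys(share, base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the baseline would be stored off-box and the check run on a short interval (or driven by file-system notifications) from a host that mounts the decoy share read-only; every decoy host should also log the SMB session that did the writing, since the source address of that session is the infected machine the incident responders need to isolate first.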

Why do you think the security team at this insurance company was able to contain this attack before it reached production systems? Sure, they had our active defense solution, but more importantly, they had the foresight to think about what an attacker would do once inside (go after file shares in the segments most likely to be reached first) and then build defenses that would intercept exactly that behavior.

That’s Active Defense in action.

Closing thoughts

Building a dedicated defense strategy around ransomware is a worthy goal to have in 2021.

Ransomware is industry-agnostic and affects all parts of your network. Today, it is the one threat that can completely disrupt operations and bring business to a grinding halt.

Having the ability to detect ransomware early in the attack lifecycle can be instrumental in limiting its spread and impact.

Active defense gives you the ability to do this without investing in expensive tooling, adding headcount, or making changes to your network.

We’re going to leave you with a playbook of active defense strategies that can help you detect over 40 ransomware techniques.

Playbook – The Top 40 Ransomware Techniques and How to Mess With Them

Remember, you don’t have to implement everything. But implementing even some of it can help you control and reduce the attack surface available to ransomware.


© 2015-2021 Smokescreen. All rights reserved.