RansomOps: Detecting Complex Ransomware Operations

November 16, 2021 |

3 minute read

In a recent blog post we discussed how today’s more complex RansomOps attacks are more akin to stealthy APT-like operations than the “spray and pray” mass email spam campaigns of old, and how there are multiple players from the larger Ransomware Economy at work, each with their own specialization.

These players include the Initial Access Brokers (IABs) who lay the groundwork for a ransomware attack by infiltrating a network and moving laterally to maximize the potential impact from the ransomware payload, and the Ransomware-as-a-Service (RaaS) operators who provide attack infrastructure to affiliates who actually carry out the attack.

We also discussed how the average ransomware attack proceeds in seven distinct phases: an attack attempt delivers the ransomware payload after an employee clicks on a phishing email or visits a malicious website; the ransomware installs itself onto the employee’s machine and runs its malicious code; as part of its startup process, the ransomware phones back to its attackers via a command and control (C&C) server to receive instructions.

Once it’s obtained its marching orders, the ransomware goes about stealing access to credentials so that it can infiltrate even more accounts and devices; the ransomware uses those compromised accounts and devices to discover files with certain file extensions that it’s capable of encrypting; at that point, the ransomware moves laterally across the network to compromise even more accounts and devices.

Finally, the ransomware acts on its objectives by activating its encryption routine on local and network files and then displaying its ransom note to the victim. This level of compromise puts RansomOps attackers in a position where they can demand even bigger ransoms, and RansomOps attacks also commonly combine multiple extortion techniques.

These include using double extortion where the attackers first exfiltrate a victim’s sensitive files before launching the ransomware encryption routine. The logic is that the attackers can use that stolen information to threaten noncompliant victims with the possibility of a data leak. This can take the form of ransomware actors putting additional pressure on victims to pay the ransom despite the availability of working data backups. 

Or it can involve ransomware attackers demanding two ransoms, one for a working decryption utility and another for the attackers’ word that they deleted their victims’ stolen information from their servers (as if the word of a ransomware group ever meant anything anyway).

Some groups have taken things a step further. In mid-September, for instance, Bleeping Computer reported that the Grief ransomware gang had begun threatening to delete a victim’s decryption key if they elected to hire someone to help them negotiate the ransom demand down. This came on the heels of the Ragnar Locker group threatening to publish a victim’s data if they notified the FBI or local law enforcement about an infection, per ThreatPost.

How Organizations Can Protect Themselves Against RansomOps

It’s possible for organizations to defend themselves at each stage of a ransomware attack. In the delivery stage, for instance, they can block suspicious emails that carry malicious links or attached documents with malicious macros. The installation stage gives security teams the opportunity to detect files that attempt to create new registry values and to spot suspicious activity on endpoint devices.

When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, and investigate network mapping and discovery attempts launched from unexpected accounts and devices.

Defenders can flag resources that are attempting to gain access to other network resources with which they don’t normally interact, and discover attempts to exfiltrate data as well as encrypt files. Remember, the actual ransomware payload is the tail end of a RansomOps attack, and there are weeks’ or even months’ worth of detectable activity prior where an attack can be arrested before there is serious impact to the targeted organization.

But most organizations can’t do this on their own. They need the right solution to perform these threat hunting tasks for them. That’s why Cybereason designed its anti-ransomware platform to combine both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs). The former can help to keep organizations safe against known ransomware campaigns, while the latter can help security teams to visualize and stop even those attack attempts that no one has seen before. 
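The per-phase detection opportunities above, and the idea of pairing a known-bad indicator (IOC) with behavioral chains (IOBs), as an added example that is not Cybereason's code or platform logic: a small correlator that labels constructed endpoint events with attack-chain phases and alerts once a host has accumulated several distinct phases, long before the encryption event. The event schema, the C2 address, the peer baseline and the event stream are all constructed assumptions.

```python
from collections import defaultdict

KNOWN_BAD_C2 = {"203.0.113.7"}  # constructed IOC (RFC 5737 documentation range)
# Constructed baseline of (host, peer) pairs that normally talk to each other.
NORMAL_PEERS = {("ws-12", "fileshare-1"), ("ws-12", "mail-1"), ("ws-30", "fileshare-1")}
RANSOM_EXTS = {".locked", ".encrypted"}  # constructed sample extensions


def classify(ev):
    """Map one endpoint event to a phase of the chain described above, or None."""
    t = ev["type"]
    if t == "registry_set" and "\\CurrentVersion\\Run" in ev["key"]:
        return "install"  # persistence via a new Run value (installation phase)
    if t == "net_connect" and ev["dst"] in KNOWN_BAD_C2:
        return "c2"  # IOC hit: outbound connection to known malicious infrastructure
    if t == "process_access" and ev["target"] == "lsass.exe":
        return "credential_access"
    if t == "process_start" and ev["image"] in {"net.exe", "nltest.exe"}:
        return "discovery"  # network mapping tooling
    if t == "smb_connect" and (ev["host"], ev["dst"]) not in NORMAL_PEERS:
        return "lateral"  # IOB: reaching a resource this host never talks to
    if t == "file_rename" and ev["new_ext"] in RANSOM_EXTS:
        return "encrypt"  # impact phase; the alert should have fired long before this
    return None


def detect_chains(events, min_phases=3):
    """Return {host: (triggering phase, sorted phases seen)}; one alert per host."""
    seen = defaultdict(set)
    alerts = {}
    for ev in events:
        phase = classify(ev)
        if phase is None:
            continue
        host = ev["host"]
        seen[host].add(phase)
        if host not in alerts and len(seen[host]) >= min_phases:
            alerts[host] = (phase, sorted(seen[host]))
    return alerts


# Constructed event stream: ws-12 walks the whole chain, ws-30 stays benign.
EVENTS = [
    {"host": "ws-30", "type": "smb_connect", "dst": "fileshare-1"},
    {"host": "ws-12", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws-12", "type": "net_connect", "dst": "203.0.113.7"},
    {"host": "ws-12", "type": "process_access", "target": "lsass.exe"},
    {"host": "ws-12", "type": "process_start", "image": "nltest.exe"},
    {"host": "ws-12", "type": "smb_connect", "dst": "finance-db"},
    {"host": "ws-12", "type": "file_rename", "new_ext": ".locked"},
]
```

With the default threshold, `detect_chains(EVENTS)` raises the ws-12 alert at the credential-access event, four events before any file is renamed; raising `min_phases` trades earlier warning for fewer false positives.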

The Cybereason operation-centric approach is undefeated in the fight against ransomware because it detects RansomOps earlier in the attack sequence based on rare or advantageous chains of malicious behavior. Cybereason delivers the best prevention, detection and response capabilities available to thwart ransomware attacks:

    • Anti-ransomware prevention and deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
    • Intelligence-Based Antivirus: Cybereason blocks known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
    • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
    • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
    • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
    • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere – including modern RansomOps attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Cybereason Security Team. Read the original post at: https://www.cybereason.com/blog/ransomops-detecting-complex-ransomware-operations