Ransomware: How to Defend Against a Four-Decade Old Foe

The first documented attack[1] may have occurred back in the late 1980s, yet ransomware is still topping the list of cyberthreats faced by both organisations and individuals today.

An ever-evolving form of malware, ransomware is designed to encrypt data files until the victim pays a fee to the attacker. In some cases, attackers also threaten to release copies of the files publicly unless payment is made.

During the past 40 years, ransomware has been constantly evolving both technically and organisationally. The tactic has now matured to the point where ransomware-as-a-service (RaaS) providers offer access to tools that can allow people with little technical knowledge to launch attacks.

Recently, there has also been a sharp increase in the use of artificial intelligence (AI) tools as part of the ransomware development process. Cybercriminals are using tools such as ChatGPT to create code which is then used to mount attacks.

Detection techniques

Detecting ransomware attacks is challenging because the techniques and code being used are constantly evolving. In many cases, threats only come to light when users discover they have lost access to their data because their files have been encrypted.

Thankfully, there are a range of detection methods and tools that can assist in overcoming this challenge. For example, signatures and indicators of compromise (IOCs) can be incorporated into intrusion detection systems or network devices.

Threat intelligence sources can also allow a security team to block suspicious activity before it can cause harm within an organisation’s IT infrastructure. At the same time, rigorous email screening can spot and remove malicious links or attachments before users are tempted to interact with them.

Security teams can also take advantage of the widely used MITRE ATT&CK Matrix. This resource documents more than 220 adversary techniques, and understanding them helps teams ward off ransomware threats.

The matrix is a globally accessible knowledge base of cybercriminal tactics and techniques based on real-world observations. It can be used to enhance, analyse, and test an organisation’s threat hunting and detection capabilities.

Prevention and mitigation strategies

As well as improving threat detection capabilities, security teams should also focus on putting in place a range of other prevention and mitigation techniques that can reduce the impact of an attack should one take place.

One key capability needed is being able to automatically isolate infected systems before the ransomware code can spread more widely throughout an IT infrastructure. This will limit the effect of an attack and reduce the number of files that become inaccessible.

IT teams should also have in place a process of regular data backups. If primary files become encrypted, backups will help an organisation get back up and running as quickly as possible.

Tasks such as deploying software patches as soon as they are released are also critical. This will reduce the chances of cybercriminals taking advantage of known vulnerabilities when mounting their attack.

Security teams should also consider deploying a Security Information and Event Management (SIEM) platform. This platform can provide real-time analysis of security alerts generated by applications and network hardware which, in turn, allows attacks to be neutralised as quickly as possible.

It can also be worth making use of a User and Entity Behaviour Analytics (UEBA) tool. These tools can automatically spot anomalous traffic or activity on a network that could be a sign of a ransomware attack.

Examples might include an unusually high volume of successful authentications, showing that someone appears to be logging in much more often than they normally do. The tool could also spot a user who appears to be logging in from multiple locations at the same time, which could also signal a potential attack.
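As an added illustration, and not LogRhythm's or the author's code, the two UEBA heuristics just described written as a small Python script that runs over a constructed sample of authentication events. The per-user baseline, the five-times-baseline threshold and the ten-minute window are assumed values that a real tool would learn from history or let an analyst tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (invented for this example): (timestamp, user, location, result).
EVENTS = [
    ("2024-05-01T08:02:00", "alice", "Sydney", "success"),
    ("2024-05-01T09:15:00", "alice", "Sydney", "success"),
    ("2024-05-01T14:00:00", "carol", "Sydney", "success"),
    ("2024-05-01T14:04:00", "carol", "Singapore", "success"),
    ("2024-05-01T14:20:00", "dave", "Perth", "failure"),
    ("2024-05-01T14:25:00", "dave", "Auckland", "failure"),
] + [  # bob normally logs in about once an hour; here he does so 12 times in one hour
    (f"2024-05-01T10:{m:02d}:00", "bob", "Melbourne", "success") for m in range(0, 60, 5)
]

# Constructed per-user baseline of successful logins per hour (hypothetical values).
BASELINE_PER_HOUR = {"alice": 2, "bob": 1, "carol": 1}

def parse(events):
    """Convert ISO-8601 timestamps to datetime objects; other fields pass through."""
    return [(datetime.fromisoformat(ts), user, loc, res) for ts, user, loc, res in events]

def auth_volume_spikes(events, baseline, factor=5):
    """Users whose successful logins in any one-hour bucket exceed factor x their usual rate."""
    counts = defaultdict(int)
    for ts, user, _, result in events:
        if result == "success":  # failed attempts are a different signal; not counted here
            counts[(user, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return sorted({user for (user, _), n in counts.items() if n > factor * baseline.get(user, 1)})

def concurrent_locations(events, window=timedelta(minutes=10)):
    """Users with successful logins from two different locations within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, loc, result in events:
        if result == "success":
            by_user[user].append((ts, loc))
    flagged = set()
    for user, logins in by_user.items():
        logins.sort()
        for i, (t1, loc1) in enumerate(logins):
            for t2, loc2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted by time, so every later login is further away still
                if loc2 != loc1:
                    flagged.add(user)
    return sorted(flagged)

if __name__ == "__main__":
    print("volume spikes:", auth_volume_spikes(parse(EVENTS), BASELINE_PER_HOUR))  # ['bob']
    print("concurrent locations:", concurrent_locations(parse(EVENTS)))  # ['carol']
```

Dave's two failed logins from different cities are deliberately ignored by both checks; failed-authentication patterns are a separate detection.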

By making use of such tools and developing a comprehensive security strategy, organisations can be well placed to prevent ransomware attacks or quickly bring one under control should it occur. With the threats posed by ransomware showing no sign of easing, taking such steps now can help to prevent significant disruption and loss in the future.

[1] https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)

Michael Bovalino, ANZ Country Manager, LogRhythm