Ransomware Detection & Prevention
Ransomware is growing by 300% a year, with 75% of Ransomware attacks starting with a phishing email. These attacks can severely impact organisations, leaving them without the data they need to operate. Telesoft has several approaches to help mitigate the risks of Ransomware for customers of our Managed Detection & Response services.
What is Ransomware?
Ransomware is an ever-evolving form of malware designed to encrypt files, rendering them and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for the decryption keys. Ransomware actors often target critical systems and threaten to sell or leak exfiltrated data if the ransom is not paid.
Malicious actors continue to adjust and evolve their ransomware tactics over time, and organisations need to be extra vigilant in maintaining awareness of ransomware attacks and associated tactics, techniques, and procedures.
During 2022 we saw a shift in the way that Ransomware campaigns operate as they moved to a Ransomware as a Service (RaaS) model. RaaS is a subscription-based model that enables affiliates to use pre-existing ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.
As with Software as a Service (SaaS), RaaS users don't need to be skilled or even experienced. RaaS services therefore empower even the most novice hackers to execute highly sophisticated cyberattacks.
How does Ransomware Work?
Ransomware attackers can gain access to a victim’s network through a number of infection vectors. It can be hard to predict how a compromise will begin, as cyber criminals adjust their attack strategy depending on the vulnerabilities they identify. Here we break down the 5 common steps to a Ransomware campaign:
Ransomware can infect a system through several common vectors, including:
- Phishing Emails - The most common vector of infection, ransomware can be delivered as an attachment to a phishing email that appears to come from a trusted source.
- Malicious Websites - Visiting a website which has been compromised by an attacker can result in the automated download of ransomware onto a computer system.
- Software Downloads - Installing and running software which has been obtained from an untrusted source can result in the installation of ransomware.
- Remote Desktop Protocol (RDP) Attacks - Vulnerabilities in RDP and other remote access protocols can be exploited, allowing attackers to gain access to company IT resources and deploy ransomware.
Steps to Protect against Ransomware
There are several best practices which organisations should follow to ensure they are doing all they can to protect themselves from Ransomware:
- Pro-Active Monitoring - Having eyes-on network security monitoring 24/7 is the single most effective way to detect, isolate and mitigate ransomware.
- Backups - It is critical to maintain offline backups of important business data. Backup and Restore procedures should be conducted and tested regularly.
- Malware Protection - Ensure the antivirus installed on endpoints is properly configured and always up to date.
- Public Facing Infrastructure Vulnerability & Configuration Assessments - All public facing infrastructure should be regularly scanned for vulnerabilities to limit your attack surface.
- Security Awareness - Phishing emails are one of the most common ransomware infection vectors. Ensuring your organisation has a comprehensive user awareness and training program in place can help staff to recognise phishing emails and other suspicious activity.
How can Telesoft’s Managed Detection & Response Services help?
Telesoft has several approaches to help mitigate the risks of Ransomware for our customers:
Network Level Detection
Telesoft’s Cerne IDS product can generate an MD5 and/or SHA256 hash of every file that traverses a network in real time, across physical & virtual networks at speeds up to 100Gbps.
File hashing uses cryptographic functions to generate a hash value from an input file and can be used to verify the integrity and authenticity of a file. Even the slightest change in the file will result in a different hash value. Our Cerne IDS is loaded with lists of tens of thousands of file hashes of known ransomware samples and is constantly updated with the latest via our Threat Intelligence Gateway service. If there is a match, the network traffic can be dropped if the IDS is deployed in-line, or our 24/7 team of analysts is alerted and remediation steps can be initiated with support from the customer's IT and/or security teams.
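The hash-list matching described above, as an added example that is not Telesoft's code or the Cerne IDS implementation: it hashes a stream once for both MD5 and SHA256, checks the digests against a feed, and shows that a one-byte variant of a listed file no longer matches. The function names, the feed format and the sample bytes are assumptions made for illustration.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size; the whole file is never held in memory

def hash_stream(stream):
    """Return (md5_hex, sha256_hex) for a binary stream, read once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def load_hash_list(lines):
    """Parse a feed with one hex digest per line; '#' starts a comment."""
    known = {"md5": set(), "sha256": set()}
    for line in lines:
        value = line.split("#", 1)[0].strip().lower()
        if not value or any(c not in "0123456789abcdef" for c in value):
            continue  # skip blanks, comments and malformed entries
        if len(value) == 32:
            known["md5"].add(value)
        elif len(value) == 64:
            known["sha256"].add(value)
    return known

def check_file(stream, known):
    """Return which list matched, preferring SHA256, or 'no-match'."""
    md5_hex, sha256_hex = hash_stream(stream)
    if sha256_hex in known["sha256"]:
        return "match:sha256"
    if md5_hex in known["md5"]:
        return "match:md5"
    return "no-match"

# Constructed stand-in for a listed file, and a one-byte variant of it.
SAMPLE = b"constructed stand-in for a known sample\n" * 5000
VARIANT = SAMPLE[:-1] + b"!"
# Constructed feed (assumed format) built from the stand-in's own digests.
FEED = ["# constructed hash feed",
        hashlib.sha256(SAMPLE).hexdigest().upper(),
        hashlib.md5(SAMPLE).hexdigest() + "  # md5 entry"]
KNOWN = load_hash_list(FEED)

if __name__ == "__main__":
    print(check_file(io.BytesIO(SAMPLE), KNOWN))
    print(check_file(io.BytesIO(VARIANT), KNOWN))
```

The variant result is why a hash list only covers samples already seen and is paired with behavioural detection.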
24/7 Pro-Active Threat Hunting
Pro-Active Threat Hunting is a practice that involves actively searching for and identifying potential threats before they cause harm to an organisation. When it comes to protecting against ransomware, threat hunting can help in several ways:
- Early Detection - Our analysts can identify signs of a ransomware attack in its early stages, before it has had a chance to spread and cause damage.
- Detection of Previously Unseen Ransomware - We analyse behavioural traits associated with ransomware, such as anomalously high levels of Windows File Share/SMB activity, so we are able to detect malicious behaviour even if a file hash or detection is not yet available for a particular strain.
- Improved Response - Our SOC analysts are carrying out threat hunts 24/7 and have a deep understanding of an organisation's infrastructure and security posture. This can help to minimise the impact of an attack and dramatically reduce the Mean Time To Detection (MTTD).
- Increased Awareness - If a new strain of ransomware is detected via a threat hunt, the Methods, Tactics, Techniques and Procedures can be documented and re-used.
There are several distinct indicators which our SOC analysts are looking out for:
- Anomalous Network Traffic Activity - Remote Desktop Protocol (RDP) sessions at unusual times, higher than normal levels of Windows Fileshare/SMB network traffic and more.
- Unusual Data Transfers - Anomalous transfers between internal systems, and possible data exfiltration to public IP addresses.
- Communications to known Command & Control Infrastructure - We have a comprehensive record of known Ransomware C2 infrastructure IP addresses and can detect network communications to/from those IPs.
- Behavioural Analysis - By combining network traffic telemetry with system & application event log data we can build up a picture of what is happening to a system at the network, application and user levels. Baselining normal behaviour allows us to target and investigate anomalies.
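The SMB baselining idea from the indicators above, as an added example that is not Telesoft's detection logic: it sums each host's SMB bytes per hour from flow records and flags hosts whose current hour is far above their own recent history, or that have no SMB history at all. The record layout, host names, thresholds and the median/MAD method are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

SMB_PORT = 445  # SMB over TCP
MB = 1_000_000

def smb_bytes_per_hour(flows):
    """Sum bytes to TCP/445 per host and hour from (hour, host, dst_port, bytes)."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, host, dst_port, nbytes in flows:
        if dst_port == SMB_PORT:
            totals[host][hour] += nbytes
    return totals

def find_smb_anomalies(flows, current_hour, window=8, k=6.0, min_bytes=100 * MB):
    """Compare each host's SMB volume in current_hour with its own recent hours."""
    alerts = []
    for host, by_hour in sorted(smb_bytes_per_hour(flows).items()):
        now = by_hour.get(current_hour, 0)
        if now < min_bytes:  # ignore volumes too small to matter
            continue
        # Quiet hours count as zero so a sparse history is not overstated.
        history = [by_hour.get(h, 0) for h in range(current_hour - window, current_hour)]
        if not any(history):
            alerts.append((host, now, "no-baseline"))
            continue
        med = median(history)
        mad = median(abs(v - med) for v in history)
        # 1.4826 * MAD estimates the standard deviation; the 10%-of-median floor
        # keeps a nearly flat history from alerting on small changes.
        spread = max(1.4826 * mad, 0.1 * med)
        if now > med + k * spread:
            alerts.append((host, now, "above-baseline"))
    return alerts

# Constructed flow records: (hour, host, destination port, bytes).
FLOWS = (
    [(h, "ws-01", 445, v * MB) for h, v in enumerate([50, 45, 55, 60, 40, 52, 48, 51])]
    + [(h, "ws-02", 445, v * MB) for h, v in enumerate([200, 210, 190, 200, 220, 200, 210, 200])]
    + [(8, "ws-01", 445, 1200 * MB), (8, "ws-01", 445, 1200 * MB),  # burst in two flows
       (8, "ws-02", 445, 230 * MB),    # busy host, within its own range
       (8, "ws-02", 443, 5000 * MB),   # large transfer, but not SMB
       (8, "ws-03", 445, 900 * MB)]    # host with no SMB history
)

if __name__ == "__main__":
    for alert in find_smb_anomalies(FLOWS, current_hour=8):
        print(alert)
```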
Security Awareness Training
Security awareness training for staff is critical when it comes to defending an organisation against ransomware. By educating employees about the dangers of ransomware, and how to avoid being a victim, organisations can significantly reduce the risk of being affected.
Here are a few ways Telesoft can help its Managed Detection & Response customers by enhancing staff awareness:
- Security Awareness Training Programmes - Awareness training helps staff to understand the threat posed by ransomware and the steps employees can take to protect themselves and their organisation. Bespoke for each customer, we aim to help staff identify phishing emails, know the tell-tale signs of malicious/compromised websites, properly handle suspicious emails and attachments and know the right process to follow to raise it for further investigation.
- Phishing Simulation Testing - By simulating a phishing attack, organisations can identify members of staff who are more vulnerable to scams. This information can be used to target further training to help them to be more cautious and understand the implications of clicking on a malicious link. Simulations also allow an organisation to assess how effective their security awareness training programmes are.
By educating staff and helping them to develop good cyber security habits, organisations can create an improved security culture and reduce the risk of a successful attack.