#TECH: Safeguarding businesses from ransomware attacks

It is important for companies to understand the growing ransomware risks and how to keep their businesses safe


RANSOMWARE attacks are increasing globally and it is important that businesses understand the growing risks and how to keep their businesses safe from the financial and reputational impact of these insidious attacks.

Data from the National Security Council (MKN) shows that 3,836 cyber incidents were reported involving, among others, intrusion (31.5 per cent) and malware attacks (53.19 per cent) up to Nov 30 last year.

Sophos, a global leader in next-generation cybersecurity, in its Sophos 2021 Threat Report, flags how ransomware and fast-changing attacker behaviours, from advanced to entry level, will shape the threat landscape and IT security in 2021.

There are three key trends that will shape the threat landscape and IT security this year. The full report can also be downloaded at www.sophos.com/threatreport.

RANSOMWARE TREND

Firstly, the gap between ransomware operators at different ends of the skills and resource spectrum will increase.

The high end, the big-game hunting ransomware families, will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organisations with multimillion-dollar ransom demands.

Sophos also anticipates an increase in the number of entry level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.

Another ransomware trend is "secondary extortion", where alongside the data encryption, the attackers steal and threaten to publish sensitive or confidential information if their demands are not met.

In 2020, Sophos reported that Maze, RagnarLocker, Netwalker, REvil and others used this approach.

NEED FOR SERIOUS ATTENTION

Secondly, everyday threats such as commodity malware, including loaders and botnets, or human-operated Initial Access Brokers, will demand serious security attention.

Such threats may look like low-level malware noise but they are designed to secure a foothold in a target, gather essential data and share data back with a command-and-control network that will provide further instructions.

If human operators are behind these types of threats, they will review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation.

For instance, in 2020, Ryuk used Buer Loader to deliver its ransomware.

"Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system. From what Sophos analysed, it is clear that defenders need to take these attacks seriously because of where they might lead. Any infection can lead to every infection.

"Many security teams will feel that once malware has been blocked or removed and the compromised machine cleaned, the incident has been prevented," said Sophos' principal research scientist, Chester Wisniewski.

"They may not realise that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys, possibly in the middle of the night or on the weekend.

"Underestimating 'minor' infections could prove very costly."

ABUSE OF LEGITIMATE TOOLS

The third trend saw an increasing abuse of legitimate tools, well-known utilities and common network destinations to evade detection and security measures as well as thwart analysis and attribution.

The abuse of legitimate tools enables adversaries to stay under the radar while they move around the network until they are ready to launch the main part of their attack, such as ransomware.

For nation-state-sponsored attackers, there is the additional benefit that using common tools makes attribution harder.

"The abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos' review of the threat landscape during 2020.

"This technique challenges traditional security approaches because the appearance of known tools doesn't automatically trigger a red flag. This is where the rapidly growing field of human-led threat hunting and managed threat response really comes into its own," said Wisniewski.

"Human experts know the subtle anomalies and traces to look for, such as a legitimate tool being used at the wrong time or in the wrong place. To trained threat hunters or IT managers using endpoint detection and response (EDR) features, these signs are valuable tripwires that can alert security teams to a potential intruder and an attack underway."

The combination of these changing attacker behaviours and remote and/or hybrid working environments due to the global Covid-19 pandemic is signalling an urgent need for organisations to prioritise IT security.

However, with limited IT resources available for some companies, this has led to increased demand for managed detection and response (MDR) services.

Traditionally, these vendors will simply notify their partners of attacks or suspicious events. Yet, detection alone is not enough.

SOPHOS' APPROACH

Backed by a team of elite experts, Sophos provides targeted actions on behalf of its customers to neutralise even the most sophisticated threats via its Managed Threat Response services (Sophos MTR).

MTR is customisable with different service tiers and response modes to meet the unique and evolving needs of organisations of all sizes and maturity levels.

Related Articles