Ransomware continues to strike businesses and governments globally, showing no signs of slowing down during the pandemic. In a recent report by Check Point, researchers found that the daily average of ransomware attacks has increased by 50% in the last three months.
2020 Ransomware Trends
While much of the focus is on the encryption aspect of ransomware, Check Point's researchers found that attackers are now exfiltrating large volumes of data before encrypting databases. Attackers are threatening to publish the data if their ransom demands aren't met.
Emotet and Ryuk Ransomware Infection
This coincides with the rise of Emotet malware delivered through new phishing campaigns seen a few months ago, acting as a backdoor to download and execute payloads on a victim’s systems. Emotet has been linked to both TrickBot, an advanced malware affecting Windows machines, as well as Ryuk ransomware, a type of crypto-ransomware targeting enterprises. According to Check Point, Ryuk ransomware infections have been steadily rising since July 2020, attacking 20 organizations per week.
Learn more in Detect and Protect Against the Return of Emotet Malware.
Microsoft recently announced that they have "cut off key infrastructure" to disrupt new Trickbot infections and activations. The malware has been distributed widely through phishing campaigns leveraging current events as email topics, such as Black Lives Matter and COVID-19. According to The Washington Post, Microsoft won a court order to seize U.S.-based servers controlling a botnet, or network of computers infected by Trickbot. But Trickbot continues to operate on servers outside of the country, according to threat intelligence company Intel 471.
Paying Ransom May Result in OFAC Violations & Fines
According to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), demand for ransomware payments has only increased during the pandemic due to attackers targeting systems that people rely on to continue conducting business online. The FBI reports a 147% annual increase in ransomware-associated losses from 2018 to 2019 (Internet Crime Report PDF).
OFAC issued a recent advisory (PDF) this month cautioning that any companies that pay ransomware ransoms may be at risk of violating OFAC regulations and may be subject to monetary fines. Their reasons include: any transaction with criminals could be used to fund illicit activity counter to U.S. national security; payments embolden attackers; and paying a ransom doesn't always guarantee victims will regain access to stolen data.
Detecting Indicators of a Ransomware Attack
Identifying the different stages of an attack that can lead to ransomware infection is important to enable your team to detect attackers early and remediate incidents faster. As outlined in the MITRE ATT&CK framework, Blumira detects and alerts you to key attacker techniques/tactics used for initial access, credential access, execution, persistence, privilege escalation, lateral movement, exfiltration and more.
Below are the attack stages that can lead to a ransomware infection. Blumira detects and alerts on each of them and can help guide your team through incident response procedures:
Attack Stage: Discovery
In the early stages of an attack, an attacker is conducting reconnaissance during the discovery phase as they get to know your network, systems and applications better to help them understand how to launch an attack effectively. By detecting internal port scanning tools, Blumira can help alert you to an indicator of an internal attacker looking for vulnerable areas to attack and move laterally throughout your environment.
Attack Stage: Initial Access
Remote Desktop Protocol (RDP) is one of the top ways that remote attackers gain initial access to install ransomware. RDP is often used by businesses to allow users to remotely access files and applications on their local network. But when RDP ports are left open to the internet, it can allow anyone to access remote servers.
Blumira detects and alerts you to public IPs connecting to your internal network via RDP for early detection of malicious activity that can lead to ransomware infection.
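The two detections described above, internal port scanning (Discovery) and RDP sessions arriving from public addresses (Initial Access), can be expressed as simple rules over firewall or flow logs. The following is an added example written for this post, not Blumira's own detection logic: the log layout, the constructed sample lines, the 60-second/10-port scan threshold and the list of "internal" address ranges are all assumptions for illustration.

```python
"""Added example (not Blumira's code): two detections over firewall/flow logs.

1. Internal port scan: one internal host touching many distinct destination
   ports on a single target within a short window (Discovery stage).
2. RDP from a public source: an accepted TCP/3389 connection whose source
   address is outside the RFC 1918 / loopback ranges (Initial Access stage).

The log layout, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: timestamp src dst dport proto action (one flow per line).
SAMPLE_LOG = """\
2020-10-20T09:00:01 10.0.5.17 10.0.5.40 21 tcp deny
2020-10-20T09:00:02 10.0.5.17 10.0.5.40 22 tcp allow
2020-10-20T09:00:03 10.0.5.17 10.0.5.40 23 tcp deny
2020-10-20T09:00:04 10.0.5.17 10.0.5.40 25 tcp deny
2020-10-20T09:00:05 10.0.5.17 10.0.5.40 53 tcp deny
2020-10-20T09:00:06 10.0.5.17 10.0.5.40 80 tcp allow
2020-10-20T09:00:07 10.0.5.17 10.0.5.40 110 tcp deny
2020-10-20T09:00:08 10.0.5.17 10.0.5.40 135 tcp allow
2020-10-20T09:00:09 10.0.5.17 10.0.5.40 139 tcp allow
2020-10-20T09:00:10 10.0.5.17 10.0.5.40 443 tcp allow
2020-10-20T09:00:11 10.0.5.17 10.0.5.40 445 tcp allow
2020-10-20T09:00:12 10.0.5.17 10.0.5.40 8080 tcp deny
2020-10-20T09:01:30 10.0.5.90 10.0.5.40 3389 tcp allow
2020-10-20T09:02:15 10.0.5.17 10.0.5.41 443 tcp allow
2020-10-20T09:05:44 203.0.113.45 10.0.5.40 3389 tcp allow
2020-10-20T09:06:02 198.51.100.7 10.0.5.40 3389 tcp deny
"""

# Address ranges treated as "inside"; a real deployment would add its own
# public ranges and VPN egress addresses here.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto, "action": action})
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): distinct_ports} for pairs that hit >= min_ports
    distinct destination ports within any `window`-long interval.
    Denied flows count too: a scanner's probes are mostly refused."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_public_rdp(events):
    """Accepted RDP (TCP/3389) flows from addresses outside the internal ranges.
    Denied attempts are left out: internet-wide RDP probing is constant
    background noise, while an accepted session is the actionable signal."""
    return [e for e in events
            if e["proto"] == "tcp" and e["dport"] == 3389
            and e["action"] == "allow" and not is_internal(e["src"])]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (src, dst), n in detect_port_scans(events).items():
        print(f"port scan: {src} -> {dst} touched {n} distinct ports")
    for e in detect_public_rdp(events):
        print(f"public RDP: {e['src']} -> {e['dst']} at {e['ts']}")
```

On the sample data the scan rule fires once, for 10.0.5.17 sweeping 12 ports on 10.0.5.40 in eleven seconds, and the RDP rule fires only for the accepted session from 203.0.113.45; the internal RDP session from 10.0.5.90 and the denied attempt from 198.51.100.7 are left alone. Internal-range membership is checked against an explicit list rather than Python's `is_private` flag so the rule reflects the address plan you actually own.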
Attack Stage: Credential Access (Brute Force)
Password spraying is when an attacker attempts to authenticate to your network or applications by trying a single password against many different usernames. It's used by attackers to discover weak passwords that can be used to move laterally throughout your environment, while targeting systems and data with ransomware. Blumira can detect and alert you to password spraying, as well as provide security playbooks for step-by-step remediation.
Learn more in How to Test Your SIEM for Password Spraying.
Attack Stage: Credential Access (Brute Force)
Account lockouts can be the result of too many failed login attempts, potentially due to a forgotten password or malicious brute-force attack to gain entry to your systems to install ransomware. Blumira can detect common account lockouts, as well as two-factor authentication account lockouts. We also provide next steps for internal incident response procedures, such as blocklisting source IPs and reviewing your authentication logs.
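Both of the Credential Access detections above, password spraying and account lockouts, come down to counting Windows Security events the right way: a spray shows up as failed logons (Event ID 4625) from one source against many distinct accounts, and lockouts (Event ID 4740) name the caller computer that tripped them. The following is an added example written for this post, not Blumira's detection logic; the event dicts, the 10-minute bucket size and the five-user threshold are constructed assumptions.

```python
"""Added example (not Blumira's code): password spraying and account lockout
detection over Windows Security events.

Event IDs used: 4625 (failed logon) and 4740 (account locked out). The events
are constructed as plain dicts with only the fields the rules need; the
thresholds and the 10-minute bucket size are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. `src` is the workstation or IP the attempt came from;
# for 4740 it stands in for the "Caller Computer Name" field.
SAMPLE_EVENTS = [
    {"ts": "2020-10-20T08:00:05", "event_id": 4625, "user": "alice", "src": "10.0.7.33"},
    {"ts": "2020-10-20T08:00:41", "event_id": 4625, "user": "bob",   "src": "10.0.7.33"},
    {"ts": "2020-10-20T08:01:17", "event_id": 4625, "user": "carol", "src": "10.0.7.33"},
    {"ts": "2020-10-20T08:01:52", "event_id": 4625, "user": "dave",  "src": "10.0.7.33"},
    {"ts": "2020-10-20T08:02:30", "event_id": 4625, "user": "erin",  "src": "10.0.7.33"},
    {"ts": "2020-10-20T08:03:04", "event_id": 4625, "user": "frank", "src": "10.0.7.33"},
    # a user mistyping their own password twice: same account, one source
    {"ts": "2020-10-20T08:02:10", "event_id": 4625, "user": "alice", "src": "10.0.7.50"},
    {"ts": "2020-10-20T08:02:25", "event_id": 4625, "user": "alice", "src": "10.0.7.50"},
    # lockouts raised by the domain controller
    {"ts": "2020-10-20T08:04:10", "event_id": 4740, "user": "dave",  "src": "WKS-0733"},
    {"ts": "2020-10-20T08:04:12", "event_id": 4740, "user": "erin",  "src": "WKS-0733"},
]


def bucket_key(ts, minutes=10):
    """Tumbling-window key: truncate the timestamp to a `minutes`-wide bucket."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)


def detect_password_spray(events, min_users=5, minutes=10):
    """Return {(src, bucket_start): sorted usernames} for sources whose failed
    logons hit at least `min_users` distinct accounts in one bucket.
    Counting distinct users (not raw failures) is what separates a spray
    from one person repeatedly failing on their own account."""
    users = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625:
            users[(e["src"], bucket_key(e["ts"], minutes))].add(e["user"])
    return {key: sorted(u) for key, u in users.items() if len(u) >= min_users}


def summarize_lockouts(events):
    """Group 4740 lockouts by caller computer so the responder sees which
    machine to isolate, and which accounts to contact, in one view."""
    by_caller = defaultdict(list)
    for e in events:
        if e["event_id"] == 4740:
            by_caller[e["src"]].append(e["user"])
    return dict(by_caller)


if __name__ == "__main__":
    for (src, start), names in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"password spray from {src} starting {start}: {names}")
    for caller, accounts in summarize_lockouts(SAMPLE_EVENTS).items():
        print(f"lockouts triggered from {caller}: {accounts}")
```

The tumbling bucket is the cheap approach most SIEM rule engines take; a spray that straddles a bucket boundary can be split across two buckets, which is why production thresholds are set a little lower than the smallest spray you want to catch. The lockout summary keyed by caller computer is what makes the next steps listed above (blocklisting the source, reviewing its authentication logs) immediate rather than a second search.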
Rogue Domain Admin Account Created
Attack Stage: Privilege Escalation
To get greater access privileges, attackers may attempt to create domain administrator accounts that allow them to deploy ransomware broadly across all servers, databases, storage systems, etc. Blumira can detect when a rogue domain admin account is created and notify you to disable it immediately.
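A rogue domain admin is visible in the audit log as two events close together: an account creation (Event ID 4720) followed by a membership change to a privileged group (Event ID 4728 for global groups such as Domain Admins, 4732 for local groups such as Administrators). The following added example, written for this post and not Blumira's own logic, alerts on every privileged-group addition and raises the severity when the member account was itself created within the last 24 hours; the event dicts, group list and window are constructed assumptions.

```python
"""Added example (not Blumira's code): flag new members of privileged AD groups
and correlate them with recent account creation.

Event IDs used: 4720 (user account created), 4728 (member added to a
security-enabled global group) and 4732 (member added to a security-enabled
local group). Events are constructed dicts; the group list and the 24-hour
"newly created" window are assumptions for illustration.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample events. `subject` is the account that performed the action.
SAMPLE_EVENTS = [
    {"ts": "2020-10-20T02:10:03", "event_id": 4720, "subject": "jsmith",
     "target": "svc-backup2"},
    {"ts": "2020-10-20T02:12:41", "event_id": 4728, "subject": "jsmith",
     "member": "svc-backup2", "group": "Domain Admins"},
    {"ts": "2020-10-20T09:30:00", "event_id": 4728, "subject": "itadmin",
     "member": "bob", "group": "Sales"},
    {"ts": "2020-10-20T14:00:12", "event_id": 4728, "subject": "itadmin",
     "member": "ops-admin", "group": "Domain Admins"},
]


def detect_privileged_group_adds(events, max_age=timedelta(hours=24)):
    """Return one alert per addition to a privileged group. `new_account` is
    True when the member was created within `max_age` before being added:
    an account created at 02:10 and made Domain Admin at 02:12 is the
    pattern a responder wants surfaced first, even when the actor's
    credentials belong to a legitimate administrator."""
    created = {}
    for e in events:
        if e["event_id"] == 4720:
            created[e["target"]] = datetime.fromisoformat(e["ts"])
    alerts = []
    for e in events:
        if e["event_id"] not in (4728, 4732) or e["group"] not in PRIVILEGED_GROUPS:
            continue
        added_at = datetime.fromisoformat(e["ts"])
        birth = created.get(e["member"])
        is_new = birth is not None and timedelta(0) <= added_at - birth <= max_age
        alerts.append({
            "member": e["member"], "group": e["group"], "added_by": e["subject"],
            "new_account": is_new,
            "severity": "critical" if is_new else "high",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_privileged_group_adds(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['added_by']} added {a['member']} to "
              f"{a['group']} (new account: {a['new_account']})")
```

Every addition to a privileged group is reported, not only the correlated ones: the Domain Admins population changes rarely enough that each change deserves a human glance, and the correlation only decides which alert goes to the top of the queue. The `added_by` field is what lets the responder disable both the new account and, if the adding account looks compromised, the account that created it.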
Attack Stage: Exfiltration
Attackers are stealing data before ransomware infection to use as additional leverage for demanding money from victim organizations. Blumira detects data exfiltration via generic network protocols to alert you to an attacker’s actions. Our service also detects anomalous internal web traffic that may indicate attempts to exfiltrate data out of your environment.
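The bulk transfers that precede a double-extortion ransomware attack stand out most clearly against a host's own history. The following is an added example written for this post, not Blumira's detection logic: it scores each host's outbound volume for the day against a robust (median/MAD) baseline built from its previous seven days. The per-host byte counts, the k=5 threshold and the 1 GB floor are constructed assumptions.

```python
"""Added example (not Blumira's code): flag hosts whose outbound byte volume
jumps far above their own recent baseline, a simple way to surface the bulk
data transfers that precede double-extortion ransomware.

Inputs are per-host daily outbound totals (e.g. summed from firewall or proxy
logs); the figures, the 7-day history, the k=5 threshold and the 1 GB floor
are constructed assumptions for illustration.
"""
from statistics import median

# Constructed sample data: seven prior days of outbound bytes per host, then today.
HISTORY = {
    "fs-01":  [1_800_000_000, 2_100_000_000, 1_900_000_000, 2_000_000_000,
               2_200_000_000, 1_700_000_000, 2_000_000_000],
    "wks-22": [300_000_000, 280_000_000, 310_000_000, 290_000_000,
               320_000_000, 300_000_000, 270_000_000],
    "db-03":  [500_000_000] * 7,   # perfectly flat baseline
}
TODAY = {"fs-01": 9_500_000_000, "wks-22": 330_000_000, "db-03": 1_200_000_000}


def robust_baseline(values):
    """Median and median absolute deviation (MAD). Both resist a single
    earlier spike (say, last week's backup) pulling the baseline up, which
    a mean/standard-deviation pair would not."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def detect_exfil(history, today, k=5.0, min_bytes=1_000_000_000):
    """Return {host: score} for hosts whose volume today exceeds the baseline
    by more than k MAD-units and is at least `min_bytes`. The absolute floor
    keeps a quiet host going from 5 MB to 60 MB from paging anyone."""
    alerts = {}
    for host, sent in today.items():
        med, mad = robust_baseline(history[host])
        # A flat baseline gives mad == 0, which would make any increase
        # infinite; floor the scale at 1% of the median (or 1 byte).
        scale = max(mad, 0.01 * med, 1)
        score = (sent - med) / scale
        if score > k and sent >= min_bytes:
            alerts[host] = round(score, 1)
    return alerts


if __name__ == "__main__":
    for host, score in detect_exfil(HISTORY, TODAY).items():
        print(f"{host}: outbound volume {score}x above baseline deviation")
```

On the sample data the file server and the database host are flagged (the latter only because of the flat-baseline guard; without it a zero MAD would divide by zero), while the workstation's 10% bump is ignored. The same scoring applies per destination or per protocol when the logs carry that detail, which is how "generic network protocol" exfiltration (a host suddenly pushing gigabytes over DNS or FTP) becomes visible.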
Application Executable or Script (Dropping Malware or Ransomware)
Attack Stage: Execution
Attackers download and execute malicious files in order to install ransomware on your systems. Blumira detects when an application is dropping a new file or script onto a machine and notifies your team of potentially malicious executables that may not be allow-listed, and could present a threat to your organization. This visibility allows you to detect a ransomware attack early and respond quickly to block or contain it.
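File-creation telemetry such as Sysmon Event ID 11 (FileCreate) records which process wrote which file, which is enough to spot an executable or script being dropped into a user-writable directory by a process that has no business doing so. The following added example, written for this post and not Blumira's own logic, classifies such events and skips binaries on a hash allow-list; the event dicts, extension and path lists, dropper list and the placeholder allow-listed hash are constructed assumptions.

```python
"""Added example (not Blumira's code): classify file-creation events, such as
Sysmon Event ID 11 (FileCreate), to catch executables or scripts being dropped
into user-writable locations by processes that should not be writing them.

Events are constructed dicts with the writing process (`image`), the created
file (`target`) and its SHA-256. The extension list, path list, dropper list
and allow-listed hash are assumptions for illustration.
"""
import ntpath

SUSPICIOUS_EXT = {".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".hta", ".scr", ".cmd"}
# Locations an ordinary user (and therefore malware running as that user) can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Processes that have no business creating executables: Office, browsers, script hosts.
DROPPER_IMAGES = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe",
                  "msedge.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Known-good binaries by hash (constructed placeholder value, not a real hash).
ALLOWED_HASHES = {"0000000000000000000000000000000000000000000000000000000000000000"}

# Constructed sample events; hashes are filler values, not real file hashes.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\invoice_2020.exe", "sha256": "f1" * 32},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\Vendor\app.exe", "sha256": "a2" * 32},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\bob\Downloads\report.pdf", "sha256": "b3" * 32},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\Downloads\tool.exe", "sha256": "00" * 32},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\ProgramData\Updater\update.ps1", "sha256": "c4" * 32},
]


def classify_file_create(event, allowed=ALLOWED_HASHES):
    """Return None for benign events, else a dict with severity and context.
    Severity is 'high' when the writer is a known dropper vector and 'medium'
    otherwise; allow-listing is by hash, not by path or file name, so a
    renamed copy of a blocked binary is still caught."""
    target = event["target"].lower()
    if ntpath.splitext(target)[1] not in SUSPICIOUS_EXT:
        return None
    if event.get("sha256") in allowed:
        return None
    if not target.startswith(USER_WRITABLE):
        return None
    writer = ntpath.basename(event["image"].lower())
    return {"severity": "high" if writer in DROPPER_IMAGES else "medium",
            "writer": writer, "target": event["target"]}


def triage(events):
    """Run every event through the classifier; keep only the findings."""
    return [r for r in (classify_file_create(e) for e in events) if r]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['writer']} wrote {finding['target']}")
```

Of the five sample events only two survive triage: Word writing an `.exe` into a temp directory (high) and Explorer writing a PowerShell script under ProgramData (medium). The installer writing into Program Files, the browser saving a PDF and the allow-listed download are all dropped, which is the filtering that keeps a file-create feed reviewable. `ntpath` is used so the Windows path handling works wherever the rule runs.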
Best Security Practices to Help Defend Against Ransomware
Here are a few best security practices to help prevent, detect and respond to the many security events that can lead to ransomware infection:
Access Control – Practice least privilege by limiting access to applications and services to only those that need access to do their jobs.
Two-Factor Authentication – Add an additional layer of security to every login with a secondary authentication method (preferably a secure one that uses push notifications and an authenticator app, not SMS).
Secure Ports – RDP ports should never be allowed from public IP addresses, or left open to the internet. SMB (Server Message Block) connections should also not be allowed from public IPs, as they can allow attacks like EternalBlue (an SMB exploit) to occur, resulting in ransomware infection.
Backups – Back up your system separately, both locally and offsite, and keep copies in the cloud for redundancy.
Patch – Patch as frequently as you’re able to in order to protect against vulnerabilities and exploits used to gain initial access and install ransomware on your systems.
User Awareness – Create a culture of security and regularly train users to spot phishing attacks and protect against downloading malicious attachments, a popular avenue for ransomware infection.
Threat Detection – Faster detection leads to faster response times, which is key to detecting early attack indicators and ultimately, preventing ransomware infection. Learn more about automating detection and response with Blumira’s security platform, and how Blumira can help you prevent and detect ransomware infection.