Back to BlogTop Security Threats: Detecting Ransomware Tactics
Ransomware is an extremely lucrative market, raking in an estimated $20 billion dollars by 2021, according to Cybersecurity Ventures, making it the fastest-growing type of cybercrime. Ransomware is a rather destructive type of malware that, once infected, can lock out users or encrypt a system’s files, demanding a ransom in exchange for regaining access.
Ransomware Targeting Small-to-Medium Businesses
Who’s getting infected? Pretty much anyone, but a recent survey of managed service providers found that 91% of attacks targeted small-to-medium sized businesses (SMBs), with ransomware as the most common threat. Primarily, software as a service (SaaS) applications are the top target, with attacks against Office 365, Dropbox and G Suite.
Ransomware can cause small to medium sized businesses to close down altogether – even if they attempt to pay the ransom. In one case reported by the NYTimes, a 10-person medical office closed down after they failed to recover their medical files from hackers, and another printing company with a few hundred employees shut down operations after a ransomware infection.
Unfortunately, handing over money in hopes of file decryption and business recovery rarely results in back-to-normal operations. Another survey found that 73% of small businesses hit by a ransomware attack paid out a ransom to attackers, but only 17% of those that paid were able to recover some of the company’s data.
LOLbin Tactics, Techniques & Procedures
What are LOLbins? It stands for “Living-Off-the-Land Binaries” and describes ways that attackers can hide their malicious behavior within a system and circumvent security defenses. LOLbins are also referred to as fileless malware or threats. Attackers can leverage non-malicious, legitimate executables and binaries within an operating system to attack an organization – without relying on malicious code or files, which can be easily detected by typical security tools.
According to our Director of Security Mike Behrmann, ransomware developers have deliberately adopted LOLbin tactics, techniques and procedures (TTPs) to achieve lateral movement. Ransomware developers have shifted from targeting single system ransoms to more broad targets, as they can extort far more money from a business than an individual.
They do this through malicious wormlike behavior, as seen in WannaCry, a global ransomware attack in May 2017 that spread itself through networks by infecting Windows computers and encrypting files, demanding a Bitcoin ransom in return for decryption. The attack resulted in over 300,000 infected computers.
Detecting Ransomware Attack Vectors With Blumira
The following detections can help bring visibility to your IT or security team on the type of attack vectors that could potentially lead to ransomware infection. Blumira’s platform automatically detects these findings and provides security recommendations for response and mitigation.
SMB Connections From Public IP
Windows Server Message Block (SMB) shouldn’t be allowed to connect from a public IP address, as they can leave organizations open to attacks like EternalBlue (MS17-010), which was exploited in the WannaCry global ransomware attack mentioned earlier. This Microsoft vulnerability affects unpatched Windows operating systems. By detecting an SMB connection early with Blumira’s automated detections, you can respond quickly to stop attackers from infecting your systems with ransomware.
RDP Connections From Public IP
Organizations should never allow public IPs to connect via RDP to your network, nor should it be used as a remote management protocol. Attackers can either brute force (attempt to log in with common username and password combinations) or buy stolen RDP credentials to gain access to your network and install ransomware on your systems.
In a Coveware report of Q4 of 2019, they found that RDP was the most common ransomware attack vector at 57.4% of infections, followed by email phishing (26.3%), software vulnerabilities (12.9%) and other (3.3%).
Click Above to Enlarge
Looking at Blumira’s internal honeypot data, we found an 85% increase in RDP attacks over time since December 2019, showing a marked uptick in access attempts from around the globe. Blumira can detect and alert your IT and security teams if there is a public IP connecting via RDP to your network, and we also provide easy-to-configure honeypots for customers to help them detect lateral movement.
In this example, we’ve made it easy and automated to respond to an RDP connection attempt by providing workflows that guide you through immediate remediation.
With one click, you can immediately block all source IPs connecting via RDP for the next seven days, using Blumira’s Dynamic Block List feature.
PowerShell Execution Policy Bypass
PowerShell execution policy determines which type of PowerShell scripts can run on the system. It’s often used by attackers and malicious software to execute code on a system without having administrative-level access. And that can include executing code to install ransomware on your systems – detecting this type of bypass can help you take action and prevent a potential ransomware attack.
Reconnaissance Scanning
By detecting source IPs running a port scanning tool against your network, Blumira can detect an attacker in the early stages of an attack. Scanning can indicate that an internal or external attacker is performing reconnaissance on your network and is looking for vulnerable areas to attack for lateral movement, according to our security analysts.
Automating Threat Detection & Response to Protect Against Ransomware
“Blumira provides expertise in understanding alerts, with additional context and viewpoints. With a limited staff, it’s important that someone has my back – Blumira’s team has a real commitment to its customers.” – Kevin Hayes, CISO, Merit Network
Blumira’s security platform has built-in detections to alert on important findings that may be indicators or lead to ransomware infection. Our easy-to-deploy solution provides automated threat detection and remediation, integrating with multiple firewalls, endpoint protection tools, Windows servers and other products to analyze and parse your logs for important security events. See how easy it is to set up Blumira and start protecting your organization today.
Additional Resources
Webinar: Protecting Against the Rise in Remote Access Attacks
Join our webinar with Blumira’s CTO Matt Warner on June 2, 1pm ET | 10am PT to see trends in remote access attacks from our honeypot data, and how to mitigate these threats for your organization’s remote workforce.
Top Five Security Threats You Should Be Detecting
A basic primer on some of the top attacker techniques you might not be catching – from ransomware to brute-force attacks – based on Blumira detections.
Top Security Threats: Detecting Data Exfiltration
What tactics do attackers use to steal your data? Other security solutions may miss the signs – Blumira can detect and protect against key indicators.
Hands in the Honeypot: Detecting Real Security Threats
What is a honeypot? Here’s how to set up a honeypot with Blumira to help you detect and stop network intruders.