By Rabih Itani, Country Manager, UAE, Vectra AI
Ransomware. It is the new digital bogeyman. In the UAE, an industry survey from June 2021 showed the extent to which the country (and by implication, the wider region) has been subjected to ransomware. Some 37% of respondents said they had been victims in the previous two years. A staggering 84% elected to pay the ransom, only for most of them — 90% of those who paid — to suffer from second attacks that often came from the same bad actors.
What is even more concerning is that, particularly over the last year, the industry has seen a rise in RansomOps. While ransomware attacks follow the ‘spray and pray’ model (think WannaCry), RansomOps are more sophisticated, highly targeted APT-style attacks that are often associated with nation states but could also be the modus operandi of bad actors looking to maximise financial impact on a specific target. In May alone, there was the US Colonial Pipeline incident, an attack on Ireland’s Ministry of Health, and a DarkSide blitz on German chemical distributor Brenntag in which the company paid out US$4.4 million. More recently, US-based Kaseya’s virtual systems administrator (VSA) offering was infected with REvil ransomware via a supply-chain attack in which a routine update infected several managed service providers and potentially thousands of downstream customers.
As CISOs continue to adapt to an escalation in hybrid work, they must contend with multi-network environments and unvetted personal machines, both of which present tempting inroads for ransomware. As you read this, thousands of bad actors are leveraging tried-and-tested strains — or designing the next variants — of ransomware to extort vast sums from unsuspecting targets. They take their time; they get the job done.
Bad actors first assess potentials from a distance, researching their business model and determining how damaging downtime would be to them. From this, the attackers estimate how likely payment might be and calculate the optimal ransom level. The penetration itself can be outsourced or bought in “ready” form on the dark web for as little as US$300. Once inside their target’s perimeter, ransomware-attackers continue their assessment, evaluating applications and data for encryption. And then comes the pain.
In a digital world, total encryption of processes and files means the complete shutdown of business operations for any enterprise hit by such a campaign. Security teams will spring into action immediately but in many cases, they will face an uphill struggle. They must stop the attack in progress while restoring digital operations. That is not easy. Nor is determining the source of the incursion to prevent a repeat occurrence.
And payment of the ransom does not guarantee delivery of the encryption key. In short, ransomware attacks are more of a test of many organisations’ business-continuity strategies than of any other aspect of their threat postures. Without exceedingly sound contingency plans, ransomware victims suffer lengthy downtimes, data losses and financial shocks.
The road to mitigation
Early detection is the key to damage mitigation. If infected hosts are isolated promptly then threat hunters can get to work killing the processes that foment replication. Ideally, this should be left to automation tools, as human intervention in real time does little to stem the rapidity of ransomware propagation. Platforms that have oversight of the entire network are best placed to make automatic determinations that are effective in preventing damage and loss.
One key network-wide strategy that is successful in detection of ransomware is to take a bird’s-eye view of behaviors rather than actively searching for known ransomware variants in packet traffic or processes. This strategy is proactive and focuses on uncovering initial reconnaissance and penetration activity by bad actors, rather than waiting for the payload to be dropped.
In addition, robust identity-management policies can help stem the tide if care has been taken to ensure that only a select few have access to the most sensitive areas of the IT infrastructure. Ransomware must make do with the credentials issued to the user or application that allowed it to launch. Furthermore, if tight monitoring of the activity of high-privilege accounts is in place, security teams can act more quickly to head off a ransomware invasion.
A new battle tactic: AI-based Network Threat Detection and Response
These best practices are part of an AI-driven approach to threat detection and response. By taking a high-level, behavioural angle on the ransomware problem, we leave behind the too-little-too-late tactic of searching for the ransomware itself. Tools that deliver this approach engage in deep analysis of network traffic and have the ability to track attacker activity pivoting between on-premise, data center, IaaS and SaaS environments. Machine-learning models are already supplementing the expertise of security teams and delivering strong results. Only models like these have the scale and power to accept high volumes of telemetry and compare it with oceans of historic data in real time to identify risky activity.
These behavioural-based threat detection platforms are dedicated to detection and response within cloud, datacentre, IoT, and enterprise networks. Early detection, the elimination of false positives and the reduction of alert fatigue are key features of the technology, as is the validation of key industry standards, like MITRE D3FEND, which helps to build confidence among an organisation’s customers.
Ransomware is extremely profitable to cybercriminals and is unlikely to disappear from the threat landscape any time soon. Quick and accurate detection — which currently only come with AI-based threat detection & response approaches — are the best allies regional business stakeholders can have in this fight.