Illusive Blog May 12, 2021

Ransomware Strikes Yet Again, and Early Threat Detection is Critical

By Jeff Barker
Active Defense, Ransomware, Threat Detection

Well, here we go again. And again. And likely again sometime soon. This past weekend brought the news of a major ransomware attack against Colonial Pipeline.

Almost half of all the US East Coast’s gasoline, diesel and other fuels travel through the Colonial Pipeline, which has been shuttered since May 7th. It’s a significant cyberattack against an important infrastructure target in the country. It also underscores the vulnerabilities faced by utilities and infrastructure companies specifically, and private enterprises across all industries more generally, against sophisticated and targeted ransomware attacks.

We are already trying to absorb a lot of analysis from cyber defense experts as to what went wrong, even as the details continue to unfold. The ransomware group DarkSide is believed to be responsible. The ransomware-as-a-service (RaaS) group was created in Eastern Europe, but as cybersecurity reporter Kim Zetter points out, the perpetrators of this particular attack against Colonial Pipeline could have operated from anywhere.


Alyssa Knight recently explained the business model that groups like DarkSide and others typically use:

“RaaS services offer their ransomware as a tool to affiliates. Affiliates often split their payouts with the RaaS operator in a 60/40 split (Forbes, 2020), with the affiliates taking 60% of the profit and the rest going to the RaaS operator. Once they reach 3 successful extortion payments, the affiliate is often bumped up to a higher percentage to 70%. The RaaS operator offers quite a sophisticated toolset for its affiliates, including the luxury of an administrator dashboard and a dedicated site where dumps (stolen data) can be automatically published if a victim refuses to pay.”

Daniel Hoffman, Former CIA Station Chief and Fox News contributor, noted that Russia continues to let these cyber groups act freely, if not to support them outright. “Make no mistake, they’re operating in the former Soviet Union, the Russians know plenty about them, and even if they’re not directly linked to Russian intelligence, it’s a distinction without a difference. Russia allows those hackers to operate with impunity on their territory.”

NOTE – Hoffman will be joining us for an upcoming webinar May 19, The Changing Face of Insider Threats. Click here for more information and to register.

The harsh reality of modern ransomware

Ransomware continues to be a major source of concern for government officials, CISOs and infosecurity teams at businesses large and small. Ransomware attacks have risen by over 700% over the past year, exacerbated by the massive shift to working from home that occurred in the wake of the coronavirus pandemic.

Illusive recently sponsored a brief from analyst firm 451 Research, “The Harsh Reality of Modern Ransomware.” As we’ve previously pointed out, ransomware increasingly shares characteristics with APTs: initial network penetration (through a phishing attack or other means), followed by lateral movement inside the network toward critical Crown Jewel targets.

451 expands on this point:

“[C]riminals, driven by higher payouts from more impactful events, appear to have started deploying ransomware as the final act in more elaborate attack campaigns: silently compromise an initial beachhead, then use that to move laterally across the environment, exfiltrate sensitive corporate data and silently obtain broad administrative access to a large swath of the IT infrastructure. Then, and only then, does the attacker explicitly disrupt operations and demand ransom. Faced with the potential for catastrophic damage, many organizations are more amenable to making exceptionally large payouts.”

When determining their anti-ransomware strategy, security teams would therefore do well to focus on early lateral movement detection (in addition to Data Loss Prevention, data recovery and the like). The problem is that the traditional tools relied on to detect attacker movement (anomaly-based endpoint security tools, and even NDR or UEBA solutions) aren’t working as effectively as security teams would like. After all, ransomware attacks are still happening in environments where those solutions are installed!

Notably, in a 2020 survey conducted by 451 Research of those impacted by ransomware attacks, only 6% of respondents said they are confident that their endpoint security tool would interrupt a ransomware attack, while 11% thought their network security tool could do so. “Many factors likely play into this – Was there sufficient coverage from a deployment perspective? Were configurations and updates adequate against the threat? – but the trend points to some level of disappointment with how controls appear to have performed.”

Read the 451 Research brief in full here.

Where Illusive deception-based Active Defense helps

The three-pronged Illusive approach to paralyzing advanced ransomware is as follows:

  • Identifying and eliminating the extraneous cached credentials and pathways created through legitimate connectivity between devices, such as Shadow Admins or RDP sessions that were never closed. This denies ransomware the easiest and most traveled lateral movement avenues that evade security agents and allow ransomware to spread unimpeded.
  • Replacing those extraneous lateral movement pathways with customized deceptive stories that appear authentic to threat actors. In that way, ransomware propagators launch their attacks on deceptive hosts instead of production hosts and are instantly identified when they do so.
  • If ransomware attempts to encrypt a production host, it will be diverted by deceptive data contained on that host. This sends an alert to the organization so they can block the malicious activity on the device before it can be encrypted and the ransomware is able to spread to other hosts.
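The first prong, removing stale credentials and half-closed sessions, starts with knowing where they are on each host. The PowerShell audit below is an added example written for this post, not Illusive's product or code; it assumes an elevated session on a Windows machine and reports cached credentials (via cmdkey), disconnected RDP sessions (via quser) and direct local Administrators membership, which is the kind of pathway inventory the bullet describes.

```powershell
# Added example, not Illusive's own tooling: a read-only audit of one Windows
# host for the lateral-movement "pathways" described above.
# Assumes an elevated PowerShell session on a Windows host.

function Get-CachedCredentialTargets {
    # cmdkey /list prints one "Target: <name>" line per stored credential.
    # Each is a saved secret that could be reused from this host elsewhere.
    cmdkey /list 2>$null | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    }
}

function Get-DisconnectedRdpSessions {
    # quser lists interactive sessions; STATE "Disc" means the user
    # disconnected without logging off, so their token remains on the box.
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        $line = $_.Trim().TrimStart('>')   # current session is marked with '>'
        if ($line -match '\sDisc\s') {
            # First column is the user name; columns are whitespace-separated.
            ($line -split '\s+')[0]
        }
    }
}

function Get-LocalAdminMembers {
    # Direct members of the local Administrators group only. Indirect
    # ("Shadow Admin") rights granted through ACLs or nested directory groups
    # are not visible here and need a directory-level review.
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { '{0} ({1})' -f $_.Name, $_.ObjectClass }
}

function Invoke-LateralPathAudit {
    # One finding object per exposure, so the output can be filtered or
    # exported (Export-Csv) into a clean-up ticket.
    $computer = $env:COMPUTERNAME
    foreach ($t in Get-CachedCredentialTargets) {
        [pscustomobject]@{ Host = $computer; Kind = 'CachedCredential'; Detail = $t }
    }
    foreach ($u in Get-DisconnectedRdpSessions) {
        [pscustomobject]@{ Host = $computer; Kind = 'DisconnectedRdpSession'; Detail = $u }
    }
    foreach ($m in Get-LocalAdminMembers) {
        [pscustomobject]@{ Host = $computer; Kind = 'LocalAdminMember'; Detail = $m }
    }
}

Invoke-LateralPathAudit | Format-Table -AutoSize
```

Each finding is a candidate for the clean-up the bullet calls for: purge the cached credential, log off the disconnected session, or remove the unnecessary admin membership.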

Learn more about ransomware and active defense