Ransomware

Emerging Trends & What We Have Learned

Ransomware is one of the most common global malware threats

It is one that often catastrophically impacts an organisation. So, it should come as no surprise that 2021 brought us some of the largest ransomware attacks to date. With large national and global brands (which command large security budgets and resources) making the headlines, the upward trend of cybercrime across the globe is plain to see.

Whilst the large scale attacks against big brands make the news, small to medium enterprises are just as vulnerable to these increasingly sophisticated attacks.

Looking back at 2021, there is a lot we can learn from the emerging trends, large scale attacks and the aftermath of a ransomware infection. This information is crucial to organisations looking to understand the associated risks of a ransomware outbreak, empowering them to ensure the necessary mitigations are in place.

RANSOMWARE STATISTICS

- Ransomware costs total $20 billion in 2021
- 37% of businesses and organisations affected
- Recovery costs on average $1.85 million
- 32% of organisations pay the ransom, only 65% get the data back
- 57% of businesses recover lost data

Ransomware & Cyber Threat Trends of 2021

In the fast-moving world of cyber security, there are always trends to watch for. To sift through the noise, we have highlighted some of the key takeaways below.


Working From Home
With the continuation of working from home in 2021 (and signs that it might not go away), many IT departments are now protecting an extended attack surface. Exposure of corporate devices to home networking environments, increasing spam volumes (a common delivery mechanism for ransomware), and not being around colleagues who can help all play a part in raising the risk of exposure.

Sophisticated Attacks
Modern ransomware attacks are growing increasingly sophisticated, both in terms of the technologies leveraged and the effort applied by cyber criminals. There is a growing trend of bad actors performing extensive research on their targets: researching employees via social media, checking whether a company has ransomware insurance, and tracking stock prices and company activities to time their attacks. Organisations must utilise multiple layers of security (technology, people and processes) to help fight these premeditated attacks.


Ransomware-as-a-Service (RaaS) Increasing
Ransomware “gangs” function very much like real companies, supplying sophisticated ransomware kits to bad actors on a subscription model. These kits come with all the benefits of a SaaS product: constant updates and changes (making the exploits more technical and varied), low, consistent costs ensuring a large ROI, and even support! This lowers the bar considerably for malicious individuals and groups looking to extort internet citizens.

Supply Chain Attacks & Trusted Services
Supply chain attacks are becoming increasingly popular. Hot on the heels of SolarWinds, Kaseya (a global remote monitoring and management tool vendor) announced a vulnerability within their products that exposed their customers (and their customers' customers) to ransomware attacks. It also highlights an increase in the use of trusted tools and services as the initial attack vectors for deploying ransomware payloads.

Large Scale Attacks 2021

Whilst there are thousands of attacks per day around the globe, we have highlighted some of the largest headline-grabbing breaches of 2021:

| Company | Industry | Date | Vulnerability | Ransom | Impact |
| --- | --- | --- | --- | --- | --- |
| Brenntag | Chemical distributor | April 2021 | Compromised credential purchased on dark web | $4.4 million in Bitcoin – Paid | Operational difficulties, threat of confidential information leakage |
| Colonial Pipeline | Petrochemical & Oils | May 2021 | Compromised credentials from dark web | $4.4 million in Bitcoin – Paid, but half recovered | Surge in fuel pricing within US (highest within 7 years) |
| JBS | Food supplier | May 2021 | Not disclosed | $11 million in Bitcoin – Paid | Operations affected in Australia, Canada and US |
| Health Services Executive (Irish Health Service) | Healthcare | May 2021 | Phishing email containing malicious Excel file opened by user | $20 million – Did not pay | Cancellation of medical appointments, no access to patient records, delays in COVID testing, for a number of weeks |
| Kaseya | IT Software | July 2021 | Vulnerability in product | $70 million – Did not pay | Approximately 1,500 organisations using Kaseya products affected globally |

The Ransomware Aftermath

Whilst the potential loss of data or a large pay-out (sometimes both) is an obvious outcome of a ransomware attack, there are several other (potentially lasting) effects that organisations should consider.

Lost revenue/productivity

Whilst IT professionals work tirelessly to return systems to operational normality, employees and customers have to work around the current state of systems. Whole order systems or financial packages could be offline or compromised, resulting in lost orders and simple tasks taking much longer. These remediation works can take long periods of time to complete, meaning there could be a considerable impact to an organisation’s bottom line.

Brand reputation

Damage to a brand’s reputation can have a lasting effect on an organisation, sometimes taking years to rebuild. From lost customers to difficulties attracting or retaining talent, the effects can be incredibly difficult to remediate. Current research suggests it can have a devastating impact on a customer’s confidence in a brand’s capability, ultimately impacting the sales pipeline.

Legal obligations

More often than not, cyber criminals threaten to leak confidential information obtained from your organisation during a breach. Certain types of data are protected by legal structures (GDPR), meaning there may also be legal obligations that your company has to meet with regard to disclosure, etc. Some of the governing bodies monitoring these obligations even have the power to impose further fines if sufficient care wasn’t taken to protect the data.

Ransomware:
What’s to come in 2022

Ransomware is here to stay, and we can expect an increasing number of organisations to be affected in 2022. With the rise of RaaS and the anonymous nature of cryptocurrencies, it can be a lucrative business for cyber criminals. Large pay-outs, low technical requirements and anonymity will only exacerbate this in 2022. A recent quote from the director of GCHQ (the UK's intelligence, security and cyber agency) suggests that attacks on organisations in the UK have doubled.

“I think that the reason [ransomware] is proliferating – we’ve seen twice as many attacks this year as last year in the UK – is because it works. It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested,”

In 2022, making sure key stakeholders understand the risks and impacts of such an attack is vital. Sufficient resource needs to be allocated to protect an organisation's interests through 2022 and beyond.

How Snare Can Help:
Extended Forensic Logging Capabilities

Snare offers a number of products that help customers with their log collection needs. These logs can be vital in understanding the timeline of a ransomware attack and performing root cause analysis of the responsible processes. However, as outlined above, with an increasing number of trusted services being compromised, conventional log collection systems (such as SIEMs) may leave key forensic data lost amongst the noise. There are many aspects to ransomware detection and detecting intruders on your network. Snare offers a number of extended logging capabilities that can help highlight the signs of ransomware within your organisation, such as:

Registry Integrity and Access Monitoring – Snare is able to monitor registry locations for access or changes to any and all registry keys stored within a system. Quite often, ransomware will look to persist post boot, so monitoring key registry locations that enable this behaviour can act as an early warning system.

File Integrity and Access Monitoring – Snare is able to monitor files or directories for access and changes to specified locations. In the event of a ransomware attack, large numbers of file changes will occur, generating thousands of FIM/FAM logs in a short time. Snare products are even able to provide customisable threshold alerts, meaning an alert can be generated if more than 100 file events occur within a 5-second window (usually the sign of a process making bulk adjustments to files).
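As an added illustration of the threshold alert described above (example code written for this page, not part of the Snare products), the following Python script applies a sliding 5-second window to constructed file-event records and raises an alert once a single process exceeds 100 events; the record layout, host and process names are assumptions for the example.

```python
from collections import deque
from datetime import datetime, timedelta

def sample_file_events():
    """Constructed file-event records (not Snare's real FIM/FAM log format):
    (timestamp, host, process, action, path)."""
    base = datetime(2021, 5, 14, 3, 12, 0)
    events = []
    # Background noise: a document save every 2 seconds from a normal office process.
    for i in range(20):
        events.append((base + timedelta(seconds=2 * i), "WS01", "winword.exe",
                       "write", f"C:\\Users\\jsmith\\Documents\\report{i}.docx"))
    # Burst: 150 renames in under 3 seconds from an unknown process (assumed name),
    # starting 10 seconds in; this is the bulk-modification pattern the text describes.
    for i in range(150):
        events.append((base + timedelta(seconds=10, milliseconds=20 * i), "WS01",
                       "unknown.exe", "rename",
                       f"C:\\Users\\jsmith\\Documents\\file{i}.docx.locked"))
    events.sort(key=lambda e: e[0])
    return events

def burst_alerts(events, threshold=100, window=timedelta(seconds=5)):
    """Raise one alert per (host, process) that produces more than `threshold`
    file events inside any `window`-long sliding window. Events must be time-ordered."""
    recent = {}      # (host, process) -> deque of timestamps inside the current window
    fired = set()    # (host, process) pairs already alerted on
    alerts = []
    for ts, host, proc, _action, _path in events:
        key = (host, proc)
        q = recent.setdefault(key, deque())
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": host, "process": proc, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts

if __name__ == "__main__":
    for a in burst_alerts(sample_file_events()):
        print(f"ALERT {a['host']} {a['process']}: {a['count']} file events "
              f"between {a['first'].time()} and {a['last'].time()}")
```

The office process never exceeds a handful of events per window, so only the bursting process is reported, with the timestamps of the window that tripped the threshold.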

Proxy Logs – Where the logs were collected using the Snare agents, proxy logs can be searched using the standard reports. The proxy logs may record a path to the Internet used to access malicious content or to exfiltrate data. Reviewing the top sites or users may highlight who the activity was coming from and where it was going for compromised users and systems. The standard reports are located here:

Reports\Application Audit\Proxy Servers 

User Lateral Movement – Logins to other systems can be detected using the standard login reports, which show which systems users are logging into. The report can be cloned as many times as needed, with each copy having additional filters applied for specific users or groups of users, narrowing down to a specific user account logging in to multiple systems. This could be an indication of account compromise if the user access was not legitimate. Out-of-hours login reports can also be run to see which accounts are being used outside standard working hours, when the accounts would not normally be used. User login activity for Windows and other operating systems is found here:

Reports\Operating Systems\Login Activity 
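As an added example (not from the original page or from Snare's own reports), this Python script runs the two checks described above, out-of-hours logins and one account reaching several systems in a short time, over constructed login records; the record layout, hosts, working hours and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed login records (an assumed layout, not Snare's real report output).
SAMPLE_LOGINS = """\
2021-05-14T09:02:11 host=WS01 user=jsmith src=10.0.4.22
2021-05-14T09:15:40 host=FS01 user=jsmith src=10.0.4.22
2021-05-14T11:30:05 host=WS07 user=mlee src=10.0.4.31
2021-05-14T02:17:33 host=WS01 user=jsmith src=10.0.9.8
2021-05-14T02:18:02 host=FS01 user=jsmith src=10.0.9.8
2021-05-14T02:18:47 host=DC01 user=jsmith src=10.0.9.8
2021-05-14T02:19:10 host=SQL01 user=jsmith src=10.0.9.8
2021-05-14T02:20:55 host=APP02 user=jsmith src=10.0.9.8
2021-05-14T19:45:00 host=WS07 user=mlee src=10.0.4.31
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_logins(text):
    """Parse the constructed records into dicts, time-ordered; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": datetime.fromisoformat(m["ts"]),
                            "host": m["host"], "user": m["user"], "src": m["src"]})
    return sorted(records, key=lambda r: r["ts"])

def out_of_hours(records, start=time(8, 0), end=time(18, 0)):
    """Logins on a weekend or outside the start..end working window (assumed hours)."""
    return [r for r in records
            if r["ts"].weekday() >= 5 or not (start <= r["ts"].time() < end)]

def lateral_movement(records, max_hosts=3, window_seconds=3600):
    """Accounts that log in to more than max_hosts distinct systems within the window.
    Returns {user: sorted hosts reached in the first window that tripped the rule}."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        for i, first in enumerate(recs):
            hosts = {r["host"] for r in recs[i:]
                     if (r["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings
```

Calling `lateral_movement(parse_logins(SAMPLE_LOGINS))` flags the account that reached five systems in a few minutes, and `out_of_hours` returns the same early-morning logins plus the evening one, so the two reports corroborate each other.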

User and group changes can also be tracked and reported on. One of the changes the malware makes is to modify or add users so that they have privileged access. Tracking whether users have been added or removed, system policy changes, audit logs being cleared (a sign of an attacker trying to hide their tracks), group and group membership changes, and specific user changes granting additional access can all indicate malicious activity. Snare Central has reports for tracking administrative user activity located here:

Reports\Operating Systems\Administrative Activity 

Process Execution – Reviewing process execution can be complicated, as it requires understanding which applications are normally used on the corporate network and which are not. However, gaining context on what is run and then spotting what is abnormal can be done by reviewing the activity of the key systems first, then expanding the review to other systems as needed. Where application whitelisting has been implemented the risk may be lower, but not all organisations have been able to whitelist all application usage. Snare Central has some base reports that allow the user to show what commands are being run on the systems. If the customer also has Sysmon installed (https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon), it will provide additional information and the parameters used in commands that are run, including PowerShell commands. The reports can be cloned as many times as needed and adjusted with additional filters to search for specific applications or to exclude known whitelisted applications and then report on the remaining unknown applications. Process monitoring reports can be found here:

Reports\Operating Systems\Process Monitoring 

Network Activity Monitoring – Where Snare Central is collecting logs from firewalls, routers, switches and other devices, or from Snort or other IDS/IPS systems, it can help correlate actions performed by systems and/or users to show where malicious content was downloaded from or where data is being exfiltrated to. Reports can be created for a variety of network devices, with filters created to look for specific IP addresses of interest, whether internal or external. In the case of this malware, filtering on the source address of the SolarWinds server and any other compromised server may help narrow down what the actions were and how they were performed on the corporate network. Some of the standard network activity monitoring reports can be found here:

Reports\Network 

Database Activity Monitoring – Database activity monitoring, as provided by our Snare MS SQL agent, can help provide additional information on what corporate data was accessed inside MS SQL Server databases. By tracking access to the databases and reviewing the contents of the SQL commands and who was running them, it can provide additional forensics when combined with the other user activity performed on the systems. There are several standard reports in Snare Central that provide details on Admin and DBA activity, database activity, and usage of specific commands. Users can report on login activity, use of user rights, review specific SQL events, report on objects accessed using custom reports, and tune them based on the customer’s specific naming conventions. Some of the standard reports can be found here:

Reports\Application Audit\MSSQL Server 

These are just a few of the XFL (Extended Forensic Logging) capabilities of Snare products.

Have Questions About Ransomware & How Snare Can Help?

If you would like to learn more, please reach out to your regional Snare team.