“Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC), said this month that ransomware “presents the most immediate danger” of all cyber threats faced by the UK, in a speech to the Chatham House thinktank.”
Lindy Cameron’s comment comes from a report in The Guardian from the end of last year, highlighting that ransomware attacks in the UK had doubled in number over the past year.
In previous blogs we’ve looked at the ransomware threat as it affected businesses in 2021 and as we head into 2022, human-operated ransomware (HoR) and its complexity, and measures to put in place to prevent a ransomware attack – and all of which are covered in detail and in-depth in Bridewell Cyber Defence Technical Lead Gavin Knapp’s whitepaper, Human Operated Ransomware (HOR).
Also covered in the paper is a comprehensive analysis of ways in which to detect, respond to, and recover from an attack, because – and as Gavin says – “You will get breached,” – but, and as Gavin also says, it isn’t all “doom and gloom” and there are “multiple opportunities within the kill chain to detect the adversary activity and subsequently evict them from the environment.”
Detection
There is a phrase in security, “prevention is ideal, but detection is a must”. Whereas organisations can have implemented excellent cyber hygiene, it can still just take one off day, or a single broken link in the chain…
Gavin’s whitepaper goes into detail into methods for detecting ransomware, but below is a brief summary of recommendations.
- Create an effective audit policy.
- Implement detections/hunt analytics
- Defend against Cobalt Strike – the adversaries’ go-to tool and present in a high number of HoR intrusions.
- Detect lateral movement – attackers will get in but to achieve objectives, need to move around.
- Implement an EDR technology on your endpoints, servers and VMs.
- Implement a CASB.
- Implement SIEM solution, deploy Sysmon, and implement the SIGMA rule set to provide comprehensive coverage of the MITRE ATT&CK framework.
- Focus on the attacker’s TTPs and behaviours and make sure your EDR, SIEM and other monitoring systems have relevant analytics, that are tested and confirmed to be working.
- Build out a detection framework.
- Establish a threat hunting program.
- Look for associated techniques and tools in event logs and using EDR technology.
- Look for ransomware precursors such as the presence of Emotet.
- Don’t neglect the network, and make sure you are taking a hard look at your network ingress and egress points.
- DNS over TLS, and DNS over HTTPS are going to impact NSM but in the meanwhile, even without SSL inspection we can still get a lot of value here.
- Utilise your firewall, proxy, and other available logs or IDS alerts to detect the presence of lateral movement, services bruteforcing, C2 traffic and data exfiltration.
Response
The following recommendations can help you respond effectively to a HoR attack – and again this is a summary list. Gavin’s whitepaper looks at the guidance in detail.
- Have a plan – and rehearse it!
- Protect your backups.
- Isolate and contain the incident.
- Automate your response process – time is of the essence and so anything that can automate prevention, detection and response activity can make a big difference.
- And ask for help if you don’t have the capability to respond effectively yourself.
Recovery
Having backup and disaster recovery mechanisms have always been key to being able to recover from ransomware. But these mechanisms are now also being targeted within the HoR kill chain, to make it harder for organisations to recover from an attack, and increase the likelihood of paying the ransom.
Listed below are recommendations to help recovery – with these fully explored in Gavin’s whitepaper:
- Identify risks early on, record and communicate them and articulate this as business risk, not just a technical problem.
- Ensure you have a backup and disaster recovery plan and work with your business continuity contact to make sure key assets and services are covered.
- Implement technical controls to prevent unauthorised access and stop key directories and files being deleted, overwritten or encrypted.
- Use or migrate to cloud storage services that have inbuilt protection against ransomware.
- Test controls and processes regularly.
Cyber Insurance
Cyber insurance is not a silver bullet and should not be a substitute for an appropriate cyber security budget. However, it is something you should consider putting in place after discussing with management, compliance and legal counsel.
Paying the Ransom
This is not a decision that can be taken lightly. Paying a ransom is controversial – and in some countries and regions, illegal. There are ethical considerations such as ‘are we funding organised crime’, or even worse ‘terrorism’. Legal and ethical considerations should be addressed well before you become a victim of a ransomware attack.
If you do fall victim to a ransomware attack and decide to pay the ransom, there are guidelines to help negotiate with pay, and hopefully successfully recover your systems and data. These include purchasing cryptocurrency, and vetting and engaging with ransomware brokers and recovery specialists.
But very importantly, prepare for disappointment. Gavin advises, “Don’t put all your eggs in one basket and make sure you research and establish alternative recovery options,” and to also, “Prepare yourself for a second coming, after all these are criminals, you are dealing with.”
HoR represents a growing problem. It’s a crime that’s continuing to evolve, with increasing levels of automation and of sophistication shown by the ransomware operators. But so are the cyber defences improving and expanding in capability, along with a growing awareness among organisations of the threat and resulting commitment to protect themselves – through from implementing measures to protect against an attack in the first place, to detecting and responding to one should they fall victim.