Organizations around the world are now beginning to realize that traditional security measures are largely ineffective against the current generation of increasingly sophisticated ransomware attacks.
The recent DarkSide attack on Colonial Pipeline, the Avaddon break-in by Axa Insurance and the alleged Conti attack that recently attacked the Irish healthcare system are all evidence of the professionalism of the ransomware industry. For example, in 2020 the average ransom payment increased 171% to $ 312,493, according to Palo Alto Networks. Highly organized ransomware gangs like REvil and Clop, a gang whose recent victims include Shell and Stanford University, are now acting like regular businesses, running high-profile recruiting campaigns and issuing press releases to help build their organizations’ online credibility. Their strategy is to build a reputation for reliability with potential victims to reassure target organizations that after paying a ransom, the criminal gang will release the necessary encryption to get the system working again, and even provide them with any necessary support services .
Ransomware attacks themselves are also more sophisticated and harder to detect, as threat actors now have a wider range of attack vectors to choose from, such as the rapid increase in the number of IoT devices. To protect against constant attacks by organized ransomware gangs, organizations ideally need information in the form of advance warnings of the most serious incoming attacks.
Effective threat intelligence now includes the full use of AI to use malware analysis tools to provide consistently updated threat feeds to automatically identify relevant threats, along with automated patch prioritization recommendations to help engineers decide which threats pose the greatest risk . This can help identify vital information such as the exact build of the customized ransomware that is being used to attack the targeted companies and that can reverse engineer the attacks to determine the encryption key and retrieve the stolen data.
Business continuity and disaster recovery planning can also help organizations prepare for a ransomware worst-case scenario by providing the ability to successfully recover and recover from an attack. Monitoring dark web publishing sites for different families of ransomware also allows companies to download the sample exfiltrated data they have published for browsing and understanding exactly which organizations have been exposed, including business partners and customers.
Ransomware gangs can now shop from an ever wider range of malware available on dark web forums and often order ransomware designed for a unique attack on a specific target. Because not all threats affect all organizations equally, threat intelligence needs to be customized to focus on the categories of threats that are most relevant to a particular organization. Security experts also base this on considerations such as the structure of their IT environments, which are often located on the company’s premises or in the cloud. Security teams can also determine the potential for a threat based on the types of workloads the organization is using along with other considerations, including industry compliance.
The threat landscape has become so diverse and complex that data visualization tools for inbound threat intelligence are also essential to successfully navigating it so that engineers can identify relevant trends in threat data and assess the potential severity of various threats.
Effective threat intelligence must also show how and where certain threats originated and how they are developing. To understand the severity of an attack, security teams need to find out exactly who is behind certain threats and what their motives are, as individual threat actors can range from screenplay kiddies to nation-states.
It is not always possible to physically apprehend the criminals responsible for a ransomware attack, as many reside in regions outside the United States. However, knowing the identity and motivation of an attacker can help security teams develop appropriate countermeasures and track the steps taken by threat actors in order to counter their strategies and mitigate potential damage.
Organizations and their advisors need to work closely to gather effective threat intelligence to defend against increasingly professional and ambitious ransomware attacks. The effective collection of threat intelligence, which includes monitoring the darkest areas of the deep web and the dark web, enables companies to take the fight directly to the cybercriminals. Standard security protocols and countermeasures to prevent known attack vectors are no longer sufficient. Truly intelligent threat intelligence tools are required to provide effective security.
Troy Wachter, Vice President, Sales, America, Cyberint