Dealing with Ransomware

The Ponemon Institute addressed ransomware in their 2020 Cost of a Data Breach Report calculating the average cost of a ransomware breach to be AUD$5.9M. When it happens to you, it could be larger or smaller.

Ransomware is commercialisation of cyber-crime. eCrime organisations have become more business savvy. They focus on their niche strength rather than trying to do it all.  This has developed an ecosystem of criminals procuring and providing services to generate revenue by extortion.

We are seeing more ransomware attacks because the criminal side of the equation are managing their businesses better, working together and leveraging their strengths to extort.

The Ponemon Institute report that in Australia the average breach to detection time is 211 days. Seven months for the attacker to do reconnaissance, steal credentials, breach other systems, steal more credentials, create a back door or two, steal some admin credentials, copy data, and keep doing this for every system they can breach.

The breach to detection time on a ransomware attack is expected to be shorter than other cyber-attacks. Ransom and extortion are about monetising a breach so once an attacker has stolen the data, files are encrypted, and ransom demanded.  Refuse to pay and the copied dataset is released on a “data leak site”.

It seems like the attacker is calling the shots. 

Our defensive response to date has been to limit access by reducing vulnerabilities, reducing the attack surface and watching for evidence of bad data and bad behaviours.  This defensive response has a high success rate but It’s not perfect.  How can we make a great result better and not be tomorrow’s data breach headline?

The next step

We need to set the terms for the interaction.

Set honeypots to attract attackers. We control the interaction, and the attackers are not aware that we are watching and learning. We’ve had this capability for years, but it has been time and resource intensive and therefore hard to justify.

Advances in technology over the last couple of decades provide the automation, orchestration and virtualisation to deliver honeypots and other deceptive services at a much lower operating price point.

A ransomware attack

A ransomware attack will normally flow like this. Get in, create a backdoor, find interesting data, copy the data and then encrypt the files (including a ransom note).  Each step is quite complex but the earlier we get positive notification an attacker is in the environment, the sooner they can be evicted.  Stopping them early in their process will stop them from stealing data or encrypting files.

After the initial breach the attacker will be looking for privileged credentials or the “keys to the kingdom”. Dropping deceptive credentials on endpoints makes the environment more dangerous for the attacker. Other deceptive tokens can be used to direct the attacker to honeypots. The burden of risk is now on them because they don’t know what is real, and what is deceptive.

Positive breach detection

Monitor log files to see where an attacker uses these credentials.  As soon as they do, there is positive notification of an attacker in the environment, where they are and where they tried to go.

When an attacker finds a honeypot, there is positive notification of an attacker in the environment because there is no other purpose for a honeypot than to attract an attacker and monitor their activity.

Actively dealing with ransomware

The cyber defence techniques we’ve been using for years are increasingly important as the number and sophistication of attacks increase. The re-emergence of deception technology at a lower operating price point provides the opportunity to discover the few attackers that get through the defences and stop the theft of data.

To deal with ransomware, consider supplementing your current defences with deception technology.