Ransomware Attacks and How to Protect Yourself

What is Ransomware?

Ransomware is malware that restricts an organization's or user's access to the data on their computers. By encrypting files and demanding a ransom for the decryption key, cybercriminals put businesses in a position where paying is the quickest and cheapest way to regain access to their data. To increase the pressure on victims to pay, several variants have added further capabilities, such as data theft.

The first known ransomware, called "AIDS" or "PC Cyborg", surfaced in 1989. Today there are many different ransomware families, including CryptoLocker, CryptoWall, CTB-Locker, Locky, and TeslaCrypt. Some variants even disable anti-malware software on infected systems so that they cannot be removed by other means.

Emergence of Ransomware

The 2017 WannaCry attack marked the start of the current ransomware surge. This widespread and widely reported attack proved that ransomware was both feasible and potentially lucrative. Numerous ransomware variants have since been created and used in a great many attacks.

The COVID-19 pandemic also contributed to the recent rise in ransomware. Gaps in firms' cyber security opened up when they shifted rapidly to remote work, and cybercriminals exploited these gaps to spread ransomware, driving up the number of attacks. Compared with the first half of 2020, ransomware attacks rose by 50% in the third quarter.

Popular Ransomware Variants

There are many ransomware variants, each with its own features. Certain ransomware groups, however, have been more active and profitable than others, setting them apart from the rest.

1. Ryuk

Ryuk is a highly targeted ransomware variant. It is usually delivered by spear-phishing emails or by using stolen user credentials to log in to business systems over the Remote Desktop Protocol (RDP). Once it has infected a system, Ryuk encrypts certain file types (skipping those essential to the computer's operation) and then demands a ransom.

Ryuk is one of the most expensive ransomware variants in use; the average ransom it demands is above $1 million. Accordingly, the cybercriminals behind Ryuk mostly target businesses that have the means to meet their demands.

2. Maze

The Maze ransomware is notable for being the first strain to combine file encryption with data theft. When victims began refusing to pay, Maze started collecting sensitive data from their computers before encrypting it; if the ransom was not paid, this data would be published or sold to the highest bidder. The prospect of a costly data leak was a further inducement to pay.

The group behind the Maze ransomware has officially ceased operations, but this does not mean the threat is any smaller. The Egregor, Maze, and Sekhmet variants are said to share a common origin, and some Maze affiliates have switched to using it.

3. REvil (Sodinokibi)

REvil began as a conventional ransomware strain but has since evolved. It now uses the double-extortion method: it steals data from organizations as well as encrypting their files. This means attackers can demand a fee to unlock the data and also threaten to publish the stolen information unless a second payment is made.

4. Lockbit

LockBit is ransomware-as-a-service (RaaS) that has been active since September 2019. It was designed to encrypt large enterprises' data quickly, before intrusion detection systems and IT/SOC teams can notice and respond.
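To show what a SOC's file monitor can key on when ransomware of this kind encrypts files in place or renames them, here is an added Python example written for this page (it is not LockBit's, Ryuk's or any vendor's code). It estimates per-byte Shannon entropy, allows for file types that are dense by nature, checks that Office/ZIP containers still carry their header, and flags a document name with an extra suffix appended. The sample files, the `.locked` suffix, the 7.0-bit threshold and the three-file alert minimum are all constructed assumptions.

```python
import math
import os
import pathlib
import random
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off, tune per environment
ZIP_MAGIC = b"PK\x03\x04"  # header shared by ZIP and Office Open XML files
# Types that are high-entropy by nature (compressed or already encrypted),
# so entropy alone says nothing about them.
NATURALLY_DENSE = {".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf", ".mp4"}
ZIP_CONTAINERS = {".docx", ".xlsx", ".pptx", ".zip", ".jar"}  # must start with ZIP_MAGIC
TEXT_LIKE = {".txt", ".csv", ".sql", ".log", ".json", ".xml"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> list:
    """Return the reasons a file looks like ransomware output (empty list = looks normal)."""
    reasons = []
    suffixes = [s.lower() for s in pathlib.PurePath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    ent = shannon_entropy(data)
    if ent >= ENTROPY_THRESHOLD and last not in NATURALLY_DENSE:
        if last in ZIP_CONTAINERS:
            if not data.startswith(ZIP_MAGIC):
                reasons.append(f"{last} file without ZIP header (entropy {ent:.2f})")
        else:
            reasons.append(f"entropy {ent:.2f} is unusual for '{last or 'no'}' extension")
    # A document name with an extra suffix appended (e.g. report.docx.locked) is a
    # hypothetical renaming pattern; compressed copies like data.csv.gz are excluded.
    if len(suffixes) >= 2 and suffixes[-2] in ZIP_CONTAINERS | TEXT_LIKE and last not in NATURALLY_DENSE:
        reasons.append(f"document suffix {suffixes[-2]} followed by extra suffix {last}")
    return reasons


def scan_directory(root: str) -> dict:
    """Map each suspicious file (path relative to root) to its list of reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)  # the first 64 KiB is enough for an entropy estimate
            reasons = classify_file(name, head)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def should_alert(findings: dict, min_files: int = 3) -> bool:
    """Several suspicious files appearing together is the mass-encryption signal;
    a single odd file is more likely a false positive."""
    return len(findings) >= min_files


def build_demo_tree() -> str:
    """Write a constructed set of files to a temp dir: three normal, three ransomware-like."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"Quarterly report: revenue was stable, costs were flat.\n" * 40
    samples = {
        "notes.txt": text,                  # plain text, low entropy
        "report.docx": ZIP_MAGIC + blob,    # genuine Office file: dense but keeps its header
        "photo.jpg": blob,                  # dense by nature
        "customers.csv": blob,              # encrypted in place, name unchanged
        "budget.xlsx": blob,                # encrypted in place, ZIP header destroyed
        "report.docx.locked": blob,         # encrypted and renamed (hypothetical suffix)
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    hits = scan_directory(demo)
    for path, why in sorted(hits.items()):
        print(path, "->", "; ".join(why))
    print("mass-encryption alert:", should_alert(hits))
```

Entropy on its own misfires on anything compressed, which is why the type and header checks are there; in production this kind of scan is paired with a rate-of-change signal (how many files changed in the last minute) rather than run once over a static tree.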

5. DearCry

In March 2021 Microsoft issued fixes for four Microsoft Exchange server vulnerabilities. DearCry is a new ransomware variant designed to exploit those four previously disclosed Exchange vulnerabilities.

DearCry encrypts certain file types. Once encryption is complete, it displays a ransom note telling users to email the ransomware's operators for instructions on how to unlock their data.

6. Lapsus$

Lapsus$ is a South American ransomware group that has been linked to attacks on high-profile targets. The gang is known for extortion, threatening to publish private data if victims do not meet its demands. It has claimed to have broken into companies including Nvidia, Samsung, and Ubisoft, and it disguises malware files as legitimate ones by using stolen source code.

How to Protect Against Ransomware

Utilize Best Practices

A well-prepared plan can significantly reduce the cost and impact of a ransomware attack. Adopting the practices listed below can reduce an organization's exposure to ransomware and limit its effects:

Cyber awareness training and education: Phishing emails are a common way of spreading ransomware, so it is essential to teach people how to recognize and avoid potential ransomware attacks. User education is often seen as one of the most important defenses a company can employ, since many modern cyber-attacks begin with a targeted email that contains no malware at all, only a socially engineered message tempting the user to click a malicious link.

Continuous data backups: By definition, ransomware is built so that recovering encrypted data requires paying a ransom. Automated, protected data backups let a company recover from an attack with little or no data loss and without paying. Keeping frequent backups is a crucial step in preventing data loss and ensuring recovery after an infection or a disk hardware failure, and working backups are what allow organizations to recover from ransomware attacks.

Patching: Patching is essential for guarding against ransomware, since attackers often study newly released patches for the vulnerabilities they fix and then attack systems that have not yet applied them. The fewer unpatched vulnerabilities an attacker can find in the company, the smaller the attack surface, so firms must ensure that all systems have the latest fixes installed.

User authentication: Ransomware attackers frequently use stolen user credentials to access services such as RDP. A strong authentication process, such as multi-factor authentication, makes it harder for an adversary to use a guessed or stolen password.
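As an added example of the "automated, secured" and "functional" backups the practices above call for (written for this page, not code from any backup product), the Python below copies a directory tree into a backup location, records a SHA-256 manifest, and verifies the backup against a manifest digest that is meant to be stored out of band, so that a backup reached by ransomware cannot vouch for itself. The sample files and the simulated corruption are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "manifest.json"


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_root: str, backup_root: str) -> str:
    """Copy every file under src_root to backup_root/data, write a manifest of per-file
    digests, and return the manifest's own digest. Record that one value somewhere the
    backup host cannot reach (a separate system, even paper), so a tampered manifest
    cannot vouch for tampered data."""
    manifest = {}
    for dirpath, _, names in os.walk(src_root):
        for name in names:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(backup_root, "data", rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(dst)
    manifest_path = os.path.join(backup_root, MANIFEST_NAME)
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return sha256_of(manifest_path)


def verify_backup(backup_root: str, expected_manifest_digest: str):
    """Re-hash the manifest and every file it lists. Returns (ok, problems)."""
    manifest_path = os.path.join(backup_root, MANIFEST_NAME)
    if sha256_of(manifest_path) != expected_manifest_digest:
        return False, ["manifest digest mismatch (manifest altered or wrong backup)"]
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_root, "data", rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"digest mismatch: {rel}")
    return not problems, problems


def demo_backup_cycle():
    """Constructed end-to-end run: back up two files, verify, then simulate one backed-up
    file being overwritten (what ransomware reaching a mounted backup share would do)
    and verify again. Returns (ok_before, ok_after, problems)."""
    work = tempfile.mkdtemp(prefix="backup_demo_")
    src, bak = os.path.join(work, "src"), os.path.join(work, "bak")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "finance", "ledger.csv"), "w") as fh:
        fh.write("id,amount\n1,100\n2,250\n")
    with open(os.path.join(src, "readme.txt"), "w") as fh:
        fh.write("constructed sample data\n")
    manifest_digest = create_backup(src, bak)
    ok_before, _ = verify_backup(bak, manifest_digest)
    with open(os.path.join(bak, "data", "finance", "ledger.csv"), "wb") as fh:
        fh.write(b"\xff" * 64)  # constructed corruption
    ok_after, problems = verify_backup(bak, manifest_digest)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    before, after, why = demo_backup_cycle()
    print("verified after backup:", before)
    print("verified after corruption:", after, why)
```

Verification proves the copy is intact; it does not make it immutable. The offline or write-once copy the text calls for is still needed, and the verify step is what turns "we have backups" into "we have backups we can restore from".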

How NDR Is Revolutionizing Cybersecurity

Network Detection and Response (NDR) is a fast-growing field of cybersecurity that provides network-wide monitoring and advanced detection of malicious actors and suspicious activity that other tools may miss. An NDR solution continuously inspects all network traffic while building a baseline of normal network activity, making it very difficult for attackers to hide.

NDR stands out in the market for its suite of technologies for detecting suspicious and malicious traffic, including machine learning, deep learning, and heuristic analysis.

Gartner created the NDR category in 2020, renaming it from "Network Traffic Analysis" because of the ever-increasing volume of data spread across the cloud. The larger the network, the longer threat actors can stay hidden without triggering alerts. NDR detects and contextualizes these problems by applying analytical techniques such as machine learning to collected telemetry. By analyzing all traffic flows together, NDR solutions provide a resilient defense against zero-day attacks, spotting and anticipating potential threats before they surface.

The Beginning

Network traffic has been monitored for a long time, but as the volume of data grew dramatically, many organizations could no longer extract the insight they once relied on, creating a new set of problems.

As technology evolved and systems began to cope with the seemingly endless flood of data, Network Traffic Analysis (NTA) was used to analyze and track the behavior of network traffic for security purposes. While NTA is still in use within Security Operations Centers (SOCs), the market has moved on to more advanced requirements and capabilities, such as those NDR provides.

Advanced behavioral analytics, machine learning, and AI form the backbone of NDR solutions, improving detection, accurately rating threat risk levels, and automating manual tasks routinely performed by analysts so they can focus on triage and rapid response. Machine learning enables sophisticated detection of "known unknown" cyber threats and of new zero-day "unknown unknown" threats:

known-unknown: threats the company knows exist but whose extent and impact are not yet understood.

unknown-unknown: threats the business does not even know it is unaware of.

Why do I need Network Detection and Response?

Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) are crucial tools, but they are not the be-all and end-all of protecting your organization. NDR fills the gaps to help provide a comprehensive security monitoring platform, especially now that IoT and cloud computing give threat actors more opportunity than ever.

More traditional detection tools rely on signature-based detection, which identifies a threat and alerts a security analyst. Incident response then follows, but only after the attack has already succeeded, which can leave your network compromised by fast-moving, experienced threat actors. On their own, these tools put your organization at significant risk because they rely on reactive measures rather than a proactive approach. NDR uses machine learning and automated response to predict and remediate incoming intrusions before an attack has fully unfolded, potentially saving your data.
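As an added illustration of the two detection styles contrasted above, and of the baseline-then-detect approach described at the start of this section, the Python below is written for this page and is not code from any NDR product. It learns a per-host baseline from constructed flow records (which ports each host uses and how many distinct destinations it reaches in an hour), then runs a later window through a signature check against a constructed blocklist (the "known" path) and behavioral checks for first-time port use and unusual fan-out (the "unknown" path, which is also where the lateral-movement blind spot discussed under "Logs and Endpoint Security Aren't Enough" shows up). Every host, port and the blocklisted address is constructed, and the fan-out factor is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

HOUR = 3600


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed; a real NDR sensor would ingest NetFlow/IPFIX or packet metadata)."""
    ts: int      # seconds since epoch
    src: str     # source host
    dst: str     # destination host
    dport: int   # destination port


# Constructed signature list: a TEST-NET-3 address standing in for a known-bad destination.
# It is not a real indicator of compromise.
KNOWN_BAD_DESTINATIONS = {"203.0.113.10"}

# Assumed tolerance: flag a host when its distinct destinations in one hour exceed
# FANOUT_FACTOR times its baseline peak.
FANOUT_FACTOR = 3


def build_baseline(flows):
    """Learn, per source host, the set of ports it normally uses and its peak number
    of distinct destinations in any single hour."""
    ports = defaultdict(set)
    dests_per_hour = defaultdict(lambda: defaultdict(set))
    for f in flows:
        ports[f.src].add(f.dport)
        dests_per_hour[f.src][f.ts // HOUR].add(f.dst)
    fanout = {src: max(len(d) for d in hours.values()) for src, hours in dests_per_hour.items()}
    return {"ports": dict(ports), "fanout": fanout}


def detect(flows, baseline, fanout_factor=FANOUT_FACTOR):
    """Return (host, kind, detail) alerts: kind is 'signature' for blocklist hits
    (known threats) and 'anomaly' for deviations from the learned baseline."""
    alerts = []
    new_port_seen = set()
    dests_per_hour = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.dst in KNOWN_BAD_DESTINATIONS:
            alerts.append((f.src, "signature", f"connection to listed destination {f.dst}:{f.dport}"))
        known_ports = baseline["ports"].get(f.src, set())
        if f.dport not in known_ports and (f.src, f.dport) not in new_port_seen:
            new_port_seen.add((f.src, f.dport))  # report each new port once per host
            alerts.append((f.src, "anomaly",
                           f"first use of port {f.dport} (baseline ports {sorted(known_ports)})"))
        dests_per_hour[f.src][f.ts // HOUR].add(f.dst)
    for src, hours in dests_per_hour.items():
        usual = baseline["fanout"].get(src, 0)  # a host absent from the baseline has no learned norm
        for hour, dests in hours.items():
            if len(dests) > usual * fanout_factor:
                alerts.append((src, "anomaly",
                               f"{len(dests)} distinct destinations in hour {hour}, baseline peak {usual}"))
    return alerts


WORKSTATION = "10.0.1.20"
OTHER_HOST = "10.0.1.21"
NORMAL_TARGETS = [("10.0.2.1", 53), ("10.0.2.5", 445), ("10.0.2.6", 443)]  # DNS, file server, intranet


def sample_baseline_flows():
    """Two quiet hours of constructed traffic for two workstations."""
    flows = []
    for hour in range(2):
        for i, (dst, port) in enumerate(NORMAL_TARGETS):
            for host in (WORKSTATION, OTHER_HOST):
                flows.append(Flow(hour * HOUR + i * 60, host, dst, port))
    return flows


def sample_detection_flows():
    """A later hour in which WORKSTATION behaves like a host with stolen credentials:
    it reaches a blocklisted address, opens RDP to a peer, and touches ten peers over SMB."""
    t = 10 * HOUR
    flows = [
        Flow(t + 0, WORKSTATION, "10.0.2.1", 53),
        Flow(t + 10, WORKSTATION, "10.0.2.5", 445),
        Flow(t + 20, OTHER_HOST, "10.0.2.6", 443),
        Flow(t + 100, WORKSTATION, "203.0.113.10", 443),
        Flow(t + 200, WORKSTATION, "10.0.1.50", 3389),
    ]
    flows += [Flow(t + 300 + i, WORKSTATION, f"10.0.1.{30 + i}", 445) for i in range(10)]
    return flows


if __name__ == "__main__":
    base = build_baseline(sample_baseline_flows())
    for host, kind, detail in detect(sample_detection_flows(), base):
        print(f"[{kind}] {host}: {detail}")
```

Note that the port-445 sweep is invisible to the signature path (every destination is an internal host and port 445 is in the baseline); only the fan-out comparison against the learned peak catches it, which is the "unknown unknown" case the text describes.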

According to ExtraHop, “What's more, while attackers may be able to fool firewalls and traditional IDS by masquerading as legitimate users and services and avoiding signature-based detection, they can't escape NDR. That's because it's almost impossible for them to avoid certain key activities on the network, which NDR can detect. It enhances rules-based detection with machine learning technology to model the behaviors of entities on the network and contextually identify anything that resembles known attack techniques. That means even legitimate-seeming processes may be flagged if their appearance seems unusual.”

Proactive Approach

Cybercriminals have more advanced tools at their disposal than ever before, even gaining access to nation-state-level tools.

“Tools developed by nation-states have made their way onto the black market many times. An infamous example is the Eternal Blue exploit, which was used by the WannaCry hackers,” comments Ian Pratt, Global Head of Security, Personal Systems, HP Inc. “Now, the return on investment is strong enough to enable cybercriminal gangs to increase their level of sophistication so that they can start mimicking some of the techniques deployed by nation-states too.”

NDR provides a safety net against pervasive and sophisticated threat actors, giving a deeper level of security than EDR and SIEM together.

Logs and Endpoint Security Aren’t Enough

SIEMs and other endpoint tools show glaring weaknesses in detecting threats that are not simply malware-based, leaving lateral movement, such as the use of stolen credentials, potentially undetected.

Furthermore, SIEM reporting can be frustrating and complex, so only trained SIEM specialists are able to draw accurate, actionable insights from it. Non-technical members of the organization would struggle to understand the reports, which leads to confused strategy and communication gaps.

According to a Netwrix national survey, 63 percent of respondents said they had difficulty understanding the reports produced by their SIEM, and a further 53 percent said they had to manually adjust their SIEM reporting so that non-technical stakeholders could understand it.

IoT Needs Sophisticated Protection

IoT devices, like a Nest thermostat, often lack the computing power, or are simply too small, to run security software. Attacks on these devices can cause serious losses because of immediate physical consequences, such as losing control of a front-door lock or having a home-security system taken over. Many such devices are used in healthcare for patient vital-sign monitoring and other high-risk settings. IoT devices are generally deployed across large, interconnected networks, and many are portable, potentially exposing multiple networks.

Many users own 10 or more interconnected IoT devices, which challenges analysts and professionals to manage a complex web of connected features and configurations. NDR lets organizations manage these devices by monitoring their network activity rather than by securing each device's software individually.

Context Matters

NDR solutions provide context-rich insights into your network, painting a full picture of all activity, including important questions:

NDR and a SIEM form a powerful team when used together, each providing rich context and validation for the detections made by the other.

Final Thoughts

NDR can be a lighthouse for organizations struggling to maintain a coherent, complete picture of their cyber environment, thanks to its ability to detect incoming threats and anomalies that other tools miss. From behavioral analytics and machine learning to automated threat response, adding NDR leaves your organization better protected against evolving threats.