According to the Ponemon Institute, only 20% of organizations are confident of their ability to deal with a ransomware attack. This may seem counterintuitive since the cost of a successful attack to an organization can be significant, but it exemplifies the challenges endemic to preventing, detecting, and responding to the growing sophistication of ransomware threat actors. In 2019, ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018.
However, a paid ransom is only a fraction of the cost of a successful ransomware attack to an organization. Assuming files are restored following payment, impacted organizations also lose productivity, experience reputational damage, and incur significant recovery costs.
Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this.
This post explores how to leverage SIEM technology to detect and respond to ransomware attacks.
Understanding the objective of a cyberattack is important to effectively protect against it. Many advanced persistent threats (APTs) focus on the theft of sensitive data. This means cybercriminals put time and effort into constructing an attack that remains undetected while looking for systems containing sensitive data. In fact, the average time between a system being compromised by an attacker and the data breach being detected is 207 days.
In contrast, ransomware attacks are designed to be detected relatively quickly. Once the attacker has encrypted the files on a system, they want the owner to know as soon as possible so that they can pay the ransom.
There is one critical caveat to the above statement which represents a shift in the sophisticated ransomware actor’s modus operandi – double extortion. Rather than solely focusing on the operational impacts of encrypted systems for negotiation leverage, ransomware actors are actively exfiltrating sensitive or regulated data during a pre-ransom reconnaissance phase of their activities. This stolen data is then leveraged as an additional motivator for the victim to succumb to the ransom demands – failure to pay will lead to leaked data, causing further reputational, legal, and regulatory liabilities.
The time between the initial compromise of a system with ransomware and this revelation depends on the type of attack being performed. Three of the major types of ransomware attacks are:
Of these three types of ransomware attacks, the server-focused and critical mass variants often require more control by the attacker and have a longer window from initial compromise to encryption. The reason for this is that the attackers need to decide if they have compromised enough systems to degrade an organization’s operations before revealing themselves.
Even with properly configured systems, no security solution provides iron-clad protection against ransomware. This calls for a defense-in-depth approach to creating security layers in the environment.
A comprehensive SIEM-based approach increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
To be effective, a SIEM needs a source of high-quality data and knowledge of what to look for. Several data sources exist, including system logs, Windows AppLocker, endpoint security solutions, and SIEM agents deployed on the endpoint.
Knowledge of what to look for comes from an understanding of the ransomware’s goals and the steps necessary to achieve them. Ransomware attacks can be identified using indicators that appear in the early, middle, and late stages of an attack.
Ransomware is a particular type of malware and, as such, shares many early-stage signs of infection with other types of malware. Some of these indicators include:
After infecting “patient zero”, many malware variants will attempt to spread through the network to increase their impact or look for more valuable targets. This lateral movement creates detectable IoCs, such as:
Low-grade IoCs or abnormal events may be an anomaly if detected on a single system. However, if they are found on many workstations at the same time, it may indicate an attempt to perform a widespread ransomware attack.
Ransomware is designed to encrypt files, meaning that it will open, modify, and delete files one folder at a time. This type of anomalous activity can be detected by tracking file modification events (necessary for the encryption rewrites) and looking for processes that delete Volume Shadow Copy Service (VSS) backups.
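As an added example (not the post's own tooling), the following Python runs the two encryption-stage checks just described, shadow-copy deletion and a burst of file modifications, over a constructed event feed, and then applies the "many workstations at the same time" correlation from the previous paragraph; the command-line patterns, thresholds and time windows are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample feed (not real logs): (timestamp, host, event_type, detail)
EVENTS = [
    ("2024-03-01T09:00:01", "ws01", "process", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-03-01T09:00:03", "ws01", "file_modify", r"C:\Users\a\Docs\q1.xlsx"),
    ("2024-03-01T09:00:04", "ws01", "file_modify", r"C:\Users\a\Docs\q2.xlsx"),
    ("2024-03-01T09:00:05", "ws01", "file_modify", r"C:\Users\a\Docs\q3.xlsx"),
    ("2024-03-01T09:00:09", "ws02", "process", "wmic shadowcopy delete"),
    ("2024-03-01T09:00:12", "ws03", "process", "vssadmin.exe list shadows"),  # benign query
    ("2024-03-01T11:30:00", "ws05", "process", "vssadmin.exe delete shadows /all"),  # hours later
]
SHADOW_DELETE_PATTERNS = (("vssadmin", "delete", "shadows"), ("wmic", "shadowcopy", "delete"))
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(seconds=30)  # demo assumptions; tune to baseline
SPREAD_MIN_HOSTS, SPREAD_WINDOW = 2, timedelta(minutes=5)

def parse(rows):
    return [(datetime.fromisoformat(t), h, k, d) for t, h, k, d in rows]

def shadow_delete_alerts(events):
    # host -> first time a process command line matched a shadow-copy deletion pattern
    hits = {}
    for ts, host, kind, detail in events:
        cmd = detail.lower()
        if kind == "process" and any(all(w in cmd for w in p) for p in SHADOW_DELETE_PATTERNS):
            hits.setdefault(host, ts)
    return hits

def file_burst_alerts(events):
    # host -> start of the first sliding window holding >= BURST_THRESHOLD file modifications
    per_host = defaultdict(list)
    for ts, host, kind, _ in sorted(events):
        if kind == "file_modify":
            per_host[host].append(ts)
    hits = {}
    for host, t in per_host.items():
        win = [i for i in range(len(t) - BURST_THRESHOLD + 1) if t[i + BURST_THRESHOLD - 1] - t[i] <= BURST_WINDOW]
        if win:
            hits[host] = t[win[0]]
    return hits

def correlate(rows):
    # merge per-host alerts; 'widespread' = SPREAD_MIN_HOSTS hosts first alerting inside SPREAD_WINDOW
    events, alerts = parse(rows), defaultdict(dict)
    for rule, fn in (("shadow_delete", shadow_delete_alerts), ("file_burst", file_burst_alerts)):
        for host, ts in fn(events).items():
            alerts[host][rule] = ts
    first = sorted(min(r.values()) for r in alerts.values())
    gaps = [first[i + SPREAD_MIN_HOSTS - 1] - first[i] for i in range(len(first) - SPREAD_MIN_HOSTS + 1)]
    return {"hosts": dict(alerts), "widespread": any(g <= SPREAD_WINDOW for g in gaps)}
```

In the sample feed, ws01 and ws02 alert eight seconds apart and so raise the widespread flag, while the isolated ws05 alert hours later and the benign `list shadows` query on ws03 do not.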
While data theft is often a standalone attack, many ransomware cybercrime gangs are incorporating it into their regular activities. Some indicators of a data theft attack currently in its late stages include:
To detect ransomware with a SIEM, it is necessary to lay the groundwork first. Some best practices to leverage your SIEM to detect ransomware include:
A successful ransomware attack carries a high cost to the organization in terms of loss of productivity, reputational damage, and recovery costs. Leveraging a correctly tuned SIEM system to achieve better network visibility and threat detection can help to minimize the probability that an organization will be the victim of a successful ransomware attack.