Op-Ed: Interrupt the routine, ruin a cyber criminal’s day

Although ransomware groups continue to evolve and refine their operations, the more things change, the more they remain the same. In 2022, an analysis of payloads, incidents and behaviours found the most commonly used tactics, techniques and procedures (TTPs) remained mostly constant. As a result, a window of opportunity has opened for organisations to systemise their defence and protect against the repetitive strategies of cyber criminals.

Ransomware will not slow down

The increasing sophistication of attacks, partnered with the growing number of threat actors, makes ransomware the most dangerous cyber threat today. Ransomware attacks can lead to data loss, disrupt and halt business operations, and expose sensitive information, causing huge financial losses and reputational consequences that can be costly to individuals and organisations.

For many businesses, cyber threats aren’t being addressed with appropriate investment, and the true understanding of the prevalence is minimal. Open-source tracking of close to 100 ransomware groups indicated an average of 231 breaches per month between September 2022 and February 2023, with the top three groups alone executing 157 attacks in the past 30 days. Organisations need to truly understand not only the sheer volume of ransomware attacks but also develop a deeper knowledge of cyber criminal operations in order to improve their cyber security posture.

A ransomware attacker’s toolbox

Ransomware has been evolving rapidly, especially since 2020, as cyber criminals continue to look to elevate their TTPs. Some common witnessed changes include:

• The use of double extortion, which sees threat actors not only encrypt the victim’s files but also steal the data and threaten to publish it unless the ransom is paid. The pressure on victims has continued to grow, often mounting further stress when urged by the government and the public not to pay the ransom. This was seen recently with the Latitude cyber attack.
• The increased focus on targeted attacks against specific organisations, rather than a traditional “spray and pray” tactic adopted by cyber criminals. These attacks are often conducted after extensive reconnaissance and typically see more success in data encryption and obtaining payments.
• The use of zero-day exploits, which attack unnoticed vulnerabilities before organisations have the opportunity to patch. This, in turn, becomes more difficult for organisations to detect and defend against, in attack campaigns.

Ransomware attackers will continue to evolve their tactics; however, many attack patterns remain the same. Like seen through legally operating businesses, innovation within industries is often introduced by a leader, then broadly adopted by following organisations. When cyber criminals follow the same attack approaches, organisations are presented with the opportunity to routinely systemise their defence to protect against incoming cyber threats.

Analyse and Systemise

VIEW ALL

Basic cyber hygiene is still effective against ransomware. This includes organisations identifying and patching vulnerable devices in their network, segmenting the network to avoid spreading any malware that breaches initial defences and continuing to monitor network traffic to detect signs of intrusion, lateral movement, or payload execution.

However, beyond this, organisations should adopt a range of practices that typically protect against recurring cyber techniques. Specific prevention and detection actions for common cyber threat tactics and techniques include:

• Initial Access: To prevent access through phishing, individuals should pay close attention to potentially malicious emails, advertisements, and websites. To prevent initial access for valid accounts, organisations can configure RDP and other remote access servers to only allow connections from trusted networks or IP addresses. As always, it is crucial to use multifactor authentication and prioritise patching efforts.
• Persistence: To prevent account manipulation attacks, organisations should look to limit account privileges, and regularly monitor account activity. The same should be done when trying to detect and prevent task scheduling.
• Discovery: To detect and prevent network discovery, organisations can segment systems to limit access and identify suspicious activity such as network scanning. When preventing network discovery, monitoring and restricting access to administrative tools, such as command-line interfaces and remote management tools, proves effective.
• Lateral movement: To limit lateral movement, organisations can implement network segmentation and enforce access controls. These measures can help limit the impact of compromised accounts.
• Exfiltration: To protect against exfiltration, organisations can implement access controls, such as least privilege and file integrity monitoring, to prevent adversaries from accessing sensitive data and to detect when such access is attempted. For preventing exfiltration to web services, monitoring and potentially blocking suspicious traffic to known cloud storage providers is essential.

It is important to note that a systemised cyber security protocol to accommodate defending against the most common TTPs should not be the be-all-and-end-all for organisations. It is critical for organisations to implement strong security practices and stay vigilant against the evolving nature of cyber threats. A systemised defence provides organisations with a strong opportunity to defend against attacks that share similar TTPs; however, just as cyber criminals innovate their attacks, organisations, too, must continue to improve their defence.

Organisations in different sectors should also pay attention to TTPs that are specific to their industry beyond the common ransomware behaviours. For instance, the financial services industry continues to be plagued by ATM malware, while point-of-sale (POS) malware is common in retail, and industrial organisations have a whole host of ICS-specific TTPs to watch out for.

Daniel dos Santos is head of security research at Forescout.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.