Detecting and Responding to Ransomware

Ransomware attacks may no longer be a media darling since they’ve been around for some time, but they are still going strong, and account for nearly 24 percent of incidents where malware was used according to the 2019 Verizon Data Breach Investigations Report. There’s been a dramatic uptick this year with Forrester reporting that the number of ransomware attacks on enterprises has increased 500% from October 2018 to October 2019.

Forrester also states that ransom attacks are getting more sophisticated and targeting organizations using three main ways to get in: “phishing, brute-force remote access using something like Remote Desktop Protocol (RDP), or hitting a vulnerable server that’s externally addressable”.

Network Detection and Response (NDR) provides visibility into all three of these attack vectors to enable multiple defense strategies that discover and contain ransomware. Let’s have a look at four AI-powered technologies NDR should have to achieve this level of visibility.

Advanced Email Security

Ransomware is most often spread through phishing emails from attackers who are masquerading as a trusted entity to compromise a user’s account credentials to gain access. In 2019, ransomware from phishing emails increased 109 percent over 2017.

The McAfee Labs Threats Report: August 2019 reports a trend for ransomware attacks to use anonymous email services to manage their campaigns instead of the traditional approach of setting up command-and-control servers. Bad actors use these email services to evade your security defenses, leveraging malicious email attachments and malicious links in emails as attack vectors.

As ransomware grows through phishing, the need for NDR to detect and contain sophisticated threats within email becomes critical.  Advanced email security should use a combination of static and dynamic analysis to identify ransomware. This solution needs to be able to scan emails for potential ransomware indicators, including looking at links, attachments and the content that is linked to from within the email. Further, advanced email security should include artificial intelligence (AI) algorithms that are specifically trained to catch phishing and ransomware threats.
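The static half of the analysis described above can be illustrated with a small indicator extractor. The following is an added example, not Lastline's code or any product feature: it parses a raw message with Python's standard email library and reports the kinds of indicators the paragraph lists (risky or double-extension attachments, link text that shows one host while the href points at another, IP-literal links, and a Reply-To domain that differs from the From domain). The extension list, the threshold choices and both sample messages are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of attachment extensions worth flagging (an assumption, not a vendor list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def extract_anchors(html):
    """Return (href, visible text) pairs for every <a> element in an HTML body."""
    pairs = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop nested tags
        pairs.append((href, text))
    return pairs


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def domain_of(header_value):
    """Domain part of an RFC 5322 address header such as From or Reply-To."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_email(raw):
    """Return a list of indicator strings found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    indicators = []

    # Attachment indicators: executable/macro extensions and double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            indicators.append(f"risky_attachment:{name}")
        if name.count(".") >= 2:
            indicators.append(f"double_extension:{name}")

    # Link indicators: displayed URL vs real href, and bare IP addresses as hosts.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href, text in extract_anchors(content):
        shown = URL_RE.findall(text)
        if shown and hostname(shown[0]) != hostname(href):
            indicators.append(f"link_text_mismatch:{hostname(href)}")
        if IPV4_RE.fullmatch(hostname(href)):
            indicators.append(f"ip_literal_link:{hostname(href)}")

    # Header indicator: replies routed to a different domain than the sender's.
    reply_to = msg["Reply-To"] or ""
    if reply_to and domain_of(reply_to) != domain_of(msg["From"] or ""):
        indicators.append("reply_to_domain_mismatch")
    return indicators


# Constructed sample messages (TEST-NET addresses and .test domains, not real mail).
SAMPLE_EMAIL = """\
From: "Accounts Payable" <ap@example-corp.test>
Reply-To: <collect@mailer.example.net>
To: user@example-corp.test
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your invoice at
<a href="http://203.0.113.5/inv">https://portal.example-corp.test/invoice</a></p>
</body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

BENIGN_EMAIL = """\
From: "Help Desk" <helpdesk@example-corp.test>
To: user@example-corp.test
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

The VPN gateway will be patched on Saturday between 02:00 and 04:00.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze_email(raw))
```

Each indicator on its own is weak (legitimate mail uses Reply-To and IP links occasionally), which is why the paragraph pairs static checks like these with dynamic analysis and trained models; the value of this extractor is producing features that a classifier or analyst can weigh together.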

File Analysis

Sometimes the only way to catch elusive ransomware is to analyze files in a dynamic analysis environment to detect malicious behaviors, even when the file has not been seen previously. File Analysis can detect ransomware attempting to enter your network via email, the web, or file transfers as well as ransomware operating anywhere in your network.

File Analysis deconstructs every malicious behavior engineered into an object and identifies malicious links. It sees all instructions that a program executes, all memory content and all operating system activity. Using File Analysis, you can see unique file behaviors that other tools miss, such as activity observed when executing programs, opening documents, unpacking archives and rendering web content.
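To make concrete what "detecting malicious behaviors" means once a sandbox has recorded a program's file and process activity, here is an added example of a behavior-based verdict; it is not Lastline's analysis engine or its output format. It scores a constructed event trace for three patterns a defender looks for in a dynamic-analysis report: many original files replaced by a copy carrying one new extension, the same file dropped into many directories, and a command that destroys local backups. The trace format, thresholds and sample paths are assumptions made for this example.

```python
import ntpath
from collections import Counter, defaultdict

# Constructed sandbox trace: (event_type, detail) tuples. Not real sandbox output.
RANSOM_TRACE = [
    ("process_start", r"C:\Users\alice\Downloads\invoice.pdf.exe"),
    ("file_read",  r"C:\Users\alice\Documents\q3.xlsx"),
    ("file_write", r"C:\Users\alice\Documents\q3.xlsx.locked"),
    ("file_delete", r"C:\Users\alice\Documents\q3.xlsx"),
    ("file_read",  r"C:\Users\alice\Documents\plan.docx"),
    ("file_write", r"C:\Users\alice\Documents\plan.docx.locked"),
    ("file_delete", r"C:\Users\alice\Documents\plan.docx"),
    ("file_read",  r"C:\Users\alice\Pictures\team.jpg"),
    ("file_write", r"C:\Users\alice\Pictures\team.jpg.locked"),
    ("file_delete", r"C:\Users\alice\Pictures\team.jpg"),
    ("file_write", r"C:\Users\alice\Documents\README_RESTORE.txt"),
    ("file_write", r"C:\Users\alice\Pictures\README_RESTORE.txt"),
    ("process_start", r"vssadmin.exe delete shadows /all /quiet"),
    ("network_connect", "198.51.100.7:443"),
]

# Constructed trace of an ordinary editor saving a document (temp file, then delete).
BENIGN_TRACE = [
    ("process_start", r"C:\Program Files\Editor\editor.exe"),
    ("file_write", r"C:\Users\alice\Documents\~$q3.docx"),
    ("file_write", r"C:\Users\alice\Documents\q3.docx"),
    ("file_delete", r"C:\Users\alice\Documents\~$q3.docx"),
]


def analyze_trace(trace, mass_threshold=3, drop_threshold=2):
    """Return {'verdict': ..., 'reasons': [...]} for a list of (event, detail) tuples."""
    reasons = []
    writes = [d for e, d in trace if e == "file_write"]
    deletes = {d for e, d in trace if e == "file_delete"}

    # Pattern 1: <original>.<newext> written and <original> deleted, repeated per extension.
    replaced = Counter()
    for path in writes:
        base, ext = ntpath.splitext(path)
        if ext and base in deletes:
            replaced[ext] += 1
    for ext, n in replaced.items():
        if n >= mass_threshold:
            reasons.append(f"mass_rewrite:{n} files replaced by *{ext}")

    # Pattern 2: one file name dropped into several directories (ransom note behavior).
    dirs_by_name = defaultdict(set)
    for path in writes:
        dirs_by_name[ntpath.basename(path).lower()].add(ntpath.dirname(path).lower())
    for name, dirs in dirs_by_name.items():
        if len(dirs) >= drop_threshold:
            reasons.append(f"note_drop:{name} in {len(dirs)} directories")

    # Pattern 3: backup destruction via shadow-copy deletion.
    for event, detail in trace:
        if event == "process_start" and "delete shadows" in detail.lower():
            reasons.append("backup_destruction:shadow copies deleted")

    if len(reasons) >= 2:
        verdict = "ransomware"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    print(analyze_trace(RANSOM_TRACE))
    print(analyze_trace(BENIGN_TRACE))
```

Note that none of these checks depend on a file hash or a previously seen sample, which is the point the paragraph makes about catching ransomware that has not been seen before; the editor trace shows why the write-then-delete pattern needs a count threshold rather than firing on a single occurrence.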

Intrusion Detection and Prevention Systems

Since ransomware must communicate with the outside world, having visibility into the north/south traffic entering and leaving your network is critical to identifying this commonly used threat vector. Intrusion Detection and Prevention Systems (IDPS) as a core component of your NDR platform will inspect north/south traffic for (ransomware) exploits that target a vulnerable server that is externally accessible, communications with known malicious servers, and transmission of data via covert channels.

Network Traffic Analysis

If ransomware successfully gets a foothold inside the network using RDP, a vulnerable server or any other attack vector, it quickly moves laterally to spread to additional computers. Network Traffic Analysis (NTA) is the key to detecting ransomware’s activity and malicious behavior as it moves laterally (east/west) across your network. This visibility enables the fast detection and response you need to contain ransomware before it disrupts your business.
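The two preceding sections split detection by traffic direction: IDPS watches north/south flows for contact with known malicious servers, and NTA watches east/west flows for lateral spread. The following added example (not Lastline's code, sensor logic or product output) shows both checks over a constructed set of flow records: it classifies each flow by direction from an assumed internal address plan, raises an alert when a north/south flow touches a placeholder threat-intel entry, and raises a lateral-movement alert when one internal host reaches an unusual number of distinct internal peers on remote-access or file-sharing ports within a short window. Address ranges, ports, thresholds and the flow records themselves are assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address plan; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Placeholder threat-intel entry (TEST-NET-2 address), standing in for a real feed.
KNOWN_BAD = {"198.51.100.7"}
# Ports commonly used for administration and file sharing between Windows hosts.
LATERAL_PORTS = {135, 139, 445, 3389, 5985}  # RPC, NetBIOS, SMB, RDP, WinRM


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src, dst):
    """east_west: both ends internal; north_south: one end internal; external: neither."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "east_west"
    if s or d:
        return "north_south"
    return "external"


def analyze_flows(flows, window=60, fanout=5):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port). Returns alerts."""
    alerts = []
    lateral = defaultdict(list)  # src -> [(ts, dst)] on lateral-movement ports

    for ts, src, dst, dport in flows:
        kind = direction(src, dst)
        # IDPS-style north/south check: either end is on the intel list.
        if kind == "north_south" and (src in KNOWN_BAD or dst in KNOWN_BAD):
            alerts.append({"type": "known_bad_peer", "src": src, "dst": dst, "port": dport})
        # NTA-style east/west bookkeeping.
        if kind == "east_west" and dport in LATERAL_PORTS:
            lateral[src].append((ts, dst))

    # Sliding window: flag a source that reaches >= fanout distinct peers within `window` seconds.
    for src, events in lateral.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= window}
            if len(peers) >= fanout:
                alerts.append({"type": "lateral_fanout", "src": src,
                               "peers": len(peers), "window": window})
                break  # one alert per source is enough
    return alerts


# Constructed flow records: (ts, src, dst, dport). TEST-NET addresses are used for outside hosts.
FLOWS = [
    (0,   "10.0.1.30", "10.0.1.5",     445),   # routine file-server access
    (300, "10.0.1.30", "10.0.1.5",     445),
    (100, "10.0.1.20", "198.51.100.7", 443),   # north/south contact with listed host
    (101, "10.0.1.20", "10.0.1.21",    445),   # east/west: same source, many peers
    (103, "10.0.1.20", "10.0.1.22",    445),
    (105, "10.0.1.20", "10.0.1.23",    3389),
    (108, "10.0.1.20", "10.0.1.24",    445),
    (110, "10.0.1.20", "10.0.1.25",    445),
    (115, "10.0.1.20", "10.0.1.26",    445),
    (120, "10.0.1.40", "203.0.113.10", 443),   # ordinary outbound HTTPS
]

if __name__ == "__main__":
    for alert in analyze_flows(FLOWS):
        print(alert)
```

The fan-out threshold is the tunable that separates a backup server or vulnerability scanner (legitimately touching many hosts) from a compromised workstation; in practice it is set per host role or learned from a baseline, which is where the AI-driven profiling the article refers to comes in.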

Get the Best Ransomware Protection

Lastline provides an all-in-one NDR platform powered by AI that combines email and web protection, IDPS, NTA, and File Analysis to detect and contain ransomware. Don’t let ransomware put your organization at risk. You can deploy our NDR sensor and be operational in just 30 minutes.

Schedule a demo today!

Teresa Wingfield

As a cyber security evangelist at Lastline, Teresa Wingfield enjoys sharing new perspectives on top security challenges such as SOC efficiency, sophisticated threats, network visibility, and hybrid data center protection. Teresa has more than ten years of security experience at leading companies such as McAfee (cloud and data center security), VMware (mobile security) and Symantec (virtual machine protection and website security). She has also worked at several startups in the endpoint detection and response and compliance fields. Teresa holds an M.S. in Information Technologies from the Massachusetts Institute of Technology.