Over the last few years, the time to execute ransomware attacks dropped 94%; now, criminals take, on average, just 3.85 days to deploy a ransomware attack.

By contrast, according to the “Veeam Ransomware Trends – 2023 Global Report”, recovering the affected environment after a ransomware incident takes an average of 3.3 weeks of work, equivalent to 136 business hours of downtime.

Here is the link to the Veeam report:

https://go.veeam.com/ransomware-trends-report-2023

Along with exploiting application vulnerabilities, attackers rely heavily on client-side compromise techniques to deploy ransomware.

In each attack, criminals must take a series of well-known steps to reach their targets. Based on this, models were created to identify and prevent cyber intrusion activity. One of the most famous is the Cyber Kill Chain, developed by Lockheed Martin.

For this purpose, we will focus on the later stages of a client-side attack: delivery and exploitation, installation, command-and-control, propagation (lateral movement), and actions on the objective.

Client-side attacks through phishing, together with the exploitation of public-facing applications and the use of valid accounts, are the primary initial access vectors for malware delivery.

 

 

After device exploitation, initial access, malware installation, and gaining command and control over the user’s endpoint, the attacker must discover, identify, and access sensitive data and other high-value assets.

To achieve this, the attacker needs higher-level permissions on these systems. This attack stage is called Privilege Escalation. The most common way to escalate privileges is to exploit software weaknesses such as application bugs, operating system misconfigurations, and kernel vulnerabilities. Active Directory (AD) privilege escalation vulnerabilities allow standard domain users to impersonate administrators.

The attacker’s next step is to discover valuable targets and propagate the attack through Lateral Movement, the set of techniques criminals use to reach and control other systems connected to the network.

In many cases, the attacker uses legitimate tools already installed in the environment to reduce their footprint and evade detection. This type of action is also called Living off the Land (LotL).

Some of the legitimate tools used by criminals during lateral movement are:

  • RDP – Remote Desktop Protocol.
  • PowerShell (including PowerShell Remoting).
  • SMB / PsExec (and the service PsExec installs on the target).
  • WinRM – Windows Remote Management.
  • WMI / WMIC – Windows Management Instrumentation and its command-line client.

After landing on a target, the attacker’s first action is to establish persistence that survives system events such as restarts, credential changes, or other interruptions.

Once persistence is guaranteed on the target, attackers disable security tools and other protective services, including backup services. Event logs are cleared, and the criminals exfiltrate data using compression, encryption, and ordinary network protocols. The exfiltrated data is later used in the extortion phase or traded on the dark web.

Finally, sensitive data is encrypted, business operations are impacted, and the extortion phase of the ransomware attack begins.

Ransomware encryption speed
According to a test conducted by Splunk SURGe, the time to encrypt 98,561 files spread over 100 directories on a Windows Server 2019 host is about 5 minutes 50 seconds for the fastest sample. LockBit is the fastest variant because it encrypts only the first 4 KB of each file, which is enough to render the file unusable.

Extortion Phase
Extortion can be triple: the data is encrypted, the criminals threaten to publish the exfiltrated data, and if the ransom is still not paid they can launch a distributed denial of service (DDoS) attack against the organization’s services.

As an additional measure to prevent the organization from recovering its environment and data, backup repositories are also targeted. Criminals encrypt the backup files to force the ransom payment.

According to the Veeam report, the backup repositories are fully or partially affected in 75% of attacks.

Once an attack succeeds, the data is often not recovered entirely, whether because the ransom is not paid and not everything can be restored from backups, or because the restoration is incomplete or fails even after the ransom is paid and a decryption key is received.

Due to the increase in the number and frequency of ransomware attacks over the past years, cyber insurance has become more expensive, with higher premiums and reduced coverage.

NIST Cybersecurity Framework

The good news is that we can deploy defense frameworks and techniques for each stage of this type of attack.

The NIST (National Institute of Standards and Technology) Ransomware Framework Profile identifies and maps security objectives from the NIST Cybersecurity Framework to security capabilities and measures that can be used to manage the risk of ransomware events.

The Initial Public Draft of the NIST Cybersecurity Framework 2.0 was released for public comment in August 2023, and the final version is expected in early 2024.

The NIST Cybersecurity Framework Core comprises cybersecurity activities, desired outcomes, and relevant references across critical sectors.

The six Framework Core functions are Govern, Identify, Protect, Detect, Respond, and Recover.

These functions are not meant to be serialized or intended to achieve a static end state. Instead, these functions must be applied concurrently and continuously to create an operational culture that can handle the dynamic nature of cyberattacks.

Here is the link to the document:

https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd

During a ransomware event, organizations have little time to mitigate or remediate the impact, restore their systems, recover their data, and communicate with their partners and customers. Therefore, organizations must be ready to deal with it.

Let’s review the NIST Framework Core functions:

Govern

Establishes and monitors the organization’s cybersecurity risk management strategy, expectations, and policy. Its outcomes inform how an organization will achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations.

This function directs an understanding of organizational context, the establishment of cybersecurity strategy and supply chain risk management, roles, responsibilities, authorities, policies, processes, and procedures, and the oversight of cybersecurity strategy.

Some tools help to implement and complement this function, such as:

  • Governance, Risk, and Compliance tools
  • Disaster Recovery Planning
  • Identity Compliance and Identity Lifecycle Management
  • Data Governance and Modeling

Identify

Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts. Hardware and software inventories are needed to track information such as product name and version, the devices on which it is installed, the last patch date, and currently known vulnerabilities.

It is also necessary to detect vulnerabilities and prioritize their treatment from the most severe and critical to the least urgent, based on a defined risk score or scale. Many solutions can detect, classify, and filter the environment’s vulnerabilities by degree of risk and associate them with CVE (Common Vulnerabilities and Exposures) identifiers.

Some observability tools can map the relationship and communication between applications and systems, enabling the definition of network micro-segmentation policies within a zero-trust strategy.

At the same time, it is also necessary to deploy response and recovery plans.

Protect

It is fundamental to contain or limit the impact of a threat. Using identity management, authentication, and access control techniques is crucial to mitigate credential compromise. Multifactor Authentication (MFA) adds an extra layer of protection, especially for remote access. The constant review of granted access privileges and the least privileges approach is highly recommended.

Regularly auditing account logon and logon events, including remote sessions established over RDP, PsExec, Windows Management Instrumentation, WinRM, and similar tools, is also important. It is necessary to create a configuration baseline aligned with the organization’s security policy and best practices, and to audit and remediate any deviation from it.

Keep relevant systems fully patched. Run scheduled checks to identify available patches and install them as soon as possible. Allow the installation and execution of approved (allowlisted) applications only.

Periodic training and awareness sessions for all teams are essential, since most attacks are made possible by users carrying out insecure practices.
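The logon-audit guidance above, and the LotL tool list earlier in the post, translate into a small hunting routine. The following is an added example (not code from the original post or from Veeam): it takes flattened Windows event records in the shape a SIEM hands back and flags remote logons (event 4624, logon type 3 network and type 10 RDP), PsExec service installs (System event 7045 with service name PSEXESVC), and the WMI/WinRM provider hosts spawning shells (event 4688). It then correlates remote logons by source address so that one workstation fanning out to several servers surfaces as a single finding. Every event record below is constructed for the example; the field names follow the Windows event XML.

```python
"""Hunt for living-off-the-land lateral movement in Windows event records.

Added example, not code from the original post. All event records are
constructed; field names follow the Windows Security/System event XML
as most SIEMs flatten it.
"""
from collections import defaultdict

REMOTE_LOGON_TYPES = {3: "network (SMB/WinRM)", 10: "RDP"}
REMOTE_CMD_PARENTS = {"wmiprvse.exe": "WMI", "wsmprovhost.exe": "WinRM"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample: one workstation (10.0.5.23) reaches three servers in a row,
# drops PsExec on one of them and runs shells through WMI and WinRM on the others.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.23", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.23", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.23", "Computer": "APP02"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Computer": "APP02"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "Computer": "DC01"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Computer": "FS01"},
    # benign noise: a console logon and an Explorer-launched editor
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe",
     "IpAddress": "-", "Computer": "WS-JDOE"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "Computer": "WS-JDOE"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event to a (kind, detail) indicator, or None if it is benign."""
    eid = event.get("EventID")
    host = event.get("Computer", "?")
    if eid == 4624 and event.get("LogonType") in REMOTE_LOGON_TYPES:
        return ("remote logon",
                f"{REMOTE_LOGON_TYPES[event['LogonType']]} logon as "
                f"{event.get('TargetUserName')} from {event.get('IpAddress')} to {host}")
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return ("psexec", f"PsExec service installed on {host}")
    if eid == 4688:
        parent = _basename(event.get("ParentProcessName", ""))
        child = _basename(event.get("NewProcessName", ""))
        if parent in REMOTE_CMD_PARENTS and child in SHELLS:
            return ("remote shell", f"{REMOTE_CMD_PARENTS[parent]} spawned {child} on {host}")
    return None


def hunt(events, fanout_threshold=3):
    """Return (findings, fanout): per-event indicators plus the source addresses
    that logged on remotely to at least fanout_threshold distinct hosts."""
    findings = []
    hosts_by_source = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        findings.append(hit)
        if hit[0] == "remote logon":
            hosts_by_source[ev["IpAddress"]].add(ev["Computer"])
    fanout = {src: sorted(hosts) for src, hosts in hosts_by_source.items()
              if len(hosts) >= fanout_threshold}
    return findings, fanout


if __name__ == "__main__":
    findings, fanout = hunt(SAMPLE_EVENTS)
    for kind, detail in findings:
        print(f"[{kind}] {detail}")
    for src, hosts in fanout.items():
        print(f"[fan-out] {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Each single event is ordinary administrative activity on its own; the value is in the fan-out correlation, which needs event 4624 collected centrally from every server and 4688 with command-line auditing enabled, otherwise the WMI/WinRM shell pattern is invisible.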

Network micro-segmentation can limit the Lateral Movement, preventing ransomware from proliferating and reaching potential target systems. It is necessary to allow only strictly necessary communications between systems and applications.

Organizations must deploy Distributed Denial of Service (DDoS) protection systems and services in the network infrastructure.

Data security is crucial, since it is necessary to guarantee data availability and reduce the ransomware’s impact. A good approach is the 3-2-1-1-0 rule: at least 3 copies of the data, on 2 different media, with 1 copy offsite, 1 copy offline or immutable, and 0 errors after verifying that backups can be restored without errors or malware.

As backup repositories are also targets for ransomware, it is vital to use immutable backup repositories. The immutability feature protects backup files from overwriting, accidental deletion, ransomware attacks, and malicious insider actions.
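The 3-2-1-1-0 rule and the immutability requirement above can be audited mechanically against a backup inventory. The following is an added example, not code from the original post or from Veeam; the inventory, the 30-day retention window and the 7-day restore-test age are assumed policy values. The caveat it encodes is the one a practitioner wants: an immutable copy only counts as the "1 offline/immutable" copy if its lock outlives the retention window, because an attacker who has already disabled backup jobs can simply wait for a short lock to expire.

```python
"""Audit a backup inventory against the 3-2-1-1-0 rule.

Added example, not from the original post. The inventory is constructed;
retention_days and max_verify_age_days are assumed policy parameters.
"""
from datetime import date, timedelta

TODAY = date(2024, 1, 15)  # evaluation date for the constructed inventory

# Constructed inventory for one protected workload. "immutable_until" is the
# object-lock / retention-lock expiry of that copy, or None if it has no lock.
COPIES = [
    {"name": "primary-repo", "media": "disk", "location": "onsite",
     "offline": False, "immutable_until": None,
     "last_verified": date(2024, 1, 14), "verify_ok": True},
    {"name": "object-lock-bucket", "media": "object-storage", "location": "offsite",
     "offline": False, "immutable_until": date(2024, 2, 10),
     "last_verified": date(2024, 1, 14), "verify_ok": True},
    {"name": "tape-vault", "media": "tape", "location": "offsite",
     "offline": True, "immutable_until": None,
     "last_verified": date(2023, 12, 1), "verify_ok": True},
]


def is_isolated(copy, retention_end):
    """An offline (air-gapped) copy is isolated. An immutable copy is isolated
    only if its lock covers the whole retention window."""
    if copy["offline"]:
        return True
    lock = copy["immutable_until"]
    return lock is not None and lock >= retention_end


def check_3_2_1_1_0(copies, today, retention_days=30, max_verify_age_days=7):
    """Return the list of violated rules; an empty list means compliant."""
    failures = []
    if len(copies) < 3:
        failures.append(f"3: only {len(copies)} copies")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        failures.append(f"2: single media type ({', '.join(sorted(media))})")
    if not any(c["location"] == "offsite" for c in copies):
        failures.append("1: no offsite copy")
    retention_end = today + timedelta(days=retention_days)
    if not any(is_isolated(c, retention_end) for c in copies):
        failures.append("1: no offline copy and no immutable copy whose lock "
                        "covers the retention window")
    stale = [c["name"] for c in copies
             if not c["verify_ok"]
             or (today - c["last_verified"]).days > max_verify_age_days]
    if stale:
        failures.append(f"0: copies without a recent clean restore test: {', '.join(stale)}")
    return failures


if __name__ == "__main__":
    for line in check_3_2_1_1_0(COPIES, TODAY) or ["compliant"]:
        print(line)
```

With the constructed inventory the only failure is the "0" rule (the tape copy has not been restore-tested for six weeks); drop the tape and the object-lock copy alone no longer satisfies the "1" rule, because its lock expires four days before the 30-day retention window ends.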

Organizations can deploy replication between systems and sites to ensure high availability and lower Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets. Asynchronous, near-synchronous, and synchronous replication strategies can be implemented depending on the needs of each type of application.

It is also essential to ensure the backup repository’s security/integrity and periodically test the disaster recovery capability by measuring the SLA performance through verification tests. The response and recovery plans must be updated and tested, including systems redundancy and disaster recovery sites.

Detect

It is necessary to develop and implement appropriate activities and tools to identify the occurrence of a cybersecurity event. To counter phishing and the payloads it delivers, it is essential to detect anomalous activity using Endpoint Detection and Response (EDR) systems, Next-generation Antivirus (NGAV), DNS protection, and email/web security solutions.

Activity monitoring, unauthorized connection alerts, and detection of unknown devices might detect insider threats, insecure staff practices, or compromised credentials and thwart potential ransomware events.

Network traffic analysis might detect intrusions and initiate protective actions automatically against data exfiltration or malicious connections. It is also necessary to detect communication deviations to the network baseline, like command-and-control traffic or a non-standard connection between a user endpoint and the Active Directory system.
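The micro-segmentation advice in the Protect section and the baseline-deviation detection described above are two halves of the same exercise: observed flows from a clean period become a deny-by-default allowlist, and anything outside it is a finding. The following is an added example, not code from the original post or from any vendor; the zone addressing plan, the baseline flows and the "new" flows are all constructed. Flows are keyed on (source zone, destination zone, destination port, protocol), which is how a distributed firewall rule for east-west traffic is usually expressed.

```python
"""Derive a micro-segmentation allowlist from observed flows and flag deviations.

Added example, not from the original post. Zones, flows and addresses are
constructed; the zone map is an assumed addressing plan.
"""
import ipaddress

# Constructed zone map (assumed addressing plan).
ZONES = {
    "workstations": ipaddress.ip_network("10.0.0.0/16"),
    "ad-dc": ipaddress.ip_network("10.1.0.0/24"),
    "fileservers": ipaddress.ip_network("10.1.1.0/24"),
    "proxy": ipaddress.ip_network("10.1.2.0/24"),
    "db-tier": ipaddress.ip_network("10.2.0.0/24"),
    "app-tier": ipaddress.ip_network("10.2.1.0/24"),
    "backup": ipaddress.ip_network("10.3.0.0/24"),
}

# Constructed baseline: flows (src, dst, dst_port, proto) observed during a clean period.
BASELINE_FLOWS = [
    ("10.0.5.23", "10.1.0.10", 88, "tcp"),       # Kerberos to a DC
    ("10.0.7.41", "10.1.0.11", 389, "tcp"),      # LDAP to a DC
    ("10.0.5.23", "10.1.0.10", 53, "udp"),       # DNS
    ("10.0.7.41", "10.1.1.5", 445, "tcp"),       # SMB to a file server
    ("10.0.5.23", "10.1.2.2", 3128, "tcp"),      # web browsing via the proxy
    ("10.1.2.2", "198.51.100.10", 443, "tcp"),   # proxy to the Internet
    ("10.2.1.4", "10.2.0.9", 5432, "tcp"),       # app tier to PostgreSQL
    ("10.3.0.5", "10.1.1.5", 445, "tcp"),        # backup server reads the file server
]

# Constructed flows seen later, to be checked against the baseline.
NEW_FLOWS = [
    ("10.0.5.23", "10.1.0.10", 88, "tcp"),       # normal Kerberos
    ("10.0.5.23", "10.1.0.10", 5985, "tcp"),     # WinRM from a workstation to a DC
    ("10.0.5.23", "203.0.113.7", 443, "tcp"),    # outbound HTTPS not via the proxy
    ("10.0.5.23", "10.1.1.5", 3389, "tcp"),      # RDP workstation -> file server
    ("10.2.1.4", "10.2.0.9", 5432, "tcp"),       # normal app -> db
]


def zone_of(ip):
    """Name of the zone containing ip, or 'external' if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def build_allowlist(flows):
    """Collapse raw flows into zone-level (src_zone, dst_zone, port, proto) tuples."""
    return {(zone_of(s), zone_of(d), port, proto) for s, d, port, proto in flows}


def render_rules(allowlist):
    """Render the allowlist as deny-by-default rules, one per tuple."""
    rules = [f"allow {src} -> {dst} {proto}/{port}"
             for src, dst, port, proto in sorted(allowlist)]
    rules.append("deny any -> any")
    return rules


def detect_deviations(allowlist, flows):
    """Return [(flow, reason)] for flows outside the baseline, with a triage hint."""
    findings = []
    for s, d, port, proto in flows:
        src_zone, dst_zone = zone_of(s), zone_of(d)
        if (src_zone, dst_zone, port, proto) in allowlist:
            continue
        if dst_zone == "external" and src_zone != "proxy":
            reason = "direct outbound connection bypassing the proxy: possible C2 or exfiltration"
        elif src_zone == "workstations" and dst_zone == "ad-dc":
            reason = "non-standard workstation to Active Directory connection: possible lateral movement"
        else:
            reason = "new east-west flow not in baseline: review before allowing"
        findings.append(((s, d, port, proto), reason))
    return findings


if __name__ == "__main__":
    allow = build_allowlist(BASELINE_FLOWS)
    print("\n".join(render_rules(allow)))
    for flow, reason in detect_deviations(allow, NEW_FLOWS):
        print(f"DEVIATION {flow}: {reason}")
```

The baseline must be captured from a period known to be clean, and it should be reviewed rather than applied blindly: a flow observed during the capture window is not necessarily one the business needs.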

Data Loss Prevention (DLP) systems can help to block data exfiltration.

Distributed firewalls and IDS/IPS can detect and block malware installation. Specific signatures can be applied to distributed IDS/IPS to prevent known vulnerabilities from being exploited during an attack, so operations teams can protect their workloads and gain time to apply patches and corrections. This protects both east-west and north-south network traffic.

Security Information and Event Management (SIEM) systems assist in the early detection of ransomware and aid in understanding how ransomware may propagate through the environment.

Security policies must be implemented and revised in all systems to improve the detection actions over time. Organizations must constantly reinforce the detection processes because the tactics used in ransomware attacks are continuously evolving.

Respond and Recover

If the threat becomes a security incident, the response must be adequate.

The first action is to trigger the response plan.

Next, identify the root cause and isolate the infected device or application. Isolation is required to stop the ransomware, prevent the infection from spreading to other systems, and minimize the impact on business continuity.

It is necessary to connect to the affected asset and execute commands, such as viewing and terminating a process, checking a file, and collecting artifacts to analyze the unauthorized access. Some tools allow you to quickly delete files on a device or across your entire environment.

According to the severity of the incident, recovery procedures are performed to restore affected systems and assets. These procedures can be applied only to a specific system, or initiating more extensive recovery actions involving multiple systems and other sites may be necessary.

In any case, the recovery plan must be up to date and contain at least the following information:

  • People and teams involved in the recovery tasks.
  • The communication process – internal and external.
  • Critical applications and the applications recovery order.
  • Target SLA, RPO, and RTO per application.
  • The locations/infrastructure/services where applications and data will be recovered.
  • Details about all infrastructure, applications, software, networking, cloud services, technical support contracts, etc.

It is essential to determine whether the backup or replica versions are also affected or might reintroduce malware in the environment. IT and security teams should perform validation in an “air-gapped” recovery environment, such as a sandbox.

In this isolated environment, starting applications from the backup or replicas must be possible. Usually, the validation is performed through a next-generation antivirus integration and custom scripts. After the analysis, if the application is operational and malware-free, it should be deployed back to the production environment.
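One of the "custom scripts" mentioned above, as an added example that is not code from the original post or from Veeam: it walks a restored directory tree inside the sandbox and flags five things a restore from a tainted backup can carry back into production: ransom-note-looking filenames, files whose format header is gone and whose first 4 KB are high-entropy (exactly what the 4 KB partial encryption described in the encryption-speed section leaves behind), files whose hash differs from the pre-incident manifest, files matching a known-bad hash list, and files the manifest expects but the restore lacks. The sample tree, the manifest and the "known-bad" hash are all constructed inside the block, so it runs offline; the 7.2 bits-per-byte entropy threshold is an assumed tuning value.

```python
"""Validate a restored backup in an isolated sandbox before it returns to production.

Added example, not from the original post. The restore tree, the manifest and
the IOC hash are constructed; entropy_limit is an assumed tuning value.
"""
import hashlib
import math
import random
import re
import tempfile
from pathlib import Path

HEAD = 4096  # bytes inspected for the header/entropy check
# Magic bytes of formats whose header must be intact for the file to open.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".pdf": b"%PDF", ".png": b"\x89PNG"}
# Heuristic for ransom-note filenames (README/RESTORE/DECRYPT/RECOVER + text-like suffix).
RANSOM_NOTE = re.compile(r"(readme|restore|decrypt|recover).*\.(txt|hta|html?)$", re.I)


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_restore(root, manifest, ioc_hashes, entropy_limit=7.2):
    """manifest: {relative_path: sha256 of the pre-incident copy};
    ioc_hashes: set of sha256 digests of known malware. Returns findings by kind."""
    root = Path(root)
    findings = {"ransom_note": [], "header_damaged": [], "modified": [],
                "ioc_match": [], "missing": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        digest = sha256_file(path)
        if digest in ioc_hashes:
            findings["ioc_match"].append(rel)
        if RANSOM_NOTE.search(path.name):
            findings["ransom_note"].append(rel)
        with open(path, "rb") as f:
            head = f.read(HEAD)
        magic = MAGIC.get(path.suffix.lower())
        # An intact docx is compressed (high entropy) but keeps its PK header;
        # only a missing header together with random-looking bytes is flagged.
        if magic and not head.startswith(magic) and shannon_entropy(head) > entropy_limit:
            findings["header_damaged"].append(rel)
        if rel in manifest and manifest[rel] != digest:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def build_sample_restore(root):
    """Write a constructed restore set and return (manifest, ioc_hashes)."""
    root = Path(root)
    (root / "finance").mkdir(parents=True)
    clean_docx = b"PK\x03\x04" + b"quarterly report " * 300
    clean_pdf = b"%PDF-1.7\n" + b"invoice line " * 600
    clean_xlsx = b"PK\x03\x04" + b"budget " * 100
    manifest = {"finance/q4.docx": hashlib.sha256(clean_docx).hexdigest(),
                "finance/invoice.pdf": hashlib.sha256(clean_pdf).hexdigest(),
                "finance/budget.xlsx": hashlib.sha256(clean_xlsx).hexdigest()}
    (root / "finance/q4.docx").write_bytes(clean_docx)  # restored intact
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    damaged = bytes(rng.getrandbits(8) for _ in range(HEAD)) + clean_pdf[HEAD:]
    (root / "finance/invoice.pdf").write_bytes(damaged)  # first 4 KB overwritten
    # budget.xlsx is deliberately absent from the restore
    (root / "finance/RESTORE-MY-FILES.txt").write_text("your files are encrypted")
    dropper = b"MZ" + b"\x00" * 64  # constructed stand-in for a malicious binary
    (root / "finance/update.exe").write_bytes(dropper)
    return manifest, {hashlib.sha256(dropper).hexdigest()}


def run_demo():
    """Build the sample restore in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest, iocs = build_sample_restore(tmp)
        return scan_restore(tmp, manifest, iocs)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:15s} {paths}")
```

The manifest is the important input: without pre-incident hashes the scan can only say a file looks encrypted, not that it differs from what was backed up, so hashing production data as part of the backup job is what makes the "0 errors" check meaningful.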

While these measures are critical to mitigating ransomware attacks, especially those launched from users’ endpoints, nothing guarantees 100% protection against ransomware.

Paying the ransom is not recommended because it does not guarantee a solution to the problem. If the ransom is paid, it proves to the cybercriminals that ransomware is a rewarding crime, and they will continue their activity, looking for new ways to exploit systems.

The best alternative is:

  • Deploy a cybersecurity framework in the organization;
  • Keep up-to-date response and recovery plans;
  • Implement, as the last barrier to ensure business continuity and prevent data loss, an effective backup and disaster recovery architecture/solution.

How can Veeam help?

The Veeam platform can support and maintain the functions of the NIST Cybersecurity Framework 2.0. The platform’s capabilities are mapped to these functions in the figure below.

In other words, if you already have or intend to acquire the Veeam platform, you will have already taken a first step towards adopting the NIST Cybersecurity Framework 2.0.
I hope you got some helpful information from this post!

References:

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

https://www.nist.gov/cyberframework

https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd

https://www.nist.gov/cyberframework/framework-resources

https://www.cisa.gov/news-events/cybersecurity-advisories

https://www.nomoreransom.org/en/index.html

https://appliedincidentresponse.com/files/Lateral-Movement-Analyst-Reference.pdf

Great article, thank you for sharing :)

