Persistence and Patience: Bad Qualities for Ransomware Attackers

Modern organizations are built on data. It enables collaboration and helps us engage with customers. But that same helpful data is also sprawled across countless apps, making it difficult to secure. Ransomware attacks are on the rise — 57% of security leaders expect ransomware to compromise their organization within the next year — which makes data protection more essential than ever. 

To help you stay ahead of the ever-evolving ransomware threat, I connected with Microsoft Chief Security Advisor, Sarah Armstrong-Smith. We discussed how remote work and cloud productivity have made it more difficult to spot ransomware attacks, as well as how behavioral-anomaly-based detection can help mitigate ransomware risk.

Below is an excerpt of that conversation, which you can watch in full here.

Aaron Cockerill: I feel like the way modern enterprises operate, which includes a combination of technologies, has allowed ransomware to thrive. Having experienced this type of attack in my past roles, I know how many CISOs are feeling out there. The human instinct is to pay the ransom. What trends are you seeing?

Sarah Armstrong-Smith: It's quite interesting to think about how ransomware has evolved. We think about these attacks as being really sophisticated. The reality is that attackers favor the tried and tested: they favor credential theft, password spray, they're scanning the network, buying credentials off the dark web, using ransomware kits. 

So in many ways, things haven't changed. They are looking for any way into your network. Although we talk about cyber attacks becoming sophisticated, that initial point of entry really isn't what sets the ransomware operators apart, it’s what happens next. 

It's down to that persistence and patience. The growing trend is that attackers understand IT infrastructure really well. For example, lots of companies are running Windows or Linux machines or have entities on-premises. They might also be utilizing cloud services or cloud platforms or different endpoints. Attackers understand all that. So they can develop malware that follows those IT infrastructure patterns. And in essence, that's where they’re evolving, they're getting wise to our defenses. 

Aaron: One evolution we've witnessed is the theft of data and then threatening to make it public. Are you seeing the same thing?

Sarah: Yeah, absolutely. We call that a double extortion. So part of the initial extortion could be about the encryption of your network and trying to get a decryption key back. The second part of the extortion is really about you having to pay another amount of money to try and get your data back or for it not to be released. You should assume that your data is gone. It’s very likely that it's already been sold and is already on the dark web. 

Aaron: What do you think are some of the common myths associated with ransomware?

Sarah: There's a misconception that if you pay the ransom, you’re going to get your services back quicker. The reality is quite different. 

We have to assume that ransomware operators see this as an enterprise. And of course, the expectation is that if you pay the ransom, you’re going to receive a decryption key. The reality is that only 65% of organizations actually get their data back. There is no magic wand. 

Even if you were to receive a decryption key, they're quite buggy. And it's certainly not going to open everything up. Often, you still have to go through file by file and it's incredibly laborious. A lot of those files are potentially going to get corrupted. It's also more likely that those large, critical files that you rely on are the ones you won’t be able to decrypt. 

Aaron: Why is ransomware still affecting companies so badly? It seems like we've been talking about methods attackers use to deliver these attacks, such as phishing and business email compromise, as well as preventing data exfiltration and patching servers forever? Why is ransomware still such a big problem?

Sarah: Ransomware is run as an enterprise. The more people pay, the more threat actors are going to do ransoms. I think that's the challenge. As long as someone somewhere is going to pay, there is a return on investment for the attacker. 

Now the difference is, how much time and patience does the attacker have? Particularly some of the larger ones, they will have persistence, and they have the willingness and desire to carry on moving through the network. They're more likely to use scripting, different malware, and they're looking for that elevation of privilege so they can exfiltrate data. They're going to stay in your network longer. 

But the common flaw, if you like, is that the attacker is counting on no one watching. We know that sometimes attackers stay in the network for months. So at the point where the network's been encrypted, or data exfiltrated, it’s too late for you. The actual incident started weeks, months or however long ago. 

Aaron: There's an interesting article written by Gartner on how to detect and prevent ransomware. It says the best point to detect attacks is in the lateral movement stage, where an attacker is looking for exploits to pivot from or more valuable assets to steal.

I think that that's one of the most fundamental challenges that we have. We know what to do to mitigate the risk of phishing — although that's always going to be an issue because there's a human element to it. But once they get that initial access, get an RDP (Remote Desktop Protocol), or credentials for the server or whatever it is, and then they can start that lateral movement. What do we do to detect that? Sounds like that's the biggest opportunity for detection.

Listen to the full interview with Sarah to hear her thoughts on the best way to detect a ransomware attack. 

The first step to securing data is knowing what’s going on. It’s hard to see the risks you’re up against when your users are everywhere and using networks and devices you don’t control to access sensitive data in the cloud.

Eliminate the guesswork by gaining visibility into what’s happening, on both unmanaged and managed endpoints, in the cloud and everywhere in between. Contact Lookout today.