Guarding against ransomware in the midgame
Ransomware has evolved significantly over the past decade. While it began as a simple, indiscriminate 'spray-and-pray' tactic, targeting anyone who might fall for a phishing email, cybercriminals have since refined their methods, incorporating spear-phishing techniques as a more targeted approach. As these tactics matured, ransomware transitioned to a 'land-and-pivot' model, using advanced techniques to gain access to IT systems and seek out valuable data before launching an attack.
Here in Australia, organisations including Diabetes WA, MediSecure, Monash Health, Evolution Mining and Western Sydney University have all suffered data breaches during 2024, while Medibank is still counting the costs of its 2022 data breach, anticipated to reach $126 million by the middle of next year.
Indeed, the ExtraHop 2024 Global Cyber Confidence Index found that 82% of Australian organisations surveyed said they experienced six or more ransomware incidents in 2023, with 15% citing ransomware as the biggest risk to their organisation. Of those surveyed, almost all organisations globally that experienced a ransomware attack paid up: in 2023, 91% paid the ransom, compared to 83% in 2022 and 72% in 2021. On average, the research found that ransomware payments alone cost nearly US $1.3 million per organisation in the last year - before adding in the unrealised costs associated with remediation.
The Chessboard of Cybersecurity
Many in the cybersecurity field compare ransomware attacks to a game of chess, with distinct phases: the opening, the midgame and the endgame. Understanding these stages is crucial for organisations looking to strengthen their defences.
The opening phase of a ransomware attack often begins with social engineering. This could involve tricking an employee into downloading an infected file or unknowingly providing access credentials. Traditional controls for this phase are focused on securing the perimeter and preventing the attacker from gaining a foothold in the environment. These controls include firewalls, EDR, email filtering, etc.
Once access is gained, the attacker moves into the midgame (post-compromise). At this stage, the attacker has a foothold within the target's IT infrastructure but remains under the radar. They use this time to map out the network, identify high-value data, and establish a means to move laterally through the infrastructure. This stage is crucial because it allows attackers to increase their control over the system, making the eventual ransomware demand more impactful.
The endgame occurs when the attacker begins exfiltrating and encrypting sensitive data. At this point, they present their ransom demands, leaving the targeted organisation with a difficult decision: pay up or face the loss of critical information.
Focusing on the Midgame
Historically, many organisations have focused their security strategies on prevention, trying to make sure that nothing enters their network. However, relying on prevention alone can be costly. As attackers evolve their tactics to circumvent traditional perimeter controls, preventing them from gaining a foothold in an environment has become nearly impossible.
To effectively combat ransomware in today's digital environments, businesses should invest in tools and strategies that identify malicious activities during the midgame period – before attackers can do real damage.
Attackers often employ lateral movement during the midgame phase, seeking to escalate their access rights and gain control over larger parts of a network. By identifying activities like lateral movement early, security teams can disrupt the attack before it progresses to the data encryption stage.
Strengthening Security Posture with NDR
One of the most effective ways for organisations to detect and respond to threats in the midgame phase is with a Network Detection and Response (NDR) platform. NDR provides visibility into network traffic, enabling the identification of unusual or potentially harmful activities that could indicate an ongoing ransomware attack.
NDR capabilities complement existing Endpoint Detection and Response (EDR) tools and Security Information and Event Management (SIEM) platforms, creating a more robust and comprehensive security posture. While EDR focuses on securing individual devices and endpoints, NDR monitors the network as a whole, providing insight into broader attack patterns that might go unnoticed at the endpoint, such as:
- Internal reconnaissance and enumeration behaviours
- Lateral movement
- Exploitation of vulnerable internal services
- Intruder and malware command and control (C2) activity
- Data staging for exfiltration and encryption activity indicative of ransomware
Deploying NDR platforms can be particularly valuable in environments where the potential entry points for attackers are numerous and varied. With a solid NDR system in place, businesses can monitor traffic between virtual spaces and traditional IT infrastructure, making it more difficult for attackers to operate undetected.
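To make the midgame patterns above concrete, here is an added illustration of how two of them can be surfaced from summarised network flow records. It is example code written for this page, not ExtraHop's code or any product's detection logic. It assumes flow records are available as (timestamp, source IP, destination IP, destination port) tuples, the way NetFlow or IPFIX collectors export them; the subnet, sample flows and thresholds are constructed for the example. The first check flags a host sweep (one source touching many distinct internal hosts on a single port within a short window, i.e. internal reconnaissance); the second flags admin-protocol fan-out (RDP, WinRM or SSH sessions from one source to several hosts, a lateral-movement pattern); a final step correlates the two so that a host showing both stages is ranked above one showing either alone.

```python
"""Toy flow-based detector for ransomware midgame behaviours.

Added example for illustration only. Assumes per-connection flow summaries
of the form "<ISO timestamp> <src_ip> <dst_ip> <dst_port>". Ports, subnet
and thresholds are constructed placeholders, not tuned production values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Interactive admin protocols commonly used to pivot between hosts.
ADMIN_PORTS = {3389: "RDP", 5985: "WinRM", 22: "SSH"}

# Constructed sample flows (not real telemetry). 10.0.1.20 sweeps the server
# subnet on SMB, then opens RDP/WinRM sessions to several servers.
# 10.0.1.21 is ordinary user traffic and should not alert.
SAMPLE_FLOWS = [
    "2024-09-01T09:00:00 10.0.1.21 10.0.2.5 443",
    "2024-09-01T09:00:05 10.0.1.21 10.0.2.5 443",
    "2024-09-01T09:00:09 10.0.1.21 10.0.2.9 445",
] + [
    f"2024-09-01T09:01:{i:02d} 10.0.1.20 10.0.2.{10 + i} 445" for i in range(12)
] + [
    "2024-09-01T09:05:00 10.0.1.20 10.0.2.14 3389",
    "2024-09-01T09:06:00 10.0.1.20 10.0.2.15 5985",
    "2024-09-01T09:07:00 10.0.1.20 10.0.2.16 5985",
    "2024-09-01T09:08:00 10.0.1.20 10.0.2.17 3389",
]


def parse_flow(line):
    """Split one flow record into (datetime, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_sweeps(lines, window=timedelta(seconds=60), threshold=10):
    """Internal reconnaissance: one source reaching >= threshold distinct
    hosts on the same port inside a sliding time window."""
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        events[(src, port)].append((ts, dst))

    alerts = []
    for (src, port), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"src": src, "port": port, "hosts": len(distinct),
                               "first_seen": hits[start][0]})
                break  # one alert per (src, port) is enough for this example
    return alerts


def detect_admin_fanout(lines, threshold=3):
    """Lateral movement: one source opening admin-protocol sessions to
    >= threshold distinct hosts."""
    targets = defaultdict(set)  # src -> {(dst, protocol), ...}
    for line in lines:
        _, src, dst, port = parse_flow(line)
        if port in ADMIN_PORTS:
            targets[src].add((dst, ADMIN_PORTS[port]))
    return [{"src": src, "sessions": sorted(sess)}
            for src, sess in targets.items()
            if len({dst for dst, _ in sess}) >= threshold]


def triage(lines):
    """Correlate both detections per source; a host that both swept the
    network and then fanned out over admin protocols is ranked high."""
    swept = {a["src"] for a in detect_sweeps(lines)}
    pivoted = {a["src"] for a in detect_admin_fanout(lines)}
    findings = {}
    for src in swept | pivoted:
        stages = [name for name, hit in (("recon", src in swept),
                                         ("lateral", src in pivoted)) if hit]
        findings[src] = {"stages": stages,
                         "severity": "high" if len(stages) == 2 else "medium"}
    return findings


if __name__ == "__main__":
    for src, finding in triage(SAMPLE_FLOWS).items():
        print(src, finding)
```

In practice both thresholds are tuned per environment, and known scanners, backup servers and jump hosts are allow-listed so the sweep check does not fire on legitimate management traffic; the value of the correlation step is that a single workstation exhibiting the reconnaissance-then-pivot sequence stands out even when each individual event is low-volume.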
Preparing for the Inevitable
As new attack vectors continue to expand, organisations must balance the excitement of adopting new possibilities, such as AI, with a clear understanding of the accompanying risks. While it is easy to focus on the potential benefits of user engagement, companies should not overlook the need for robust cybersecurity strategies that encompass all stages of a potential ransomware attack.
By focusing on advanced detection methods like NDR and maintaining a strategic view of ransomware attack stages, organisations can navigate this new terrain more securely.