Countering and Disrupting Ransomware Attacks
Ransomware is an ever-increasing form of cyber crime. Ransomware causes downtime, data loss and IP theft, business disruption and harms a business’ reputation.
In our ransomware videos, our Sr. Threat Intelligence Analyst and our Sr. Product Manager for Endpoint discuss the evolution and growth, stages, and current state of ransomware. In this follow-up podcast, they go into more detail about how to counter and disrupt a ransomware attack. Listen to learn:
- Defensive measures for enterprises to use against ransomware
- How to block ransomware attacks
- And more.
Introduction: Welcome to the Fidelis Cybersecurity Threat Geek podcast. My name is Claire, and today I’m joined by our Sr. Threat Intelligence Analyst, AK, and our Sr. Product Manager for Endpoint, David Ries. If you missed it, go to our website at www.fidelissecurity.com and check out our videos, where they initially discuss the evolution and growth, stages, and current state of ransomware. In this podcast, they’ll discuss how to counter and disrupt a ransomware attack.
AK, I’ll let you start.
AK: Thank you, Claire. As we discussed how ransomware campaigns have proliferated in the last couple of years, we’ve also come across opportunities for disrupting and countering ransomware affiliate and hosting operations that extend beyond technical defensive efforts, which are without a doubt still very important.
The past year we’ve seen the arrest by law enforcement of affiliate members and operators of various ransomware campaigns including GandCrab, NetWalker, and Egregor, as well as the disruption of key ransomware facilitators and supply lines. These include the take-over of Emotet and Trickbot infrastructure, which were often leveraged to deliver ransomware as payloads.
Another focus, which I personally believe to be of even greater effectiveness, is the take-over and seizure of bulletproof hosting services. These BP hosting services serve as a backbone of underground and illicit cyber activity including the hosting of ransomware leak sites, malware C2s, and cyber-criminal forums and marketplaces. A BP hosting seizure, to me, is like a supply-chain level compromise for criminal and illicit cyber activity because the effects are far reaching.
Aside from these offensive measures, one defensive measure that I think organizations often overlook or have not considered much is on the marketing front. One of the non-technical pieces of information that adversaries use for reconnaissance are public-facing web pages of organizations that state who their customers and key strategic partners are. While I will agree this does serve a beneficial purpose for the organization from a marketing or PR perspective, I do strongly feel that having a risk-based discussion or at least considering feedback from risk and security teams is important to determine the ROI and risk-reward of putting out this type of information for the public to see.
David: By combining Endpoint, Network, and Deception platforms, the Fidelis Elevate solution provides the technologies enterprises need to quickly detect-investigate-remediate-and inoculate their infrastructure against the tactics and techniques used by today’s ransomware attackers.
The foundation of a ransomware defense is the collection and retention of file, process, and communications metadata. Using this rich metadata, the Elevate platform adds machine learning-based anomaly detection and alerting, providing security teams a smarter active defense toolkit. The Elevate solution of course also includes powerful data loss protection and anti-malware engines, providing protection and detection against internal as well as external threats before damage is done.
When we look at the Elevate capabilities against the MITRE ATT&CK matrix, the combination of endpoint, network, and deception functionality gives security teams broad insight into, and detection of, the behaviours adversaries are known to use to compromise attack targets.
Fidelis Elevate provides several capabilities that are especially relevant to disrupting Ransomware campaigns. These campaigns often target known vulnerabilities in commonly deployed software packages and services. Fidelis automatically enumerates deployed software and maps software to published CVE, enabling security teams to prioritize these vulnerable assets. Second, the Fidelis platform provides a rich and powerful set of investigation and blocking capabilities to detect what traditional protection-only tools miss; revealing details around detections, such as when, where, and where else the attack may be targeting. Beyond detection, Fidelis helps security professionals research threats, and subsequently apply remediation, such as opening a live console on remote systems, quickly isolating potentially compromised endpoints, automatically collecting disk or memory forensic images, or killing processes and/or process trees, manually or programmatically based on detection rules.
Adversaries are constantly adapting their attacks to counter the active defenses we are building, so it is an unending battle. However, the stakes are high and we are committed to finding new ways to detect and disrupt these malicious attacks before they can steal data, disrupt operations, or extort businesses. This is what we do every day.
If you’d like to know more about our cybersecurity solutions, especially on how to block ransomware, visit https://fidelissecurity.com/solutions/ransomware/.