Ransomware attacks have undergone a pandemic-accelerated evolution in recent years—and defenses have struggled to keep up. The first phase of ransomware has given way to something new and different, better and worse. To help understand this evolution, Morphisec sponsored a report from SANS exploring the current state of ransomware defense. It examines the latest adversary trends prowling the attack landscape and the most potent defenses against them.
The report confirms that ransomware continues to be a devastating threat that puts every organization at risk. But the report also provides hope: with the right team, technology, and techniques, ransomware can be avoided.
In this blog, we highlight some main points from the SANS report. Then we propose practical and actionable next steps for companies serious about defending against ransomware.
(You can read the entire SANS white paper here: SANS 2022 Ransomware Defense Report: Current Ransomware Trends and Alerts for 2022.)
Emerging Trends in Ransomware Attacks
The conditions of the Covid-19 pandemic proved to be a perfect incubator for ransomware attacks. Companies suddenly switched to new locations, technologies, and security policies, while shifting more work to the web and cloud. In response, ransomware attacks became more frequent, successful, and devastating. Threat actors adopted new and updated techniques, tactics, and procedures (TTPs) to help malware evade detection and bypass defenses, including the following.
Attackers “canvas” a target for reconnaissance information that enables their attacks or emboldens their ransom demand. Knowing where and how to move laterally within an organization makes an eventual attack more likely to succeed and deliver (or exceed) the expected payday. But that can also work in the defender’s favor if an attack encounters a roadblock or situation that doesn’t match what the threat actor’s intelligence planned for.
When new vulnerabilities are discovered, it incites an arms race to weaponize them on one side and defend against them on the other. Attackers often win because of the time it takes to develop and implement patches—often weeks or months—when an attack takes minutes. Threat actors’ speed advantage reinforces the need for defenses that stop new and emerging threats earlier in the attack chain. Widely used behavior- and signature-based defenses such as next generation antivirus (NGAV) and endpoint detection and response (EDR) struggle with unknown and evasive threats.
To evade detection solutions such as NGAV and EDR, attackers have adopted fileless, in-memory, runtime attacks and exploit native binaries en route to their final target. Preventing ransomware depends on seeing and confronting an attack early. So evasiveness makes attacks exceedingly difficult to stop. The SANS report notes that legacy defenses like disk-based file analysis are not up to the task.
Driftnets vs Spear Fishing
Many malware attacks cast a wide net. They’re not aiming at specific entities, but rather, use automation to try and target as broad a range of targets as possible. One successful example of automation is a minor recent trend of ransomware groups partnering with banker trojan downloaders. However, today’s successful ransomware attacks are increasingly manual and highly targeted. This allows them to quickly adapt to an organization and customize their attack—with devastating results.
Latest Techniques in Ransomware Defense
The evolution in ransomware attacks has forced advances on the defensive front. So while these attacks remain more damaging than ever, they don’t always entail an inevitable cyber emergency. The SANS report highlights several countermeasures available against ransomware attacks.
Preventing Remote Access Abuse
Hackers exploit remote access for entry into networks and, in many cases, privileges to move laterally and find high-value targets. Preventing remote access abuse takes multiple layers of security. VPNs and MFA at the perimeter, EDR and NDR tools to spot and stop incoming threats, plus defense-in-depth or zero trust strategies to secure the space inside the perimeter. Remote access abuse has exploded since the advent of COVID-forced remote work. Key to preventing this abuse is implementing a Defense-in-Depth approach. You should always assume that any given layer of defense can eventually be penetrated, so you need a final layer of defense protecting your endpoint application memory and resources. Ransomware attacks can and do penetrate many levels of security. That’s why cyber defenses are expanding past the perimeter to address things like specific applications.
Preventing Fileless Malware
Most current security solutions were not designed to detect or stop fileless malware. That’s why ransomware utilizes this method of attack, along with native binary exploits. Attacks that infiltrate a network and advance forward without raising alarms are difficult to detect until after encryption occurs—but not impossible. Instead of looking for traditional red flags, consider monitoring native system files for anomalous behaviors and looking for distinctive patterns created by adversary C2 communications. More broadly, incorporate security solutions that specifically protect against fileless attacks. You don’t want to solely depend on a security team’s diligence to find and stop evasive threats.
Towards a Successful Ransomware Strategy
The SANS report highlights new and emerging technologies that effectively defend against advanced ransomware threats. Whether as standalone solutions or, preferably, part of an integrated Defense-in-Depth security posture, all companies should have these security stack layers in their arsenal.
Encrypted Traffic Analysis (ETA)
Attackers are encrypting their network traffic to cloak their movements from detection tools. ETA can search the unencrypted metadata signatures this traffic leaves behind to find evidence of attacks. Another option is to rely on security solutions that defend against attacks without having to detect them in advance.
Moving Target Defense (MTD)
This innovative technology prevents attacks by morphing and moving the expected memory resources threat actors expect to find. MTD defends against attacks without having to detect them first—a big advantage when it comes to advanced, unknown attacks. Since a protected asset is accessible only to authorized users and remains in motion and out of reach to everything else, all attacks fail whether they are previously known or entirely new. MTD creates a dynamic attack surface threat actors can’t penetrate, so they move on to easier targets.
AI event aggregation, correlation, and intrusion prevention
Automation can increasingly run point on all aspects of cybersecurity, from correlating and detecting events to running remediation playbooks. Automation will always move faster and more methodically than humans doing the same thing. That’s good news for cybersecurity because it allows lean, under-resourced security teams to have an impact that far exceeds their staff size. Put differently, everyone can stand up to ransomware.
Morphisec—Innovating Ransomware Defense
Morphisec sponsored the SANS report because we are committed to making breach prevention easy, and stopping advanced attacks such as ransomware. Morphisec is an innovator in this space, using a distinct approach designed to make fighting ransomware easier, more economical, and more effective.
Morphisec’s MTD technology works by morphing application memory at runtime to hide it, and by creating a dummy version of that memory in its original location. Only authorized users can reach the authentic memory. And since anything trying to access the dummy memory by definition has malicious intent, Morphisec traps these failed threats for forensic analysis. It’s a bait and switch that uses polymorphic technology to set traps for threat actors using polymorphic techniques.
With the ability to stop encrypted attacks, conduct moving target defense, and automate prevention and remediation, Morphisec combines the best weapons against ransomware into a single solution for endpoints and servers. Morphisec’s MTD uses a lightweight agent that can defeat the most sophisticated and successful ransomware threats in use today while making companies resilient against whatever comes next. Morphisec can also take the stress and anxiety out of fighting ransomware by automating, integrating, and streamlining much of the defensive effort.
Read the entire SANS white paper—get your free copy here: SANS 2022 Ransomware Defense Report: Current Ransomware Trends and Alerts for 2022.