Ransomware’s malevolent heyday

If there’s ever a time when a type of malware can be labeled as “popular,” this is ransomware’s malevolent heyday. Attackers are clearly taking advantage of desperate times for financial gain and...to scratch whatever other itch they may have. 

Meanwhile, threat researchers are doubling down on their hypotheses and getting to work. And while ransomware is hardly new, the volume has escalated, the techniques are changing, and the damage inflicted has taken a murderous turn. 

IronNet’s Threat Research team is committed to discovering new characteristics that can aid in the detection and prevention of these destructive attacks.  With this in mind, they conducted experiments using lab detonation of publicly available ransomware variants to find commonalities among metadata and artifacts. 

Technically-minded readers can review the full text of the research methodology, observations and recommendations here. 

IronNet's detection capabilities and product offerings, through a combination of network behavioral detection models, fully enriched events, and prioritized alerts, are well-suited to address these types of malicious access activities within customer environments. As the leading provider of Collective Defense and Network Detection and Response (NDR) capabilities, IronNet is "leading the charge" against network-borne malicious activity, through combined behavioral analytics, signature-based detections, and shared human threat insights. 

All of that being said, in situations where the malicious actors’ accesses have not been addressed prior to executing their ransomware payloads, is there anything that could be done to detect and alert on the functionality of executed ransomware binaries themselves, and either stop that execution, or take action to minimize its impact within an enterprise?

The team researched six of the major recent ransomware families, including Maze, Netwalker, Ryuk, Snake/Ekans, Sodinokibi/REvil, and WastedLocker, to compare and contrast behavioral characteristics. 

The IronNet researchers observed three major characteristics: 

1. Ransomware has evolved from an automated attack propagated through email and malspam to a much more tailored approach among sets of malicious actors going after bigger targets such as hospitals, universities, and manufacturing facilities. Ransomware is also evolving to take a much stealthier approach, sometimes gaining access to internal networks via legitimate passwords,  establishing residency, and then deploying malware within that network. 
2. The evolution of ransomware means that detection via the traditional “North-South” data paths (from inside the network to outside the network) isn’t necessarily effective anymore because attackers may have entered using legitimate credentials.  One common characteristic the team found was that most of the ransomware variants studied  employed more “East-West” (within a corporate network) traffic/entry patterns instead of the traditional North-South entry paths. This pattern suggests that an enterprise security strategy must now adopt a zero trust approach.
3. Data files encrypted by ransomware often reflect a higher level of entropy than the pre-encrypted data from those same files. Additionally, as the ransomware is exercising its techniques and as files are written and encrypted, the majority of the ransomware variants tested updated timestamps on every file, for the time the file was last accessed, created and modified. So, if many files are showing new timestamps, especially in association with potentially encrypted content, that could be a behavioral indicator of ransomware.  Only two of the ransomware variants were sophisticated enough to modify the files with no timestamp to avoid detection.

The underlying age-old issue is still access: If malicious actors can gain access to your computing infrastructure and resources, and can deliver and execute code within that space, an assortment of malicious activity can potentially occur, including ransomware incidents.

As always, the best security methods involve robust "defense in depth" implementations. Defenses must evolve, however, to raise the bar against malicious actors who are continually devising and honing anti-defensive techniques within their tools, techniques and procedures (TTPs).

The team’s recommendations include securing greater access to real-time, or close to real-time, East-West network data for network security vendors and their sensors. Malicious actors will target internal enterprise and operational technology networks whenever possible.  The next challenge for the industry to tackle? More research is needed to create a capability that can deliver valid, real-time detection of ransomware at the endpoint. 

Read the full research here.