Changing ransomware models make proactive security crucial

Andrew Mundell, principal security engineer at Sophos.

Ransomware attack patterns are changing fast, making proactive cyber security and threat hunting more important for mitigating risk.

This emerged during a Sophos webinar on ransomware techniques in 2022, held in partnership with ITWeb last week. Andrew Mundell, principal security engineer at Sophos, said the Sophos 2022 Threat Report had found an expansion of the Ransomware-as-a-Service model.

Conti now accounted for 16% of ransomware infections, REvil for 15% and Ryuk for 9%, he said. “These are platforms that give potentially a less skilled hacker all the tools they need – often with technical support built in,” Mundell said.

“We’ve definitely seen big success in ransomware attacks over the past couple of years. Among the reasons for this are that attackers are really good at finding unprotected or under-protected systems across target environments, and at using scanning exclusions. We’ve also seen a behavioural shift in what the attackers have traditionally done, with the emergence of the concept of evading EDR. Conti ransomware playbooks indicate many legitimate applications. This means they have started leveraging more and more legitimate applications that can’t be blocked preventatively by threat protection platforms.”

Pieter Nel, SADC regional head at Sophos.

Actions defenders can take today include addressing gaps in coverage, Mundell said. “We’re seeing a shift to making sure that systems which are trying to access business applications – typically remotely through VPN or ZTNA – are being checked for the health state or even the existence of that threat protection capability on the endpoint. We think it’s important to also consider whether you can use that type of control for regular east-west traffic.”

“Every scanning exclusion is a possible gap for an attacker to take advantage of. Key measures to reduce this risk include talking with vendors to understand what their concerns are around scanning, and then making sure those exclusions are done in the most efficient way possible. This means touching the minimum surface possible and making sure the exclusion types are configured correctly.”

Exclusions should also be reviewed regularly, he said.
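The exclusion review Mundell describes, as an added example that is not Sophos code and was not shown in the webinar: a vendor-agnostic audit that takes a list of scanning exclusion records (the sample export below is constructed, not taken from any real environment) and rates each one by how much an attacker gains from it, so the list can be shrunk to the minimum surface and re-checked on a schedule. The exclusion kinds, the list of user-writable directories, the set of code-carrying extensions and the 90-day review threshold are assumptions for the illustration, not anything the webinar specified.

```python
"""Audit scanning exclusions for the gaps attackers look for.

Added example; not Sophos code and not from the webinar. Exclusion
records are modelled vendor-agnostically so the same review can be run
over an export from whichever endpoint product is in use.
"""
from dataclasses import dataclass
from datetime import date
import re

# Locations any local user can write to (assumed list). Excluding them
# from scanning gives an attacker a staging area the scanner never sees.
USER_WRITABLE_PREFIXES = (
    r"c:\users\public",
    r"c:\programdata",
    r"c:\windows\temp",
    r"c:\temp",
    r"c:\users\*\appdata\local\temp",
    r"c:\users\*\downloads",
)

# Extensions that carry code (assumed list). An extension exclusion applies
# everywhere on disk, so excluding one of these unscans any such payload.
CODE_EXTENSIONS = {"exe", "dll", "sys", "ps1", "bat", "cmd", "vbs", "js",
                   "jse", "hta", "scr", "msi", "jar", "com"}


@dataclass(frozen=True)
class Exclusion:
    kind: str       # "path", "extension" or "process"
    value: str
    owner: str      # vendor or team that asked for it, so it can be re-validated
    reviewed: date  # last time someone confirmed it is still needed


@dataclass(frozen=True)
class Finding:
    exclusion: Exclusion
    severity: str   # "high", "medium" or "low"
    reason: str


def _norm(path: str) -> str:
    """Lower-case, backslash-separated, no trailing separator."""
    return path.strip().lower().replace("/", "\\").rstrip("\\")


def _under_user_writable(path: str) -> bool:
    for prefix in USER_WRITABLE_PREFIXES:
        # A '*' in a prefix stands for exactly one path segment (e.g. a user name).
        pattern = re.escape(prefix).replace(r"\*", r"[^\\]+")
        if re.match(pattern + r"(\\|$)", path):
            return True
    return False


def assess(e: Exclusion, today: date, max_age_days: int = 90) -> Finding:
    """Rate one exclusion by what an attacker gains from it, then bump
    anything that has not been re-validated within max_age_days."""
    if e.kind == "path":
        p = _norm(e.value)
        if re.fullmatch(r"([a-z]:)?", p) or p in ("*", "*.*"):
            sev, why = "high", "whole drive excluded from scanning"
        elif _under_user_writable(p):
            sev, why = "high", "user-writable location: attacker can stage tools here"
        elif "*" in p:
            sev, why = "medium", "wildcard widens the exclusion beyond the vendor's own files"
        else:
            sev, why = "low", "specific path; confirm it is still required"
    elif e.kind == "extension":
        ext = e.value.strip().lower().lstrip("*.")
        if ext in CODE_EXTENSIONS:
            sev, why = "high", f"'.{ext}' payloads anywhere on disk go unscanned"
        else:
            sev, why = "medium", "extension exclusions are global; prefer a path exclusion"
    elif e.kind == "process":
        p = _norm(e.value)
        if "\\" not in p:
            sev, why = "high", "matched by name only; any binary with this name is exempt, use a full path"
        elif _under_user_writable(p):
            sev, why = "high", "process lives in a user-writable location"
        else:
            sev, why = "low", "everything this process writes is unscanned; confirm it is still required"
    else:
        raise ValueError(f"unknown exclusion kind {e.kind!r}")
    age = (today - e.reviewed).days
    if age > max_age_days:
        why += f"; last reviewed {age} days ago"
        if sev == "low":
            sev = "medium"
    return Finding(e, sev, why)


def audit(exclusions, today: date, max_age_days: int = 90):
    """Return findings with the ones to fix first at the top."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [assess(e, today, max_age_days) for e in exclusions]
    return sorted(findings, key=lambda f: (rank[f.severity], f.exclusion.value.lower()))


# Constructed sample export (hypothetical owners and paths, no real product).
SAMPLE = [
    Exclusion("path", "C:\\", "legacy-app-team", date(2021, 3, 1)),
    Exclusion("path", r"C:\Users\Public\Scripts", "automation", date(2022, 1, 10)),
    Exclusion("path", r"C:\Program Files\ExampleDB\data", "ExampleDB vendor", date(2022, 2, 1)),
    Exclusion("extension", "*.exe", "helpdesk", date(2020, 6, 5)),
    Exclusion("process", "java.exe", "middleware", date(2022, 2, 1)),
    Exclusion("process", r"C:\Program Files\ExampleDB\bin\exampledb.exe", "ExampleDB vendor", date(2022, 2, 1)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE, date(2022, 3, 1)):
        print(f"{f.severity:6} {f.exclusion.kind:9} {f.exclusion.value:48} {f.reason}")
```

The point of the `owner` and `reviewed` fields is the "talk to the vendor" step: an exclusion with no named owner, or one nobody has re-validated in a quarter, is the one most likely to outlive the software it was created for, and a whole-drive or user-writable exclusion should normally be replaced by the narrowest path the vendor can justify.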

To address the risk of evasion of EDR, Mundell said: “Make sure tamper protection is enabled across your systems, so an attacker is not able to make changes to any of the configurations locally. Also, when temporarily disabling tamper protection as part of a day-to-day process, it is important to make sure that the technical teams and the end users fully understand what that process should look like. You can also use application control or application blacklisting to reduce the exposure of those ‘shrink wrap’ applications where possible.”

The remaining risks can be addressed by threat hunting activities including leveraging third party threat intelligence, observed activities and proactive ‘leadless’ threat hunting, he said.

Mundell elaborated on the use of Sophos threat analysis and threat graphs for threat hunting and detection of suspicious activities.

Lukas Pelser, pre-sales engineer at Sophos.

Mundell’s recommendations for mitigating risk included planning a security strategy based on the assumption that the organisation will be hit, making and testing backups, deploying layered protection to stop attackers at every point, and having a malware recovery plan. He advised: “Don’t pay the ransom – it won’t get you all the data. Also, use both advanced technology and human professionals in the threat hunting loop as your best defence against attackers.”

Pieter Nel, SADC regional head at Sophos, added: “We see the market shifting in South Africa, and with everything more connected, the risks are increasing. With Covid, organisations have adapted to a hybrid model, and now a lot of the risk sits between the business and home and remote users, as well as on devices such as mobile phones.”

“It’s a challenging and critical time for IT – they have to think about the risks to data sitting off the network, across multiple sites and clouds. Ransomware in SA isn’t dead and we are in a danger zone – we get requests daily for assistance in dealing with breaches, and most of these companies are running up to date cyber security. We recommend customers take a proactive approach to cyber security, train their staff, and have an action plan for responding after an attack,” Nel said.

Lukas Pelser, a pre-sales engineer at Sophos, noted that paying ransoms did not necessarily mean organisations would get their data back. He said: “Recently, a major local company paid around R600,000 to attackers and didn’t get their data back.”

Pelser said organisations of all sizes are being attacked – from a small retirement home, to a petrol station, to a massive enterprise with 15,000 users. “It doesn’t matter if you’re big or small, you can be attacked,” he said. “It’s best not to pay the ransom: you should rather seek advice from an expert like Sophos. Sophos has a rapid response team to assist with managing a ransomware attack. We can’t always get your data back, as your backups might be encrypted or the keys might not be sent after the ransom is paid.”
