Ransomware Doesn't Arise in a Vacuum  -  Spotting the Early Sign of Ransomware Infection

Introduction of Precursor Malware and How to Find it in Haystack

Ransomware is among the fearest cyberattacks in the community, putting critical infrastructures at risk. Unfortunately, individuals and organizations continue to fall victim to this age-old cybercrime — and it's far from a new phenomenon. However, like a pandemic that doesn't start in a vacuum, so does Ransomware.

If you are not new to cybersecurity, you should recall that the last peak of attention on this issue was in 2017, when the infamous shattered companies and organizations. However, comparing what we are facing now with 2017, we saw a massive leap in the business model and the malware themselves.

What Works for WannaCry Won't Work This Time.

Take a step back and review what happened in 2017. Since then, WannaCry was a small-dollar ransom — seeking to collect hundreds of dollars worth of Bitcoin from each company. Still, now, we have supply chain attacks that caused hundreds of thousands or even impacted our critical infrastructures.

Corresponded to the Ransomware of recent times, it has turned toward high-value targets from well-funded threat actors to extort millions of dollars from each victim. So instead of going through the evolution of Ransomware, let's take a closer look into the upgraded attacks — Ransomware 2.0 and Ransomware-as-a-Service (RaaS).

Ransomware 2.0

According to an analysis by cybersecurity company (Q1, 2021), the average ransom payment in the first three months of 2021 was USD220,298 — a significant rise from USD154,108 in the last quarter of 2020.

(Q3, 2020) gives us more insight into this matter. The report shows that nearly half of ransomware attacks steal data before the encryption begins. As a result, more and more ransomware attacks are no longer just a business continuity or disaster recovery matter but also data thefts and even a complete cybersecurity incident response.

Criminals now put several layers of extortion in place; some even threaten to or in the event of unsuccessful ransom (nonpayment), notifying them of the cyberattacks. All those threats give cybercriminals various opportunities to monetize their attack, for example:

• Criminals could threaten to release the data or sell it on different "black markets" if the victim did not pay the ransom. Moreover, this was typically followed by a solemn promise to erase the stolen data if the victim paid the ransom.
• Criminals may promise to erase data, but even after receiving the ransom, they sell it anyway, as most companies would not investigate further the post-ransomware impact.
• Another group of cybercriminals contact a victim and explain that they stole a copy of the victim's data from the original thieves and will release (or sell) it unless they receive an additional payment.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-service (RaaS) is a subscription model that allows affiliates to use already-developed ransomware tools to launch ransomware attacks. In the end, affiliates earn a percentage of each successful ransom payment. Ransomware-as-a-Service (RaaS) adopts the Software as a Service (SaaS) business model, like what we use in other cloud computing technologies.

RaaS users don't need to be skilled or even experienced to use the attack tool like all SaaS solutions. RaaS empowers even novel hackers (or simply criminals without a technical background) to launch highly sophisticated cyberattacks. This low technical barrier, and prodigious affiliate earning potential, make RaaS engineered explicitly for victim proliferation.

Large corporations will continue to be the victims of sophisticated ransomware attacks. However, new and less-skilled threat actors will join the market due to the malware-as-a-service and ransomware chains. These groups will have SMBs as their prime targets.

So, What Now?

As organizations look to protect themselves against future attacks, the answer is less sophisticated than you might think. Regardless of how or if attackers will monetize the breach for economic gains, such as:

• Exploiting misconfigurations, known vulnerabilities,
• Methodically working from initial entry points with phishing and malware to gain access to sensitive systems;

They will still be the hallmark of most of these attacks. Therefore,

Warning Signs of An Impending Ransomware Attack

A ransomware attack is, in fact, the last stage of an attack cycle. According to ,

In some cases, ransomware deployment is just the last step in a network compromise and is dropped as a way to obfuscate previous post-compromise activities.

Also, when we take a look at the on an attack kill chain:

• TA0043 — 
• TA0042 — 
• TA0001 — 
• TA0002 — 
• TA0003 — 
• TA0004 — 
• TA0005 — 
• TA0006 — 
• TA0007 — 
• TA0008 — 
• TA0009 — 
• TA0011 — 
• TA0010 — 

• TA0040 —  (That's where Ransomware takes place!)

  
  

In the same guide, it described what we called "":

A ransomware infection may be evidence of a previous, unresolved network compromise. For example, many ransomware infections are the result of existing malware infections, such as TrickBot, Dridex, or Emotet.

For example, assuming the initial access (TA0001) is undetected via a 0-day exploit, a precursor malware spreads laterally (TA0008) through a company's network and devices, escalating access (TA0004) before a ransomware package is deployed.

When the companies were infected, some signs were happening months, and in some cases, , before the ransomware attack. Therefore, when you see any asset contacting these Ransomware's precursors, other pieces of malware cause less harm.

Security professionals within the company may see some abnormal activities and suppose the firewalls or endpoint detection and response (EDR) agent has detected it and shielded them. However, it's maybe just the precursor. Meanwhile, the security operations may be bombarded by unrelated alerts to which they are paying more attention than the precursor malware, which seemed less harmful.

As a result, the warning signs are hidden in different stages of an attack operation. Once we can map the tactics and look at them from a holistic point of view, we will have a better chance to spot the Ransomware before it happens.

Risk-Based Approach to Precursor Malware

Not everyone is facing the same risks, also for malware. Although it may seem challenging to prepare for cyber risk, there are some actions we can take proactively to get prepared. Risk management is not new, but it is used against cyberattacks based on the attack kill chain. I am going to walk through the approach below.

Identifying Risk

A CTO or CISO, despite understanding how technology works, also needs to know how the business operates and its most critical assets. These assets could be information, applications, processes, or anything that supports the organization's day-to-day operations. At the end of the day, we need to know the goal of implementing all the cybersecurity tools — to protect the assets (maintaining assets, Confidentiality Integrity, and Availability). In addition, cybersecurity professionals must focus on evaluating risk regarding the criticality of assets. For example, less harmful malware detection on a critical server would not be overlooked. Once cybersecurity leaders identify what is most vital to the business, they can assess the cybersecurity risks to those assets.

Mapping the MITRE ATT&CK® Tactics to Cybersecurity Framework (CSF)

Once we know what to protect, we can apply a risk-based approach to each step of the attack kill chain. For that, we need the Cybersecurity Framework (CSF). The is a set of best practices organizations can use to secure their data. Built by the , the Framework was designed to make cost-effective security possible for organizations of any size.

Also, we need to understand that cyberattack is a process — a set of activities that must be performed in the proper order, with specific duration and location. For instance, Ransomware is the result of a cyberattack. So if we can stop one of the steps before that, it is possible to prevent a Ransomware attack in the first place.

CSF is a great starting point for finding the countermeasures against attacks in various MITRE ATT&CK® Tactics. One eminent way to align the CSF objectives to real cyber threats is by leveraging , which emulate adversarial tactics and techniques against leading cybersecurity products.

The information is then made available to industry end-users to see how products are performed and align with organizational security objectives. Another excellent resource from MITRE is the Center for and .

This project makes a comprehensive and open, curated set of mappings between 800–53 controls and ATT&CK techniques. As a result, defenders can focus on understanding how the security controls in use in the environment relate to adversary TTPs of interest.

These mappings provide an essential resource for organizations to assess the security control coverage against real-world threats defined in the and provide a foundation for integrating ATT&CK-based threat information into the risk management process. With every ransomware attack that came with other malware before it and paving the way, managing the precursor malware when it occurs can decrease the number of ransomware incidents.

Using the ATT&CK techniques mapping to the proper phase of an attack, the Framework becomes a continuous assessment that helps organizations measure compromises in their environments in a timely manner and find mitigation responses accordingly.

Final Words — We Should Enforce Zero Tolerance to Protect "the Precious."

Ransomware is in the spotlight now and may never go away, but stealing credit card numbers and hacktivism was in the spotlight before, and it will be something refreshing in the future. When addressing this persistent threat, the government must educate and provide resources to guide organizations — disrupting the criminal activities and economic drivers that allow this threat vector to grow. (Reference: )

Meanwhile, for a private organization, the focus should instead be on reducing the attack surface and building the fundamentals of a comprehensive security operation. This includes:

• knowing what's in your environment (enhance visibility),
• ensuring everything is configured correctly (security posture management),
• managing vulnerabilities and patching,
• limiting access (or even better micro-segmentation), and
• having an incident response plan.

My recommendation is to deal with minor problems (alerts/ events) so that you don't have to face catastrophic attacks. It isn't easy to find something we're not directly looking for. A better way to handle that is a change in mindset — from preventing all the attacks to assuming infections are unavoidable. And with that, you can let all your security measures work together and hopefully prove otherwise.

---

Thank you for reading. May InfoSec be with you🖖.