Ransomware is becoming, alongside COVID-19, the headline issue of 2020. Attackers are using advanced tools and techniques usually associated with nation-state groups to attack businesses for profit.
Attackers are now 'big game hunting': they look for large or well-funded organisations that can afford to pay a ransom and can be pressured into doing so. Attacks are targeted, well planned and highly likely to succeed.
The ultimate aim for attackers is to get paid. Ransomware is a big business, with ransoms worth millions of dollars often being paid by insurers or organisations to regain access to critical data. A ransomware group knows that hitting a single critical system and forcing a large payment is better business than the indiscriminate attacks we have seen historically.
We have set out below the key tactics we see being used and how we help clients understand and manage this high-profile risk. Our expertise is based on the experience of our CREST-accredited Incident Response team and our Threat Intelligence capability.
Key Ransomware Tactics
In our experience, a simple risk assessment does not demonstrate how ransomware will affect your organisation or how a ransomware attack will play out. We have been focusing on using our cyber threat intelligence to understand the most likely tactics that will be used and the specific controls that should be in place to prevent, detect and respond to them.
- Initial Access – Ransomware operators typically gain a foothold through targeted phishing emails, or through exposed external services such as Citrix, Remote Desktop or other appliances, often logging in with valid accounts whose credentials they have already obtained.
- Execution and Persistence – Once on a system, attackers use PowerShell and other tools already present on the host to maintain their access and further the attack. We often see legitimate security testing tools such as Cobalt Strike being used.
- Evading Defences – Attackers will disable security tools and reuse privileged credentials they find on compromised systems.
- Lateral Movement – Attackers move from the initial foothold across your systems and environment to reach the data they intend to encrypt, exfiltrate or both. We often see Remote Desktop, remote file copying or similar techniques being used.
- Impact – Attackers will encrypt data to deny access, disable backups and other system restoration functionality, and exfiltrate data. The stolen data can then be used to extort the organisation through threats of publication.
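The tactics above map directly onto things a security operations team can look for in Windows event logs. The following is an added example, not code from the original page or from the authors' own tooling: it runs simple detection rules for each tactic over a handful of constructed sample events (the event records, field names, host names, account name and IP addresses are all invented for illustration). It flags an RDP logon from outside the internal address ranges (initial access), encoded PowerShell (execution), tampering with Defender and clearing the audit log (defence evasion), one account reaching several hosts over RDP (lateral movement), and shadow-copy and recovery deletion (impact).

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample events, not real logs. The fields loosely follow the
# Windows Security log: 4624 = successful logon (LogonType 10 is RDP),
# 4688 = process creation with command line, 1102 = audit log cleared.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "RDS01", "user": "svc_backup", "logon_type": 10, "src_ip": "198.51.100.23"},
    {"id": 4688, "host": "RDS01", "user": "svc_backup",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 4688, "host": "RDS01", "user": "svc_backup",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"id": 4624, "host": "DC01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"id": 4624, "host": "SQL01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"id": 4688, "host": "FS01", "user": "svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "FS01", "user": "svc_backup", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"id": 1102, "host": "FS01", "user": "svc_backup"},
    # Benign noise that the rules should ignore: an admin RDP session from
    # the LAN and an ordinary PowerShell command.
    {"id": 4624, "host": "FS01", "user": "jsmith", "logon_type": 10, "src_ip": "10.0.9.4"},
    {"id": 4688, "host": "FS01", "user": "jsmith", "cmd": "powershell.exe Get-Service -Name Spooler"},
]

# Assumed internal address space; an analyst would set this per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Command-line indicators per tactic (case-insensitive regular expressions).
CMD_RULES = {
    "Execution": [
        r"powershell.*\s-(encodedcommand|enc|ec|e)\b",   # encoded PowerShell
        r"\b(IEX|Invoke-Expression|DownloadString)\b",    # download-and-run cradles
    ],
    "Evading Defences": [
        r"Set-MpPreference\s+-Disable",                   # switching off Defender features
        r"\b(net|sc)\s+stop\s+\S*(defend|sense|mpssvc)",  # stopping security services
    ],
    "Impact": [
        r"vssadmin\S*\s+delete\s+shadows",                # destroying shadow copies
        r"wmic\s+shadowcopy\s+delete",
        r"wbadmin\s+delete\s+catalog",
        r"bcdedit.*recoveryenabled\s+no",                 # disabling Windows recovery
    ],
}


@dataclass(frozen=True)
class Finding:
    tactic: str
    host: str
    user: str
    evidence: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(events, lateral_threshold: int = 3):
    """Run the tactic rules over a list of events and return the findings."""
    findings = []
    rdp_targets = defaultdict(set)  # account -> hosts reached by RDP from inside the network
    for e in events:
        eid, host, user = e["id"], e["host"], e["user"]
        if eid == 4624 and e.get("logon_type") == 10:
            if is_internal(e["src_ip"]):
                rdp_targets[user].add(host)
            else:
                findings.append(Finding("Initial Access", host, user,
                                        f"RDP logon from external address {e['src_ip']}"))
        elif eid == 4688:
            cmd = e["cmd"]
            for tactic, patterns in CMD_RULES.items():
                if any(re.search(p, cmd, re.IGNORECASE) for p in patterns):
                    findings.append(Finding(tactic, host, user, cmd[:60]))
        elif eid == 1102:
            findings.append(Finding("Evading Defences", host, user, "Security audit log cleared (1102)"))
    # One account opening RDP sessions to many hosts is the lateral-movement pattern.
    for user, hosts in rdp_targets.items():
        if len(hosts) >= lateral_threshold:
            findings.append(Finding("Lateral Movement", ",".join(sorted(hosts)), user,
                                    f"RDP to {len(hosts)} hosts from internal addresses"))
    return findings


def summarise(findings) -> dict:
    """Count findings per tactic, which is the view a triage dashboard would show."""
    return dict(Counter(f.tactic for f in findings))


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.tactic:<18} {f.host:<16} {f.user:<12} {f.evidence}")
    print(summarise(analyse(SAMPLE_EVENTS)))
```

The value of a rule set like this is less in any single pattern than in the chain: an external RDP logon followed within hours by encoded PowerShell, Defender tampering, RDP fan-out from the same account and shadow-copy deletion is the sequence described above, and each step is a point at which the attack can be stopped before the encryption stage.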
We are helping a variety of clients understand their ransomware risk and improve their cyber security overall. Our assessment involves:
- Ransomware Impact – Developing an understanding of your key data, processes and performance indicators. We aim to understand exactly where pressure could be applied and how it can be mitigated. For example, we look at where you store personal data and how a regulator is likely to respond if that data is compromised.
- Technical Analysis – We assess the prevention, detection and response controls for a detailed set of ransomware techniques across your systems. For example, we check whether privileged credentials are left behind on systems and how well permissions are configured across your Active Directory.
- Detection and Response Analysis – We help you understand how likely you are to detect an advanced attack, and how best to respond if one happens. For example, we review Incident Response plans and whether your organisation could pay a ransom, including whether your cyber insurance would cover it.
- Improvement Plan – We provide detailed technical and procedural recommendations to manage your ransomware risk and overall cyber security.
If you would like more information on our assessment and how it could help your organisation manage ransomware risk, please fill in the form below.