By Nilaa Maharjan and Anish Bogati, Security Research
Foreword:
Ransomware is a class of malware and extortion attack in which criminal or state-sponsored groups encrypt or steal a victim's data and demand payment to restore access or to withhold publication. Over the past decade, ransomware attacks have become more sophisticated and now primarily target public and private sector organizations. No industry, location, or size of business is immune; attacks have become more frequent and costly, with ransom demands now reaching into the millions or even tens of millions of dollars. To protect against ransomware, organizations need robust cybersecurity measures in place and must stay vigilant against potential threats.
In some cases, ransomware attackers have demanded exorbitant ransom payments from victimized companies, with amounts as high as $40-80 million for the release of data. These extreme cases highlight the severity of the threat posed by ransomware and the need for organizations to have strong cybersecurity measures in place to protect against such attacks.
Over the last few years, ransomware attacks have evolved to include a digital extortion business model, in which attackers escalate the attack and threaten to release confidential data publicly if the victim does not pay the ransom within a certain timeframe. Some attackers even auction off confidential data on the dark web, and adversarial nation-states have been known to blend ransomware with destructive attacks to disrupt operations.
Ransomware is now one of the most lucrative forms of cybercrime, costing organizations billions of dollars each year and sometimes resulting in harm to human life through attacks on hospitals and medical devices. It is crucial for organizations to have robust cybersecurity measures in place and to be prepared to respond to ransomware threats.
At Logpoint, we believe that ransomware attacks and variants are on the rise and will continue to threaten businesses of every type and industry in the coming years. To protect against these threats, organizations need to understand the steps they can take to prevent an attack and have a plan in place for optimal recovery if an attack does occur. This document is not tied to Logpoint as a platform. It is intended as a general-purpose guide for blue-team defenders and stakeholders, and is designed to help organizations understand the critical steps they need to take to protect their business and recover in the event of a ransomware attack.
Who is this report for?
This report is designed for cybersecurity professionals, security analysts, IT administrators, and other individuals responsible for protecting their organization's IT systems and data. The report provides a comprehensive guide to what a ransomware lifecycle looks like, how one can break the cycle into digestible chunks, and how one can detect and mitigate the risk of Ransomware-as-a-Service (RaaS) attacks using Logpoint, a leading Converged SIEM platform.
With the increasing prevalence and sophistication of RaaS attacks, organizations need to have a proactive and effective defense strategy in place. This report is particularly useful for those seeking to enhance their knowledge and skills in the areas of threat detection, incident response, and data protection.
Whether you are a security operations center (SOC) analyst, network administrator, or cybersecurity executive, this report offers valuable insights into RaaS attack methods, detection techniques, and response strategies using Logpoint. By implementing the recommended best practices, you can better secure your organization's critical assets and reduce the risk of financial loss, data theft, and reputational damage caused by RaaS attacks.
It is no surprise that ransomware is growing out of control. We at Logpoint have been covering active ransomware operations, not individual samples so much as the gangs behind them. The ransomware blogs published to date are:
- Ryuk: Comprehensive detection of the revamped Ryuk ransomware
- Conti: Detecting Conti ransomware - The successor of infamous Ryuk
- LockerGoga: LockerGoga ransomware
- Egregor: There's a new ransomware in town: Detecting Egregor using Logpoint
- FiveHands: Detecting FiveHands ransomware at different stages of the kill chain
- Netwalker: In-depth look at the NetWalker ransomware operators
- Bad Rabbit ransomware: Bad Rabbit ransomware
- Petya/NotPetya: Petya/NotPetya ransomware
- REvil: Fighting the ransomware war
- Royal: A crowning achievement: Exploring the exploit of Royal ransomware
- Hive: Hive hunter: The tools and tactics to track down Hive ransomware
From the list, many have disbanded, broken off into new gangs, or are simply inactive as of 2023.
For this report we have taken seven ransomware gangs as a benchmark for analyzing common patterns: Lockbit, BlackCat, Clop, Conti, Egregor, FiveHands, and Hive. They were selected at random rather than for any shared pattern, so as to maximize coverage and give a general picture of the threat groups that have adopted up-and-coming ransomware, and thereby provide broad detection coverage to defenders.
Mission Statement:
The goal of this document is to reduce the time between infection and detection of ransomware. Many factors come into play, but we have tried to streamline the process based on the behaviors that different ransomware families share. We have broken the attack down against MITRE ATT&CK (v12) and selected the techniques the gangs commonly use, so that detection can be built around them. Detecting ransomware means identifying abnormal behavior and raising automatic alerts to analysts.
At the end of the attached report we have also listed a table of alerts that may be useful. On receiving an alert, analysts can promptly halt the ransomware's propagation before valuable or sensitive files are encrypted. This means isolating the affected host from the network, removing the ransomware, and then restoring the host from a known-good backup. With Logpoint's SOAR, this entire response can be automated to reduce response time.
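To make the "abnormal behavior, then alert" step concrete, here is an added example that is not part of the original report and not Logpoint code. It runs a small sliding-window detector over constructed file-event logs: a process that renames or writes an unusually large number of files across several directories within a short window is flagged, which is the behavior behind ATT&CK T1486 (Data Encrypted for Impact). The JSON event format, field names (ts, host, pid, image, op, path, new_path), thresholds, and the sample hosts and paths are all assumptions made for the example.

```python
"""Sliding-window mass-file-modification detector over constructed file-event logs.

Added example, not Logpoint code. Assumed (hypothetical) event format: one JSON
object per line with ts (epoch seconds), host, pid, image, op ("write"/"rename"),
path, and new_path for renames. An alert fires once per (host, pid) when that
process touches FILE_THRESHOLD or more files spread over MIN_DISTINCT_DIRS or more
directories inside a WINDOW_SECONDS sliding window.
"""
import json
from collections import defaultdict, deque
from pathlib import PurePosixPath

WINDOW_SECONDS = 10.0   # length of the sliding window per process
FILE_THRESHOLD = 20     # files touched within the window before we alert
MIN_DISTINCT_DIRS = 3   # require spread across directories, unlike a build job


def constructed_events():
    """Constructed sample telemetry (not real logs): one benign burst, one suspicious."""
    events = []
    # Benign: a compiler writes 30 object files into a single build directory.
    for i in range(30):
        events.append({"ts": 100.0 + i * 0.1, "host": "ws01", "pid": 1001,
                       "image": "/usr/bin/cc", "op": "write",
                       "path": f"/home/alice/proj/build/obj{i}.o"})
    # Suspicious: an unknown binary renames 25 documents across 5 user folders in ~6 s,
    # appending a new extension, which is the typical encrypt-and-rename footprint.
    folders = ["Documents", "Desktop", "Pictures", "Downloads", "Videos"]
    for i in range(25):
        src = f"/home/alice/{folders[i % 5]}/file{i}.docx"
        events.append({"ts": 200.0 + i * 0.24, "host": "ws01", "pid": 4242,
                       "image": "/tmp/.x/svc", "op": "rename",
                       "path": src, "new_path": src + ".locked"})
    return [json.dumps(e) for e in events]


def detect(log_lines):
    """Return a list of alert dicts, at most one per (host, pid)."""
    windows = defaultdict(deque)   # (host, pid) -> deque of (ts, directory, resulting extension)
    alerted = set()
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        key = (ev["host"], ev["pid"])
        window = windows[key]
        # For renames, record the extension the file ends up with; for writes, its own.
        result_ext = PurePosixPath(ev.get("new_path", ev["path"])).suffix
        window.append((ev["ts"], str(PurePosixPath(ev["path"]).parent), result_ext))
        # Drop events that have aged out of the window.
        while window and ev["ts"] - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        dirs = {d for _, d, _ in window}
        if (len(window) >= FILE_THRESHOLD and len(dirs) >= MIN_DISTINCT_DIRS
                and key not in alerted):
            alerted.add(key)
            ext_counts = defaultdict(int)
            for _, _, ext in window:
                ext_counts[ext] += 1
            alerts.append({
                "host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                "files": len(window), "dirs": len(dirs),
                "extension": max(ext_counts, key=ext_counts.get),
                "first_seen": window[0][0], "alert_ts": ev["ts"],
                "technique": "T1486",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(json.dumps(alert))
```

The compiler burst exceeds the file count but stays inside one directory, so it is not flagged; the renaming process is flagged on its twentieth file, roughly five seconds after it started, which is the kind of infection-to-detection gap the report aims to shrink. In a real deployment the thresholds would be tuned per host role, and the alert would feed the isolate, remove, restore playbook described above.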
Report Structure:
The blog and the attached report are structured to cover what is known about the ransomware families, the actors behind them, and the tactics, techniques, and procedures (TTPs) they use. The outline is:
A. Blog: This section contains preliminary information for beginners and intermediate analysts to better understand the task at hand.
B. Report: The report contains a step-by-step breakdown of tactics, and how they are employed by the ransomware gangs.
B1. The report also has a detection part in the appendix.
The report assumes the reader understands the consequences of a ransomware attack and how one emerges. Now, let's walk through each step of MITRE ATT&CK and see how each of the ransomware gangs we selected carries out its activities. Click to download the attached report and start hunting!