Five Ways to Stay Ahead of Ransomware

December 5, 2023

While not a new threat, ransomware is constantly evolving. Even if you’ve been involved in cybersecurity for years, it's essential to stay abreast of new trends, challenges and approaches to detecting, investigating and responding to attacks. Based on a recent Trellix Ransomware Detection and Response Virtual Summit, here are a few key points to consider when protecting an organization against ransomware attacks.

 

1. The best defense for any variant of ransomware is to have layered visibility and controls at as many vectors as possible.
No single control point will provide ransomware protection. Email is the most exploited initial threat vector, but having strong endpoint, network and data protection controls is necessary in the current ransomware landscape.

 

Layering controls is the first step. The second is linking the controls together via integrations. Security silos aren’t effective enough on their own; they benefit from sharing data, information and analysis across the silos. Integrations not only enable a more effective view of threats, they also enable coordinated response actions once a conviction regarding a specific ransomware variant has been reached.

 

This is where XDR (extended detection and response) proves so valuable in the fight against ransomware. XDR unites data from multiple tools, giving you visibility across your environment and streamlining analysis. It creates multi-vector detections and prioritizes alerts for your SOC.

 

2. Know thy enemy: Double extortion, multiplatform threats, intermittent encryption and more — ransomware threat actors are innovating fast, and we need to react and respond in kind.
The sophistication of threat actors means there is no safe space. Mapping activities of threats to the MITRE ATT&CK matrix is an invaluable exercise. Technologies that visualize MITRE ATT&CK can make the job of knowing what to build or enhance in the security architecture easier.

 

Of particular importance is understanding the tooling that threat actors use. Because living-off-the-land binary (LoLBin) techniques are so prevalent in ransomware campaigns, it is critical to map and rate the cross section of tools that threat actors could leverage. Cross-referencing what is known to be deployed, and its expected normal usage, with threat actor activity helps create a baseline to work from and to detect unusual or malicious behavior.
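A sketch of that baseline idea, added here as an illustration (it is not Trellix or Optiv code): rated dual-use tools are cross-referenced against expected usage per host role, and anything outside the baseline is scored for triage. The ratings, host roles, field names and sample events are all constructed assumptions.

```python
from collections import Counter

# Constructed ratings (1 = low, 5 = high) for dual-use binaries; hypothetical values.
TOOL_RATING = {"vssadmin.exe": 5, "bcdedit.exe": 4, "certutil.exe": 4,
               "wmic.exe": 3, "powershell.exe": 2}

def ev(role, parent, binary):
    """Build one process-creation record (host role, parent process, binary)."""
    return {"role": role, "parent": parent, "binary": binary}

def build_baseline(history, min_count=3):
    """Keep (role, parent, binary) tuples seen at least min_count times."""
    counts = Counter((e["role"], e["parent"], e["binary"]) for e in history)
    return {key for key, n in counts.items() if n >= min_count}

def score(event, baseline):
    """0 for unrated tools or baseline usage; otherwise the tool rating,
    doubled when the binary was never baselined on that host role."""
    rating = TOOL_RATING.get(event["binary"], 0)
    key = (event["role"], event["parent"], event["binary"])
    if rating == 0 or key in baseline:
        return 0
    known_on_role = any(r == event["role"] and b == event["binary"]
                        for r, _, b in baseline)
    return rating if known_on_role else rating * 2

def triage(events, baseline, threshold=4):
    """Return (score, event) pairs at or above threshold, highest first."""
    hits = [(score(e, baseline), e) for e in events]
    return sorted((h for h in hits if h[0] >= threshold), key=lambda h: -h[0])

# Constructed history of expected usage.
HISTORY = ([ev("admin-ws", "powershell.exe", "wmic.exe")] * 5
           + [ev("admin-ws", "explorer.exe", "powershell.exe")] * 8
           + [ev("server", "services.exe", "vssadmin.exe")] * 4
           + [ev("finance-ws", "explorer.exe", "excel.exe")] * 9)

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    ev("admin-ws", "powershell.exe", "wmic.exe"),     # baseline usage
    ev("finance-ws", "excel.exe", "powershell.exe"),  # tool new to this role
    ev("finance-ws", "cmd.exe", "vssadmin.exe"),      # tool new to this role
    ev("server", "cmd.exe", "vssadmin.exe"),          # known tool, new parent
    ev("admin-ws", "winword.exe", "wmic.exe"),        # known tool, new parent
]

if __name__ == "__main__":
    for s, e in triage(NEW_EVENTS, build_baseline(HISTORY)):
        print(s, e["role"], e["parent"], "->", e["binary"])
```

The last sample event scores 3 and stays below the default threshold, which shows how the rating and the threshold together control alert volume.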

 

3. Detecting ransomware early means having good operational threat intelligence.
Understanding the threat actor landscape is a daunting task, but threat intelligence can make that job easier. Seeing the most prevalent campaigns bubbling up in a geography or vertical, or even being targeted against a specific organization, is critical to knowing how to react and respond.

 

Operationalizing threat intelligence is more than just collecting information. Putting it into action for ransomware defense means having visibility across the IT estate and correlating indicators from various telemetry sources. Threat intelligence can play a critical role in the confidence and contextualization of observed events. Additionally, having the ability to “stitch together a story” from seemingly disparate events via an analysis layer such as XDR makes threat intelligence more valuable.
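One way to put the correlation described above into practice, as an added example (not Trellix or Optiv code): intel-matched events from email, endpoint and network telemetry are grouped per host and campaign into a single ranked timeline. The feed, events, hostnames, 30-minute window and noisy-OR confidence combination are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed intel feed: indicator -> (campaign label, confidence 0-1).
INTEL = {
    "invoice-update.example": ("campaign-A", 0.9),
    "sha256:PLACEHOLDER_HASH_1": ("campaign-A", 0.8),
    "203.0.113.50": ("campaign-A", 0.7),
    "198.51.100.7": ("campaign-B", 0.4),
}

# Constructed telemetry: (timestamp, source, host, observed indicator).
EVENTS = [
    ("2023-12-05T09:01", "email", "ws-114", "invoice-update.example"),
    ("2023-12-05T09:04", "endpoint", "ws-114", "sha256:PLACEHOLDER_HASH_1"),
    ("2023-12-05T09:06", "network", "ws-114", "203.0.113.50"),
    ("2023-12-05T09:10", "network", "ws-220", "198.51.100.7"),
    ("2023-12-05T16:30", "network", "ws-114", "192.0.2.10"),  # no intel match
]

def correlate(events, intel, window=timedelta(minutes=30)):
    """Group intel-matched events per (host, campaign) and rank the stories."""
    matched = defaultdict(list)
    for ts, source, host, indicator in sorted(events):
        if indicator in intel:
            campaign, conf = intel[indicator]
            matched[(host, campaign)].append(
                (datetime.fromisoformat(ts), source, indicator, conf))
    stories = []
    for (host, campaign), hits in matched.items():
        start = hits[0][0]
        linked = [h for h in hits if h[0] - start <= window]
        miss = 1.0  # noisy-OR: assumes the indicators are independent evidence
        for h in linked:
            miss *= 1 - h[3]
        stories.append({
            "host": host, "campaign": campaign,
            "sources": sorted({h[1] for h in linked}),
            "confidence": round(1 - miss, 3),
            "timeline": [(h[0].strftime("%H:%M"), h[1], h[2]) for h in linked],
        })
    # Multi-vector stories first, then by combined confidence.
    return sorted(stories, key=lambda s: (-len(s["sources"]), -s["confidence"]))

if __name__ == "__main__":
    for story in correlate(EVENTS, INTEL):
        print(story["host"], story["campaign"], story["sources"], story["confidence"])
        for step in story["timeline"]:
            print("   ", *step)
```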

 

4. Ransomware victims are organizations of all sizes and verticals.
Ransomware does not discriminate. In our research it was not necessarily the largest companies who were the most targeted victims. Often it was the smaller enterprises with revenues in the $10 million to $250 million range who are more likely to have a smaller security team. There is a greater likelihood of success for threat actors at this level due to staffing shortages and gaps in their cyber defensive architecture.

 

Because smaller organizations are likely to have fewer staff and less budget to deal with ransomware and other threats, it’s critical to learn from what works. Sourcing knowledge of techniques, processes and architectures that have been successfully deployed makes it easier to determine what to focus on first. Best practices, reference architectures and journey maps can be valuable assets for mapping your own path forward.

 

5. Ransomware is cyclical.
Threat actors will introduce new variants of a particular ransomware family or change their business model and go into ransomware as a service to proliferate their means. Just because a particular campaign has recently dropped off in prominence doesn’t mean that it won’t return. We’ve seen the rise, fall and rise again of threats such as Emotet and Ryuk, so building defenses that provide visibility and preventative measures across a broad segment of ransomware attacks is critical.

 

Because of the cyclical nature of ransomware, a feedback loop and regular introspection of control capabilities need to be part of the plan. The extremely damaging aspects of ransomware reinforce the need for a process of continuous improvement, perhaps more than any other use case in the current cyber landscape.

Brian Brown
Technical Marketing and Enablement | Trellix
Brian Brown serves as the director of technical marketing and enablement at Trellix. He specializes in crafting cross-platform communication strategies and plays a pivotal role in establishing the foundation for technical enablement.
