Derailing Ransomware 2.0 Requires EPPs, EDRs and Advanced Deception Tools


Many cybercriminals secure their most lucrative payouts by sticking to classic forms of attack, with a bit of a new twist. As ransomware has evolved and become more disruptive, it’s keeping security pros on their toes and compelling adjustments to their defense postures.  

Today, newer ransomware programs such as Zeppelin and REvil/Sodinokibi have surpassed the original strains with more advanced and highly targeted attacks. REvil/Sodinokibi, Zeppelin, and Phobos are examples of the growing trend of ransomware-as-a-service (RaaS), where the creators sell or rent the ransomware to cybercriminals in exchange for a cut of the profits of a successful attack. In the case of Zeppelin, the threat actors customized it to target technology, financial, and healthcare companies in the United States and other western nations. In contrast, REvil/Sodinokibi and its offshoots have primarily targeted healthcare organizations and local governments in Europe.

How ransomware attackers achieve that initial compromise explains part of why it’s so difficult to stop. Email remains one of the most popular attack vectors for ransomware, and social engineering attacks like spear-phishing and business email compromise (BEC) are particularly dangerous. Attackers using these tactics can often circumvent certain perimeter protections by targeting individual employees rather than the network itself. Attackers are also still exploiting unpatched systems, taking advantage of known security flaws, and capitalizing on misconfigurations such as insecure remote desktop connections. For security pros, there’s really no silver bullet.

Start With The Basics And Move On To Advanced Deception Tools

Stopping a cyberattack of any kind requires multiple levels of protection, starting at the network perimeter and extending inside the network. It’s essential when starting at the perimeter to have baseline security controls such as firewalls, IPS/IDS and proxies in place. When moving to individual internal systems, companies can start with an endpoint protection platform (EPP), traditional antivirus software that should catch attacks with a known signature. Even the most effective antivirus software will only stop about half the attacks, but as far as the first lines of defense go, it’s a good place to start. EPPs don’t detect everything, but they do a good job stopping most commodity malware or ransomware. If the attacker modifies the signature of the attack in any way, that’s where the EPP solution will start having trouble.

Security pros can next look to endpoint detection and response (EDR) systems. Advanced EDRs look at process flows and chains for anything unusual, such as a process spawning a child it would not normally spawn, or invoking an API that doesn’t fit its role. These observations are also helpful after an attack: as security teams investigate an incident and piece together what happened, EDR can supply the process flows it mapped during the attack. Like EPP, EDR does not stop everything, but it will likely derail most attacks, significantly boosting a system’s ability to detect a wider variety of malware and ransomware attacks.
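As an added illustration of the process-chain check described above (example code written for this edit, not any EDR vendor’s code): a toy detector builds a process tree from constructed process-creation events, flags a script host or shell whose parent is a document-handling application, and returns the full ancestry chain an analyst would want during the investigation. The event list, the document-app and script-host name sets, and the policy itself are constructed assumptions.

```python
# Added example (not from the article): a toy EDR-style check that builds a
# process tree from constructed process-creation events and flags parent/child
# pairs that do not belong together, returning the full ancestry chain so an
# analyst can reconstruct what happened.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image")

# Constructed sample telemetry: a document app spawning a script host,
# which in turn spawns a shell. PIDs are arbitrary.
EVENTS = [
    Event(400, 1, "explorer.exe"),
    Event(512, 400, "outlook.exe"),
    Event(600, 512, "winword.exe"),
    Event(701, 600, "powershell.exe"),
    Event(702, 701, "cmd.exe"),
    Event(800, 400, "chrome.exe"),
]

# Assumed policy: document apps should never spawn script hosts or shells.
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def ancestry(pid, by_pid):
    """Walk parent links from pid up to the root; return image names root-first."""
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:   # seen-set guards against cycles
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev.image)
        pid = ev.ppid
    return list(reversed(chain))

def find_suspicious_chains(events):
    """Return (child_pid, ancestry) for each script host spawned by a document app."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and e.image in SCRIPT_HOSTS and parent.image in DOC_APPS:
            hits.append((e.pid, ancestry(e.pid, by_pid)))
    return hits

if __name__ == "__main__":
    for pid, chain in find_suspicious_chains(EVENTS):
        print(f"ALERT pid={pid}: " + " -> ".join(chain))
```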

If ransomware manages to evade both EPP and EDR, the ability to engage in deception-based detection within the network becomes critical. Advanced deception technology can quickly detect multiple forms of lateral movement; it can hide production shares, redirect the ransomware to deceptive file shares, and occupy the attack by feeding it false data. Upon engagement, the decoy environment triggers an alarm, allowing defenders to isolate the program manually or automatically so the attack can’t spread further. Together, cyber deception and EPP/EDR technology create a comprehensive defense for quickly identifying and isolating ransomware while delivering critical telemetry for incident response and investigation.
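An added illustration of the decoy-share engagement alarm just described (example code written for this edit, not the article’s or any product’s code): decoy files are planted on a share that legitimate users never touch, their hashes are baselined, and any later rewrite, rename, deletion or unexpected new file raises an alert. The decoy names and contents and the tampering stand-in are constructed for the demo.

```python
# Added example (not the article's or any vendor's code): a minimal decoy-share
# monitor. Decoy hashes are baselined; any rewrite, rename, deletion or new file
# on the decoy share is treated as an engagement alarm.
import hashlib
import os
import tempfile

DECOY_NAMES = ["Q3_payroll.xlsx", "board_minutes.docx", "backup_passwords.txt"]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def plant_decoys(share_dir):
    """Write decoy files with constructed content; return {name: sha256}."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(share_dir, name)
        with open(path, "wb") as f:
            f.write(f"decoy content for {name}\n".encode())
        baseline[name] = sha256_file(path)
    return baseline

def check_decoys(share_dir, baseline):
    """Compare the share against the baseline; return a list of alert strings."""
    alerts = []
    current = set(os.listdir(share_dir))
    for name, digest in baseline.items():
        if name not in current:
            alerts.append(f"decoy removed or renamed: {name}")
        elif sha256_file(os.path.join(share_dir, name)) != digest:
            alerts.append(f"decoy rewritten: {name}")
    for name in sorted(current - set(baseline)):
        alerts.append(f"unexpected file on decoy share: {name}")
    return alerts

def simulate_tamper(share_dir):
    """Constructed stand-in for an encryptor: overwrite one decoy, rename another."""
    target = os.path.join(share_dir, DECOY_NAMES[0])
    with open(target, "wb") as f:
        f.write(b"\x00not the original bytes\x00")
    old = os.path.join(share_dir, DECOY_NAMES[1])
    os.rename(old, old + ".locked")

def run_demo():
    """Plant, check (quiet), tamper, check again; return (before, after) alerts."""
    with tempfile.TemporaryDirectory() as share:
        baseline = plant_decoys(share)
        before = check_decoys(share, baseline)
        simulate_tamper(share)
        return before, check_decoys(share, baseline)
```

In a real deployment the check would run on a file-system watch rather than on demand, and a non-empty alert list would feed the isolation step the paragraph describes.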

Attackers Are Getting Smarter—But So Are Defenders

Security teams have always strived to have multiple layers of protection in place, but as today’s attacks grow more sophisticated, it has become essential. Although detection alerts are up, so-called “Ransomware 2.0” attacks using Advanced Persistent Threat (APT) techniques help attackers maintain a foothold so that they can secure better payouts. These are more targeted attacks, with deliberate lateral movement and privilege escalation using stolen credentials.

New, advanced attack techniques also let cybercriminals disable security software and deploy ransomware on very specific targets rather than relying on the success of automated malware programs. For example, a recent variant of the Ragnar Locker ransomware installs a virtual machine and runs inside it to evade EPP/EDR detection. The ransomware then enumerates the network shares and connects them to the virtual machine (VM) for encryption. Because this activity happens from inside the VM, the local security controls can’t touch it. Without the ability to hide file folders and networked drives, and to create other decoys and lures that control the attacker’s path, the ransomware has unfettered access to move laterally, which can cost businesses a lot of money.

Ransomware attackers have also adjusted their tactics beyond indiscriminately encrypting any data they come across. Today’s ransomware targets critical data. Attackers who go this route focus on gaining a foothold in the network from an initial compromise, conduct reconnaissance to identify critical assets, and then deploy targeted ransomware against the assets they have identified. Next, they encrypt or exfiltrate the data and threaten to publish it if the organization doesn’t meet their ransom demands.

Fortunately, attackers are not the only ones innovating. Although no single technology can stop every form of ransomware, the combination of EPP, EDR, and an endpoint deception network has become an effective strategy. Even if an advanced piece of ransomware like the Ragnar Locker variant can bypass the two outermost protection layers, it is unlikely to defeat an in-network deception tool. As ransomware attacks continue to grow, businesses that understand the importance of multiple layers of network protection will succeed at protecting their assets and information from attackers.

Carolyn Crandall, Chief Deception Officer, Attivo Networks
