Jeremy Pickett Infosec Researcher
Jeremy’s cybersecurity path began at Symantec and continued at Sana Security, where he pioneered the use of Machine Learning against cyber threats such as Nimda and Stuxnet. He furthered his influence by forming international teams and securing patents at vArmour networks, PayPal, and eBay, later advancing PayPal’s eCrime initiatives. Now at MixMode, he’s delving into AI’s impact on cybersecurity. Also an author, artist, and musician, Jeremy’s diverse talents underscore his substantial contribution to the cybersecurity industry.
In today’s data-driven world, organizations of all sizes are increasingly reliant on digital technology to store and manage their most valuable assets. However, this reliance also makes them vulnerable to a growing threat: ransomware.
Ransomware is malware that encrypts an organization’s data and withholds the decryption key until a ransom is paid; many operators now also steal data before encrypting it and threaten to publish it (double extortion). This can have a devastating impact on businesses, causing them to lose access to critical data, disrupt operations, and suffer reputational and financial losses.
Enterprise organizations are at an increased risk of ransomware attacks because:
- They have large amounts of valuable data that attackers are targeting.
- They often have complex IT networks that can be difficult to secure.
- They may have employees who are unaware of the dangers of ransomware and how to avoid falling victim to phishing attacks and other social engineering scams.
Why It’s Significant
Ransomware attacks can have a devastating impact on enterprise organizations. In addition to the ransom payment, organizations face the cost of recovering from the attack, such as downtime, lost productivity, and damage to their reputation. Key impacts that ransomware attacks can have on organizations:
- Data loss: Ransomware attacks can lead to the loss of critical data, such as customer records, financial data, and intellectual property.
- Downtime: Ransomware attacks also cause downtime, since businesses cannot use affected data or systems until they are rebuilt or restored from backup (paying the ransom does not guarantee a working decryptor), causing significant disruption to operations.
- Financial losses: Ransomware attacks can cause significant financial losses, including the cost of the ransom, the cost of recovering from the attack, and the loss of revenue due to downtime.
- Damage to reputation: Ransomware attacks can also damage a business’s reputation, as customers and partners may lose trust in an organization that cannot protect their data.
- Skyrocketing cyber insurance premiums: According to a report by the cyber insurer Coalition, ransomware claims increased by 27% during the first half of 2023, and the average ransom demand reached $1.62 million, 74% higher than the previous year, pushing premiums up.
Ransomware attacks have become increasingly sophisticated and targeted in recent years. Attackers now build ransomware and intrusion playbooks specifically for enterprise environments, and use a range of methods to gain access, including phishing, exploitation of unpatched vulnerabilities in software and operating systems, and stolen credentials purchased on the dark web; some are also experimenting with AI tooling to produce new lures and variants.
Key stats on how enterprise organizations are affected by ransomware. Recent reports show attacks continuing at a record-breaking pace:
- Ransomware attacks in 2023 were up more than 95% over 2022 (Corvus Insurance, Q3 2023 report).
- The average ransom payment in 2023 was $1.54 million (Sophos, 2023).
- 72 percent of businesses worldwide were affected by ransomware attacks in 2023 (Statista, 2023).
Best Practices
There are several steps that enterprise organizations can take to protect themselves from ransomware attacks, including:
- Educating employees: Employees are often the weakest link in the security chain, so it is essential to educate them about the dangers of ransomware and how to avoid falling victim to phishing attacks and other social engineering scams.
- Keeping software and systems up to date: Ransomware attackers often exploit vulnerabilities in software and operating systems that have not yet been patched. Keeping all software and systems updated with the latest security patches is crucial.
- Backing up data: Back up data regularly so that it can be restored after a ransomware attack. Backups must be kept where the attacker cannot reach them: offline, or in immutable (write-once) storage with credentials separate from production. A cloud backup that the compromised domain admin account can delete or overwrite is not protection. Test restores periodically; a backup that has never been restored is an assumption, not a recovery plan.
- Having a ransomware response plan: In the event of a ransomware attack, it is essential to have a plan in place. This plan should cover containing the attack (isolating hosts, revoking credentials), preserving evidence, recovering data from backups, and the decision process for whether to pay, which is a business and legal decision that should involve counsel and the insurer and must account for the fact that payment does not guarantee recovery.
- Implementing layered security controls: Multi-factor authentication on all remote access and administrative accounts, least-privilege accounts, network segmentation, endpoint detection and response on hosts, and network-level behavioral detection, so that an intrusion is caught in the window between initial access and encryption. Evaluate vendor claims against your own telemetry rather than taking them at face value.
How MixMode Helps
There are several reasons why ransomware is difficult to detect. First, threat actors constantly develop new techniques to evade detection, and the actual encryptor is frequently rebuilt per victim so hash- and signature-based tools have nothing to match.
Second, intrusions often begin with exploitation of a vulnerability that has not yet been patched, for which no signature exists. Third, most of the attack lifecycle uses legitimate administrative tooling (remote desktop, scripting, remote execution utilities) under valid credentials, so the activity looks like administration until the encryptor runs. Fourth, attacks are targeted, so indicators from one victim rarely transfer to the next.
The MixMode Platform utilizes behavioral detection to analyze network activity in real-time, leveraging self-supervised learning to establish a continuous baseline of normal activity and identify deviations that may indicate a ransomware attack.
For example, The MixMode Platform can detect the following suspicious behaviors that may be indicative of a ransomware attack:
- A user suddenly accesses a large number of files that they do not normally access.
- A user suddenly transfers a large amount of data to an external device.
- A system suddenly exhibits high CPU usage or disk activity.
- A system suddenly sends a large volume of network traffic to an unknown IP address.
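To make the baseline-and-deviation idea in the list above concrete, here is an added example, written for this page and not MixMode code, of a toy per-user behavioral baseline. It assumes daily telemetry of the kind the bullets describe (distinct files touched, bytes sent to external addresses, the set of external hosts contacted) and flags a day that departs sharply from that user's own history. The users, hosts, field names and numbers are all constructed for illustration.

```python
"""Added example (not MixMode code): a toy per-user behavioral baseline.

Learns mean/stdev per user from a quiet history window, then flags days whose
activity deviates by more than `threshold` standard deviations, plus any
external destination the user has never contacted before.  All data is
constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

METRICS = ("files_touched", "bytes_external")


def _days(user, rows, dsts):
    """Helper to build constructed daily records for one user."""
    return [{"day": d, "user": user, "files_touched": f, "bytes_external": b,
             "external_dsts": set(dsts)} for d, f, b in rows]


# Constructed "quiet" history used to learn each user's baseline.
HISTORY = (
    _days("alice", [(1, 40, 2_000_000), (2, 35, 1_800_000), (3, 42, 2_100_000),
                    (4, 38, 1_900_000), (5, 45, 2_200_000)], ["203.0.113.10"])
    + _days("bob", [(1, 120, 5_000_000), (2, 110, 4_800_000), (3, 130, 5_200_000),
                    (4, 125, 5_100_000), (5, 115, 4_900_000)],
            ["203.0.113.10", "198.51.100.7"])
)

# Constructed day under test: alice is normal; bob touches thousands of files
# and pushes roughly 10x his usual volume to a host never seen before.
TODAY = (
    _days("alice", [(6, 41, 2_050_000)], ["203.0.113.10"])
    + _days("bob", [(6, 9_800, 48_000_000)], ["203.0.113.10", "192.0.2.55"])
)


def build_baseline(records):
    """Per-user (mean, stdev) of each metric plus the set of external hosts seen."""
    values = defaultdict(lambda: defaultdict(list))
    seen_dsts = defaultdict(set)
    for r in records:
        for m in METRICS:
            values[r["user"]][m].append(r[m])
        seen_dsts[r["user"]] |= r["external_dsts"]
    baseline = {}
    for user, metrics in values.items():
        stats = {}
        for m, vals in metrics.items():
            mu, sd = mean(vals), pstdev(vals)
            # Floor the stdev at 5% of the mean so a perfectly flat history
            # does not turn every tiny change into an alert.
            stats[m] = (mu, max(sd, 0.05 * mu))
        baseline[user] = {"stats": stats, "dsts": seen_dsts[user]}
    return baseline


def z_score(baseline, user, metric, value):
    mu, sd = baseline[user]["stats"][metric]
    return (value - mu) / sd


def detect(baseline, records, threshold=4.0):
    """Return (user, reason, detail) alerts for records that deviate from baseline."""
    alerts = []
    for r in records:
        user = r["user"]
        if user not in baseline:
            alerts.append((user, "no_baseline", None))
            continue
        for m in METRICS:
            z = z_score(baseline, user, m, r[m])
            if z > threshold:
                alerts.append((user, f"{m}_spike", round(z, 1)))
        new_dsts = r["external_dsts"] - baseline[user]["dsts"]
        if new_dsts:
            alerts.append((user, "new_external_destination", sorted(new_dsts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), TODAY):
        print(alert)
```

Running it produces three alerts, all for bob (a file-access spike, an outbound-volume spike, and a new external destination) and none for alice. The stdev floor matters in practice: a service account with a perfectly regular schedule would otherwise alert on a one-file difference, and a real system needs per-day-of-week or per-role baselines rather than a single global window.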
Anatomy of a ransomware attack
Ransomware attacks are typically carried out in the following stages:
- Initial access: The attacker gains initial access to the victim’s network through various means, such as phishing attacks, exploiting vulnerabilities in software or operating systems, or purchasing stolen credentials on the dark web.
- Reconnaissance: Once the attacker has access to the victim’s network, they will conduct reconnaissance to identify valuable data and systems.
- Lateral movement: The attacker will move laterally across the victim’s network to access additional systems and data.
- Elevation of privileges: The attacker escalates privileges, typically to a domain administrator account, to gain control over the victim’s systems. In practice this stage and lateral movement interleave: each newly reached host yields credentials that open the next.
- Deployment of ransomware: The attacker will then deploy the ransomware payload to the victim’s systems.
- Encryption: The ransomware encrypts the victim’s data, usually after deleting volume shadow copies and other local recovery points so that restoration is harder, and often after the attacker has already exfiltrated a copy of the data for extortion.
- Ransom demand: The attacker will then present the victim with a ransom demand in exchange for the decryption key.
The MixMode Platform
The MixMode Platform provides a proactive approach to ransomware detection by monitoring and analyzing various behavioral aspects within a network to detect malware early. It can also detect ransomware attacks at all stages of the attack lifecycle.
Initial access: The MixMode Platform can detect suspicious login attempts and other indicators of phishing attacks. It can also detect attempts to exploit vulnerabilities in software or operating systems, as well as subsequent attempts to disable or tamper with endpoint protection software.
Reconnaissance: The MixMode Platform can detect suspicious activity on the network, such as unauthorized access to files and systems.
Lateral movement: The MixMode Platform can detect suspicious activity across the network, such as attempts to access systems the user is not authorized to access.
Elevation of privileges: The MixMode Platform can detect attempts to escalate privileges, such as changing passwords or modifying security settings.
Deployment of ransomware: The MixMode Platform can detect the deployment of ransomware payloads by detecting suspicious file activity and network traffic.
Encryption: The MixMode Platform can detect when data is being encrypted by looking for a sudden increase in the randomness (entropy) of the data being written. Encryption scrambles data, making it statistically indistinguishable from random bytes. Entropy alone is a noisy signal, because compressed archives, media files and already-encrypted traffic score just as high; the discriminating pattern is many distinct files being rewritten with high-entropy content in a short window, which the platform can identify and flag as potential encryption activity.
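The following is an added example, not MixMode code, that shows both halves of the point above: Shannon entropy of a byte buffer, and why a single high-entropy write is not evidence of ransomware. It assumes a write log of (timestamp, path, entropy) records; the text, the “archive”, the ciphertext stand-in and the timestamps are all constructed, and the 7-bits-per-byte cutoff is an assumed, commonly used threshold rather than a MixMode parameter.

```python
"""Added example (not MixMode code): entropy-based encryption detection and
why it needs a second signal.

Shannon entropy rises toward 8 bits/byte when a file is encrypted, but
compressed archives score just as high, so `looks_encrypted` alone misfires
on a backup job.  `first_mass_encryption_time` asks the question an analyst
actually cares about: are many distinct files being rewritten with
high-entropy content in a short window?  All data below is constructed.
"""
import math
import random
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed cutoff in bits/byte; plain text is ~4-5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, approaching 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    return shannon_entropy(data) >= threshold


def first_mass_encryption_time(writes, entropy_threshold=ENTROPY_THRESHOLD,
                               window=60, min_files=25):
    """Earliest timestamp t at which >= min_files distinct paths received a
    high-entropy write within [t, t + window); None if that never happens.
    writes: iterable of (timestamp_seconds, path, entropy_bits_per_byte)."""
    hi = sorted((t, p) for t, p, h in writes if h >= entropy_threshold)
    for i, (t0, _) in enumerate(hi):
        paths = {p for t, p in hi[i:] if t < t0 + window}
        if len(paths) >= min_files:
            return t0
    return None


# --- constructed sample data -------------------------------------------------
rng = random.Random(1)
VOCAB = [b"incident ", b"report ", b"quarterly ", b"invoice ", b"customer ",
         b"payment ", b"schedule ", b"approved ", b"budget ", b"contract "]
PLAINTEXT = b"".join(rng.choice(VOCAB) for _ in range(3000))    # ~27 KB of text
COMPRESSED = zlib.compress(PLAINTEXT, 9)                          # a "backup archive"
CIPHERTEXT = bytes(rng.getrandbits(8) for _ in range(4096))      # stand-in for encrypted output

# Constructed write log: one nightly archive at t=0, then 60 documents
# rewritten with ciphertext-like content between t=100 and t=160.
WRITE_LOG = [(0, "backup/nightly.zip", shannon_entropy(COMPRESSED))] + [
    (100 + i, f"share/docs/report{i}.docx.locked", shannon_entropy(CIPHERTEXT))
    for i in range(60)
]


def demo():
    return {
        "plaintext_entropy": round(shannon_entropy(PLAINTEXT), 2),
        "compressed_entropy": round(shannon_entropy(COMPRESSED), 2),
        "ciphertext_entropy": round(shannon_entropy(CIPHERTEXT), 2),
        "archive_alone_flagged": looks_encrypted(COMPRESSED),  # entropy alone misfires
        "burst_start": first_mass_encryption_time(WRITE_LOG),  # the real event
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The archive at t=0 passes the entropy test on its own, which is exactly the false positive a raw entropy detector produces every night a backup runs; the burst detector ignores it (one file in the window) and fires at t=100 when dozens of distinct documents are rewritten. Real deployments add further signals such as extension changes, shadow-copy deletion and write rate per process.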
Ransom demand: The ransom note itself is usually written to disk (a text file dropped into each encrypted directory) and is not visible from the network; what the MixMode Platform can detect at this stage is the surrounding network traffic, such as connections to known command-and-control and leak-site infrastructure used by ransomware gangs.
Key Benefits of Using The MixMode Platform
The MixMode Platform helps arm security teams with what’s needed to defend against ransomware attacks. Key benefits include:
- Accuracy: Precision threat detection of ransomware attacks, even at the early stages of the attack lifecycle.
- Scalability: Scale to monitor large data environments across network, cloud, and hybrid networks and systems.
- Speed: Detect ransomware attacks quickly before they can cause significant damage.
- Proactive detection: Identify and block suspicious activity before ransomware occurs.
The MixMode Platform in Action
While conducting a recent POC, The MixMode Platform uncovered Emotet, a malware loader that is routinely used to stage ransomware deployments. Missed by most legacy solutions, The MixMode Platform detected the activity before any damage could occur.
*** This is a Security Bloggers Network syndicated blog from MixMode authored by Jeremy Pickett. Read the original post at: https://mixmode.ai/blog/under-siege-ransomware-and-your-business/