Ransomware is a threat that shouldn't take your organization by surprise if there is a resilient incident response plan in place to help mitigate risk.

July 26, 2021

5 Min Read

Ransomware has been particularly active over the past year, impacting government, supply chain, and individual businesses alike. The good news is that there are tools and resources available to help organizations build a resilient incident response capability to defend against ransomware.

Ransomware is evolving, and after multiple high-profile incidents it is now a national security priority in the US. Colonial Pipeline, JBS Foods, Kaseya, and many other organizations have made headlines around the world due to ransomware attacks, and the SolarWinds compromise, although an espionage campaign rather than a ransomware attack, showed how a single trusted vendor can become the entry point into thousands of organizations.

Those who work in IT and cybersecurity have been worried about ransomware for years. What has changed in the past year is that the topic is now a dinnertime conversation for people across America, who might be asking why they are paying more for gas at the pump or why meat costs more at the grocery store. Ransomware is no longer just a concern for cybersecurity professionals; it is a risk that affects the everyday lives of individuals too.

Observed Ransomware Trends
So, why is ransomware a growing threat? Simply put, it has been an effective attack vector.

The ultimate goal for the adversary is to increase the likelihood of the victim paying the ransom. At Cisco Talos, we have seen adversaries advance ransomware payload capabilities to help ensure the maximum impact of an attack against an organization.

We have also increasingly observed attackers "living off the land," that is, using tools already present on the victim's systems to stage and distribute ransomware rather than dropping their own malware. Because these are legitimate, signed binaries, their use blends in with routine administration and is easy to miss without command-line logging. Tools that IT teams rely on to manage networks, such as PowerShell, are now routinely turned against them by attackers.

Ransomware-as-a-service (RaaS) is another disturbing trend on which adversaries are capitalizing. Instead of each criminal group developing its own ransomware, the RaaS model lets operators rent their payload and infrastructure to affiliates, who carry out the intrusions and split the proceeds, scaling the number of attacks well beyond what the operators could run themselves. For the adversary behind Maze ransomware, for example, the affiliate model was generating approximately 35 percent of the group's profits before the operation shut down in November 2020.

The Path to Ransomware Encryption
There tends to be a general path that ransomware attacks follow.

It starts with the initial access phase, whether that is phishing, vulnerable or exposed software, a stolen credential, or another entry point. That is typically followed by privilege escalation and then lateral movement across the environment, often using remote administration tools and administrative shares rather than custom malware. Finally, with sufficient privileges and a foothold in the right part of the network, the attacker exfiltrates data and then encrypts it, holding systems for ransom and, in the double-extortion variant, also threatening to leak the stolen data if the ransom is not paid.

Even with the most advanced ransomware threats, each of these stages leaves traces, so there is generally a detection opportunity well before encryption begins: an e-mail client spawning a script interpreter, an encoded PowerShell command, a new mapping to an administrative share, or the deletion of volume shadow copies just before the payload runs. The problem is that most organizations are not collecting enough telemetry (command-line and script-block logging in particular) or doing enough active monitoring to spot the threat fast enough to act on it.
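To make the detection opportunity concrete for both the living-off-the-land observation above and the attack path just described, here is an added example, not code from the original article or from Cisco Talos, that runs a handful of stage-aware rules over constructed process-creation events (Sysmon Event ID 1 or Windows 4688 style, flattened to dictionaries). The sample events, host and user names, and the rule names are all constructed for illustration; the encoded PowerShell blob is the UTF-16LE base64 encoding of the benign command `Get-Date`, so the decoder can be checked, whereas in a real intrusion it would usually be a download cradle.

```python
"""Stage-aware triage of process-creation telemetry for ransomware precursors.

Constructed example: the events below are sample data, not logs from any
real incident. Field names follow a flattened Sysmon Event ID 1 record.
"""
import base64
import re
from collections import defaultdict

# --- constructed sample telemetry (hosts, users and commands are made up) ---
SAMPLE_EVENTS = [
    # Mail client spawning a hidden, encoded PowerShell: classic phishing foothold.
    {"host": "ws-101", "user": "CORP\\jdoe", "parent": "outlook.exe",
     "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    # Same host then maps an admin share on a file server: lateral movement.
    {"host": "ws-101", "user": "CORP\\jdoe", "parent": "powershell.exe",
     "image": "net.exe", "cmd": "net use \\\\fs-01\\c$ /user:CORP\\svc_backup"},
    # On the file server, shadow copies and recovery are disabled: encryption is imminent.
    {"host": "fs-01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "fs-01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    # Benign interactive PowerShell from Explorer: should not fire anything.
    {"host": "ws-102", "user": "CORP\\asmith", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmd": "powershell.exe Get-ChildItem C:\\Users\\asmith\\Documents"},
]

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -e / -ec / -enc / -encodedcommand followed by a base64 blob of at least 20 chars.
ENC_PS = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# \\host\c$ , \\host\admin$ , \\host\ipc$
ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\(c\$|admin\$|ipc\$)", re.I)
# Backup and recovery tampering that typically precedes the encryption run.
RECOVERY_TAMPER = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no)", re.I)

# (stage, rule name, predicate). Stages follow the path described in the text.
RULES = [
    ("initial_access", "office_app_spawned_script_host",
     lambda ev: ev["parent"].lower() in OFFICE_PARENTS
     and ev["image"].lower() in SCRIPT_HOSTS),
    ("execution", "encoded_powershell",
     lambda ev: bool(ENC_PS.search(ev["cmd"]))),
    ("lateral_movement", "admin_share_mapping",
     lambda ev: ev["image"].lower() == "net.exe"
     and bool(ADMIN_SHARE.search(ev["cmd"]))),
    ("impact_precursor", "backup_or_recovery_tampering",
     lambda ev: bool(RECOVERY_TAMPER.search(ev["cmd"]))),
]


def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand blob (UTF-16LE base64), or None."""
    m = ENC_PS.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events):
    """Return one finding per (event, matching rule), enriched with decoded PowerShell."""
    findings = []
    for ev in events:
        for stage, name, pred in RULES:
            if pred(ev):
                findings.append({"host": ev["host"], "user": ev["user"], "stage": stage,
                                 "rule": name, "cmd": ev["cmd"],
                                 "decoded": decode_encoded_command(ev["cmd"])})
    return findings


def risk_by_host(findings):
    """Collapse findings to distinct stages per host.

    Two or more stages on one host, or any impact precursor, is 'high': that is
    the point where an analyst must act before encryption starts.
    """
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return {host: ("high" if "impact_precursor" in s or len(s) >= 2 else "medium")
            for host, s in stages.items()}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        extra = f" (decodes to: {f['decoded']!r})" if f["decoded"] else ""
        print(f"[{f['stage']:<16}] {f['host']} {f['user']}: {f['rule']}{extra}")
    print("host risk:", risk_by_host(found))
```

The rules are deliberately simple string and parent/child matches rather than a full detection engine; the point is that every one of them needs command-line or script-block logging to exist in the first place, which is exactly the telemetry the text says most organizations are not collecting. Tune the parent and share lists to your environment before relying on them, since backup software and administrators legitimately touch admin shares and shadow copies.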

What Resilient Incident Response Is All About
Resilience is about having trust in the organization's incident response capability — trust that systems can be recovered and trust in relationships, across the enterprise, with vendors, and with law enforcement.

For organizations that do not have their own in-house capability for incident response, it's really important to have that expertise available via a third-party service, typically on a retainer.

At Cisco Talos Incident Response in particular, by partnering with organizations we have been able to demonstrably improve response and have helped to prevent ransomware attacks at large, multibillion-dollar organizations. Whether your incident response team resides in-house or with a trusted partner, it's important that there is a plan and a strategy in place, before an incident occurs.

The Business Enabler Incident Response Process: Prepare, Protect, Respond, Recover
There are four key high-level steps that can help to enable resilience.

Prepare. The first step is to be ready for an incident by testing the incident response plan. This phase involves tabletop exercises that span the organization, helping those involved to learn how to respond. As part of the preparation, organizations should test backup and recovery of data to help ensure business continuity.

Protect. The organization needs to inventory its detection capabilities and find where the gaps are, so that it understands the cyber-risk it is implicitly accepting. As part of this phase, it is also critical to identify third-party and supply chain risk, because a vendor's or managed service provider's access to your environment is an entry point you do not directly control.

Respond. Organizations need to make sure they have either an incident response team in-house or on retainer, with service-level objectives, to be ready to team up and to respond when an incident occurs. When done right, incident response is the ultimate team sport.

Recover. After an incident, it's critical to do an after-action review that details lessons learned. Those lessons then need to be fed back into the incident response plan in a process of continuous improvement.

Resilient incident response is not about any one activity, but rather about having a continuous process and tested relationships in place before an incident occurs. Ultimately, this approach can minimize or even completely mitigate the severity of an attempted attack.

About the Author


Brad Garnett (CCE®, GCFE, GCFA, GNFA, GCTI) is the General Manager of the Cisco Talos Incident Response (CTIR) Team and is responsible for the overall strategy and daily operations of CTIR. At Cisco, Brad has worked on and led a wide range of global incident response engagements across many industry verticals, and he works with organizations and government entities around the world on preparedness, tactical response to computer intrusions, and emerging cyber threats. In 2021, Brad joined the groundbreaking Ransomware Task Force, which is helping shape public policy and strategies for businesses in the fight against ransomware globally. Brad began his cybersecurity career while working in law enforcement in the State of Indiana.
