Ransomware attacks dominate the news cycle, and for good reason: they are disruptive, expensive, and, in some cases, destructive to the organization. Brianna Leddy, director of analysis at Darktrace, notes that while security teams should pay attention to the well-known malware families behind ransomware attacks, enterprises should really be worried about brand-new, never-before-seen ransomware strains.
It is "extremely trivial" for a threat actor to buy or rent the necessary tools and command-and-control infrastructure to set up a "novel" ransomware attack, Leddy notes. The number of affordable ransomware-as-a-service offerings available means attackers no longer face a technical or financial barrier to entry.
In this Tech Talk, Leddy recounts a recent incident that stemmed from compromised administrative credentials: the attackers used the privileged credentials to access an internal server and began sending WMI commands. For many security teams, detecting these kinds of attacks, in which a common Windows administrative tool is abused to hide malicious activity or lateral movement, is a challenge. These are the types of behavior that enterprises need to be able to detect and stop before any actual damage is done, Leddy says.
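A defender-side illustration of the detection problem described above, added here as example code (it is not from Darktrace or the Tech Talk): it scans constructed Windows process-creation (event 4688) records for WmiPrvSE.exe spawning a command interpreter, the host-side footprint of remote WMI execution, and for wmic.exe being pointed at a different host, and escalates hits that involve accounts on a constructed privileged-account list. The flattened field layout, account names and hostnames are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows Security event 4688 (process creation) records, one per
# line, flattened to: time|host|account|parent_image|new_image|command_line
SAMPLE_EVENTS = """\
2024-03-01T02:14:07Z|SRV-FILE01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c powershell.exe -nop -w hidden -File C:\\Windows\\Temp\\upd.ps1
2024-03-01T02:14:09Z|SRV-FILE01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:SRV-DB02 process call create "cmd.exe /c whoami"
2024-03-01T02:15:30Z|WS-0421|CORP\\jdoe|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"WINWORD.EXE"
2024-03-01T02:16:02Z|WS-0421|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:ws-0421 os get caption
"""

# Constructed (hypothetical) set of admin accounts; hits involving them are escalated,
# since the incident above turned on compromised privileged credentials.
PRIVILEGED_ACCOUNTS = {"corp\\svc_backup", "corp\\da_admin"}
# Interpreters that a remote WMI "process call create" typically lands in on the target.
WMI_CHILD_INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
NODE_RE = re.compile(r'/node:"?([^\s",]+)', re.IGNORECASE)

@dataclass
class Alert:
    rule: str
    host: str
    account: str
    severity: str
    detail: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def detect_wmi_abuse(events_text: str) -> list:
    """Flag (1) WmiPrvSE.exe spawning an interpreter, i.e. code executed on this host
    via remote WMI, and (2) wmic.exe aimed at a different host (outbound lateral move)."""
    alerts = []
    for line in filter(str.strip, events_text.splitlines()):
        _ts, host, account, parent, image, cmdline = line.split("|", 5)
        parent_b, image_b = _basename(parent), _basename(image)
        hit = None
        if parent_b == "wmiprvse.exe" and image_b in WMI_CHILD_INTERPRETERS:
            hit = ("wmi_remote_exec_inbound", f"{image_b} spawned by WmiPrvSE: {cmdline}")
        elif image_b == "wmic.exe":
            m = NODE_RE.search(cmdline)
            # /node: pointed at the local machine is admin noise, not lateral movement.
            if m and m.group(1).lower() not in {host.lower(), "localhost", "127.0.0.1", "."}:
                hit = ("wmi_lateral_outbound", f"wmic targeting {m.group(1)}: {cmdline}")
        if hit:
            sev = "critical" if account.lower() in PRIVILEGED_ACCOUNTS else "high"
            alerts.append(Alert(hit[0], host, account, sev, hit[1]))
    return alerts
```

In production the same two rules would run over forwarded 4688 or Sysmon process-creation events rather than a flattened string, and the allowlist of expected WmiPrvSE children would be tuned per environment.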
"By virtue of the fact that we know them [ransomware groups], that we have names for them, that means the security tools know about them as well. They have the associated signatures and threat intelligence in order to catch these attacks in the future," she says. "What really concerns me is the unknown attacks — the ones that we don't know anything about, so we don't know how to predict them. We don't know where they are going to move next or what tools [and] tactics they are going to be using."
Note: DR Technology is sponsored by Darktrace.