Ransomware attacks may be fast, but they are still made up of several distinct stages — which means security defenders have multiple opportunities to stop the attack before it causes serious damage.
These attacks are, first and foremost, a human intrusion and follow all the familiar phases associated with security breaches, says Max Heinemeyer, director of threat hunting at Darktrace. The malware's actual capabilities and specific techniques vary, but the attack always involves initial access, communication with a command-and-control server, reconnaissance, and lateral movement. Encryption typically comes at or near the end of the attack life cycle.
In this Tech Talk (above), Heinemeyer outlines how organizations need to know what "normal" looks like in order to detect outliers, and to be able to interrupt those unusual activities as they occur.
"If you want to interrupt ransomware before it can deploy, the previous stages of that attack are very interesting to look at," Heinemeyer says.
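The two stages Heinemeyer singles out before encryption, command-and-control traffic and lateral movement, are exactly where a "what does normal look like" baseline pays off. The script below is an added example written for this page, not code from the Tech Talk or from Darktrace. It assumes a flat connection-log format of `timestamp src dst dport`, a `10.0.0.0/8` internal range, a small set of Windows admin ports, and illustrative thresholds; the baseline and "day 8" traffic are constructed, not captured. It builds a per-host baseline of how many internal hosts each workstation normally reaches on admin ports, then flags a host whose fan-out jumps far above its own history, and separately flags an internal host calling one external address at a near-constant interval.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Ports commonly used for admin access between Windows hosts (assumption).
LATERAL_PORTS = {135, 445, 3389, 5985}


def is_internal(ip):
    return ip.startswith("10.")  # assumed internal range


def parse(lines):
    """Parse 'ISO-timestamp src dst dport' lines into (datetime, src, dst, port)."""
    events = []
    for line in lines:
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def daily_fanout(events):
    """src -> {day: number of distinct internal hosts reached on admin ports}."""
    seen = defaultdict(set)
    for ts, src, dst, port in events:
        if is_internal(src) and is_internal(dst) and port in LATERAL_PORTS:
            seen[(src, ts.date())].add(dst)
    fanout = defaultdict(dict)
    for (src, day), dsts in seen.items():
        fanout[src][day] = len(dsts)
    return fanout


def lateral_movement_outliers(baseline_events, today_events, z=3.0, floor=5):
    """Hosts whose admin-port fan-out today exceeds mean + z*stdev of their own
    baseline days (stdev floored at 1 so a flat history still needs a real jump).
    A host with fewer than two baseline days is compared against `floor`."""
    base, today = daily_fanout(baseline_events), daily_fanout(today_events)
    flagged = {}
    for src, per_day in today.items():
        count = max(per_day.values())
        history = list(base.get(src, {}).values())
        if len(history) < 2:
            threshold = floor
        else:
            threshold = statistics.mean(history) + z * max(statistics.pstdev(history), 1.0)
        if count > threshold:
            flagged[src] = count
    return flagged


def beacon_candidates(events, min_hits=6, max_jitter=0.2):
    """(src, dst) pairs where an internal host contacts one external address at
    near-constant intervals (stdev/mean of the gaps <= max_jitter), mapped to
    the mean interval in seconds."""
    times = defaultdict(list)
    for ts, src, dst, _port in events:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found[key] = round(mean)
    return found


def _line(t, src, dst, port):
    return f"{t.isoformat()} {src} {dst} {port}"


# Constructed sample logs (not real traffic). Seven baseline days in which
# workstation 10.0.1.20 reaches two or three file servers over SMB and
# 10.0.1.30 reaches one.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SERVERS = ["10.0.2.10", "10.0.2.11", "10.0.2.12"]
BASELINE_LINES = [
    _line(T0 + timedelta(days=d, minutes=i), "10.0.1.20", dst, 445)
    for d in range(7) for i, dst in enumerate(SERVERS[: 2 + d % 2])
] + [_line(T0 + timedelta(days=d), "10.0.1.30", "10.0.2.10", 445) for d in range(7)]

# Day 8: 10.0.1.20 fans out to 25 hosts in ten minutes and calls one external
# address roughly every 60 s; 10.0.1.30 behaves as before plus irregular browsing.
T8 = T0 + timedelta(days=7)
TODAY_LINES = (
    [_line(T8 + timedelta(seconds=24 * i), "10.0.1.20", f"10.0.3.{i + 1}", 445) for i in range(25)]
    + [_line(T8 + timedelta(seconds=s), "10.0.1.20", "203.0.113.7", 443)
       for s in (0, 60, 115, 180, 240, 298, 360, 420, 477, 540)]
    + [_line(T8 + timedelta(seconds=s), "10.0.1.30", "198.51.100.9", 443)
       for s in (0, 30, 400, 410, 900, 2000)]
    + [_line(T8, "10.0.1.30", "10.0.2.10", 445)]
)


def run_demo():
    """Return (lateral-movement outliers, beacon candidates) for the sample logs."""
    base, today = parse(BASELINE_LINES), parse(TODAY_LINES)
    return lateral_movement_outliers(base, today), beacon_candidates(today)
```

Calling `run_demo()` returns `{"10.0.1.20": 25}` for the fan-out check and `{("10.0.1.20", "203.0.113.7"): 60}` for the beacon check; the browsing host 10.0.1.30 trips neither because its SMB fan-out matches its history and its external connections are irregular. Two caveats a practitioner would add before running this on real data: the fan-out threshold is per host, so a genuinely busy admin jump box needs its own baseline rather than a global one, and the interval test will also catch legitimate schedulers (update checks, monitoring agents), so suppress destinations already seen in the baseline window before raising an alert.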
The increasing professionalization of ransomware attacks, especially in how the attackers market themselves and recruit new members, worries Heinemeyer. Attacks have evolved from simply encrypting everything to extortion, and then to mixing in other attacks to pressure victims into paying the ransom. Future attacks may move down the supply chain if the victims don't pay.
"It's all about interrupting business and interrupting revenue ... we don't think this is just a tech issue about encrypting data anymore," Heinemeyer says.
Note: DR Technology is sponsored by Darktrace.