Ransomware Response: 5+ NDR Tips to Enhance Defense
Attackers can persist in their targets’ networks before they activate ransomware, and after they collect a ransom. How does your network analysis reduce the risk of a first-time and repeat cyber attack?
Introduction
Ransomware is a bane for organizations and is likely the most persistent and potentially damaging cyber attack. Organizations of all sizes in the public and private sector alike are regularly targeted by criminals, nation-state actors, and opportunistic groups who purchase information or ransomware services. One September 2023 survey found that 79% of respondents had experienced a ransomware attack in the last 12 months. A cryptocurrency tracing firm tabulated 2023 revenues for ransomware attackers at $1.1 billion, more than $100 million above the 2021 total, the previous high-water mark.
These numbers reflect ransomware tactics, techniques, and procedures (TTPs) that are constantly evolving. Even the most elite network defenders and the agencies tasked with identifying ransomware TTPs and thwarting attacks recognize that no defense, however hardened, can completely eliminate the risk of ransomware. Improved reconnaissance, defense evasion techniques, and other TTPs can help an adversary evade even the most sophisticated defenses.
Coupled with the persistence of human error and the ongoing effectiveness of traditional attack vectors such as malicious links and email-based infections, defenders should expect to be fighting a multifront battle against ransomware for the foreseeable future.
Preventative tools (e.g., antivirus, endpoint detection and response (EDR), and intrusion detection systems (IDS)) and processes (e.g., employee education, identity and access management) can often prevent ransomware at the perimeter. But ransomware’s persistence demonstrates their limitations.
Facing this threat landscape, all organizations should invest in threat detection and response capabilities and create a detailed ransomware response plan. While the detection of a ransomware attempt is difficult, due to the speed with which many attackers escalate attacks, network telemetry can, in some cases, alert defenders to the attackers’ presence before the ransomware payload drops.
Given that attackers who have achieved persistence have the advantage, a ransomware response plan should also include robust, well thought-out disaster recovery and investigation capabilities, not least for the purposes of determining whether or not the organization should pay the ransom.
Network detection and response (NDR) platforms can give security teams the visibility and evidence to execute a comprehensive ransomware response, and establish the adversary’s scope, duration, and attack vector.
In this article, we’ll explore why network evidence and attack analysis are critical to:
- Defining the intruder’s initial access, the scope of the attack, and its blast radius
- Isolating impacted systems and employing tools to limit attack escalation
- Assessing damage, what backups are available, and how recent they are
- Detecting data exfiltration and command and control (C2) attempts
- Recovering data
- Determining and mitigating persistence
- Protecting against repeat attacks (double extortion)
Call their bluff
In high stakes ransomware investigations, many security teams are unable to answer key questions and default to worst-case assumptions. With complete visibility from Corelight, teams can avoid costly overreactions. One customer, when confronted with a $10 million ransomware demand, used Corelight to prove the exfiltrated data being held for ransom had no real value while providing legal aircover for refusing to pay the ransom.
Detecting escalation: a narrow window for ransomware prevention
Ransomware attacks often entail privilege escalation, in which an adversary moves laterally from a compromised host and gains access to shared administrative credentials, domain controllers, Active Directory servers, or essential systems from which they may launch a widespread attack. Depending on the initial intrusion, privilege escalation may involve compromising accounts with similar privileges (horizontal) or laddering up to accounts with more expansive privileges (vertical).
In either case, network detection tools can document evidence of the escalation path. However, in many cases it is not possible to identify the attack pattern as ransomware, or even a possible ransomware event. Furthermore, many ransomware attackers launch attacks when defenses are reduced or absent, such as weekends and off hours.
So while security teams may detect an adversary before the final attack step is complete, the window for blocking these attacks is often very narrow. It is therefore critical for organizations to flesh out response plans that assume the attacker has achieved some success and begins with an advantage.
When isolating infected hosts and backups isn’t enough
A payment demand is often the first indication of a successful ransomware attack. In these cases, security teams begin their assessment knowing the adversary has achieved at least partial success by compromising operations.
The response will depend on the security team considering what the attackers’ ultimate goal may be. Each of the likeliest scenarios — holding data hostage, stealing intellectual property, or selling access to another adversary — should be considered when the organization is reviewing the recovery plan.
Whether the targeted organization pays a ransom, wipes infected devices, or utilizes uncompromised backups to restore operations, additional steps will be needed to determine if the adversary is still in the environment or has a backup mechanism to maintain a command and control (C2) channel that they can leverage for future attacks.
Assuming the ransomware attack is not so extensive or costly that the viability of the organization is in question, the demand is a jump-off point for an investigation that presents many questions for responders and the organization as a whole.
What you should know before you pay
A near-ubiquitous challenge of fighting cyber crime is the adversary’s lack of ethics and trustworthiness. Government agencies, such as the FBI and CISA, do not recommend paying ransom demands since there is no guarantee that criminals will decrypt or return seized data, and payments ultimately reward criminals’ actions and may fund future (and better) attacks. What’s more, a CrowdStrike survey reported that 96% of organizations that paid an initial ransom still paid out more in extortion fees.
In some cases, the ransom demand may not fit the scope of the crime. Attackers may count on their targets’ overreaction and lack of visibility into their systems and claim the data seized is far more valuable than it is.
In one instance, a Corelight customer received a $10 million demand for the return of captured data. Using evidence via the Corelight open network detection and response (NDR) platform, the customer determined the stolen data was stale and refused to pay.
The organization still needed to determine the extent of the intrusion and the source of compromise to close the incident. But with efficient investigation techniques and supporting evidence, it confirmed the attacker’s deception and minimized incident damages.
Elements of ransomware response
The effectiveness of a ransomware response is a function of identifying the blast radius, determining the scope of system damage or data loss, assessing the extent of liability and ongoing risk, and establishing containment. Each of these objectives depends on accumulating reliable evidence of the attacker’s movement and activity.
Identifying blast radius. The initial method of intrusion — such as a phishing email, compromised virtual private network (VPN), remote desktop protocol (RDP), compromised endpoint, insufficiently protected OT device, unpatched system or application, or simply buying access from an access broker — is ground zero. But ransomware variants can quickly spread laterally through networks and systems. An accurate assessment of the blast radius should quantify lateral movement as well as dwell time (which, on average, is decreasing before attackers deploy their ransomware payload).
Determining damage scope. Response should determine the volume and characteristics of data encrypted or exfiltrated by attackers and which systems, operations, and access permissions were compromised.
Assessing liability and risk of recurrence. Effective response is key to governance, risk, and compliance (GRC) and forensics. To ensure that the organization has met thresholds and requirements for regulatory compliance, security of customer data, risk assessments, and cyber insurance policies, organizations have tremendous incentive to produce evidence of their response process and remediation efforts.
These aspects of response may not recoup financial losses or stolen data, and they carry their own costs in terms of money, time, and engagement. But they can insulate the organization from far more serious impacts, such as fines, reputational damage, or business failure.
Incident response at this level requires experienced teams who are armed with the right tools for collecting evidence of the ransomware attack. Next-generation firewalls (NGFW) and endpoint detection and response (EDR) can reduce (but not eliminate) the risk of a successful ransomware attack. Organizations need tools that help security teams map out attackers’ lateral movements, data exfiltration attempts, and other actions to rapidly assess scope to reduce the damage after the initial ransom request.
How NDR enables effective ransomware response
NDR can support early detection of many types of threats. But as noted above, successful ransomware attacks either evade security defenses or exploit the lack of them. So while NDR has demonstrable value as a threat hunting tool, here we will focus on its value in the face of a realized ransomware threat.
Identifying the blast radius of the attack in a timely, effective manner depends on ready access to detailed, well-structured, quantifiable network evidence, and on a logging strategy that captures full network transaction logs, which support investigation of live-threat scenarios rather than alert-only events.
An NDR platform should leverage multiple resources that provide visibility into the attacker’s movements as well as evidence and limits of their actions. Advanced network telemetry provides defenders with a comprehensive picture of the devices attackers utilized for communications (C2), lateral movements within the network, data exfiltration attempts, and insights into remote connections.
These capabilities may enable some defenders to quickly identify the blast radius of the ransomware attack to aid in preventing contagion from attacks that originate with third parties or partner organizations. They can also greatly improve digital forensics and incident response (DFIR), an extended process that can inform criminal investigations, demonstrate that the organization was in regulatory compliance despite the breach, and document remediation efforts for the purposes of insurance and risk management.
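The blast-radius and dwell-time assessment described under "Identifying blast radius" above, and the lateral-movement, C2 and exfiltration evidence this section says network telemetry should yield, can be reconstructed from connection logs. The following is an added example, not Corelight's code or any part of its platform: it walks a handful of constructed Zeek-style conn.log records (field names follow Zeek's conn.log; the records, the internal address range, the set of administrative ports, and the byte and jitter thresholds are all assumptions chosen for the example) to compute which internal hosts the intruder reached from the initial compromised host in time order, how long the intruder dwelt before the payload ran, which outbound flows sent enough data to merit review as exfiltration, and which internal-to-external connection series look like regular C2 callbacks.

```python
"""Blast-radius reconstruction from Zeek-style connection logs.

Added example; not Corelight's code. It walks constructed conn.log-like
records to estimate which hosts the intruder reached from the initial
compromised host (respecting time order), the dwell time before the payload
ran, and which outbound flows merit review as exfiltration or C2 beaconing.
Field names follow Zeek's conn.log; the records, internal ranges, admin
ports and thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # assumed internal address space
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}        # SSH, RPC, SMB, RDP, WinRM


def rec(ts, src, dst, port, ob, rb):
    """Build one conn.log-like record (constructed data, epoch seconds)."""
    return {"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port,
            "proto": "tcp", "orig_bytes": ob, "resp_bytes": rb}


# Constructed sample log: one intrusion path plus benign and decoy traffic.
CONN_LOG = [
    rec(1000, "10.0.1.20", "10.0.2.5", 445, 4_000, 2_000),          # SMB from patient zero
    rec(1300, "10.0.2.5", "10.0.2.10", 3389, 90_000, 1_500_000),    # RDP hop
    rec(1500, "10.0.2.10", "10.0.3.1", 5985, 20_000, 8_000),        # WinRM hop
    rec(1700, "10.0.9.9", "10.0.2.5", 445, 500, 500),               # inbound to a victim: not downstream
    rec(2000, "10.0.3.1", "203.0.113.7", 443, 900_000_000, 10_000), # large upload from a reached host
    rec(1650, "10.0.1.20", "192.0.2.50", 443, 1_200, 50_000),       # ordinary web traffic
] + [rec(1600 + 60 * i, "10.0.2.10", "198.51.100.4", 443, 300, 200)
     for i in range(8)]                                             # regular 60 s callbacks


def is_internal(host):
    addr = ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def blast_radius(records, initial_host, first_seen):
    """Map host -> timestamp it was first reached over an admin port from a
    host already in the compromised set. Records are processed in time order,
    so a hop only counts after its source was itself reached."""
    compromised = {initial_host: first_seen}
    for r in sorted(records, key=lambda r: r["ts"]):
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if (src in compromised and r["ts"] >= compromised[src]
                and dst not in compromised and is_internal(dst)
                and r["id.resp_p"] in ADMIN_PORTS):
            compromised[dst] = r["ts"]
    return compromised


def dwell_time(compromised, payload_ts):
    """Seconds between the earliest known compromise and payload execution."""
    return payload_ts - min(compromised.values())


def exfil_candidates(records, compromised, min_bytes=100_000_000):
    """Outbound flows from compromised hosts that sent at least min_bytes."""
    return [(r["id.orig_h"], r["id.resp_h"], r["orig_bytes"]) for r in records
            if r["id.orig_h"] in compromised and not is_internal(r["id.resp_h"])
            and r["orig_bytes"] >= min_bytes]


def beacon_candidates(records, min_count=6, max_jitter=0.1):
    """Internal->external (src, dst, port) series with at least min_count
    connections whose inter-arrival times vary by at most max_jitter
    (standard deviation / mean). Returns [(key, mean_interval_seconds)]."""
    series = defaultdict(list)
    for r in records:
        if is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"]):
            series[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    found = []
    for key, stamps in series.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            found.append((key, round(m, 1)))
    return found


if __name__ == "__main__":
    reached = blast_radius(CONN_LOG, "10.0.1.20", first_seen=1000)
    print("blast radius:", reached)
    print("dwell time (s):", dwell_time(reached, payload_ts=2000))
    print("exfil candidates:", exfil_candidates(CONN_LOG, reached))
    print("beacon candidates:", beacon_candidates(CONN_LOG))
```

Two design points matter for a real investigation. First, `blast_radius` only follows connections whose source was already reached at the time of the connection, so an unrelated host that later connects into a victim (10.0.9.9 in the sample) is not counted; without that ordering, the estimate balloons to every admin-port neighbour in the log. Second, both the exfiltration and beacon heuristics are deliberately coarse triage filters on volume and regularity; on production logs they produce candidates for an analyst, not conclusions, and the thresholds should be tuned against the organization's own baseline.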
Used in conjunction with EDR and security information and event management (SIEM), NDR completes the SOC Visibility Triad, which can provide a comprehensive view of the organization’s infrastructure and accumulate the evidence necessary to affirm the adversary is no longer dwelling in any environment.
Additionally, advanced methods such as packet capture (PCAP) convert raw network data into readable files that can shed light on the attacker’s traffic and operations. PCAP can help analysts dive deeper into a payload or non-conforming traffic. (That said, PCAP storage is often expensive, which can restrict lookback capabilities.)
How Corelight’s Open NDR provides additional support to ransomware response
At Corelight, we recognize that open source communities are sources for some of the richest and most up-to-date information on emerging cyber threats. Our Open NDR Platform incorporates the Zeek traffic analyzer, Suricata IDS rulesets, and a wide variety of encrypted traffic, C2, and entity collections developed by Corelight Labs to give coverage across on-prem, cloud and ICS/OT environments. Combined with alert systems supported by generative AI, Corelight’s analytics and detections help security teams accelerate queries and decision-making when rapid response is essential. Corelight’s Smart PCAP approach enriches network logs with insights that allow analysts to build packet capture rules that focus on relevant traffic and extend lookback windows beyond the scope of most PCAP methods.
You can learn more about how Open NDR can help security teams quickly determine ransomware’s blast radius and improve incident response time and perform security validation simulations.
Book a demo
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.