By Janus Agcaoili and Earle Earnshaw
As ransomware operators expand their arsenals, companies face a growing risk of serious consequences from these attacks. Organizations hit by ransomware typically suffer financial losses in the millions, along with loss of access to, and even exposure of, sensitive data.
Most recent attacks have used double extortion techniques, in which attackers encrypt a company's files and also leak its data to the public. By 2021, ransomware attacks look set to become an even more worrisome threat as they grow more targeted.
Cybercriminals will also continue to use legitimate tools to facilitate and scale ransomware attacks. By themselves, these tools are not malicious; on the contrary, they support security research or make programs more efficient. However, as with many other technologies, cybercriminals have found ways to abuse them, making them a typical component of ransomware campaigns and other cyber attacks. The UK's National Cyber Security Centre (NCSC) has published a list of these tools in a report.
Using legitimate tools in ransomware campaigns is attractive for several reasons. First, because they are not malicious in themselves, they can escape detection. Second, these tools are open source and therefore can be accessed and used by anyone, free of charge. Finally, they are a double-edged sword: the same capabilities that help security analysts serve cybercriminals as effective weapons of attack.
The presence of these “favorite” legitimate tools must be detected so that security teams can stop a ransomware campaign in its tracks. However, this is easier said than done, as these tools can disguise themselves in a number of ways. One is through features used to implement evasion techniques. Cybercriminals can also modify the tools' code to alter the parts that trigger antimalware solutions.
Also, when viewed from a single vantage point (for example, only from the endpoint), detections can appear benign even when they should sound the alarm. This would not happen if they were viewed from a broader perspective, with greater context from other layers such as email, servers and cloud workloads.
When tracking threats, organizations would be better protected if they relied not only on file detections and hashes but also on monitoring behavior across layers.
Defense platforms that centralize risk alerts provide greater visibility and detection power because they correlate the different layers (endpoints, email, servers and cloud workloads), ensuring that no significant incident goes unnoticed. This allows a faster response to threats before they can do real damage to the system.
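As an added illustration (not code from the article or from Trend Micro's products), the following Python sketch shows why a cross-layer correlation rule catches what an endpoint-only rule misses: a signed, dual-use tool launching on one host is benign on its own, but the same user and host opening an email attachment, launching that tool and then opening a remote server session within a short window is flagged. All events, users, hosts and the tool name are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three layers (email, endpoint, server).
# Users, hosts and the tool name are placeholders, not from the original article.
EVENTS = [
    {"layer": "email",    "ts": "2021-01-12T09:02:00", "user": "alice", "host": "WS-17",
     "detail": "macro-enabled attachment opened"},
    {"layer": "endpoint", "ts": "2021-01-12T09:05:00", "user": "alice", "host": "WS-17",
     "detail": "process start: remote-admin-tool.exe (signed, dual-use)"},
    {"layer": "server",   "ts": "2021-01-12T09:09:00", "user": "alice", "host": "WS-17",
     "detail": "remote session opened to FILE-SRV-01"},
    # Same dual-use tool, but a lone endpoint event: an admin doing routine work.
    {"layer": "endpoint", "ts": "2021-01-12T14:30:00", "user": "bob",   "host": "WS-03",
     "detail": "process start: remote-admin-tool.exe (signed, dual-use)"},
]

CHAIN = ("email", "endpoint", "server")   # expected order of the stages we correlate

def when(event):
    return datetime.fromisoformat(event["ts"])

def endpoint_only_alerts(events):
    """Single-layer rule: a signed, dual-use tool launching is treated as benign,
    so with only endpoint context nothing in the sample data is flagged."""
    return [e for e in events
            if e["layer"] == "endpoint" and "signed" not in e["detail"]]

def correlated_alerts(events, window_minutes=30):
    """Cross-layer rule: the same user/host produces email, then endpoint, then
    server events within the window. Each step is benign alone; the sequence is not."""
    window = timedelta(minutes=window_minutes)
    alerts, by_actor = [], {}
    for e in sorted(events, key=when):                 # group by who did it, where
        by_actor.setdefault((e["user"], e["host"]), []).append(e)
    for (user, host), evs in by_actor.items():
        stage, chain = 0, []
        for e in evs:
            if e["layer"] != CHAIN[stage]:             # not the stage we are waiting for
                continue
            chain.append(e)
            stage += 1
            if stage == len(CHAIN):                    # full chain seen; check the window
                if when(chain[-1]) - when(chain[0]) <= window:
                    alerts.append({"user": user, "host": host,
                                   "steps": [c["layer"] for c in chain]})
                stage, chain = 0, []
    return alerts
```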
Janus Agcaoili, Threat Research Engineer at Trend Micro
Earle Earnshaw, Threat Research Engineer at Trend Micro
Notice: The opinions presented in this article are the responsibility of their authors and not of ABES - Brazilian Association of Software Companies