Introduction of Precursor Malware and How to Find it in Haystack Ransomware is among the fearest cyberattacks in the community, putting critical infrastructures at risk. Unfortunately, individuals and organizations continue to fall victim to this age-old cybercrime — and it's far from a new phenomenon. However, like a pandemic that doesn't start in a vacuum, so does Ransomware. If you are not new to cybersecurity, you should recall that when the infamous shattered companies and organizations. However, comparing what we are facing now with 2017, we saw a massive leap in the business model and the malware themselves. the last peak of attention on this issue was in 2017, WannaCry Ransomware What Works for WannaCry Won't Work This Time. Take a step back and review what happened in 2017. Since then, — seeking to collect hundreds of dollars worth of Bitcoin from each company. Still, now, we have supply chain attacks that caused hundreds of thousands or even impacted our critical infrastructures. WannaCry was a small-dollar ransom Corresponded to the Ransomware of recent times, it has turned toward high-value targets from well-funded threat actors to extort millions of dollars from each victim. So instead of going through the evolution of Ransomware, let's take a closer look into the upgraded attacks — Ransomware 2.0 and Ransomware-as-a-Service (RaaS). Ransomware 2.0 According to an analysis by cybersecurity company (Q1, 2021), the average ransom payment in the first three months of 2021 was USD220,298 — Coveware's Quarterly Ransomware Report a significant rise from USD154,108 in the last quarter of 2020. (Q3, 2020) gives us more insight into this matter. The report shows that As a result, more and more ransomware attacks are no longer just a business continuity or disaster recovery matter The Coveware's Quarterly Ransomeware Report nearly half of ransomware attacks steal data before the encryption begins. but also data thefts and even a complete cybersecurity incident response. Criminals now put several layers of extortion in place; some even in the event of unsuccessful ransom (nonpayment), notifying them of the cyberattacks. All those threats give cybercriminals various , for example: threaten to or send press releases to media email notifications to your customers opportunities to monetize their attack Criminals could threaten to release the data or sell it on different "black markets" if the victim did not pay the ransom. Moreover, this was typically followed by a solemn promise to erase the stolen data if the victim paid the ransom. Criminals may promise to erase data, but even after receiving the ransom, they sell it anyway, as most companies would not investigate further the post-ransomware impact. Another group of cybercriminals contact a victim and explain that they stole a copy of the victim's data from the original thieves and will release (or sell) it unless they receive an additional payment. Ransomware-as-a-Service (RaaS) Ransomware-as-a-service (RaaS) is a subscription model that allows affiliates to use already-developed ransomware tools to launch ransomware attacks. In the end, affiliates earn a percentage of each successful ransom payment. Ransomware-as-a-Service (RaaS) adopts the Software as a Service (SaaS) business model, like what we use in other cloud computing technologies. RaaS empowers even novel hackers (or simply criminals without a technical background) to launch highly sophisticated cyberattacks. This low technical barrier, and prodigious affiliate earning potential, make RaaS engineered explicitly for victim proliferation. RaaS users don't need to be skilled or even experienced to use the attack tool like all SaaS solutions. Large corporations will continue to be the victims of sophisticated ransomware attacks. However, new and less-skilled threat actors will join the market due to These groups will have SMBs as their prime targets. the malware-as-a-service and ransomware chains. So, What Now? As organizations look to protect themselves against future attacks, the answer is less sophisticated than you might think. Regardless of how or if attackers will monetize the breach for economic gains, such as: Exploiting misconfigurations, known vulnerabilities, Methodically working from initial entry points with phishing and malware to gain access to sensitive systems; They will still be the hallmark of most of these attacks. Therefore, Warning Signs of An Impending Ransomware Attack A ransomware attack is, in fact, the last stage of an attack cycle. According to , CISA MS-ISAC Ransomware Guide In some cases, ransomware deployment is just the last step in a network compromise and is dropped as a way to obfuscate previous post-compromise activities. Also, when we take a look at the on an attack kill chain: MITRE ATT&CK® Tactics TA0043 — Reconnaissance TA0042 — Resource Development TA0001 — Initial Access TA0002 — Execution TA0003 — Persistence TA0004 — Privilege Escalation TA0005 — Defense Evasion TA0006 — Credential Access TA0007 — Discovery TA0008 — Lateral Movement TA0009 — Collection TA0011 — Command & Control TA0010 — Exfiltration TA0040 — (That's where Ransomware takes place!) Impact In the same guide, it described what we called " ": Precursor Malware A ransomware infection may be evidence of a previous, unresolved network compromise. For example, many ransomware infections are the , such as TrickBot, Dridex, or Emotet. result of existing malware infections For example, assuming the initial access (TA0001) is undetected via a 0-day exploit, a precursor malware spreads laterally (TA0008) through a company's network and devices, escalating access (TA0004) before a ransomware package is deployed. When the companies were infected, some signs were happening months, and in some cases, , before the ransomware attack. Therefore, when you see any asset contacting these Ransomware's precursors, other pieces of malware cause less harm. more than three months Security professionals within the company may see some abnormal activities and suppose the firewalls or endpoint detection and response (EDR) agent has detected it and shielded them. However, it's maybe just the precursor. Meanwhile, to which they are paying more attention than the precursor malware, which seemed less harmful. the security operations may be bombarded by unrelated alerts As a result, Once we can map the tactics and look at them from a holistic point of view, we will have a better chance to spot the Ransomware before it happens. the warning signs are hidden in different stages of an attack operation. Risk-Based Approach to Precursor Malware Not everyone is facing the same risks, also for malware. Although it may seem challenging to prepare for cyber risk, there are some actions we can take proactively to get prepared. Risk management is not new, but it is used against cyberattacks based on the attack kill chain. I am going to walk through the approach below. Identifying Risk A CTO or CISO, despite understanding how technology works, also needs to know how the business operates and its most critical assets. These assets could be information, applications, processes, or anything that supports the organization's day-to-day operations. At the end of the day, we need to know the goal of implementing all the cybersecurity tools — to protect the assets (maintaining assets, Confidentiality Integrity, and Availability). In addition, cybersecurity professionals must focus on evaluating risk regarding the criticality of assets. For example, less harmful malware detection on a critical server would not be overlooked. Once cybersecurity leaders identify what is most vital to the business, they can assess the cybersecurity risks to those assets. Mapping the MITRE ATT&CK® Tactics to Cybersecurity Framework (CSF) Once we know what to protect, we can apply a risk-based approach to each step of the attack kill chain. For that, we need the Cybersecurity Framework (CSF). The is a set of best practices organizations can use to secure their data. Built by the , the Framework was designed to make cost-effective security possible for organizations of any size. NIST Cybersecurity Framework National Institute of Standards and Technology Also, — a set of activities that must be performed in the proper order, with specific duration and location. For instance, Ransomware is the result of a cyberattack. So if we can stop one of the steps before that, it is possible to prevent a Ransomware attack in the first place. we need to understand that cyberattack is a process CSF is a great starting point for finding the countermeasures against attacks in various MITRE ATT&CK® Tactics. One eminent way to , which emulate adversarial tactics and techniques against leading cybersecurity products. align the CSF objectives to real cyber threats is by leveraging MITRE's ATT&CK Evaluations The information is then made available to industry end-users to see how products are performed and align with organizational security objectives. Another excellent resource from MITRE is the Center for and . Threat-Informed Defense mapping MITRE ATT&CK NIST 800–53 https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings This project makes As a result, defenders can focus on understanding how the security controls in use in the environment relate to adversary TTPs of interest. a comprehensive and open, curated set of mappings between 800–53 controls and ATT&CK techniques. These mappings provide an essential resource for defined in the and provide a foundation for integrating ATT&CK-based threat information into the risk management process. With every ransomware attack that came with other malware before it and paving the way, organizations to assess the security control coverage against real-world threats ATT&CK knowledge base managing the precursor malware when it occurs can decrease the number of ransomware incidents. Using the ATT&CK techniques mapping to the proper phase of an attack, the Framework becomes a continuous assessment that helps organizations measure compromises in their environments in a timely manner and find mitigation responses accordingly. Final Words — We Should Enforce Zero Tolerance to Protect "the Precious." Ransomware is in the spotlight now and may never go away, but stealing credit card numbers and hacktivism was in the spotlight before, and it will be something refreshing in the future. When addressing this persistent threat, the government must educate and provide resources to guide organizations — disrupting the criminal activities and economic drivers that allow this threat vector to grow. (Reference: ) https://www.cisa.gov/stopransomware Meanwhile, for a private organization, the focus should instead be on This includes: reducing the attack surface and building the fundamentals of a comprehensive security operation. knowing what's in your environment (enhance visibility), ensuring everything is configured correctly (security posture management), managing vulnerabilities and patching, limiting access (or even better micro-segmentation), and having an incident response plan. My recommendation is to deal with minor problems (alerts/ events) so that you don't have to face catastrophic attacks. It isn't easy to find something we're not directly looking for. And with that, you can let all your security measures work together and hopefully prove otherwise. A better way to handle that is a change in mindset — from preventing all the attacks to assuming infections are unavoidable. Thank you for reading. May InfoSec be with you🖖.

Chain

Discovery

Timely

PCI DSS 4.0 is Out!  Here's What You Need to Know About the Updates

How Do I Adopt a 'Zero Trust'  Framework?

2021 - HackerNoon Contributor of the Year - CULTURE

Support Me on Coil

2021 - HackerNoon Contributor of the Year - PERSONAL-DATA

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Beginners Guide

Nominated for 2022 - HackerNoon Contributor of the Year - Containers

Nominated for 2022 - HackerNoon Contributor of the Year - Data Privacy

Too Long; Didn't Read

Ransomware Doesn't Arise in a Vacuum  -  Spotting the Early Sign of Ransomware Infection

Ransomware Doesn't Arise in a Vacuum - Spotting the Early Sign of Ransomware Infection

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps