Ransomware continues to ravage public and private organizations alike in 2022, following last year’s unprecedented number of attacks. Ransomware attacks are growing in speed, scope, and complexity, while ransom demands are sharply on the rise. The ability to detect a ransomware attack before encryption begins has become paramount in the current threat landscape.
As the first half of the year draws to a close, approximately 1,150 ransomware attacks had been recorded as of May 10 according to a ransomware tracker on The Record. These include a number of high-profile incidents, not least the double ransomware attack against Costa Rica that has brought the country to its knees: first, a Conti ransomware attack against almost 30 government institutions that began on April 17, and second, a Hive ransomware attack against the Costa Rica Social Security Fund on May 30. Other prominent victims of 2022 include Nvidia, Bridgestone, and the government of Bernalillo County, New Mexico. If history is any indication, organizations must brace themselves for another surge in ransomware attacks in the second half of the year, as was the case in 2020 and 2021. So here’s some food for thought.
How prepared exactly is your organization against a ransomware attack?
How confident are you in your organization’s security defenses to detect ransomware?
The size of some ransomware victims, and presumably their well-resourced cyber security operations, suggests that detecting ransomware is no simple feat. Let’s take one of the largest victims of a ransomware attack in recent history, MediaMarkt, and discuss the challenges of ransomware detection and the measures that could have prevented a successful attack.
Headquartered in Ingolstadt, Germany, MediaMarkt is Europe’s largest consumer electronics retailer, with over 1,000 stores in 14 countries, approximately 52,000 employees, and €21.4 billion in revenue. Along with the Saturn retail brand, MediaMarkt forms the MediaMarktSaturn Group, owned by Ceconomy AG.
On November 7, 2021, MediaMarkt came under a Hive ransomware cyber-attack, which encrypted servers and workstations and initially demanded an astronomical $240M ransom.
The attack occurred late on a Sunday and continued into the next morning, paralyzing IT systems across the organization. Additional systems were shut down by administrators to contain the spread of the infection.
The attack affected MediaMarkt and Saturn stores in Germany, Belgium, and especially in the Netherlands. Although stores remained open for business in the direct aftermath of the attack, staff were asked not to use store computers and to disconnect cash registers. As a result, stores were unable to accept payments by card or provide receipts. Neither could customers use gift vouchers or make returns because historical purchase records could not be accessed.
A total of 3,100 servers were allegedly encrypted and, according to Dutch news channel RTL, compromised workstations received a ransom note that read “Your network has been hacked, and all data has been encrypted. To regain access to all data, you must purchase our decryption software.”
It was unclear at the time whether any data was stolen. Ransomware gangs such as Hive increasingly practice double extortion, a tactic in which data is exfiltrated from the network before it is encrypted. Attackers effectively hold the data hostage by threatening to leak or sell it if victims do not pay up. Nor was it clear whether MediaMarkt eventually paid the ransom, which was reportedly negotiated down to $50M.
The recently published H1 2021/22 financial report of Ceconomy, MediaMarkt’s parent company, shed light on these questions. According to the report, the affected IT systems were restored within a few days of the attack, and business operations returned to normal. More importantly, only “lost sales and earnings” were mentioned, with no entry for a ransom payment in the financial accounts. The report also states that there has been no indication that employee and customer data had been stolen and that no other cyber-attacks had occurred to date.
It appears from the latest financial report that MediaMarkt managed to come out of the ransomware attack relatively unscathed, without suffering a huge ransom payment and data theft. However, we can take lessons from such an incident: to acknowledge why it is so difficult to detect ransomware and establish measures to prevent such attacks from succeeding.
The Hive ransomware attack on MediaMarkt is an example of ransomware gangs employing APT-style tactics, techniques, and procedures (TTPs) in their attacks. APTs, or advanced persistent threats, are attacks in which the adversary operates in the victim network for an extended period of time, using sophisticated and hard-to-detect techniques to elevate privileges, evade detection, and move laterally through the network. This enables attackers to reach high-value assets, such as sensitive data, highly privileged users, critical systems and servers, databases, and source code, to maximize the rewards of the attack. Ransomware gangs are using the same advanced techniques to achieve double extortion, i.e., the exfiltration and encryption of data.
Cobalt Strike is one of the primary facilitators of these attacks. Cobalt Strike was developed as a tool to simulate adversary attacks in red teaming exercises but has been weaponized by threat actors, first APT groups and now ransomware gangs. Its Beacon payload provides keylogging, command execution, credential dumping, file transfer, port scanning, and more. Detecting and blocking Cobalt Strike is key to preventing an attack from escalating. However, this is easier said than done. Conventional endpoint security tools such as antivirus software rely largely on signature-based detection, that is, the detection of malware based on a unique identifier such as a file hash or byte pattern. Although Cobalt Strike is a widely available tool, adversaries can change its direct artifacts to evade detection: the Artifact Kit lets them rebuild the executables and DLLs that carry Beacon so that known signatures no longer match, and Malleable C2 profiles let them reshape Beacon’s network traffic (URIs, headers, and payload encoding) to resemble ordinary web browsing or another legitimate application.
Legitimate administrative tools and Windows features such as PsExec (from Microsoft’s Sysinternals suite), BITSAdmin, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) are also leveraged for moving laterally through the network. Since these are signed Microsoft binaries or built-in Windows features that administrators use every day, their execution is not in itself malicious and is generally not flagged by endpoint security protections.
Once on an endpoint, the attackers load TrojanSpy.DATASPY to enumerate running processes, including antivirus and endpoint protection software. Tools such as PCHunter, GMER, and KillAV are subsequently deployed to kill AV-related processes and disable AV protection, allowing the attackers greater freedom to stage the attack.
What does this mean for cyber defense?
So back to the million-dollar question: How do organizations detect ransomware when faced with such complex and stealthy tools and techniques? What is needed is a technology that gives security teams visibility into activity between hosts, not just on them, and detects what signature-based tools miss.
That is what network detection and response is designed to provide.
Unlike conventional security tools, network detection and response (NDR) does not simply rely on signature-based detection. Using advanced technologies like machine learning, AI, and behavior analytics, NDR analyzes all network traffic in real time to detect deviations from baselines of normal network activity. The idea is that anomalous activity is a good indicator of malicious behavior since attackers operate in ways that do not match regular patterns of behavior.
However, NDR does not flag anomalous activity in isolation. That would produce an unmanageable volume of alerts and false positives. Instead, NDR correlates traffic across the network (east-west, between internal hosts) and at its perimeter (north-south, in and out of the network) to add context to anomalous events. A seemingly innocuous event on one endpoint may not raise any suspicion, but when correlated with network traffic and activity on other endpoints, NDR may reveal a chain of suspicious activity.
To illustrate this point, let’s use the detection of lateral movement using Cobalt Strike as an example.
In Cobalt Strike’s psexec-style lateral movement, the compromised host typically copies a service binary to the target’s administrative share over SMB, then creates and starts a service on the target through the Service Control Manager (the svcctl RPC interface) to run that code. Once the service starts, the new Beacon usually calls back to the Cobalt Strike team server, i.e., the attacker’s command and control (C2) server.
With this knowledge, an NDR detection can be modeled on the chain of attack behavior: one device creating a remote service on a second device, quickly followed by the second device connecting to a destination it has never contacted before. By baselining the activity of each device and correlating events across devices, NDR surfaces malicious behavior that is invisible in each seemingly harmless event viewed in isolation. This is the key to detecting ransomware before serious damage is inflicted.
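The chain described above, expressed as a small correlation rule. This is an added example, not code from the original post and not any NDR product’s logic. It takes Zeek-style dce_rpc and conn records (constructed here; the field names, the learning-period traffic, the 120-second window, and the hosts and addresses are all assumptions of the example), learns each host’s usual outbound peers as a baseline, and alerts only when a remote service creation over svcctl is followed within the window by the target host contacting a destination outside its baseline.

```python
"""Chain-of-behaviour detection for Cobalt Strike-style lateral movement.

Added example (not the original post's or any vendor's code). Correlates two
individually unremarkable events into one alert:
  1. host A creates or starts a service on host B via the SCM RPC interface
     (svcctl), as Cobalt Strike's psexec-style lateral movement does, and
  2. within a short window, host B connects to a destination absent from its
     learned baseline of outbound peers.
Records are constructed to resemble Zeek dce_rpc and conn entries; the field
names and the window are assumptions of the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed tuning value: seconds allowed between the remote service creation
# and the target's first unfamiliar outbound connection.
CHAIN_WINDOW_SECONDS = 120

# MS-SCMR operations on the svcctl interface that create or start a service.
SERVICE_OPS = {"CreateServiceW", "CreateServiceA", "StartServiceW", "StartServiceA"}


@dataclass(frozen=True)
class Event:
    ts: float     # epoch seconds
    kind: str     # "dce_rpc" (RPC call) or "conn" (TCP/UDP connection)
    src: str      # RPC client, or the connecting host
    dst: str      # RPC server, or the connection's destination
    detail: str   # RPC operation name, or destination port for conn events


def build_baseline(history: List[Event]) -> Dict[str, Set[str]]:
    """Per-host set of outbound destinations seen during a learning period."""
    baseline: Dict[str, Set[str]] = {}
    for ev in history:
        if ev.kind == "conn":
            baseline.setdefault(ev.src, set()).add(ev.dst)
    return baseline


def detect_lateral_movement_chains(events, baseline, window=CHAIN_WINDOW_SECONDS):
    """Return one alert per (remote service creation -> unfamiliar beacon) chain.

    Neither event is alerted on alone: remote service creation is routine for
    administrators and software deployment, and a new outbound destination is
    routine for users. Only their sequence on the same target host is reported.
    """
    alerts = []
    reported = set()                      # (target, beacon ts, beacon dst)
    ordered = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(ordered):
        if not (ev.kind == "dce_rpc" and ev.detail in SERVICE_OPS):
            continue
        target = ev.dst                   # host on which the service was created
        known_peers = baseline.get(target, set())
        for later in ordered[i + 1:]:
            if later.ts - ev.ts > window:
                break                     # past the correlation window
            if later.kind != "conn" or later.src != target:
                continue
            if later.dst in known_peers:
                continue                  # target talking to a usual peer
            key = (target, later.ts, later.dst)
            if key in reported:
                break                     # already tied to an earlier svcctl call
            reported.add(key)
            alerts.append({
                "source": ev.src,
                "target": target,
                "service_op": ev.detail,
                "beacon_dst": later.dst,
                "beacon_port": later.detail,
                "delay_s": later.ts - ev.ts,
            })
            break
    return alerts


# Constructed learning-period traffic: 10.0.0.20 normally talks to the file
# server and the DNS resolver; 10.0.0.30 to the file server only.
HISTORY = [
    Event(100.0, "conn", "10.0.0.20", "10.0.0.10", "445/tcp"),
    Event(101.0, "conn", "10.0.0.20", "10.0.0.53", "53/udp"),
    Event(102.0, "conn", "10.0.0.30", "10.0.0.10", "445/tcp"),
]

# Constructed live traffic. The first group is the attack chain: 10.0.0.5
# creates and starts a service on 10.0.0.20, which then beacons to an unknown
# address. The second group is a benign software push to 10.0.0.30, whose only
# in-window follow-up connection is to a baseline peer.
LIVE = [
    Event(1000.0, "dce_rpc", "10.0.0.5", "10.0.0.20", "CreateServiceW"),
    Event(1001.0, "dce_rpc", "10.0.0.5", "10.0.0.20", "StartServiceW"),
    Event(1004.0, "conn", "10.0.0.20", "203.0.113.7", "443/tcp"),
    Event(2000.0, "dce_rpc", "10.0.0.9", "10.0.0.30", "CreateServiceW"),
    Event(2001.0, "dce_rpc", "10.0.0.9", "10.0.0.30", "StartServiceW"),
    Event(2005.0, "conn", "10.0.0.30", "10.0.0.10", "445/tcp"),
    Event(2400.0, "conn", "10.0.0.30", "198.51.100.4", "443/tcp"),  # outside window
]


def run_example():
    return detect_lateral_movement_chains(LIVE, build_baseline(HISTORY))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run stand-alone, the script reports exactly one chain: 10.0.0.5 creating a service on 10.0.0.20, followed four seconds later by 10.0.0.20 contacting 203.0.113.7. The benign push to 10.0.0.30 produces nothing, because its only in-window connection goes to a baseline peer. In practice the baseline should be learned over weeks rather than three records, and hosts that legitimately create remote services (deployment servers, vulnerability scanners) should be weighted down rather than ignored, since an attacker who compromises one of them inherits its reputation.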
Behavioral and anomaly-based technologies such as NDR are not used in isolation from signature-based protections. In fact, signature-based protections provide a robust first line of defense that filters out the bulk of commodity threats; without them, networks would be overrun. NDR is deployed alongside network firewalls, antivirus, and other security tools to give organizations multi-layered, holistic protection against ransomware, APTs, and other threats.