Over the past couple of months cyber-criminals have targeted organizations critical to our supply chain. The most recent of these attacks was against JBS, the largest meat processing company in the world.
The attack on JBS was caused by the execution of ransomware in their network environment, and has been attributed to the REvil (aka Sodinokibi) family of malware. The REvil ransomware has the capability to do more than just encrypt files: it can also disable anti-virus software, delete backups of machines, and monitor for and kill other processes that may attempt to stop it. This ransomware has historically been delivered by spear-phishing emails, by exploiting Remote Desktop Protocol (RDP) exposed to the internet using stolen credentials, or by taking advantage of old vulnerabilities exposed to the internet.
Modern ransomware campaigns, like those that affected JBS and Colonial Pipeline, are inside the target network long before the actual ransomware is deployed. Typically, attackers are in the network moving laterally, stealing data and credentials, and deploying additional tools, and then execute the ransomware as the final stage of the attack.
A window of opportunity: How OpenText MDR prevented a ransomware attack
The OpenText™ Managed Detection & Response (MDR) team stopped a similar attack in its tracks on a recent client engagement. The attack was detected early in the cyber kill-chain, before the attackers had the chance to execute the ransomware component of the attack.
OpenText MDR uses proprietary filters, based on attackers’ tactics, techniques, and procedures (TTPs) our consultants have seen across thousands of engagements. A detection triggered on anomalous user account behavior within an hour of deployment. Immediately, OpenText MDR analysts directed the client to disable the account while they began to remotely investigate the intrusion.
Our investigation quickly determined the account was being used to establish the command-and-control access required to launch a ransomware attack.
With the compromised account disabled, and the attacker ‘hooks’ remediated from affected endpoints, OpenText MDR was able to prevent the attackers from gaining the foothold needed to launch a ransomware attack.
While our MDR analysts caught this attack very early in the cyber kill-chain, OpenText MDR would have alerted on multiple phases of the attack, including:
- The initial infection vector (IIV): exploitation or poor security practices (unpatched systems, RDP exposed to the internet), phishing email, etc.
- Abnormal behavior associated with legitimate user accounts, such as in the Colonial Pipeline attack, where a legitimate username and password were used to access the VPN.
- Persistence techniques
- Account privilege escalation
- Lateral movement
- Data Exfiltration
Managed Services or Do-It-Yourself, we’re here to help
For organizations that have detection & response expertise on their team, EnCase Endpoint Security can provide the same benefits as our MDR service. EnCase Endpoint Security includes over 250 TTP-based rules, with more being added every quarter.
EnCase Endpoint Security allows for monitoring of suspicious activity at the endpoint and can be configured to isolate a machine from the network at the first sign of an attacker gaining access to it, before the malware is ever executed. EnCase Endpoint Security TTPs would have detected the execution of malicious macros within an Office document, command-and-control (C2) communications, suspicious command line and PowerShell activity, suspicious WMI activity, and more.
Mitigating the risk of ransomware attacks
Beyond implementing an MDR or EDR solution, there are several steps organizations should take to mitigate the risk of a successful ransomware attack. Examples include:
- Ensure all systems and applications are patched and up to date
- Perform regular internal and external vulnerability scans to mitigate risks to the network
- Monitor incoming emails for suspicious attachments
- Evaluate the effectiveness of your backup and recovery program, including all critical systems and data
- Disallow execution of macros on user machines unless there is a very specific and approved need for them
- Mandate Security Awareness Training for all employees annually
To learn more about how OpenText can help you prepare for and detect the next ransomware attack before it strikes, please contact us at https://www.opentext.com/products-and-solutions/products/security#form.