The two images above, taken from the Lumu Portal, show a case in which attackers succeeded in deploying a ransomware attack that was entirely avoidable. The second image plots malware contacts (yellow), while the first shows all other contact types (phishing, C&C, and so on). The data is split across two graphs because the scale of the malware contacts would otherwise make the other contact types look marginal.
Initially, only generic Conficker worm activity was detected. The ransomware attack proper began with the RIG exploit kit: a user visited a compromised website that redirected the vulnerable browser (Internet Explorer) to the exploit server, which then loaded its distributed payload, the SmokeLoader malware. SmokeLoader is a downloader, and it was through this foothold that the STOP/DJVU ransomware payload was eventually delivered. In between, C&C contacts (red) increased while malware activity stayed roughly flat; this corresponds to the 'lateral movement' phase of the attack. Finally, malware activity rose sharply just before STOP/DJVU was deployed. The entire attack, including initial access and lateral movement, took a little under three months; the ransomware deployment itself took a single weekend.
There are two key takeaways from this case study. First, the initial compromise could easily have been dismissed as a 'minor' or low-priority threat: generic Conficker activity on its own looks like background noise. All threats, however, should be eradicated swiftly, before they develop into a more serious breach such as ransomware.
Second, even if the victim had had the network visibility to see the precursor malware, that visibility would have meant little without fast, precise response capabilities. Where the SOC team cannot manually drive the eradication of every compromise, automation and orchestration can integrate detection with prevention and response tools, so that a confirmed malicious contact triggers a block or a host isolation without waiting on an analyst's queue.
How to Break a Ransomware Chain
Ransomware attacks never happen in isolation. Both the 'theory' of how ransomware chains propagate and the evidence from the Lumu portal show that other malicious contacts always precede the encryption stage. These first malware contacts are the 'weakest link' in any ransomware chain: if they are detected and removed swiftly, the chain cannot progress.
It should also be apparent that ransomware operators have to use the network at every step in order to achieve their aims. This means they inevitably leave footprints of their actions and movements in the metadata that every network already generates, such as DNS queries, proxy and firewall logs, and flow records. Continuous Compromise Assessment™ was designed to standardize, ingest, and analyze this metadata in real time and deliver confirmed evidence of compromise.
Lumu looks at both the traffic between the network and external infrastructure (North-South) and the traffic between internal hosts (East-West) to pinpoint the sources of compromise as they happen. This gives security teams the information they need to eradicate compromises before they turn into encrypted data, inaccessible systems, and a ransom note.
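As an added example (not Lumu's code, and not a description of how Continuous Compromise Assessment™ works internally), the Python below runs the idea from the last three paragraphs over a constructed set of network-metadata records. North-South contacts are matched against a hypothetical indicator table that labels each hit with the chain stage it signals (worm noise, exploit-kit landing, loader download, C&C, ransomware); East-West flows are checked for the fan-out to many internal peers on admin ports that characterises lateral movement; and every finding is mapped to a generic response action that an orchestration layer, as discussed in the second takeaway above, could execute. All domains, IP addresses, thresholds and the action vocabulary are assumptions made for the example.

```python
"""Flag ransomware-chain precursors in network metadata and map each finding
to a response action. Added illustrative code, not Lumu's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical indicator table. Every domain is under the reserved .test TLD,
# so nothing here resolves; the stage labels mirror the case study above.
INDICATORS = {
    "trafficconv.test": "worm",         # stand-in for Conficker background noise
    "gate-rig.test":    "exploit-kit",  # stand-in for a RIG landing page
    "smoke-dl.test":    "loader",       # stand-in for a SmokeLoader download host
    "c2-panel.test":    "c2",
    "key-drop.test":    "ransomware",
}
# Chain order, earliest first; used to rank how far a host has progressed.
STAGE_ORDER = ["worm", "exploit-kit", "loader", "c2", "lateral-movement", "ransomware"]

# East-west heuristic (assumed thresholds): one host reaching many distinct
# internal peers on admin ports within a short window looks like pivoting.
LATERAL_PORTS = {135, 445, 3389}        # RPC, SMB, RDP
LATERAL_FANOUT = 5
LATERAL_WINDOW = timedelta(minutes=10)


@dataclass
class Contact:
    ts: datetime
    src: str    # internal host that initiated the contact
    dst: str    # domain (north-south) or internal IP (east-west)
    dport: int


def is_internal(addr: str) -> bool:
    return addr.startswith("10.")


def classify_contacts(contacts):
    """Return {host: [(ts, stage, detail), ...]} in time order, one entry per
    indicator hit or lateral-movement burst. Hosts with no findings are absent."""
    findings = defaultdict(list)
    admin_flows = defaultdict(list)
    for c in sorted(contacts, key=lambda c: c.ts):
        if c.dst in INDICATORS:
            findings[c.src].append((c.ts, INDICATORS[c.dst], c.dst))
        elif is_internal(c.dst) and c.dport in LATERAL_PORTS:
            admin_flows[c.src].append(c)
    for host, flows in admin_flows.items():        # flows are already time-sorted
        for i, first in enumerate(flows):
            peers = {f.dst for f in flows[i:] if f.ts - first.ts <= LATERAL_WINDOW}
            if len(peers) >= LATERAL_FANOUT:
                findings[host].append((first.ts, "lateral-movement", f"{len(peers)} peers"))
                break                               # one burst per host is enough to alert
    for hits in findings.values():
        hits.sort(key=lambda h: h[0])
    return dict(findings)


def summarize(findings):
    """Per host: the first stage seen, the furthest stage reached, and the days
    between them. That gap is the window in which the chain could have been broken."""
    out = {}
    for host, hits in findings.items():
        stages = [stage for _, stage, _ in hits]
        out[host] = {
            "first_stage": stages[0],
            "furthest_stage": max(stages, key=STAGE_ORDER.index),
            "dwell_days": (hits[-1][0] - hits[0][0]).days,
        }
    return out


def response_actions(findings):
    """Map findings to generic actions for an orchestration layer: block each
    malicious domain and isolate the host at its earliest confirmed contact.
    Plain dicts are returned; wiring to a real DNS/firewall/EDR API is assumed."""
    actions = []
    for host, hits in findings.items():
        for _, stage, detail in hits:
            if stage in INDICATORS.values():
                actions.append({"action": "block-domain", "target": detail, "stage": stage})
        first_ts, first_stage, _ = hits[0]
        actions.append({"action": "isolate-host", "target": host,
                        "reason": f"first {first_stage} contact at {first_ts.isoformat()}"})
    return actions


# Constructed timeline modelled on the case study: worm noise, then exploit kit
# and loader three days later, C&C the next day, lateral movement at day 30,
# ransomware at day 80. A second host with ordinary traffic is the control.
T0 = datetime(2021, 3, 1, 9, 0)
CONTACTS = [
    Contact(T0, "10.0.0.12", "trafficconv.test", 80),
    Contact(T0 + timedelta(days=3), "10.0.0.12", "gate-rig.test", 80),
    Contact(T0 + timedelta(days=3, minutes=2), "10.0.0.12", "smoke-dl.test", 80),
    Contact(T0 + timedelta(days=4), "10.0.0.12", "c2-panel.test", 443),
    *[Contact(T0 + timedelta(days=30, minutes=i), "10.0.0.12", f"10.0.0.{20 + i}", 445)
      for i in range(6)],
    Contact(T0 + timedelta(days=80), "10.0.0.12", "key-drop.test", 443),
    Contact(T0, "10.0.0.50", "intranet.example.test", 443),   # benign north-south
    Contact(T0, "10.0.0.50", "10.0.0.51", 445),                # single share access
]

if __name__ == "__main__":
    found = classify_contacts(CONTACTS)
    for host, info in summarize(found).items():
        print(host, info)
    for action in response_actions(found):
        print(action)
```

On the constructed timeline the first finding for 10.0.0.12 is the worm contact on day 0 and the ransomware indicator does not appear until day 80, so the summary reports an 80-day dwell; feeding only the first two records still produces an isolate-host action, which is the practical point of the takeaways above: the chain is cheapest to break at the first contact. Two caveats for anyone adapting this: the lateral-movement fan-out threshold will also fire on legitimate jump hosts, vulnerability scanners and backup servers, so those need an allow-list or a higher threshold; and an indicator match is only as current as the threat-intel feed behind it, which is why the real signal is the per-host progression across stages rather than any single hit.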
The popularity of ransomware as a business model is driven by a perfect storm of ransomware-as-a-service, malware-delivery-as-a-service, and initial-access markets. We invite you to open a Lumu Free account so you too can recognize and break the weakest link in the ransomware chain.