The initial access stage is varied, with a diverse set of initial access vectors, and so is the “hands-on-keyboard” stage of a ransomware attack, with even affiliates of the same ransomware groups using different sets of tools.
Part of the reason ransomware groups rely on a core set of tools for reconnaissance, exfiltration, and deployment is that the tools do their work quietly and often go undetected. The other reason is that ransomware groups learn from each other and share information, which they then pass on to other ransomware actors.
We previously discussed the leak of the Conti ransomware group’s manual, as well as many of the tools its affiliates use. Affiliates are fluid, jumping from one Ransomware-as-a-Service (RaaS) offering to another, and are often part of multiple RaaS offerings simultaneously. Some of these affiliates will even go on to start their own RaaS offering. All the tactics, techniques, and procedures (TTPs) that affiliates pick up from one ransomware group they take with them when they move between ransomware groups.
If a good threat hunting program can catch most ransomware attacks, why are so many ransomware attacks successful? Because threat hunting is surprisingly hard—and the challenges that come with it keep some organizations from doing it at all.
Threat hunting is often the best chance to catch new ransomware groups during the reconnaissance, exfiltration, and deployment phases. This is the chance for defenders to take advantage of the “dwell time” discussed in Chapters 3 and 6. Keeping up with new threats from ransomware groups and acting on that new intelligence can give defenders an advantage, but it does take a lot of work to set up and maintain an effective threat hunting program.
Disabling PowerShell won’t always deny access to a ransomware actor, so organizations need to monitor for malicious PowerShell scripts on the network. The best way to do that is to enable PowerShell logging through Group Policy Objects (GPOs).
PowerShell logging can be noisy. For example, running the Invoke-Mimikatz script generates more than 2,200 events. Again, filtering at the SIEM can make these event logs more manageable and trigger alerts only for PowerShell scripts that are indicative of ransomware.
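To show what that SIEM-side filtering can look like, here is an added example that is not the book's own code; the event records and the pattern list are constructed for illustration. It groups Windows PowerShell script block log events (Event ID 4104) by ScriptBlockId, so the thousands of records one script generates collapse into a single alert, and it raises that alert only when the reassembled script matches an indicator such as the Invoke-Mimikatz name.

```python
import re
from collections import defaultdict

# Constructed sample script block log events (Event ID 4104). One script can
# emit hundreds or thousands of 4104 records, one per script block; the
# ScriptBlockId field ties the fragments of a single script together.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01", "ScriptBlockId": "a1",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"EventID": 4104, "Computer": "ws02", "ScriptBlockId": "b2",
     "ScriptBlockText": "function Invoke-Mimikatz { ... }"},
    {"EventID": 4104, "Computer": "ws02", "ScriptBlockId": "b2",
     "ScriptBlockText": "$PEBytes = [System.Convert]::FromBase64String($EncodedPE)"},
    {"EventID": 4104, "Computer": "ws02", "ScriptBlockId": "b2",
     "ScriptBlockText": "Invoke-Mimikatz -DumpCreds"},
    {"EventID": 4103, "Computer": "ws03", "ScriptBlockId": "c3",
     "ScriptBlockText": "Restart-Service Spooler"},
]

# Hypothetical starter list of indicators a hunter would treat as
# hands-on-keyboard tooling rather than routine administration.
SUSPICIOUS_PATTERNS = {
    "credential-dumping tool": re.compile(r"Invoke-Mimikatz", re.I),
    "in-memory payload decoding": re.compile(r"FromBase64String|-EncodedCommand", re.I),
    "download cradle": re.compile(r"DownloadString|Net\.WebClient", re.I),
}


def hunt_script_blocks(events):
    """Collapse 4104 events per (host, ScriptBlockId) and return one alert
    per script that matches any suspicious pattern, listing the reasons."""
    by_script = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4104:  # only script block logging records
            continue
        by_script[(ev["Computer"], ev["ScriptBlockId"])].append(ev["ScriptBlockText"])
    alerts = []
    for (host, sbid), fragments in by_script.items():
        text = "\n".join(fragments)  # reassemble the script before matching
        reasons = sorted(name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text))
        if reasons:
            alerts.append({"Computer": host, "ScriptBlockId": sbid,
                           "fragments": len(fragments), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt_script_blocks(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same grouping is done in the SIEM's correlation rules, and the pattern list is tuned against the environment's own baseline of administrative scripts.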