In recent years, no cyberattack payload has been more destructive to business and government organizations than ransomware. To be clear, this is not new: the earliest ransomware variants date from the late 1980s. This type of malware resurged in 2019 with high-profile attacks on state and local governments.
The Impact of these Attacks
The global impact of these attacks was quantified in Anomali's recently published Cybersecurity Insights Report 2022, which included a Harris Poll survey of security professionals with analysis by the Anomali Threat Research team. The report found that:
- 52% of organizations were hit by ransomware attacks in the last three years
- 39% of victims paid a ransom to regain control of their data and systems.
Solving for ransomware requires a continuous, global approach to detection that is rooted in intelligence. Consider one of the most notorious ransomware campaigns, which chained three malware families, Emotet, TrickBot and Ryuk, to extort more than $61 million from businesses in 2020, according to the US Federal Bureau of Investigation.
To remind readers of the chain: Emotet gains initial access (typically through a malicious email attachment or link), spreads from the first infected endpoint to other hosts, and loads TrickBot. TrickBot establishes a command-and-control (C2) connection that lets the attacker assess the victim, after which Ryuk, the ransomware payload itself, is deployed across the environment.
Anomali delivers a cloud-native extended detection and response (XDR) solution via The Anomali Platform, which drives detection, prioritization, and analysis, taking security from intelligence to detection in seconds. Companies use Anomali to enhance threat visibility, automate threat processing and detection, and accelerate threat investigation, response, and remediation, ultimately helping organizations detect and respond to ransomware at every stage of the attack.
So, what is a CISO to do?
Even before an organization is hit, a CISO needs to have the global situational awareness to understand the prevalence of these threats in the wild and the impact of these threat actors on their industry and geography. Using the Anomali Platform dashboards, security professionals have the information they need to assess the threat of attack.
Using a cloud-native XDR solution like Anomali Platform Cloud XDR, organizations can detect Emotet's initial access attempts, such as spear phishing, by correlating the organization's messaging security telemetry with threat intelligence on known malicious links.
Using precision detections from Anomali Platform Cloud XDR, organizations can detect Emotet on the first infected endpoint and then automatically update endpoint security policies to block the threat on other hosts.
Using the Anomali Platform's machine learning Domain Generation Algorithm (DGA) detection capability, analysts can quickly identify suspicious command-and-control connections associated with Emotet and its variants. With integrations to over 80 security control tools, analysts can automatically update perimeter and cloud security policies to block this communication.
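The two detections described above, correlating mail-gateway URLs with a threat-intelligence indicator set and scoring DNS queries for DGA-like domains, are shown below as an added, self-contained example. It is not Anomali code and does not reproduce the platform's machine-learning model; it uses a handful of lexical heuristics (entropy, vowel ratio, consonant runs, digits, length) as a stand-in. The log formats, the indicator set, the sample log lines and the scoring thresholds are all constructed for this example.

```python
"""Added example: (1) mail URLs matched against a threat-intel indicator set,
(2) DGA-style scoring of DNS query names. All data below is constructed."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed mail-gateway log (hypothetical key=value format).
MAIL_LOG = """\
2022-03-01T09:12:44Z from=invoice@supplier-example.test to=ap@corp.example subject="Invoice 4471" url=http://docs-share.example/invoice.doc
2022-03-01T09:13:02Z from=hr@corp.example to=all@corp.example subject="Holiday" url=https://intranet.corp.example/holidays
2022-03-01T09:15:10Z from=billing@pay-notice.test to=cfo@corp.example subject="Overdue" url=http://secure-update.test/login.php
"""

# Constructed threat-intel feed: full URLs and bare hosts are both accepted.
MALICIOUS_URL_INDICATORS = {
    "http://docs-share.example/invoice.doc",
    "secure-update.test",
}

# Constructed DNS query log (hypothetical key=value format).
DNS_LOG = """\
2022-03-01T09:20:01Z src=10.1.4.23 qname=www.microsoft.com
2022-03-01T09:20:05Z src=10.1.4.23 qname=xk3fvq9pzlmw2ht.net
2022-03-01T09:20:06Z src=10.1.4.23 qname=qjbdwtlxkpfsnm.com
2022-03-01T09:20:30Z src=10.1.4.55 qname=mail.corp.example
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse key=value tokens (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_mail_urls(log_text, indicators):
    """Return (recipient, url, matched_indicator) for each mail URL that
    matches an indicator, by full URL first and then by host name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        url = rec.get("url")
        if not url:
            continue
        host = urlparse(url).hostname or ""
        for ioc in (url, host):
            if ioc in indicators:
                hits.append((rec.get("to"), url, ioc))
                break
    return hits


VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_label(qname):
    """Second-level label, e.g. 'microsoft' from 'www.microsoft.com'.
    Simplification: production code should consult a public-suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(label):
    """Heuristic 0..5 score; higher looks more machine-generated.
    The thresholds are assumptions chosen for this example, not tuned values."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    digits = sum(ch.isdigit() for ch in label)
    checks = [
        shannon_entropy(label) > 3.5,  # many distinct characters
        vowel_ratio < 0.25,            # unpronounceable
        longest_run >= 5,              # long consonant cluster
        digits >= 2,                   # digits mixed into the label
        len(label) >= 12,              # long label
    ]
    return sum(checks)


def flag_dga_queries(log_text, threshold=3):
    """Return (src, qname, score) for queries whose label scores >= threshold."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        qname = rec.get("qname")
        if not qname:
            continue
        score = dga_score(registered_label(qname))
        if score >= threshold:
            flagged.append((rec.get("src"), qname, score))
    return flagged


if __name__ == "__main__":
    for to, url, ioc in match_mail_urls(MAIL_LOG, MALICIOUS_URL_INDICATORS):
        print(f"mail to {to}: {url} matched indicator {ioc}")
    for src, qname, score in flag_dga_queries(DNS_LOG):
        print(f"{src} queried DGA-like domain {qname} (score {score})")
```

In practice the second half is where a trained model earns its keep: a fixed heuristic like this flags only the crudest generated labels and will misfire on legitimate CDN or tracking hostnames, so it is best treated as an enrichment that raises a query's priority for analyst review, with the DNS source address joined back to endpoint telemetry before any blocking action is automated.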
By this point, an analyst has enough information on the threat, the threat actor and their techniques to understand what is likely to happen next. Using Anomali Platform Cloud XDR, the analyst can anticipate the Ryuk stage of the attack and update all security controls with high-fidelity indicators that protect the organization from Ryuk and its known variants.