Ransomware is a booming business.
Just how big is it?
Well, in 2021, over $400 million was sent to Russia-linked attackers alone.
But, since many companies refuse to make payments, the overall cost of ransomware attacks is even higher. Especially when you factor in lost business opportunity, client lawsuits, and business shutdowns.
Since you can’t prevent every attack from starting, knowing how to stop, or at least detect ransomware in progress is a must.
Though new forms of attacks are always cropping up, some of the most dangerous methods are now known.
To help businesses detect ransomware before it takes effect, the U.S. Federal Bureau of Investigation (FBI) is revealing what it knows.
Lockbit & Ragnar Ransomware
The Lockbit gang operates ransomware as a service, recently striking the world-wide IT consulting firm Accenture, and demanding $50 million in ransom.
A second Lockbit victim, Atento, disclosed that even without paying a ransom, it still suffered nearly $35 million in business losses and over $7 million in expenses from an attack affecting only their Brazilian operations.
Another major ransomware gang, Ragnar Locker, struck at least 52 identified entities in 10 critical infrastructure segments.
What’s important to note here, is that with the newly signed Strengthening American Cybersecurity Act (SACA), companies in critical infrastructure must now report cyberattacks to CISA within 72 hours.
And, according to SACA, any ransomware payments must be reported within 24 hours, drastically increasing the pressure during an attack.
This new act also allows law enforcement to further punish companies for negligence – perhaps even more than the $500K imposed upon CafePress for their failures.
No matter how an attack ends up, significant expenses for investigation, remediation, business losses, and reputation damage tend to follow.
How to Detect Ransomware in Progress from Lockbit Locker
When the next generation LockBit 2.0 ransomware begins an attack, it uses bitwise operations to evade detection while it decodes strings and loads modules.
Though it’s a bit complex, it’s also fairly predictable.
The FBI notes that this ransomware begins to take the following series of steps:
- Checks for Eastern European languages (Russian, etc.). If detected, the program exits.
- Uses command line commands to:
- Detect and delete application, security and system log files
- Disable Win10 Recovery
- Detect and delete shadow copies on the disk that might enable restoration
- Determine hostname, host configuration, domain information
- Detects data storage: local, remote shares, external storage devices
- Uses Stealbit application to exfiltrate specific file types
- Updates group policy to disable Windows defender
- Change the local registry to create persistence and a new wallpaper screen
- Encrypts data saved to any local or remote device (excluding core system functions)
- Deletes itself
It’s an involved series of steps to be sure, but if you know what to look for, you can detect ransomware in progress, hopefully stopping it before it takes hold.
Ragnar Locker Ransomware Indicators of Compromise
The FBI began tracking Ragnar Locker activities in April of 2020, issuing an updated flash notice (CU-000163-MW) in March 2022.
Their goal was to distribute updated indicators of compromise.
The FBI’s findings?
Ragnar Locker ransomware also follows a standard pattern of attack.
- Checks for Eastern European languages (Russian, etc.). If detected, program exits.
- Uses Windows APIs to identify attached hard drives and make all accessible
- Checks and terminates running services used to remotely administer networks
- Silently deletes all volume shadow copies
- Encrypts files not associated with the operating system
Again, with the right cybersecurity protocols in place, the pattern can be seen, allowing you to detect ransomware in progress.
Paying ransoms isn’t the solution.As the FBI notes, payment doesn’t guarantee your data won’t be leaked or that you won’t be attacked again.
You also shouldn’t wait for an attack to start before implementing security improvements and cybersecurity monitoring.
Instead, take preventative measures now to prevent pain in the future.
The FBI suggests mitigation strategies against these attacks, many of which will be familiar to you:
- Require all password logins to have strong, unique passwords
- Require multi-factor authentication
- Keep operating systems and software up to date
- Remove unnecessary access to administrative shares, especially ADMIN$ and C$
- Use a host-based firewall and restrict server message block (SMB) connections to a limited number of administrator machines
- Enable protected files in the Windows Operating System to prevent unauthorized changes
- Use network segmentation to limit access
- Use a network monitoring tool to identify, detect, and investigate abnormal activity
- Monitor cyberthreat reporting of compromised VPN login credentials
- Add email banners too emails received from outside the organization
- Disable unused remote access, remote desktop protocol (RDP) ports, and monitor remote access
- Audit user accounts with admin privileges and implement least privileged access
- Implement time-based access for accounts set at admin level and higher
- Disable command-line and scripting activities and permissions for normal users
- Maintain offline backups of data and encrypted, immutable backups
Though these recommendations will deter near-term ransomware attacks, attackers are always developing new methods.
It’s important to monitor for new announcements, and share what information we can with each other.
And, when appropriate, reach out to your local FBI cyber squad.
Ransomware is a major problem – one that isn’t going to go away.
Only strong cybersecurity practices and vigilant monitoring can help detect ransomware in progress, allowing you to stop it before it gets worse.
Fortunately, known attacks follow a pattern. One that can be found before real damage is done.
If your organization needs help implementing mitigations or ongoing cybersecurity monitoring, contact Ideal Integrations and Blue Bastion at 412-349-6680, or fill out the form below.
Our experts can explain all of your options, and how we can help secure your organization against ransomware attacks.