Network monitoring, threat detection and response are more essential than ever for enterprises such as large telcos and service providers that can’t afford downtime from ransomware attacks and the ensuing loss of employee productivity and customers.

At the same time, hackers are becoming more sophisticated, so having the right defensive strategy in place will improve the chances of your applications remaining always on at peak performance, and this is where network detection and response (NDR) technology provides an edge.
Threats can arise from anywhere in an increasingly decentralised modern IT environment where mobile, IoT, and third-party devices are all but ubiquitous, a situation which is becoming exponentially more challenging from a security perspective. Add the cloud, VPNs, and other types of off-site server storage, and attacks such as ransomware will become harder and harder to pinpoint.
Cyber-crime currently sucks a staggering US$1.5 trillion from the global economy annually, according to some estimates. Ransomware is the most profitable type of malware attack in history and the frequency of attacks globally is only going to get worse, with a new attack expected every two seconds by 2031. So how sophisticated is your current threat detection and how prepared is your organisation overall for a well-orchestrated attack?
In the APJ region, the average cost of remediating a ransomware attack grew by more than US$1 million in just one year, rising from an average of US$1.16 million in 2020 to US$2.34 million in 2021. In May 2021, a US insurance company paid a ransom of US$40 million, the largest publicly reported payment by a ransomware victim to date.
So educating your security team now about the stages of a ransomware attack and the unique benefits of NDR’s defensive capabilities has become vital.
Ransomware is often described as ‘weaponised encryption’, where malware attacks are delivered through phishing emails that disable data and are followed by a ransom demand. This may in the past have simply meant a request for money, but these days a ransomware attack may seek out health, military or other types of data and could emanate from a rogue government, terrorist cell, or criminal organisation.
The six stages of ransomware
There are six primary stages of ransomware attacks identified in the MITRE ATT&CK® framework, which is built into the Kemp Flowmon Anomaly Detection System (ADS):
- Reconnaissance
The attacker initiates a campaign to exploit an organisation’s IT environment, usually through malicious emails but often through servers or websites as well. The standard of mass spam emails has improved considerably over the years, and they may now include information that is much more personalised to the recipient.
- Initial access
The malicious code is let loose on an unprepared system, taking hold of data and rendering it unusable.
- Persistence
The ransomware embeds itself into the system, altering configuration and hijacking code to keep a firm foothold in the system.
- Lateral movement/collection
The malware scans the infected host network to find files to encrypt. It may then also look for file shares or data stored elsewhere such as a remote server or the cloud. It will also scan the infected system for permissions it has gained access to.
- Command and control
The ransomware establishes communication between the attacker and the compromised system, using a variety of techniques to avoid detection.
- Impact
Once the malware has concluded its search-and-disable mission, it commences encryption: local files are encrypted first, followed by network shares. Once the network data is copied and encrypted, it is uploaded back to the original document’s share location.
Once the data has been encrypted, the attacker sends a ransom note throughout every area of the compromised network, usually with payment demands and details that these days invariably involve bitcoin. The attacker then waits for payment in exchange for the decryption key.
NDR offers state-of-the-art, end-to-end defence
Ransomware’s new and improved iterations are making it harder and harder to contain for enterprise security gatekeepers who may have gotten by with patches and anti-virus software in the past. NDR has been designed as an end-to-end solution that stops ransomware in its tracks by identifying the attack, isolating it and remediating the threat before it gets a stranglehold on your system. This holistic strategy has resulted in greatly reduced incident response times and enhanced email and end-point security.
Part of this is due to breakthroughs in AI and behavioural detection technology that give NDR a big edge over existing signature-based intrusion-detection systems, resulting in far earlier detection, fewer false positives and unprecedented visibility over the entire network. NDR’s forensic capabilities are another major differentiator over existing end-point detection and response (EDR) solutions.
Ransomware has multiple methods of entry, but the maturity of NDR’s monitoring, detection and response methods puts it way ahead of its peers.
See how Kemp’s Flowmon network detection and response (NDR) solutions can effectively bolster your security against ransomware attacks.