How to Leverage Your SIEM to Detect and Respond to Ransomware

Leverage Your SIEM to Detect and Respond to Ransomware
Share on linkedin
Share on facebook
Share on twitter
Share on reddit
Share on email
Share on print

According to the Ponemon Institute, only 20% of organizations are confident of their ability to deal with a ransomware attack. This may seem counter intuitive since the cost of a successful attack to an organization can be significant, but exemplifies the challenges endemic preventing, detecting and responding to the growing sophistication of ransomware threat actors. In 2019, ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018.

However, a paid ransom is only a fraction of the cost of a successful ransomware attack to an organization. Assuming files are restored following payment, impacted organizations also lose productivity, experience reputational damage, and incur significant recovery costs.

Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this.

This post explores how to leverage SIEM technology to detect and respond to ransomware attacks.

Related Reading: 5 Ways to Prevent Ransomware

Understanding the Types of Ransomware Attacks

Understanding the objective of a cyberattack is important to effectively protecting against. Many advanced persistent threats (APTs) focus on theft of sensitive data. This means cybercriminals put time and effort into constructing an attack that remains undetected while looking for systems containing sensitive data. In fact, the average time between a system being compromised by an attacker and the data breach being detected is 207 days.

In contrast, ransomware attacks are designed to be detected relatively quickly. Once the attacker has encrypted the files on a system, they want the owner to know as soon as possible so that they can pay the ransom.

There is one critical caveat to the above statement which represents a shift in the sophisticate ransomware actor’s modus operandi – double extortion.  Rather than solely focusing on the operational impacts of encrypted systems for negotiation leverage, ransomware actors are actively exfiltrating sensitive or regulated data during a pre-ransom reconnaissance phase of their activities.  This stolen data is then leveraged as an additional motivator for the victim to succumb to the ransom demands – failure to pay will lead to leaked data, causing further reputational, legal and regulatory liabilities.

The time between initial compromise of a system with ransomware and this revelation depends on the type of attack being performed. Three of the major types of ransomware attacks are:

  • Consumer Ransomware: Some cybercriminals take a “spray and pray” approach to ransomware infections, attempting to infect as many computers as possible and asking a low ransom per infection. These attacks are often automated, with encryption beginning shortly after the computer is infected.
  • Server-Focused: Server-focused ransomware attacks are designed to render an organization incapable of doing business by encrypting vital files on critical systems (such as asp.net files in a web application). The ransomware generally encrypts a server’s files then looks for other connected servers to increase the impact.
  • “Critical Mass” Attack: Instead of targeting servers (which are often better protected), this type of ransomware attack targets user workstations. By rendering a high percentage of a company’s computers unusable, it achieves the same objective as a server-focused attack but exploits more vulnerable client machines.

Of these three types of ransomware attacks, the server-focused and critical mass variants often require more control by the attacker and have a longer window from initial compromise to encryption. The reason for this is that the attackers need to decide if they have compromised enough systems to degrade an organization’s operations before revealing themselves.

Related Reading: Ransomware Prevention to Incident Response

Detecting Ransomware Attacks with SIEM

Even with properly configured systems, no security solution provides iron-clad protection against ransomware. This calls for a defense-in-depth approach to create security layers in the environment.

A comprehensive SIEM-based approach increases the potential for catching a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

To be effective, a SIEM needs a source of high-quality data and knowledge of what to look for. A number of data sources exist including system logs, Windows AppLocker, endpoint security solutions, and SIEM agents deployed on the endpoint.

Knowledge of what to look for comes from an understanding of the ransomware’s goals and the steps necessary to achieve them. Ransomware attacks can be identified using indicators that appear in the early, middle, and late stages of an attack.

Early-Warning Generic Indicators

Ransomware is a particular type of malware and, as such, share many early-stage signs of infection with other types of malware. Some of these indicators include:

  • New Processes and Unrecognized Code: The launch of new processes and unrecognized programs can indicate the execution of malware dropped on a system. Looking for Windows process start events, changes to the registry, and commands used to start these processes can help to detect the initial execution of malware on the system.
  • Endpoint IoCs: Malware present on the system can be identified based on the changes it makes to the Windows registry, unusual parent/child process combinations, and other endpoint indicators of compromise (IoCs). The SANS Find Evil poster provides a summary of some of the most common endpoint IoCs.
  • Command and Control Traffic: Ransomware operators commonly need to communicate with their malware to provide instructions and receive updates. Looking for this network traffic can help to identify a ransomware infection.

Mid-Stage Generic Indicators

After infecting “patient zero”, many malware variants will attempt to spread through the network to increase their impact or look for more valuable targets. This lateral movement creates detectable IoCs, such as:

  • Unusual System-to-System Connections: Ransomware and other malware commonly tries to spread laterally through the network to maximize its impact. Look for communications between systems that do not normally talk to one another.
  • Elevated use of PowerShell:  Many ransomware groups leverage PowerShell to propagate malware throughout a network.  PowerShell logging can be used to detect such activities
  • Pass-the-Hash Indicators: Pass-the-Hash is an attack commonly used to expand an attacker’s access to a network. Pass-the-Hash traffic on the network points to an on-going attack.

Mid-Stage Ransomware (Critical Mass)

Low-grade IoCs or abnormal events may be an anomaly if detected on a single system. However, if they are found on many workstations at the same time, it may indicate an attempt to perform a widespread ransomware attack.

Late-Stage Ransomware

Ransomware is designed to encrypt files, meaning that a it will open, modify, and delete files one folder at a time. This type of anomalous activity can be detected by tracking file modification events (necessary for the encryption rewrites) and looking for processes that delete version shadow service (VSS) backups.

Late-Stage Data Theft

While data theft is often a standalone attack, many ransomware cybercrime gangs are incorporating it into their regular activities. Some indicators of a data theft attack currently in its late stages include:

  • Abnormal Access to Confidential Data: Cybercriminals performing data theft focus on valuable and saleable data. Look for anomalous access to databases containing confidential information.
  • Tripwire Pulled on Confidential System: Place fake files with enticing names (such as a database file called credit cards) alongside valuable data and track access to this fake data. Any access attempts indicate an attack since no legitimate uses for the data exist.
  • Staging: Data exfiltration actors will often consolidate purloined data to a single staging ground to simplify their exfiltration of data from the network.  An unusual amount of file transfers to a single server, or an unusual number of new network shares added to a single server are often signs of such staging activity
  • Data Exfiltration Traffic: After finding valuable data, cybercriminals need to get it out of the network to sell it. Look for large-scale data transfers leaving the network.

Best Practices for SIEM-Based Ransomware Detection

To detect ransomware with a SIEM, it is necessary to lay the groundwork first. Some best practices to leverage your SIEM to detect ransomware include:

  1. Collect Event Data from All Computers: Effective ransomware detection requires access to event data from all computers and especially workstations. Workstations are the easiest devices for cybercriminals to compromise and can act as an early warning system.
  2. Use SIEM to Aggregate Alert Data: While different security solutions provide useful insights, they lack context. Collecting security data in one place supports analysis and advanced analytics.
  3. Baseline “Normal”: Not all malware is detectable using signatures. Knowing what “normal” looks like on a network is essential to identifying the anomalies created by an attack.
  4. Lay Traps: Differentiating true attacks from false positives can be complicated. Creating tripwires and other traps can help with detecting an attack.
  5. Look for IoCs: IoCs from a threat intelligence feed can be essential for detecting the latest cyber threats. Select a SIEM capable of ingesting and using this data.
  6. Perform Analytics: Data analytics like searching for unusual connections or looking for ransomware’s anomalous file activities can help to detect attackers on the system. Look for the event patterns that attackers create while achieving their objectives.

Minimizing the Ransomware Threat

A successful ransomware attack carries a heavy cost to the organization in terms of loss productivity, reputational damage, and recovery costs. Leveraging a correctly tuned SIEM system to achieve better network visibility and threat detection can help to minimize the probability that an organization will be the victim of a successful ransomware attack.

Trending Phishing Techniques and Tips for Detection

With high stakes like data loss, credential compromise, ransomware infection or other types of malware infections, and financial loss, organizations must learn how to prevent phishing attacks.  

Download Now

Share this:
Share on linkedin
Share on twitter
Share on facebook
Share on reddit
Share on email
Share on print

Sign-up for Weekly Updates