What if solving the ransomware problem was as simple as trying out a different tactic? Endpoint security, paying ransoms, and getting governments involved are all temporary, stop-gap measures that have little if any effect on your organization’s likelihood of being ransomed. That is what led us to create a ransomware defense deception campaign in the first place.
After tracing ransomware actors’ steps, we identified the common stages of their attacks and set out to define a campaign that would address their actions during different stages. We launched an alpha testing period of this ransomware campaign, and met with quite a bit of success, which we will outline below. All that led to our recently launched Ransomware Cloud Beta Program, in which we offer a chance to be part of the creation of this potentially groundbreaking technology.
The Campaign
Our team spent weeks developing this deception campaign to specifically target threat actors focused on ransomware. The campaign has two different features:
1) External: This involves installing pieces outside of the company perimeter (such as a public-facing external Windows server). In many of the alpha scenarios, we detected many different actors trying to compromise looking for weak credentials. Once they compromise the server logging in via RDP, they immediately try to gather information, find out if the machine belongs to the company, find out different features and networks and domains the machine is connected to, discover anything that can be useful for them to move laterally and get in. After the discovery phase, then we extract TTPS and IOCs.
2) Internal: This part of the campaign was developed after we observed the discovery phase of the attackers. It almost always started with seeking out available Active Directory domains, and determining relationships to find the biggest, most promising domain. That is why we created an internal aspect of the campaign, to be able to detect the movement that goes along with the discovery phase.
We advise to deploy both internal and external deployment. It’s important to deploy the external part of the campaign in order to detect attacks at very early stages. However, if the attacker is already inside, only an internal campaign can detect them. External is the first layer of detection. Internal is the second layer of detection and can actually be more efficient. A bonus? You won’t only be able to detect discovery phases of ransomware but also any other attackers inside your network, from red teams to insider threats.
The Alpha Phase
When we ran this campaign in the alpha phase, we saw activity targeting all different sectors, from medical to government to insurance to retail. We saw that this campaign can benefit all companies from all sectors, especially companies that have invested less in security to date. When a company doesn’t have all the security layers in place, they become the low-hanging fruit for threat actors. Attackers can easily compromise them and hence tend to target them more often.
During the alpha phase, we learned that many attackers don’t use custom malware—they use off-the-shelf tools that are available in the operating system. They don’t install anything specific for discovery of network information. We also noted lateral movement and illicit credential access, in which attackers try to dump the credentials that are stored in the machine to be able to move on to the next machine.
Much of this activity was automated. The connections we saw were primarily coming from Tor, the anonymization network, although we also saw connections from VPNs and compromised hosts. They use automated scanning to log in and then switch to manual mode to execute. That discovery phase is done manually, but the scanning of the internet looking for windows machines is automated.
Once the attackers were in, during the alpha phase we observed them trying to find other credentials and jump from server to server to gain admin privileges. This is the last step before ransomware deployment, and thanks to our internal campaign in the alpha test we were able to detect them in that discovery phase, such as when they tried to connect to our windows server. This allowed us to collect the commands they execute and also know where they are coming from.
Another action we uncovered was the attackers seeking out all the backup mechanisms, in order to control those backups and even delete them or make them unavailable. This action ensures that when ransomware is deployed, the company won’t be able to use the backups.
We found in the alpha phase that, even if there was not a ransomware attack, organizations were able to collect threat intel on any suspicious activity that was happening. The campaign extracted attackers’ MOs and the tools and techniques they were using. It was also used successfully in real time with other third party apps.
The Beta Phase
This campaign is now in its beta version. Based on the findings we collect, the campaign will continue to improve, increasing the ratio of detection via continuous refining of the ransomware response. Companies that sign up for the trial will work hand-in-hand with our experts and be able to suggest new features, contributing to the road map of what will be a powerful tool against ransomware.
To Work With Us
Sign up today for the ransomware beta program. The deadline is June 23 to participate. We will select 10 companies to beta test with us.
Find Out More
Read more about our cyber deception platform here.