Ransomware is a type of malicious software that restricts access to computer systems and the data stored on them until a ransom payment is made. In recent cyberattacks, ransomware features have expanded to include data exfiltration, distributed denial of service (DDoS) attacks, and anti-analysis techniques.
Also, the Ransomware as a Service (RaaS) model has been widely adopted by threat actors behind these attacks. Ransomware as a Service is a business model that helps ransomware developers and operators sell or lease out ransomware capabilities to threat actors.
Common behaviors of ransomware
- Based on the attack pattern, ransomware can encrypt critical data without interfering with other computer system functions. This type of malware can deny access to an entire web application or specific files on the computer system. It can stop companies from viewing or using their data or performing operational functions. Examples include Lockbit 3.0, Black Basta, and Pandora ransomware.
- Typical behavior of some ransomware is their ability to lock victims out of essential device functions. Ransomware victims are typically restricted from further interaction with their operating system, leaving them only with access to facilitate ransom payment. Examples include Petya, GoldenEye, and KeRanger ransomware.
- Ransomware employs the double extortion tactics of encrypting files and exfiltrating the data with the intention of publishing it if the ransom is not paid.
- After successful ransomware attacks, threat actors usually leave ransom messages demanding ransom payments in cryptocurrencies like Bitcoin and Monero. This ensures the anonymity of the attacker is preserved.
Ransomware attack vector
Ransomware is spread using different techniques, but the most common way computer systems become infected is through user-initiated actions. These actions include clicking on a malicious link in phishing emails or visiting a compromised website. Threat actors also exploit system misconfigurations such as unsecured remote desktop connections available over the internet and weak passwords/access management to launch ransomware attacks.
There are other forms of infections that leverage malvertising and drive-by downloads. These forms of infection are disseminated without the need for user interaction with the malware.
Impact of ransomware attacks on organizations
Ransomware attacks can have significant impacts on organizations and their ability to perform crucial tasks in various ways. Some ways it can impact organizations are highlighted below:
- Sensitive data exposure: Most ransomware operators use data exfiltration techniques to force organizations to make ransom payments after carrying out a successful attack. They usually threaten to disclose the stolen data on the dark web if the ransom is not paid.
- Extended mean time to recovery: Ransomware attacks usually result in organizations losing access to mission-critical systems and applications for an extended period. Most companies experience downtime that lasts for several days, representing a significant disruption to operation and productivity.
- Brand reputation damage: Most organizations suffer damage to their reputations and brand value due to cybersecurity-related attacks, including ransomware.
- Financial loss: The ransom paid by organizations that experienced major ransomware attacks is usually expensive. These organizations may also incur an extra financial burden from regulatory bodies after a security incident.
How Wazuh protects endpoints from ransomware attacks
Wazuh is a security solution that offers unified SIEM and XDR protection across several platforms. The article Wazuh – The free and open source XDR platform highlights how organizations can take advantage of the open nature of Wazuh to freely use and customize it based on their security needs. It protects workloads across virtualized, on-premises, cloud-based, and containerized environments.
Wazuh offers several capabilities that organizations can implement to detect and defend against security threats. This section highlights several Wazuh capabilities that offer protection against ransomware attacks.
Vulnerability detection is a process of identifying weaknesses in the operating system and software installed on an endpoint. In a blog post recently published by Wazuh on Detecting Lockbit 3.0 ransomware, it is noted that one of the attack vectors of the ransomware is exploiting unpatched server vulnerabilities.
The Wazuh Vulnerability Detector module performs software audits to detect vulnerabilities in endpoints. Wazuh builds a global vulnerability database from publicly available CVE repositories. Then, Wazuh correlates the application inventory data collected from endpoints with the vulnerability database to detect vulnerable components.
Security configuration assessment (SCA)
Security configuration assessment is a process used to identify system misconfigurations that might expose a system to attacks. This includes periodical configuration checks and the implementation of security best practices by adopting standards such as CIS (Center of Internet Security).
Wazuh Security Configuration Assessment module offers the capability of performing regular scans on endpoints to ensure they comply with security best practices. These scans assess the configuration of the endpoints using policy files that contain rules to be tested against the actual configuration of the host.
For example, the Wazuh SCA module checks for configurations related to password use and unwanted applications and services. It also audits the TCP/IP stack configuration on a monitored endpoint. Our recent blog post on How to perform WordPress security assessment with Wazuh demonstrates how to implement the Wazuh SCA module for benchmarking WordPress configurations.
File integrity monitoring
File integrity monitoring (FIM) is the process of monitoring an endpoint filesystem for addition, deletion, and modification activities. It is important to monitor critical files and directories on an endpoint to ensure that changes made are legitimate.
The Wazuh FIM module detects changes to monitored files and directories, then generates an alert on the Wazuh dashboard. The changes are detected when there is a variance in the stored cryptographic checksum and other attributes of the monitored files and directories on the endpoint. Monitoring of the files and directories is done periodically or in near real-time.
As demonstrated in this blog post, the Wazuh FIM module can be used to detect the presence of ransomware on an endpoint. Most ransomware attacks initiate execution by transferring malicious files to specific directories, and the Wazuh FIM module can detect such activity.
Wazuh can be integrated with other security solutions like VirusTotal and YARA to scan files on endpoints and verify if they are harmless or malicious. The Wazuh active response module handles the removal of detected ransomware files.
Figure 2 below shows an example of Wazuh integration with YARA to detect Lockbit 3.0 ransomware. The active response module removed the ransomware file after it was detected.
Detection with Wazuh
The initial stage of ransomware attacks involves the malware performing several actions on the infected endpoint.
These actions may include deleting the volume shadow service, disabling the anti-malware service, clearing Windows event viewer logs, creating ransomware notes in multiple directories, and changing the desktop background.
These behaviors can be captured by Wazuh out-of-the-box rules and decoders and alerted on the Wazuh dashboard in near real-time. Custom detection rules can also be configured and mapped to their appropriate MITRE ATT&CK tactics and techniques to detect these events.
Due to the ever-changing dynamics of ransomware attacks, organizations need to implement adequate security measures. The concept of RaaS has made it simpler and more lucrative for threat actors to target organizations with ransomware. Organizations can effectively detect ransomware attacks by leveraging the various capabilities of Wazuh, as discussed above.
Wazuh is a free, open source SIEM and XDR solution with more than 10 million annual downloads and an ever-growing community. Wazuh integrates well with several third-party solutions and technologies.
For more information, check out the Wazuh blog posts and documentation. To deploy Wazuh and explore the various capabilities it offers, check out the Quickstart installation guide and Wazuh cloud options.
Sponsored and written by Wazuh