“If it ain’t broke, don’t fix it”. As we predicted last year, ransomware has been one of the most successful business models for cybercriminals in the last year, who have made huge sums from extorting thousands of businesses. It’s of little surprise our most read Photon research, Q1 Ransomware Roundup is on this very topic. Given this “double extortion” ransomware shows no signs of going away, in this blog, I will get specific and show exactly how you can make intelligence on ransomware fully actionable in four ways:
- Track Emerging Variants
- Block Malicious Indicators
- Analyze Popular Targets
- Map Security Controls
This blog is largely geared towards existing SearchLight users, but if you want to follow along, you can register for Test Drive and get free access for 7 days.
Track Emerging Variants
As the whack-a-mole game between law encroachment and ransomware operators continues, it’s tricky to keep up-to-date with the latest active variants. You can see all of the variants actively tracked by SearchLight by going to Intelligence – Malware and then filtering by “Ransomware” malware type. Each of these will have an in-depth profile, information on targets, techniques, and associated intelligence and indicators–all the context you need to quickly understand what this variant means to you.
Block Malicious Indicators
First, on a very tactical level, we’ve made it pretty easy to export indicators. Each threat profile will have any associated indicators displayed in the “Indicators” tab, which means you can easily export associated hashes, urls, and other indicator types to hunt for in your own environment or block in your security controls. (Note: we provide STIX 2.1 export options if that’s your thing).
Analyze Popular Targets
On a more operational level, it’s important to understand who and where the ransomware operators target. We have some great intelligence on this, with thousands of victims recorded in the SearchLight platform. Obviously, if a variant is targeting your industry or your country, you probably want to know about that.
The threat profiles combine all of our intelligence reporting related to this malware (Clop in the case of the screenshot below). In the Targets tab, we display the location of the target organizations, and the corresponding Intelligence Updates we have published. You can also slice this by industry.
It goes beyond just the industry and location, however. Many of our customers have begun to combine this monitoring as part of their third party program. That’s understandable. If your supplier has been compromised and their data is exposed on the ransomware dump sites, you probably want to know about that.
Map Security Controls
Third, and at a more strategic level, you can begin to drill down into the tactics and techniques used by these different ransomware operations. Each Malware Profile has a dedicated Techniques tab where you can understand how these actors are conducting their attacks, and then map your security controls to see how well protected you would be.
For example, we might notice that Sodinokibi (shown below) has used PowerShell as part of the Execution stage. Navigating through to the Command and Scripting Interpreter: PowerShell profile will provide further details on mitigating controls.
Read further on securing PowerShell in our PowerShell Best Practices article.
Access Intelligence Today
For security practitioners looking to protect against the burgeoning ransomware industry, there are many considerations around backups, response playbooks, ransom negotiations, and so on. Hopefully this blog has articulated where threat intelligence– and specifically SearchLight – ties into this process at a tactical, operational, and strategic level.
If you’re still reading this and you’re not yet a SearchLight user, it’s time to head over to our portal and Test Drive it for yourself.