Ransomware Groundhog Day: Elevating Your Program in a High-Threat Environment

The latest Kaseya ransomware campaign by the REvil syndicate sounds like cybersecurity groundhog day to business leaders. Splunk was not impacted by the ransomware attack, but as a security leader we want to help the industry by providing tools, guidance and support.

The pace and scale of these attacks continues to increase — and there are several reasons for the acceleration of ransomware. At the highest level, the growing digitization of the economy has made data the universal resource that must be protected to preserve business resiliency. The business landscape has been shifting with the rise of software-as-a-service (SaaS) and the increase of the software supply chain in the last decade. The COVID-19 pandemic also accelerated remote working trends — creating new dimensions to the attack surface area and changing the baseline pattern of life that many security organizations rely on for detection and response.

Attackers took advantage of this shift by exploiting these new threat vectors. First SolarWinds, and now the Kaseya attack, are examples of exploiting highly trusted management software, and the software supply chain, to compromise mission-critical operations and data. Individual groups, like REvil, have layered disruptive innovation into these vectors, offering a full-stack ransomware-as-a-service (RaaS) capability, complete with installation support and bonus packages such as programmable VoIP outreach that notifies local journalists about an organization’s compromise in order to escalate the pressure on the victim.

These types of attacks can lead to a flurry of activity and a fair amount of “OMG. DID YOU SEE THIS? HOW CAN WE BE SURE WE ARE NOT NEXT?!” questions from executives. With a rapidly evolving threat landscape and relentlessly innovative attackers, it’s easy to become complacent to the threat and assume resistance is futile. However, there are some real steps business and security leaders can take to improve their defenses.

1. Create a Policy on How You’ll Handle Ransomware Incidents.

The U.S. Department of Homeland Security and the FBI advise all corporations to not pay ransoms. Work with your organization’s board of directors to define how you’ll respond to different ransomware scenarios in a non-emergency environment instead of immediately after a breach.

2. Build Your Intelligence Ecosystem.

In a ransomware event, by the time you know it's happening, it might be too late. We suggest collaborating with sharing communities like Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs). These groups allow you to share (and receive!) tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) between trusted organizations facing the same threats as your business. Faster information sharing will help increase your ability to detect and respond to ransomware — before you start getting skulls and crossbones popping up on your desktops.

3. Shore Up Your Fundamentals.

Ensure you have a strong people, process and technology stack for detection and response. Asset management, when performed well via your asset and identity framework, can quickly identify where your vulnerable systems reside. Running regular vulnerability scans will show which systems are vulnerable and can help you prioritize your patching schedule and better focus your detection efforts.

As a security leader, it can be difficult to know and show progress in maturity and performance for your own team and for others in the organization. When fear, uncertainty and doubt are flying, clear cross-functional communication is critical. This is where metrics like mean-time-to-detect and mean-time-to-respond are a helpful north star. These metrics provide a powerful shorthand for you to communicate your readiness and resilience in terms your peers across the business can understand.
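The two ideas above, matching IOCs received from a sharing community against your own telemetry (step 2) and reporting mean-time-to-detect and mean-time-to-respond (step 3), are shown together in the following added example. It is illustrative code written for this page, not Splunk's or any ISAC's tooling; the indicator values, the key=value log lines and the incident timestamps are all constructed for the demonstration (documentation IP ranges, a `.test` domain and a placeholder hash), and the `FIELD_TO_IOC` mapping is an assumption about which log fields carry which indicator types.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean

# Constructed indicators "received" from a sharing community (hypothetical values,
# chosen from documentation ranges so they never point at a real system).
SHARED_IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"updates.example-bad.test"},
    "sha256": {"a" * 64},
}

# Constructed sample telemetry in a simple "timestamp key=value ..." format.
SAMPLE_LOGS = [
    "2021-07-02T13:40:05Z host=ws-017 type=dns query=cdn.example.test",
    "2021-07-02T13:42:18Z host=ws-017 type=dns query=updates.example-bad.test",
    "2021-07-02T13:42:20Z host=ws-017 type=net dst=203.0.113.45 dport=443",
    "2021-07-02T13:55:41Z host=srv-db-02 type=proc sha256=" + "a" * 64 + " image=C:\\Temp\\agent.exe",
    "2021-07-02T14:01:00Z host=ws-044 type=net dst=198.51.100.7 dport=443",
]

# Assumed mapping from log field name to indicator type.
FIELD_TO_IOC = {"query": "domain", "dst": "ip", "sha256": "sha256"}
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    ioc_type: str
    value: str


@dataclass(frozen=True)
class Incident:
    name: str
    compromised_at: datetime  # earliest malicious activity, established in forensics
    detected_at: datetime     # first alert or IOC hit
    contained_at: datetime    # host isolated / response complete


def parse_line(line: str):
    """Split a log line into a UTC timestamp and a dict of key=value fields."""
    ts_str, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, dict(KV_RE.findall(rest))


def match_iocs(lines, iocs):
    """Return a Hit for every log field whose value appears in the shared IOC set."""
    hits = []
    for line in lines:
        ts, fields = parse_line(line)
        for field, ioc_type in FIELD_TO_IOC.items():
            value = fields.get(field)
            if value and value.lower() in iocs.get(ioc_type, set()):
                hits.append(Hit(ts, fields.get("host", "?"), ioc_type, value))
    return hits


def first_detection(hits):
    """Timestamp of the earliest hit, or None if nothing matched."""
    return min(h.ts for h in hits) if hits else None


def mttd_minutes(incidents):
    """Mean time to detect: average of (detected - compromised), in minutes."""
    return mean((i.detected_at - i.compromised_at).total_seconds() / 60 for i in incidents)


def mttr_minutes(incidents):
    """Mean time to respond: average of (contained - detected), in minutes."""
    return mean((i.contained_at - i.detected_at).total_seconds() / 60 for i in incidents)


def build_incidents():
    """Constructed incident records: one detected via the IOC hits above, one older case."""
    utc = timezone.utc
    detected = first_detection(match_iocs(SAMPLE_LOGS, SHARED_IOCS))
    return [
        Incident("INC-A (constructed)",
                 datetime(2021, 7, 2, 13, 30, tzinfo=utc), detected,
                 datetime(2021, 7, 2, 14, 30, tzinfo=utc)),
        Incident("INC-B (constructed)",
                 datetime(2021, 6, 28, 9, 0, tzinfo=utc),
                 datetime(2021, 6, 29, 9, 0, tzinfo=utc),
                 datetime(2021, 6, 29, 12, 0, tzinfo=utc)),
    ]


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOGS, SHARED_IOCS):
        print(f"{h.ts.isoformat()} {h.host} matched {h.ioc_type} {h.value}")
    incidents = build_incidents()
    print(f"MTTD: {mttd_minutes(incidents):.1f} min, MTTR: {mttr_minutes(incidents):.1f} min")
```

The detection time for an incident is taken as the first IOC hit, while the compromise time comes from later forensic work, which is why MTTD can only be computed after the investigation closes; MTTR is measured from that first hit to containment. Reporting both as a rolling mean over recent incidents gives the shorthand the paragraph describes, and the matching function is also the check you run each time a new indicator batch arrives from an ISAC or ISAO.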

Preventing and detecting ransomware, while also safeguarding your supply chain, will continue to be top of mind as threat actors profit and commandeer data worldwide. Taking a strategic, data-centric approach to the overall issues of ransomware attacks and supply chain threats will help you examine your environment, employ targeted preventative and proactive measures, and streamline security-related communications across your organization. For additional information on all things REvil, read the Splunk Threat Research Team's deep dive to understand how the REvil ransomware is executed in a simulation in REvil Ransomware Threat Research Update and Detections, as well as detection recommendations you can start applying today in Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt.

Patrick Coughlin is VP, Global Technical Sales at Splunk. He was the Co-founder and CEO of TruSTAR, a cyber intelligence management platform that was acquired by Splunk. Prior to TruSTAR, Patrick led cybersecurity and counterterrorism analyst teams for the US government and private sector clients in the US and EMEA.