Ransomware Archives - IT Security Guru
https://www.itsecurityguru.org/tag/ransomware/

Rise of Ransomware Attacks Main Focus for SOCs, research finds
Thu, 16 Mar 2023 10:10:15 +0000
https://www.itsecurityguru.org/2023/03/16/rise-of-ransomware-attacks-main-focus-for-socs-research-finds/?utm_source=rss&utm_medium=rss&utm_campaign=rise-of-ransomware-attacks-main-focus-for-socs-research-finds

A new global study has looked into how SOCs go about protecting organisations from threats, where they focus the most attention and what is driving modernisation plans.

Cybereason’s latest report, Ransomware and the Modern SOC: How Ransomware is Driving the Requirements for SOC Modernization, surveyed 1,203 security professionals from eight countries and a dozen industries. More than 58% said their SOC spends most of its time responding to ransomware and supply chain attacks that often lead to ransomware incidents.

As a result, their modernization plans are now focused across four specific areas:

  • 38% — Plan to deploy new detection capabilities with better detection efficacy.
  • 31% — Need better visibility into the full attack story.
  • 31% — Are looking for ways to augment staffing and contract for managed services, and
  • 29% — Said ransomware has increased their need for better automation and faster response.

“In a post-COVID world, the modern SOC needs to be a decentralized, capabilities-based organization that leverages industry-leading detection, prevention, visibility, and automation technologies, all of which are often augmented by managed services,” said Israel Barak, CISO, Cybereason.

Travel and Transportation Industries Struggling

The study also revealed that almost a third (31%) stated the ransomware threat has exposed their need for better insight and visibility into the full attack story against their organisation. On average, 35 percent of respondents in the United States need better insight and visibility. In Italy, that number jumps to 46 percent. In the travel and transportation industry, more than 57 percent of respondents lack the proper level of threat attack visibility, followed by 39 percent of respondents in the retail, catering and leisure industries.

The post Rise of Ransomware Attacks Main Focus for SOCs, research finds appeared first on IT Security Guru.

UK second most targeted nation behind America for Ransomware
Tue, 07 Feb 2023 10:05:05 +0000
https://www.itsecurityguru.org/2023/02/07/uk-second-most-targeted-nation-behind-america-for-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=uk-second-most-targeted-nation-behind-america-for-ransomware

After closely monitoring the most active ransomware groups in 2022, the KrakenLabs team at Outpost24 are sharing their latest report that delves deep into the significant ransomware trends, threat groups, victim profiles, and motives behind these attacks from the past year. In total, the researchers identified 2,363 disclosed victims by various ransomware groups on Data Leak Sites (DLS) in 2022.

Key facts from the report include:

  • Most active ransomware groups: Existing entities like LockBit, BlackCat, Hive, and Karakurt have demonstrated exponential growth and have surpassed previous records despite the disappearance of prominent threat groups such as CONTI and the old REvil

[Figure: The total of victims per ransomware group during the year 2022 (Top 10)]

  • Most attacked countries: From the 101 different countries that registered victims, 42% of them are from the United States. The UK is second on the list, followed by Canada, Germany, and France. In fact, 28% of victims were from Europe.

[Figure: Top 20 countries with the highest number of victims]

  • Worst offender: Last year, the ransomware group known as LockBit exhibited a significantly higher level of activity compared to other groups. They were responsible for 34% of all recorded attacks in 2022.
  • Sector most at risk: While critical infrastructure sectors accounted for just over half of the attacks perpetrated (51%), construction was the most targeted sector overall.

[Figure: Breakdown of non-Critical sectors that were most at risk]

“The recent clampdown of Hive, following REvil, is a positive sign for all however organizations must ensure they keep their guards up against this constant evolving threat by prioritising cyber hygiene through regular vulnerability assessment, security testing and combining detection with threat intelligence to surface risk signals that can help prevent infection,” said Alejandro Villanueva, Threat Intel Analyst at Outpost24 and author of the report.

Further analysis by Outpost24 also revealed time periods in which the tables were turned, and ransomware groups were under DDOS (distributed denial of service) attack. In week 35 of 2022 LockBit group claimed that they were being attacked as a consequence of leaking stolen data from Entrust, a cybersecurity company that was attacked previously by them. Outpost24 KrakenLabs detected that not just LockBit, but many other ransomware DLSs were suffering DDOS attacks during this period. It is likely the attackers were aiming to cause disruption for the ransomware groups during the extortion process.

[Figure: Ransomware groups suffering from DDOS in the last week of August 2022]

The post UK second most targeted nation behind America for Ransomware appeared first on IT Security Guru.

Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks
Wed, 07 Dec 2022 17:21:35 +0000
https://www.itsecurityguru.org/2022/12/07/gartner-5-considerations-for-io-leaders-planning-against-ransomware-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=gartner-5-considerations-for-io-leaders-planning-against-ransomware-attacks

Ransomware attacks are hitting organisations every day and infrastructure & operations (I&O) leaders are aggressively bolstering protection, detection and response capabilities against attacks.

However, questions remain as to whether existing disaster recovery (DR) and business continuity plans are sufficient for ransomware recovery.

To address this, I&O Leaders must consider five areas between the two recovery approaches, to better establish whether existing plans can withstand a potential ransomware attack.

  1. Similarities and Differences

Traditional DR and ransomware recovery have many similarities, including the need to coordinate with business continuity management, prioritise via recovery tiers and understand dependencies. Both also require procedures to assess the impact, declare and activate recovery plans, execute plans, and obtain clarity around access and maintenance.

However, ransomware recovery involves greater complexity and unpredictability and so it’s important to consider the business demand of the differing recovery steps in the process, which will naturally involve different stakeholders. These include varied recovery approaches, location, data loss, recovery time and the speed of a return to business as usual.

  2. Disaster Recovery Protects Against ‘Predictable’ Disasters

Traditional DR planning assumes that an entire location or application has failed, requiring failover to a DR location. These events can vary in scope, from regional power outages to IT equipment failure, and even natural disasters such as earthquakes, tornadoes and flooding, which destroy all infrastructure.

Planning for these events requires active or hot standby application infrastructure across data centres, which enables the failover to happen within a reasonable time, and with minimal or no data loss.

  3. Disaster Recovery Not Always Suitable for Ransomware Attacks

Today, most ransomware attacks are well planned, and the attack can start weeks or months before the final ransomware assault. Typically, ransomware is only activated as the last step in a well-prepared cyberattack, with attackers still having access during the attack.

Traditional DR usually relies on the replication and synchronisation of applications, data, and foundational network services between the primary site and the DR location. So, all the work the attackers do to compromise the production site will be replicated on the DR site. Consider that the contamination of the DR site will make it impossible to use standard recovery procedures after a cyberattack.

Contemplate that you may have to build from scratch in a worst-case situation and this will require planning to recover from alternative infrastructures, such as isolated recovery environments, cloud infrastructure, relocation sites and services.

  4. Disaster Recovery and Ransomware Recovery Follow Different Processes

Traditional DR activation follows a straightforward process where — after the disaster event is detected — an assessment is conducted to decide whether failover is required or not. After that, failover is executed and validated, and business continues. A well-planned failback (when applicable) can be executed when the primary environment is recovered.

Recovery from ransomware, on the other hand, requires multiple and more complex stages. In the first phase, there is a focus on stopping the attack from execution and propagation. In the second phase, forensic analysis is required to find out what happened, what ransomware was executed, the security issues at hand and how it infiltrated the infrastructure. During the third phase, analysis is required to find which network artefacts, apps, data and backups are affected.

Through phase four, there is a focus on the recovery of foundational infrastructure, by either a restore or a rebuild of all artefacts in the network, as well as storage and compute infrastructure, followed by a rebuild or recovery of network services like DNS and AD. In phase five, a dedicated isolated recovery environment (IRE) is leveraged to scan, repair, and validate operating and application/data systems to prepare for recovery back to the primary environment. Finally, in phase six, systems are migrated out of IRE back to production.

This level of impact on the entire infrastructure is what makes ransomware recovery so complex and unpredictable, as you need to first recover and resecure every impacted element in your infrastructure environment before you can recover systems, applications and their data. Examine the complexities that come along with the different processes and the demands this may ask of your organisation.

  5. Ransomware Recovery is a ‘Team Effort’

DR is often led by the DR team, which consists of the server team, network team, storage team, backup team, who all report to the DR manager, who then reports to the CIO. DR is part of the wider business continuity management process, where DR is responsible for the recovery of IT systems in a disaster situation.

Ransomware recovery, on the other hand, is initially led by the cybersecurity incident response team, which reports to the chief information security officer and is supported by other infrastructure and operations teams, including the DR team. Hence, recovery from a ransomware attack is far more of an all-enterprise effort; consider whether you have the resources to approach this appropriately.

Gartner analysts will further explore and compare disaster recovery and ransomware recovery at next year’s Gartner Security & Risk Management Summit 2023, taking place 26-28 September, in London, UK.

Jerry Rozeman is a Senior Director Analyst at Gartner

The post Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks appeared first on IT Security Guru.

Seven Ransomware Predictions for 2018
Tue, 09 Jan 2018 17:02:07 +0000
https://www.itsecurityguru.org/2018/01/09/seven-ransomware-predictions-2018/?utm_source=rss&utm_medium=rss&utm_campaign=seven-ransomware-predictions-2018

It might surprise you to know that most ransomware victims choose to pay a ransom to have their data restored. As long as victims continue to pay up, ransomware will continue to be a go-to strategy for cybercriminals. Furthermore, Forrester Research predicts that cybercriminals will increasingly use ransomware in 2018 to monetise attacks, as end-to-end encryption in payment systems often prevents them from stealing credit card data. In 2018, ransomware will be used as a backup method for when initial attacks fail. Adversaries will adopt a number of new strategies, which I will outline in this article. Interestingly, ransomware is also likely to be used to leave a false trail to conceal other attacks.

So here are our top seven predictions for this year. Ransomware will:

  1. Target Linux systems
  2. Become more targeted
  3. Exfiltrate data
  4. Be used as a smokescreen
  5. Be an attack of last resort
  6. Be used as a false flag
  7. Leverage social media

Last year, we observed attacks hitting MongoDB which suggest that ransomware will increasingly target Linux systems in 2018 in an effort to further extort larger enterprises. Overall, ransomware will become more targeted by looking for certain file types and targeting specific companies such as legal, healthcare, and tax preparers rather than the “spray and pray” attack we largely see now. There is already ransomware that targets databases, preying on businesses, and small tweaks to their code can target critical, proprietary files such as AutoCAD designs.

While most ransomware samples simply encrypt files in place and transmit encryption keys for the purpose of decryption, there will be ransomware samples that will take the extra step of exfiltrating data prior to encryption. Not only would such an evolution put stress on companies to restore their data, but it would also involve the loss of proprietary data that could be sold on the black market. Ransomware will emerge as a secondary method when initial forms of attack fail. Adversaries that rely upon more crafted and targeted attacks may use ransomware as an attack of last resort.

Ransomware will increasingly leverage social media to spread either intentionally or unintentionally. Similar to malware such as Koobface, maliciously shared content on sites such as Facebook could lead victims to click enticing links. Attackers are known to use social engineering to influence people to unknowingly spread ransomware over the internet. Intentionally shared ransomware, seen in prior concepts, such as Popcorn Time, where victims could share to reduce or eliminate their ransom, could see larger-scale use.

In addition to the greater sophistication of ransomware attacks that is inevitable in 2018, cybercriminals are likely to use ransomware as a way of throwing defenders off the scent. Ransomware will increasingly be used as a smokescreen. For example, in the past, Zeus botnet operators hit victims with DDoS attacks after an infection to take investigators off the trail. A similar trend is emerging with ransomware attacks where the encryption of files could take place after more damning actions are taken by adversaries. Using already existing techniques of deleting Volume Shadow Copies, which deletes potential file backups, and the deletion of Windows event logs, adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating data and credentials exfiltrated.

Also, ransomware will be used more commonly as a false flag, as seen with NotPetya. Solely from dynamic analysis it was perceived to be Petya, when a more detailed review showed it wasn’t. Such quick analysis also insinuated it to be obvious ransomware, but a greater depth of disassembly showed that data was not held at ransom; it was simply destroyed.

Ransomware is now estimated to be a $5 billion crime, according to a Cybersecurity Ventures Report. In 2015, the estimate was a mere $24 million. In 2017, the industries most targeted were technology, government, non-profit and legal. However, no industry was, or is, immune. As attacks become more targeted and increasingly exploit the methods described above, having a strong defence system is more important than ever.

Therefore it is critical that anyone looking to combat ransomware chooses a defence system that has undergone a comprehensive ransomware test. To test their effectiveness, defence products should be tested against ransomware samples selected from multiple crypto-ransomware families collected in the wild. For more information on non-malware attacks, ransomware and the evolving threat landscape in 2018, download Carbon Black’s 2017 Threat Report. Carbon Black’s Threat Analysis Unit (TAU) has researched the current state of ransomware, malware and non-malware attacks with a particular focus on how frequently organisations are being targeted.

Written by Param Singh, Director of Threat Research, Carbon Black

The post Seven Ransomware Predictions for 2018 appeared first on IT Security Guru.

Five Arrested in Romania for Spreading CTB Locker and Cerber Ransomware
Thu, 21 Dec 2017 15:43:09 +0000
https://www.itsecurityguru.org/2017/12/21/five-arrested-romania-spreading-ctb-locker-cerber-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=five-arrested-romania-spreading-ctb-locker-cerber-ransomware

Five suspected hackers have been arrested in Romania, for allegedly distributing CTB Locker and Cerber Ransomware in the US and Europe.
ORIGINAL SOURCE: IB Times

The post Five Arrested in Romania for Spreading CTB Locker and Cerber Ransomware appeared first on IT Security Guru.

Corporate Cyber Insurance Will Fuel Ransomware Growth in 2018 says WatchGuard
Mon, 11 Dec 2017 16:46:07 +0000
https://www.itsecurityguru.org/2017/12/11/corporate-cyber-insurance-will-fuel-ransomware-growth-2018-says-watchguard/?utm_source=rss&utm_medium=rss&utm_campaign=corporate-cyber-insurance-will-fuel-ransomware-growth-2018-says-watchguard

While the increasing number of publicly disclosed breaches and successful ransomware incidents is driving growth in cyber insurance, there is a risk that this will encourage criminals to target companies with extortion insurance to demand increased payments, believe researchers at WatchGuard Technologies.
In countries that require mandatory breach disclosure, cyber insurance helps cover the costs and sometimes the lawsuits that result from these breaches. But more recently, insurers have promoted optional extortion insurance packages that cover the costs of ransomware and other cyber extortion payments.
“We find it concerning that insurers sometimes pay ransoms to recover their customers’ data,” says Corey Nachreiner, CTO at WatchGuard Technologies. “While we understand the business decision, insurers currently have no long-term actuarial data for cyber incidents and ransomware. It is possible that paying ransoms will encourage this criminal business model and increase the number of incidents insurers have to handle or the cost of ransoms.”
As most studies show that at least one-third of ransomware victims already pay, smart ransomware authors will target insurers to identify organisations with extortion insurance, and then attack them directly.
“We expect SMBs to continue to adopt extortion insurance in 2018 but cyber insurance should not replace security controls and best practices,” says Nachreiner. “We predict that insurance providers will start to implement guidelines that require companies to have strong security controls in place as a prerequisite. When combined with other layers of security, cyber insurance is a great addition to your cyber security strategy.”
See the WatchGuard predictions videos at: https://www.watchguard.com/wgrd-resource-center/2018-security-predictions

The post Corporate Cyber Insurance Will Fuel Ransomware Growth in 2018 says WatchGuard appeared first on IT Security Guru.

Mecklenburg County held to Ransom
Thu, 07 Dec 2017 14:08:37 +0000
https://www.itsecurityguru.org/2017/12/07/mecklenburg-county-held-ransom/?utm_source=rss&utm_medium=rss&utm_campaign=mecklenburg-county-held-ransom

Mecklenburg, one of North Carolina’s more populous metro areas, came to a halt as a cyberattack froze data on dozens of the county’s servers. Attackers are asking for $23,000 payment.
ORIGINAL SOURCE: Daily Mail

The post Mecklenburg County held to Ransom appeared first on IT Security Guru.

How businesses can unwittingly become launch-pads for malware attacks on clients and partners
Wed, 22 Nov 2017 14:01:02 +0000
https://www.itsecurityguru.org/2017/11/22/businesses-can-unwittingly-become-launch-pads-malware-attacks-clients-partners/?utm_source=rss&utm_medium=rss&utm_campaign=businesses-can-unwittingly-become-launch-pads-malware-attacks-clients-partners

In business, reputation is everything. So it is not hard to imagine the conversations that took place inside two law firms when they realised they had potentially become malware hubs spreading malicious code among clients and business-partners. The legal ramifications could have been catastrophic.
In the first incident, the PDFs created in the firm were found to contain code for which there was no explanation, while at the second, the document scanner was discovered to be incorporating unauthorised code into the structure of digital files it was generating. The incidents, although entirely separate, both involved pieces of code that could have been triggers for a massive cyber-attack on anyone receiving the documents as email attachments.
This was just what these firms did not need, given that they send out thousands of attachments every week. There was a strong possibility that their companies had been penetrated by cyber criminals and were in danger of taking their entire supply chains down with them.
It was only because both firms sent files to Glasswall, which provides file-regeneration technology (also known as Content Disarm & Reconstruction), that these pieces of code were detected. Since this technology examines files down to byte-level against the ISO or manufacturers’ standards before they are dispatched, the unexpected and potentially malicious code was quickly picked up.
Had they been deploying traditional anti-virus technology, what might have been code waiting to initiate a zero-day attack could have gone undetected for months, infecting more and more organisations or waiting to go off like a time-bomb when the criminals found the specific target they were looking for.
However, the code was found to be anomalous and the firms were able to sigh with relief. Instead of having their reputations vaporised, they only had to investigate flaws in the software responsible, a product used on a daily basis by all staff.
The detection of these code anomalies is a definite illustration of how cyber risk will start to move much more heavily into the supply chain. Criminals are fully aware that any major organisation they want to target is only as safe as its least secure supplier, which they can use as a backdoor means of illegal entry.
As such threats emerge, we are increasingly going to see malware in writers, in computer hardware and in the chip sets that power them. The UK government must surely be concerned that a leading UK chip-maker such as Imagination Technologies is now in the hands of Chinese state-backed private equity investors Canyon Bridge, who were barred by US President Donald Trump from buying an American rival because of security sensitivities.

A stern warning about relying on traditional methods
In fact the detection of these code anomalies by Glasswall should act as a warning to every business. There can hardly be a company that does not use email attachments throughout the working day and it is the structures of these common file-types such as PDFs that are increasingly used as vectors by criminals spreading malware. More than 90 per cent of successful cyber-attacks commence when someone unknowingly opens a common attachment such as a PDF, Word, PowerPoint or Excel file that has been subtly altered to act as a malware trigger.
Unrecognised by the anti-virus industry’s gatekeepers, these pieces of malicious code are also able to trick their way through sandboxing applications. The constantly evolving sophistication of such exploits leaves organisations hopelessly vulnerable if they rely on a combination of anti-virus solutions and encryption to maintain security. The threats within JavaScript, Flash, encrypted and embedded files may be well-known, yet the biggest sources of danger are inside the structures of common files such as PDFs, Excel and Word.
Research into PDF-borne malware by Glasswall has shown, for example, that in many organisations as little as 1.5 per cent of PDF files contain JavaScript. This means a remarkable 98.5 per cent of known PDF malware files were hiding payloads outside this well-known vector.
Aware of the danger of sending out infected documents, many businesses, especially in the professional sector, also rely on encryption to protect their business partners. Sadly this is mistaken. Encryption may protect a message’s contents from being intercepted and opened up by a third-party, but it will achieve little more than deliver infected files successfully.

Get your security down to byte-level
The only certain defence against these threats is file-regeneration which will conduct minute examinations of each document in fractions of a second, generating a clean and sanitised version that can be used in total safety. With PDFs, the technology has detected a change of just two bytes which criminals hid inside the file structure in order to crash the recipient’s reader so that malicious code would trigger a malware attack.
Once files have been sanitised, outbound email attachments can be sent in full confidence, having been cleared of all malicious code. The intelligence derived from this technology also gives organisations vital insights into the nature of the threats they are facing and how criminals are adapting code or shifting vectors.
In a recent 30-day period, for example, almost three-quarters of all the threats eliminated through file-regeneration were zero-day attacks that would have been completely missed by standard anti-virus technology because they had not previously been assigned an identifying “signature”.
In the absence of Content Disarm & Reconstruction, organisations risk becoming the proxy malware hubs of criminals, facing potentially huge legal liabilities and the destruction of all reputation, which in modern business is equivalent to a death warrant. The only certain defence against this grisly fate is innovation in the shape of file-regeneration.

The post How businesses can unwittingly become launch-pads for malware attacks on clients and partners appeared first on IT Security Guru.

59% of Employees who are Ransomware Victims Pay Ransom From Own Pocket's
Thu, 02 Nov 2017 11:04:30 +0000
https://www.itsecurityguru.org/2017/11/02/59-employees-ransomware-victims-pay-ransom-pockets/?utm_source=rss&utm_medium=rss&utm_campaign=59-employees-ransomware-victims-pay-ransom-pockets

A survey of over 1000 office workers has revealed that over 59% of office workers hit by ransomware have paid the ransom themselves, out of their own pocket.
ORIGINAL SOURCE: Bleeping Computer

The post 59% of Employees who are Ransomware Victims Pay Ransom From Own Pocket's appeared first on IT Security Guru.

Bad Rabbit in the Works since 2016
Thu, 26 Oct 2017 10:09:28 +0000
https://www.itsecurityguru.org/2017/10/26/bad-rabbit-works-since-2016/?utm_source=rss&utm_medium=rss&utm_campaign=bad-rabbit-works-since-2016

Attackers behind this week’s Bad Rabbit campaign had compromised some of the websites used to spread the ransomware as far back as 2016, according to new research.
ORIGINAL SOURCE: Info Security Magazine

The post Bad Rabbit in the Works since 2016 appeared first on IT Security Guru.
