What’s Next in Battling Ransomware? Human-driven Threat Hunting

Ransomware has been a plague on networks and systems for several years. But despite its longevity, its only getting more pervasive and difficult for security teams to mitigate.

Over the last several years, hackers have turned their sights from individual users to organizations as their primary target. The Sophos 2021 Threat Report finds in the last quarter researchers reviewed, the average ransom payout is up 21%. The average payout is now the equivalent of $233,817.30. A year ago, the average payout was $84,116.

“Because it’s focused on business, the volume of the ransom has gone through the roof,” says Chester Wisniewski, principal research scientist at Sophos. “I think that is what is misunderstood about the impact it’s having. We’re mostly hearing about the headlines with the million-dollar ransoms. What we’re not hearing about is the $100,000 and $150,000 ransoms that are happening much more frequently.”

“You talk to an average or midsize business and they just don’t think this is going to happen to them,” he notes. But it is happening – quite frequently. Among organizations who experienced a security incident in the last year, 28% reported being hit with ransomware, the Sophos research found.

Cyber Hackers Use New Techniques

What’s making this type of attack so common and successful for criminals? Wisniewski says it’s because ransomware techniques are being driven by human input.

While many attacks used to be bot-generated, hackers are now getting intimately involved in refining their tools and techniques to evade detection by traditional security methods. They often abuse commonly used tools to disguise an active attack. Reliable mitigation strategies no longer work because these tools don’t trigger the usual red flags. Even if the hackers are stopped, they continue to find ways in until they are successful.

“Humans are unpredictable,” says Wisniewski. “Not to mention humans are tenacious. If a hacker fails, they don’t do the same thing again. They try something different and by the second or third time, they’ll get past whatever defenses are there.”

Ransomware attackers are also honing the skills needed for specific steps along the ransomware exploit chain. For example, initial access brokers may break into a computer. Once they have access, they connect with other criminals and sell that victim’s access information.

“Those are the people who are buying victims and then installing the ransomware,” said Wisniewski. “They are affiliates of the people who actually write the malware. Their job is to install it and trigger the encryption and then intimidate the victim into paying.”

From there, the criminals then loop in another person or group to launder the money collected from the victim.

“You’re dealing with highly-specialized people who are really good at their jobs,” he said. “And because of that specialization, I think that’s one of the one of the primary reasons we’re seeing an increase in success against victim companies.”

Most organizations can defend against malicious code, but a modern strategy must emphasize monitoring for malicious behaviors,  he says. To defend against malware effectively, organizations must use human-driven threat hunting and managed threat response.

The good news: Many organizations are, but there’s room for improvement. A recent Sophos report on the human element of cybersecurity found that 48% of respondents have already incorporated people-driven threat hunts in their security procedure, and nearly half (48%) plan to implement it within 12 months.

Sophos can assist you with your ransomware mitigation efforts. Find out how by visiting Sophos.com.