Defending Against the Latest Ransomware Attacks with NetWitness

Jul 20, 2021 | by Amy Blackshaw

Ransomware continues to be a scourge upon the world’s digital infrastructure. As noted by the Institute for Security and Technology’s Ransomware Task Force, in 2020 ransomware attacks on organizations resulted in an average of 21 days of downtime and 287 days to fully recover, with over $350 million in ransoms known to be paid and an average ransom of over $312,000. It’s easy to feel that the bad guys have gained the upper hand.

Yet, while ransomware is a particularly noxious and damaging type of cybercrime, it’s really just the latest wave in a war that’s been waged continuously since NetWitness was first developed 25 years ago.  From a cybersecurity perspective, ransomware is reliant on the same type of tactics, techniques, and procedures (TTPs) as other types of cybercrime such as economic espionage, data exfiltration, and identity theft.  It generates similar indicators of compromise (IOCs) and behavioral signatures, which can be detected and used to neutralize attacks with sophisticated tools employed by skilled threat hunters.

NetWitness customers, and our own threat hunters and researchers, understand this basic premise and battle ransomware actors continuously.  Having proactive defenses in place greatly lowers the risk of the types of substantial damages cited in the Ransomware Task Force report.  NetWitness stands shoulder to shoulder with the rest of the cybersecurity industry in sharing threat information and detection techniques, while constantly improving the platform’s ability to successfully defend against cybercrime evolutions such as ransomware.

Supply Chain Ransomware

The latest example of this evolution is supply chain ransomware, as seen in the Kaseya attack.  In this case, the infamous REvil ransomware gang combined ransomware with a supply chain attack, making it possible to attack many victims at once – a novel technique that greatly increased the impact and potential profitability of their criminal efforts.  Burying the ransomware in software from Kaseya, a provider of IT/security management solutions for managed service providers (MSPs) and small to medium businesses (SMBs), REvil was able to infect many of Kaseya’s customers, and Kaseya’s MSP customers’ customers, in a single act.

The NetWitness Platform: Defending Against Ransomware Attacks

Because ransomware, like other advanced persistent threats (APTs), must first breach a target and conduct reconnaissance to locate important assets, using well-understood tactics such as credential harvesting and network traversal, there are signals that can be targeted for detection.  Finding the attack before the ransomware is detonated is critical.

NetWitness users have a range of powerful tools available, including visibility across network packets, system logs, PC and server endpoints, and Internet of Things (IoT), across data center, cloud, and virtualized systems. This makes it extremely difficult for ransomware and other exploits to hide while performing their necessary activities. Through continuous real-world usage, NetWitness security researchers have developed a vast library of assets that help NetWitness users – and users of other systems, as intelligence sharing is a core value among cybersecurity professionals – to quickly identify new attack variants including ransomware. Some of these resources include:

The latest guide, appropriately, is Detecting and Responding to Kaseya Ransomware with the NetWitness Platform, which provides specific technical content on how to detect the Kaseya attack using the NetWitness Platform, and the specific steps to take to respond.

Summing Up

The continued use of ransomware is dominating headlines, due to its high impact and continuing innovation in things like Supply Chain Attacks and Ransomware as a Service (RaaS). And while a lot of appropriate attention is focused on geopolitical efforts to deny ransomware practitioners the safe harbor they require, it’s safe to say that ransomware – like other types of cyber-attacks – will always be with us in some form. Organizations seeking to defend themselves and reduce the risk of catastrophic outcomes can act today with a leading cyber defense platform like NetWitness.