Most security specialists remember the devastating NotPetya attacks that hit global companies such as Maersk, Merck, Saint-Gobain and many more. Although IT professionals (and their non-IT colleagues) are painfully aware of the threat ransomware attacks pose, these tiny, menacing pieces of code continue to cause huge disruptions, and the stakes keep growing.
Recently, several leading companies have been the target of vicious attacks carried out by the Lockbit gang. The surge of Lockbit 2.0 ransomware attacks has resulted in costly disruptions to critical IT systems and the exfiltration of sensitive financial documents and intellectual property.
This blog post walks through how Network Detection and Response (NDR) technologies such as Muninn would autonomously detect and block a fast-moving ransomware attack such as Lockbit 2.0.
Most companies already have advanced security infrastructure in place to stop attackers from entering the corporate network, and many also have log-based tools for monitoring potentially malicious network activity. Although such technologies are indispensable, they are not enough to stop the increasingly pervasive waves of ransomware attacks.
Once the threat actor breaches the first lines of defense (usually firewalls, endpoint security and spam filters) and successfully deploys the script, ransomware can spread laterally through a company in a matter of seconds, taking down entire systems. Too often, the victim organization suffers catastrophic damage that could have been avoided with network detection and response technologies that do not rely solely on rules and signatures.
Attackers tend to strike outside ordinary office hours, when security teams are less able to respond in time. Machine-speed attacks require machine-speed response capabilities that autonomously (without human guidance) detect and stop the highest-severity threats, such as ransomware.
When deployed on a network, Muninn immediately starts learning the normal behaviors of every user and device across the organization. This allows the AI-based technology to detect all behaviors and connections that deviate from legitimate business activities on the network.
Leveraging a highly developed understanding of the organization’s normal network behaviors, Muninn recognizes unusual and suspicious activities in real time, for example:
In a cyber-attack similar to those executed by the Lockbit gang, Muninn detected a vicious strain of ransomware targeting a pharmaceutical company. Although the ransomware in this instance was not Lockbit 2.0, the attack exhibited similar behaviors and therefore serves to demonstrate how Muninn would have detected Lockbit 2.0.
In this model case, Muninn immediately detected every phase of the attack, providing the security team with a full overview of the incident as it occurred. Muninn detected several indicators of compromise preceding the execution of the ransomware script, helping the company avert a full-blown crisis.
Posing as a trusted supplier, the attacker entered the organization's network via a spear-phishing email. Ransomware attacks such as Lockbit 2.0 are often delivered to companies and public entities using pandemic-themed phishing emails.
Upon breaching the first layers of defense, the attacker began scanning the network to gain a stronger foothold within the organization. Muninn detected several indicators of an ongoing ransomware attack, such as the compromise of admin credentials, unusual RDP activity, and illicit authentication attempts.
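As an added illustration (not Muninn's code or method), the following constructed example shows the baseline-then-deviation pattern the post describes: learn which destinations each device normally talks to during a quiet period, then flag a workstation that sweeps many never-seen hosts, opens RDP to a server it has never used, and accumulates failed attempts. Device names, addresses, ports and thresholds are all constructed for the example; a real deployment would baseline over days and window the counts.

```python
from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389

@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since capture start (constructed)
    src: str     # source device
    dst: str     # destination host
    dport: int   # destination port
    ok: bool     # True if the connection was accepted and authenticated

def learn_baseline(flows):
    """Learning phase: the (dst, dport) pairs each device normally talks to."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport))
    return baseline

def detect(baseline, flows, scan_threshold=5, fail_threshold=4):
    """Detection phase: per-device deviations from the learned baseline."""
    new_hosts, new_rdp, failures = defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        if (f.dst, f.dport) not in baseline.get(f.src, set()):
            new_hosts[f.src].add(f.dst)           # destination never seen for this device
            if f.dport == RDP_PORT:
                new_rdp[f.src].add(f.dst)         # first-ever RDP to this host
        if not f.ok:
            failures[f.src] += 1                  # refused connection or failed logon
    findings = []
    for src in set(new_hosts) | set(failures):
        if len(new_hosts[src]) >= scan_threshold:
            findings.append((src, "scan", len(new_hosts[src])))
        if new_rdp[src]:
            findings.append((src, "rdp_new_host", len(new_rdp[src])))
        if failures[src] >= fail_threshold:
            findings.append((src, "failed_attempts", failures[src]))
    return sorted(findings)

# Constructed sample data: a quiet learning period, then an incident window.
BASELINE = ([Flow(t, "ws-17", "fileserver", 445, True) for t in range(0, 600, 60)]
            + [Flow(t, "ws-17", "mail", 443, True) for t in range(0, 600, 120)]
            + [Flow(t, "admin-pc", "srv-01", RDP_PORT, True) for t in range(0, 600, 300)])
INCIDENT = ([Flow(700 + i, "ws-17", f"10.0.0.{10 + i}", 445, False) for i in range(8)]  # SMB sweep
            + [Flow(710 + i, "ws-17", "srv-02", RDP_PORT, False) for i in range(4)]    # failed RDP logons
            + [Flow(720, "ws-17", "srv-02", RDP_PORT, True),                           # logon succeeds
               Flow(730, "admin-pc", "srv-01", RDP_PORT, True)])                       # routine admin RDP

def run_example():
    return detect(learn_baseline(BASELINE), INCIDENT)
```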
The attack was effectively thwarted by Muninn AI-Prevent in the stages leading up to the delivery of the payload, before the threat actor managed to exfiltrate large amounts of data or encrypt business-critical files.
In recent months we have witnessed a surge in dangerous double-threat attacks such as Lockbit 2.0. The targeted organization risks not only losing its data but also having that data sold on the Dark Web if it refuses to pay the ransom, as happened in most recent Lockbit attacks.
Organizations are beginning to leverage the power of cyber-AI to detect and investigate intrusions. Increasingly, organizations are also turning to AI to autonomously respond to cyberthreats as they occur. Ransomware attacks such as Lockbit 2.0 show companies why autonomous response is necessary: fast-moving, machine-speed threats require machine-speed responses that can stifle the cyberattack before it becomes a crisis for the organization.