Detecting Ransomware: Tips and Best Practices

What is Ransomware

Recent cyberattacks have leveraged a form of malicious software (malware) known as Ransomware. Ransomware blocks an individual or group of users from accessing computer systems until a sum of money is paid, typically in the form of a cryptocurrency like bitcoin.

Ransomware Variants

Detecting ransomware is extremely difficult because there are so many different variants which are constantly evolving.  The three main types of ransomware used in recent attacks include: Encrypting Ransomware, Non-Encrypting Ransomware (Lockerware), and Doxware (Leakware or Extortionware).

  • Encrypting ransomware identifies storage systems, files, or critical databases and applies encryption to the data while withholding the decryption key or decryption application for a payment.

  • Doxware (Leakware, Extortionware) is typically difficult to detect because it relies on stealth to establish long dwell times and exfiltrate (steal) large amounts of data for extortion.

  • Lockerware does not directly apply encryption, but instead blocks access to critical systems. Attacks often aim to tamper with credential systems or breach identity systems (Active Directory, OAuth, SAML, endpoint user/password logins, administrator logins, etc.).

When a novel attack has thwarted initial detection by endpoint protection software and begins to cause direct damage to data systems, the result is immediate downtime for business critical systems.  Fast detection of data tampering and quick data recovery to the point just before the attack are critical for maintaining business continuity.

Ransomware-as-a-Service

It is typical for modern enterprise ransomware attacks to use multiple tools from a Ransomware-as-a-Service (RaaS) toolbox, chained together to take advantage of zero-days (new, unknown vulnerabilities) and unpatched systems (computer code with known security weaknesses).  RaaS offerings typically provide tooling, infrastructure, and access for clients to conduct cyberattacks in exchange for a cut of the proceeds. Since no detection system is perfect, instant recovery and early detection are essential for reducing the total impact of an attack.

Why Early Ransomware Detection is Important

Ransomware attacks usually have dwell times of 100+ days, allowing cybercriminals to conduct large scale data exfiltration.  In the recent T-Mobile attack, nearly 50 million customer records were stolen in a relatively short amount of time (7.8 million current customers and 40 million past customers), including Personally Identifiable Information (PII) such as names, birth dates, social security numbers, and driver's license numbers.  Over 100 systems were impacted during the attack, including hosts in less secure environments used for Development, QA testing, and pre-production staging. Faster ransomware detection reduces the total amount of data that can be stolen and the total business impact of an attack.

Enterprises Targeted

Recent ransomware attacks by cybercriminals have evolved from wide “spray and pray” tactics to highly coordinated “big payout” targeted attacks. The main reason for the shift is that most enterprises carry cyber insurance and the cost of downtime can be as high as $150M/day. When IT Operations and Site Reliability Engineering teams can’t quickly recover from an incident because of ransomware encryption or other core system failures, severity escalates to a Sev1 incident, where Information Security teams begin to lock down the perimeter while Business Continuity (BC) teams assess the impact.  When the estimated impact reaches 10-100x the ransom cost, paying becomes a forced path forward.

Business Data Attacks

In enterprises, the vast majority of valuable data encrypted during ransomware attacks is not in user endpoints but in databases supporting business critical applications or in siloed packaged applications.  In sectors such as healthcare, there can be hundreds of data systems that collectively store hundreds of gigabytes to petabytes of intellectual property and customer private information.  For financial institutions, losing an hour or day’s worth of transactions can be crippling to brand trust and reputation in addition to direct losses.

How to Identify Ransomware Attacks

How Can You Get a Ransomware Infection

While cyber defenders must protect against every incoming attack vector, an attacker just needs one way in anywhere on the attack surface.  Cybercriminals are more creative than ever before: they use targeted phishing campaigns to compromise employee credentials, chain multiple zero-days together, and take advantage of unpatched systems.  For enterprises, the cyber resilience plan should include fast data restoration and early detection around core business datastores, since these are the most exposed to data exfiltration and major interruptions to revenue operations.

Detecting Unusual Data Activity

Many organizations have not adopted a zero trust architecture and are still running large databases inside large perimeter-firewalled networks with shared credentials, making them extremely vulnerable to a variety of attacks. For enterprise systems, an effective way of detecting ransomware on a network is to identify rogue SQL queries and SQL injection that tamper with or delete data within databases.

Five types of SQL attacks:

  • Data Definition Language (DDL) - Drop, Alter, or Truncate commands can tamper with entire tables

  • Data Manipulation Language (DML) - Insert, Update, and Delete commands can tamper with database fields and values

  • Data Control Language (DCL) - Grant, Deny, and Revoke can modify or escalate user privileges to databases

  • Transaction Control Language (TCL) - Commit, Rollback, and Savepoint can tamper with or remove changes made to a datastore

  • Data Query Language (DQL) - Select can be used for data exfiltration of records, columns, or rows

Using a DevOps Data Platform, inspection workflows can quickly detect unauthorized changes to data, metadata, and schemas and roll back changes to virtual databases instantly, without the need to re-deploy infrastructure hosts.

Detecting Loss of Data Access

Data access to critical systems is typically lost during final ransomware detonation, after data has already been exfiltrated, or to cover a cybercriminal's tracks after being detected.  Critical applications and data services begin to fail as access to database fields, columns, rows, and systems breaks.  Service retries and reconnection attempts often flood queueing systems, causing indirect cascading service failures, and long tail P99 latencies (the latency that 99% of requests beat) climb.  During major incidents, DevOps and SRE teams with APM or monitoring tools are flooded with alert events showing anomalies across the many applications and services that depend on the core datastores.

Ransomware Detection: Best Practices

Most organizations have different methodologies for detecting Ransomware, since there is no single solution that will effectively catch every attack quickly.  Ransomware-as-a-Service (RaaS) developers are quickly adopting modern encryption, obfuscation techniques, and DevOps practices like continuous delivery, making it extremely difficult for endpoint protection solutions to identify ransomware. Since there is usually only a limited amount of data stored on a user device, protecting data in core enterprise datastores and business critical applications, where there are often petabytes of data, is crucial to business continuity.  In addition, many core data systems are not running any form of endpoint protection and have poor backup/restoration practices, so recovery from Ransomware can take days or weeks due to manual workflows.

Datastore Ransomware Detection

A modern DevOps Data Platform like Delphix makes it easy for teams working on core server side data systems to detect unauthorized data, schema, and metadata changes in enterprise databases like Oracle, SAP, MS SQL Server, MySQL, and PostgreSQL.  It’s important that teams are able to not only implement ransomware detection but also instantly recover data right up to the point prior to an incident using automated API workflows with common DevOps CI/CD pipeline tools.

Detecting Ransomware Attacks to Non-Prod Data

Detecting ransomware is critical for all organizations but the attack surface for ransomware detection is quite large.  Attacks can originate from compromised end-user devices, server systems through chained zero-days (multiple unknown exploits used together as an attack vector), application attacks using compromised credentials or compromised identity systems, or attacks on non-production database environments with reduced security and controls.

Reducing Threat Surfaces

One way of reducing the threat surface is to mask data in non-production lower environments.  In addition, changing the operating pattern of non-production databases from always-on servers to on-demand, purpose-built ephemeral instances makes data harder to steal and, when stolen, effectively worthless.  Ephemeral virtual databases can be deployed as a build and test workflow in a CI/CD pipeline where no individual user holds credentials to the database server and nobody can run open-ended SQL queries over prolonged periods of time.

Multi-Level Data Protection

Modern data platforms such as Delphix use multi-level detection to check for ransomware that has penetrated your environment and ensure that data integrity is maintained across core enterprise systems.  Detection of one or more unscheduled changes can trigger automatic data rollbacks in non-production environments or move data to an isolated recovery environment using automated CI/CD pipeline tools.

  • Block Level - Detect ransomware attacks on access to the underlying storage systems

  • File Level - Detect ransomware attacks on active and backup database files

  • Database Level - Detect ransomware attacks on database encryption such as Transparent Data Encryption (TDE)

  • Data Level - Detect ransomware data changes in fields, columns, rows, schema, and metadata

API Ecosystem

Easy to use APIs are essential for integrating multiple solutions together as part of a cyber resilience plan. For example, Delphix’s APIs can be used directly through our SaaS endpoint (https://api.delphix.com) or deployed privately within your own network using a docker image that runs a containerized API gateway to interact with engines deployed across on-prem, cloud, and hybrid environments. Outbound event-triggered hooks can be sent during unscheduled data events to notify third party DevOps monitoring tools such as Cisco AppDynamics, Dynatrace, and New Relic, or to trigger automations in ServiceNow, Jenkins, and Terraform.  Using APIs, teams can continuously deploy data inspection and verification workflows that automatically stand up hot virtual database spares with the latest version of trusted data, so applications can fail over to them quickly during incidents.

Tips for faster Ransomware Detection in Enterprise Data Systems

Detecting modern ransomware in enterprise data systems requires a new approach that focuses on quick recovery, continuous change data capture, improved data attack detection, and improved data compliance as a preventive measure.  Since most attacks have dwell times of over 23 days, the ability to inspect historical data changes and quickly recover illegitimately changed data is crucial for long term success.

  1. Identify unscheduled data structure (schemas, columns) changes

  2. Find unscheduled table metadata changes

  3. Unscheduled user/group changes and rights escalation/removal

  4. Unscheduled changes to TDE keys

  5. Unscheduled removal of whole tables, columns, rows

  6. Sudden loss of datastore access for applications

  7. Exponentially increasing sync/backup times for database systems

  8. File/Storage systems being encrypted with a new root storage key

  9. Database backup files getting additional encryption

  10. Backup system metadata/tables being deleted
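The five SQL attack categories above and tips 1 through 5 in this list both come down to the same check: classify each statement in the database audit log and flag destructive or privilege-changing statements that fall outside an approved change window or come from an unexpected principal. The script below is an added example, not Delphix code; the audit line format, the change window, the `deploy_svc` account, and the log lines are all constructed for illustration.

```python
import re
from datetime import datetime, time

# Leading keyword -> SQL category, following the five classes described in the article.
CATEGORIES = {
    "DDL": ("DROP", "ALTER", "TRUNCATE", "CREATE"),
    "DML": ("INSERT", "UPDATE", "DELETE"),
    "DCL": ("GRANT", "DENY", "REVOKE"),
    "TCL": ("COMMIT", "ROLLBACK", "SAVEPOINT"),
    "DQL": ("SELECT",),
}
# Hypothetical policy: schema, key and privilege changes are only expected from the
# deployment account during the nightly 01:00-03:00 change window.
CHANGE_WINDOW = (time(1, 0), time(3, 0))
ALLOWED_CHANGE_USERS = {"deploy_svc"}
ALERT_CATEGORIES = {"DDL", "DCL"}

def classify(statement):
    parts = statement.split()
    if not parts:
        return "OTHER"
    first = parts[0].upper().rstrip(";")
    return next((cat for cat, kws in CATEGORIES.items() if first in kws), "OTHER")

def parse_line(line):
    # Constructed audit format: "<ISO timestamp> user=<name> db=<name> sql=<statement>"
    m = re.match(r"(\S+) user=(\S+) db=(\S+) sql=(.*)$", line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group(1)), "user": m.group(2),
            "db": m.group(3), "sql": m.group(4), "category": classify(m.group(4))}

def is_unscheduled(event):
    sql = event["sql"].upper()
    # A DELETE/UPDATE with no WHERE clause rewrites a whole table (tip 5), so treat it like DDL.
    whole_table = event["category"] == "DML" and sql.startswith(("DELETE", "UPDATE")) and " WHERE " not in sql
    if event["category"] not in ALERT_CATEGORIES and not whole_table:
        return False
    in_window = CHANGE_WINDOW[0] <= event["ts"].time() <= CHANGE_WINDOW[1]
    return not (in_window and event["user"] in ALLOWED_CHANGE_USERS)

def find_unscheduled(lines):
    return [e for e in map(parse_line, lines) if e and is_unscheduled(e)]

SAMPLE_LOG = [  # constructed audit lines
    "2021-09-01T02:10:00 user=deploy_svc db=orders sql=ALTER TABLE orders ADD COLUMN note TEXT",
    "2021-09-01T14:22:05 user=app_ro db=orders sql=SELECT id FROM orders WHERE id=42",
    "2021-09-01T14:23:11 user=app_ro db=orders sql=DROP TABLE backup_catalog",
    "2021-09-01T14:23:12 user=app_ro db=orders sql=GRANT ALL ON orders TO web_user",
    "2021-09-01T14:23:13 user=app_ro db=orders sql=DELETE FROM customers",
    "2021-09-01T02:15:00 user=app_ro db=orders sql=ALTER DATABASE ENCRYPTION KEY REGENERATE",
]

if __name__ == "__main__":
    for e in find_unscheduled(SAMPLE_LOG):
        print(f"{e['ts']} {e['category']} by {e['user']} on {e['db']}: {e['sql']}")
```

The first line (a scheduled ALTER by the deployment account) and the SELECT pass; the out-of-window DROP, GRANT and whole-table DELETE, and the in-window encryption key change by an unexpected account, are reported.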

How to Find Ransomware Insurance

Recent attacks have made it much more difficult for enterprises to find Ransomware insurance in 2021.  According to Fitch Ratings, the cost of standalone cyber coverage increased 29% in 2020. This reflects both the increased demand for cyber protection and the loss ratio climbing over 25% year-over-year in 2020 to 72.8%. Although ransomware insurance can help to cover incident costs, rising premiums or cancelled policies because of high enterprise risk factors can put policies out of reach economically. We recommend that organizations invest in modernizing systems and in the necessary protection systems to reduce overall risk and impact during ransomware attacks.

FBI Ransomware Warning

The recent rise in crippling cyberattacks has led the FBI to issue a warning to organizations that paying ransoms, directly or through cyber insurance plans, to sanctioned countries on the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) list can incur major fines.  Recent cyber attacks led FBI director Christopher Wray to ask Congress for an additional $40M in funding for Cybersecurity.  In comparison, REvil alone collected $100M in the first 6 months of 2021.

Types of Coverage

Since the cost of a single Ransomware incident can be substantial without insurance, most organizations carry some form of cyber insurance. Unfortunately, not all policies are created equal and getting comprehensive coverage is extremely expensive. We instead recommend that organizations prepare for incidents by augmenting their insurance plans with a comprehensive ransomware protection solution to mitigate incident impact prior to an incident.

Four types of coverage you should have

  • Data Recovery - When data is encrypted by ransomware, data recovery and systems restoration are necessary to resume business operations.  Policies often cover the cost of data restoration by third-party specialists to reduce incident downtime.

  • Business Interruption - According to Coveware Inc, the average downtime for an attack is 23 days as of Q2 2021. Lost revenue during downtime can reach over $100M per day for some enterprises during ransomware attacks.

  • Data Exfiltration - Over 80% of incidents include data theft.  The cost of incident response and investigation of breaches can be substantial without insurance. This often includes the cost of managing disclosure, liability, and other risks when sensitive data is exposed.

  • Supply Chain Interruption - Recent attacks like the $50M ransomware attack on Quanta, an Apple supplier, demonstrated that suppliers as well as managed software vendors like Kaseya are susceptible to cyberattacks.  Dependent business interruption coverage protects against risks from dependence on third-party systems.

DevOps Data Platform for Ransomware Protection

Since there is no all-encompassing solution that solves every aspect of Ransomware Protection, most organizations find themselves using a variety of products and vendors as part of their cybersecurity strategy.  All of these tools must provide APIs so they can be integrated into the ecosystem of point solutions that DevOps and Information Security teams are using.

The Delphix DevOps Data Platform uses an API first approach that focuses on four key pillars for Ransomware Protection:

Continuous Data Protection

Data is continuously synchronized up to the second or transaction boundary to immutable Data Vaults where locked retention policies prevent data tampering or deletion. Data can be instantly recovered to reduce Recovery Point Objective (RPO) and Recovery Time Objective (RTO) during ransomware and cyberattacks by 10-100x.

Continuous Recovery

Minimize application downtime with instant data recovery using Delphix.  Using APIs, InfoSec teams can shift from reactive postures to proactive inspection, verification, and deployment of data to improve cyber resilience.  Teams can now quickly deploy data alongside applications and infrastructure in isolated recovery environments using APIs without the need for manual processes during incidents.

Continuous Detection

Integrate with APM and SIEM platforms or deploy custom workflows to detect issues automatically and re-deploy data using APIs with CI/CD pipeline tools such as Jenkins, Terraform, Chef, and CloudFormation.

Continuous Compliance

Prevent data exfiltration from non-production environments by masking data and rendering it useless to cybercriminals.  Keep production and lower environments such as Dev, QA, and Testing in sync with fresh, compliant data so that teams can quickly deploy application updates, patches, and security fixes.

Contact us to get started with Delphix’s free 90 day ransomware resilience plan.