The growing threat of ransomware

According to the UK National Cyber Security Centre, there were three times as many ransomware attacks in the first quarter of 2021 as there were in the whole of 2019. And research by PwC suggests that 61% of technology executives expect this to increase in 2022. Once again, we can largely blame this on the pandemic, and the growth in the amount of activity carried out online and in digital environments.

How to tackle ransomware?

Ransomware typically involves infecting devices with malicious software that locks files away behind unbreakable cryptography and threatens to destroy them unless a ransom is paid, usually in untraceable cryptocurrency. Alternatively, the attackers may threaten to publish the stolen data, leaving the organization liable to enormous fines.

Ransomware is typically deployed through phishing attacks, in which employees of an organization are tricked into providing details or clicking a link that downloads the ransomware (a form of malware) onto a computer. More recently, however, direct infection via USB devices by people with physical access to machines has become increasingly common. Worryingly, there has been an increase in these types of attacks targeting critical infrastructure, including one at a water treatment facility that briefly managed to alter the facility's chemical processes in a way that could have endangered lives. Other ransomware attacks have targeted gas pipelines and hospitals.

Education is the most effective method of tackling this threat, with research showing that employees who are aware of the dangers of this type of attack are eight times less likely to fall victim.

Microsoft Sentinel, a cloud-native SIEM (Security Information and Event Management) platform, is now able to detect potential ransomware activity using the Fusion machine learning model. Microsoft Sentinel uses built-in artificial intelligence (AI) to quickly analyse vast volumes of data across enterprise environments, hunting for potential threat actor activity.

It also employs machine learning technology known as Fusion to detect and trigger multi-stage attack alerts by identifying sets of suspicious activities and abnormal behaviour spotted at various attack stages.

Microsoft Sentinel correlates several of these alerts into a single incident even when there is limited or missing information, surfacing attacks that would otherwise be highly difficult to catch.

The cloud-based SIEM now supports Fusion detections for possible ransomware attacks and triggers high-severity incidents titled ‘Multiple alerts possibly related to Ransomware activity detected’.

For instance, Microsoft Sentinel will generate ransomware attack incidents after detecting the following alerts within a specific timeframe on the same host:

  • Microsoft Sentinel scheduled alerts (informational): Windows Error and Warning Events
  • Azure Defender (medium): ‘GandCrab’ Ransomware was Prevented
  • Microsoft Defender for Endpoint (informational): ‘Emotet’ malware was detected
  • Microsoft Defender (low): ‘Tofsee’ backdoor was detected
  • Microsoft Defender for Endpoint (informational): ‘Parite’ malware was detected

To detect potential ongoing ransomware attacks, Microsoft Sentinel can collect data through the following connectors: Defender for Cloud (formerly Azure Security Center), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Defender for Cloud Apps, and Microsoft Sentinel scheduled analytics rules.
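The point of the example incident above is that five alerts which are individually informational, low or medium severity become one high-severity incident once they land on the same host inside a short time window. The script below is an added illustration of that correlation idea, written for this article; it is not Microsoft's Fusion code (Fusion is a proprietary machine learning model, and the thresholds, alert records, host names and keyword test here are constructed assumptions). It sorts alerts per host, slides a time window over them, and raises one incident when a window holds enough alerts from enough distinct products and at least one of them mentions ransomware.

```python
"""Toy multi-alert correlation in the spirit of a Fusion-style ransomware detection.

Added example for this article; thresholds and sample alerts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    time: datetime
    host: str
    product: str     # which connector produced the alert
    severity: str    # informational / low / medium / high
    name: str


@dataclass
class Incident:
    host: str
    title: str
    severity: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def products(self) -> List[str]:
        """Distinct products that contributed alerts to this incident."""
        return sorted({a.product for a in self.alerts})


INCIDENT_TITLE = "Multiple alerts possibly related to ransomware activity detected"
RANSOMWARE_MARKERS = ("ransomware",)   # assumed keyword test; Fusion itself is an ML model

# Constructed sample alerts modelled on the article's example list: five alerts on one
# host within ~100 minutes, plus two unrelated low-value alerts on another host days apart.
SAMPLE_ALERTS = [
    Alert(datetime(2022, 1, 10, 9, 2), "ws-fin-07", "Microsoft Sentinel scheduled alerts",
          "informational", "Windows Error and Warning Events"),
    Alert(datetime(2022, 1, 10, 9, 15), "ws-fin-07", "Azure Defender",
          "medium", "'GandCrab' Ransomware was Prevented"),
    Alert(datetime(2022, 1, 10, 9, 31), "ws-fin-07", "Microsoft Defender for Endpoint",
          "informational", "'Emotet' malware was detected"),
    Alert(datetime(2022, 1, 10, 10, 4), "ws-fin-07", "Microsoft Defender",
          "low", "'Tofsee' backdoor was detected"),
    Alert(datetime(2022, 1, 10, 10, 40), "ws-fin-07", "Microsoft Defender for Endpoint",
          "informational", "'Parite' malware was detected"),
    Alert(datetime(2022, 1, 10, 9, 5), "ws-hr-02", "Microsoft Sentinel scheduled alerts",
          "informational", "Windows Error and Warning Events"),
    Alert(datetime(2022, 1, 12, 14, 0), "ws-hr-02", "Microsoft Defender for Endpoint",
          "informational", "'Emotet' malware was detected"),
]


def correlate(alerts: List[Alert], window: timedelta = timedelta(hours=2),
              min_alerts: int = 3, min_products: int = 2) -> List[Incident]:
    """Group alerts by host and slide a time window over each host's timeline.

    A window becomes a high-severity incident when it contains at least `min_alerts`
    alerts from at least `min_products` distinct products and at least one alert name
    carries a ransomware marker. Alerts that joined an incident are not reused, so
    one burst of activity yields one incident rather than several overlapping ones.
    """
    by_host: Dict[str, List[Alert]] = {}
    for alert in alerts:
        by_host.setdefault(alert.host, []).append(alert)

    incidents: List[Incident] = []
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.time)
        i = 0
        while i < len(host_alerts):
            start = host_alerts[i].time
            # Because the list is sorted, alerts inside the window form a prefix of the tail.
            cluster = [a for a in host_alerts[i:] if a.time - start <= window]
            products = {a.product for a in cluster}
            has_ransomware_signal = any(
                marker in a.name.lower() for a in cluster for marker in RANSOMWARE_MARKERS
            )
            if (len(cluster) >= min_alerts and len(products) >= min_products
                    and has_ransomware_signal):
                incidents.append(Incident(host, INCIDENT_TITLE, "high", cluster))
                i += len(cluster)   # consume the whole cluster
            else:
                i += 1
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"[{inc.severity}] {inc.host}: {inc.title}")
        for a in inc.alerts:
            print(f"    {a.time:%H:%M} {a.product} ({a.severity}): {a.name}")
```

Running it against the constructed alerts produces a single high-severity incident for ws-fin-07 built from all five alerts and four distinct products, while ws-hr-02, whose two alerts are days apart, produces nothing. Shrinking the window to twenty minutes, or dropping the 'GandCrab' alert, also produces nothing, which is the trade-off any such correlation makes: the window and the minimum-product threshold decide how much low-severity noise is tolerated before a host is promoted to an incident.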

To learn more about this solution, please get in touch.

Growth hasn’t just happened on the ransomware attack front. With more and more connected devices, the IoT is a growing threat vector. Did you know that 77% of mid- to large enterprises use insecure smart devices in work settings? Stay tuned for the next episode where I talk about cybersecurity priorities in the context of edge computing.

José Lázaro Pinos

Head of Cloud Security, Atech Cloud | Microsoft Security Solution Expert | IT Passionate | Security Sentinel