On Friday, 12 May 2017, a computer virus called #WannaCry spread across the world. It encrypted data on infected machines and demanded ransom payments to decrypt it. According to the Department of Health and NHS England, at least 34% of trusts in England were disrupted by the attack.
#Ransomware is software that holds data hostage and demands payment for its release. If the victim pays the ransom, access to the affected computer networks, mobile devices, and servers is unlocked. Educational institutions, government agencies, and hospitals are frequent targets. Ransomware comes in many forms; crypto ransomware and locker ransomware are the two main types. Phishing is one of the most common delivery methods: specially crafted emails urge recipients to open attachments or download documents. Ransomware installed through this action can take over the computer and spread through the whole network, locking out every user on it. The goal of a ransomware attack is to compel the victim to pay a ransom in exchange for access to their data. Payment is typically demanded in Bitcoin, a cryptocurrency that cannot be traced. Once the payment has been received, the victim is sent an unlock code or decryption file, which restores access to the data on the computer network, mobile device, or server. Infecting computers, infiltrating company networks, and stealing data are common functions of ransomware, which is a form of social engineering.
Even the best security system in the world, with an up-to-date antivirus and firewall, cannot guarantee that a company's network traffic control rules will protect it from a ransomware attack. Since no single security solution offers 100% protection, a network with multiple security layers has a greater chance of catching a ransomware infection before it takes hold. A SIEM-based approach is recommended for detecting ransomware in a network, because it provides a single view of an organisation's IT environment and its security events. Based on common signs of an APT, the following recommendations show how a SIEM can be tuned to detect such an attack:
1) Monitor deviations from baseline traffic parameters. Increased traffic volume, connections to malicious IP addresses, URLs, or domains, and suspicious geographic destinations may indicate ransomware in the network. In the SIEM, establishing a network-traffic baseline for the collector and developing rules against it is key to detecting abnormal deviations from that baseline.
2) Identify escalation of user privileges and an increased number of administrator logons. A SIEM can track successful and unsuccessful attempts to log on with administrative privileges from non-admin computers, as well as a rise in the number of administrators logging on.
3) Monitor unauthorised software installations using the audit log, since all software installations, legitimate and malicious alike, are usually recorded there.
4) Monitor operating system audit logs for very high rates of file system modifications.
#Ransomware #Cybersecurity #SIEM #Protection