Insider or outsider: the ransomware conundrum

Security operations teams in large organisations around the world are struggling to defend their networks against ransomware, whether from targeted human-operated attacks or from highly automated opportunistic campaigns. Some of these threats target particular companies, spear-phishing key people or actively scanning their networks for vulnerabilities. Others adopt a spray-and-pray approach, such as sending malicious résumés to human resources teams or mass-scanning the whole internet as soon as new vulnerabilities are disclosed and actionable.

The global ransomware supply chain is becoming increasingly advanced and optimised for attackers. In some cases, one group conducts the phishing attacks or exploits vulnerabilities to gain initial access, then sells that access to cybercriminals and fraudsters who want to ransom businesses or steal their data. Once adversaries are inside a network, they escalate privileges and move towards their target just as an insider threat would. They use the same tools and commands a disgruntled system administrator might use to encrypt the entire company network or exfiltrate data.

The only difference is that, in the early stages, they are not yet authenticated and do not hold legitimate credentials. Attackers therefore immediately seek to escalate privileges and move laterally to the systems that matter. In ransomware attacks, they race to obtain administrative-level credentials, which let them very quickly broadcast malicious software to lock up key portions, or even all, of a corporate network. Understanding how privilege escalation and lateral movement work is crucial, because these techniques are how ransomware groups gain administrative rights, and behavioural analysis solutions cannot detect many of the key approaches.

“The goal of an external attacker is to become authenticated traffic on a network. Once they do that, it’s very difficult to differentiate them from legitimate authenticated traffic,” says Jason Crabtree, co-founder and chief executive of technology company QOMPLX.


“Authentication is fundamental to understanding who is doing what on a network, and whether or not actions and activities are being taken by the appropriate people. But simple perimeter hygiene and edge-hardening activities will not prevent ransomware attacks. Though important, multi-factor authentication is also insufficient on its own because of the plentiful ways of bypassing it, especially within enterprises that have directory services and single sign-on enabled, which is practically all of them.”

QOMPLX looks at all of the details associated with who did what to whom in the network, recording and validating every single log-on or authentication event. “We do that with a finer-grain comb than any other provider,” says Crabtree. “We don’t just have the metadata, but we also analyse and validate things like the Kerberos protocol with stateful streaming analytics.”
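The following is an added illustration of what "stateful" validation of authentication events means in practice; it is example code written for this page, not QOMPLX's product or its method. It replays a constructed, simplified log of two real Windows security event types (4768, a TGT issued by the KDC, and 4769, a service ticket requested) and keeps per-account state across the stream, so it can raise two kinds of inconsistency that per-event rules cannot: a service ticket request for an account that was never issued a TGT in the observed window (the protocol requires one, so a forged or injected ticket is a plausible explanation), and one account requesting tickets for many distinct services in a few minutes, the fan-out pattern of lateral movement described above. The log format, the account and host names, and the thresholds are all assumptions.

```python
"""Stateful validation of Kerberos authentication events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified log format (not real Windows event log syntax):
#   timestamp|event_id|account|service|client_ip
# 4768 = TGT issued by the KDC, 4769 = service ticket requested.
SAMPLE_LOG = """\
2024-03-04T08:00:00|4768|alice|krbtgt|10.0.0.5
2024-03-04T08:00:02|4769|alice|cifs/fileserver01|10.0.0.5
2024-03-04T08:01:00|4769|svc_backup|cifs/fileserver01|10.0.0.9
2024-03-04T08:05:00|4768|bob|krbtgt|10.0.0.7
2024-03-04T08:05:10|4769|bob|cifs/ws01|10.0.0.7
2024-03-04T08:05:20|4769|bob|cifs/ws02|10.0.0.7
2024-03-04T08:05:30|4769|bob|cifs/ws03|10.0.0.7
2024-03-04T08:05:40|4769|bob|cifs/ws04|10.0.0.7
2024-03-04T08:05:50|4769|bob|cifs/ws05|10.0.0.7
"""


@dataclass(frozen=True)
class AuthEvent:
    time: datetime
    event_id: int
    account: str
    service: str
    client_ip: str


def parse_event(line: str) -> AuthEvent:
    """Parse one line of the constructed format above."""
    ts, eid, account, service, ip = line.strip().split("|")
    return AuthEvent(datetime.fromisoformat(ts), int(eid), account, service, ip)


class KerberosStateTracker:
    """Judges each 4769 against what the stream has shown so far for that
    account, rather than in isolation. Thresholds are assumed values."""

    def __init__(self, tgt_lifetime=timedelta(hours=10),
                 lateral_window=timedelta(minutes=5), lateral_threshold=5):
        self.tgt_lifetime = tgt_lifetime
        self.lateral_window = lateral_window
        self.lateral_threshold = lateral_threshold
        self.last_tgt = {}                        # account -> time TGT issued
        self.recent_services = defaultdict(list)  # account -> [(time, service)]
        self.lateral_alerted = set()              # avoid repeating one alert
        self.alerts = []

    def process(self, ev: AuthEvent) -> None:
        if ev.event_id == 4768:
            self.last_tgt[ev.account] = ev.time
            return
        if ev.event_id != 4769:
            return
        # Check 1: a service ticket request presupposes a TGT issued earlier.
        # No TGT on record, or one older than the domain's TGT lifetime,
        # is inconsistent with the protocol as observed in these logs.
        issued = self.last_tgt.get(ev.account)
        if issued is None or ev.time - issued > self.tgt_lifetime:
            self.alerts.append(("service_ticket_without_tgt",
                                ev.account, ev.service, ev.time))
        # Check 2: one account fanning out to many distinct services within
        # a short window, the shape of lateral movement from a single foothold.
        hist = self.recent_services[ev.account]
        hist.append((ev.time, ev.service))
        hist[:] = [(t, s) for t, s in hist if ev.time - t <= self.lateral_window]
        distinct = {s for _, s in hist}
        if (len(distinct) >= self.lateral_threshold
                and ev.account not in self.lateral_alerted):
            self.lateral_alerted.add(ev.account)
            self.alerts.append(("rapid_service_fan_out",
                                ev.account, sorted(distinct), ev.time))


def analyse(log_text: str) -> list:
    """Replay a whole log in order and return the alerts raised."""
    tracker = KerberosStateTracker()
    for line in log_text.splitlines():
        if line.strip():
            tracker.process(parse_event(line))
    return tracker.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Two caveats matter when this is run on real telemetry. Check 1 is only sound if 4768 and 4769 events from every domain controller are aggregated into one ordered stream; a TGT issued by one DC and a service ticket requested from another is legitimate, and seeing only one DC's log would produce false alarms. Check 2 needs a baseline per account: a backup or monitoring service account legitimately touches many hosts in a short window, so the threshold should be tuned or the account allow-listed rather than the rule switched off.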

The company then combines that Active Directory and authentication data with other data feeds from existing security appliances, allowing organisations to contextualise the information and gain a better understanding of malicious activity in their IT estate. Given the growing frequency and severity of ransomware attacks, QOMPLX has also built an elite special situations advisory services group to help large organisations respond to ransomware threats while simultaneously aiding containment, eradication, restoration and sustainable uplift of security programmes.

“QOMPLX’s special situations advisory group is really focused on helping companies get well and stay well, as opposed to incident response or simply getting an audit, assessment or pen test,” says Crabtree. “Those do not get to the core issues with sustainable programmes and practices supported by very advanced technology that provides deep amounts of visibility and a single source of truth.

“That truth has to be continually updated and remain ground truth, rather than outdated risk registers, which are often very optimistic views of the health and state of a network or security programme. Organisations can then look at contextual challenges to re-authenticate, including with active measures triggered by our platform, like biometric multi-factor re-authentication requests, but doing that before the basics is foolish because it’s easily bypassed if the fundamentals aren’t right.”

For more information please visit