Ransomware attacks are on the rise and continue to be a disruptive force affecting everything from financial institutions to higher education. Ransomware massively increased in 2021, and a new report reveals some concerning insights about it. In 2022 isn’t gonna change at all. Even it will be worse.

New data shows just how common and damaging the attacks have become—nothing new here.

Blue teamers and defenders try to prevent and “rub off” on cyber-attacks to stop ransomware attacks in any way. This post will take you into the world of Microsoft XDR and show you the various ways to protect, identify, create friction with adversaries, and minimize the attack area, thereby making Ransomware attacks isolated and minimal.

Ransomware is Here to Stay

There are many cybersecurity reports and facts from the previous year (2021), Here are some of them:

Nation-state actors engage in new reconnaissance techniques that increase their chances of compromising high-value targets. Criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services. Attackers have developed new ways to scour the internet for systems vulnerable to Ransomware.

Ransomware is the most common reason behind our incident response engagements from October 2019 through September  2020.

The Department of Homeland Security, FBI, and others have warned us all about Ransomware, especially its potential use to disrupt the 2020 elections. What we’ve seen supports the concerns they’ve raised.

Encrypted and lost files and threatening ransom notes have now become the top-of-mind fear for most executive teams.

Attack patterns demonstrate that cybercriminals know when change freezes, such as holidays, will impact an organization’s ability to make changes to harden their networks. They’re aware of business needs that will make organizations more willing to pay ransoms than incur downtimes during billing cycles in the health, finance, and legal industries.

Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system, compromising, exfiltrating data, and, in some cases, ransoming quickly, apparently believing that there would be an increased willingness to pay as a result of the outbreak. In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes.

At the same time, we also see that human-operated ransomware gangs perform massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they “bank” access – waiting for a time is advantageous to their purpose.

1 in 10 companies who faced ransomware attacks did pay the amount they were asked to while 22 percent of the companies said that they believed it was morally wrong to pay the amount no matter how crucial their data was.

While individual campaigns and ransomware families exhibited distinct attributes described in the sections below, these human-operated ransomware campaigns tended to be variations on a standard attack pattern.

Ransomware-as-a-service is a subscription that allows affiliates to use ransomware tools that are already developed to carry out ransomware attacks.

Ransomware and the tactics that hackers use to carry out attacks is evolving — but luckily, so are the defenses. In recent years, a new ransomware has been discovered, including Darkside, Conti, REvil, NetWalker, and others.

They unfolded in similar ways and generally employed the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice.

While we’ve got hundreds of Ransomware types and versions, we need to make sure that we’ve got the right tools to achieve the goals – minimize the attack surface area!

Discovery Method

How can Microsoft Defender for Cloud Apps (MDCA) assist with identifying, protecting, creating friction, and mitigating ransomware attacks? Defender for Cloud Apps Discovery analyzes traffic from any Defender for Cloud Apps integration if it is the app connector (Native integration), through CASB-Endpoint integration, and others including security ecosystem, such as zScaler integration.

So, how can we achieve the goals of identifying and mitigating Ransomware attacks? We must ensure that we’ve got the required platforms and integrations. From this point, we could create policies, notifications, and automation.

Discovery Integration

The Defender for Cloud Apps discovery methods can be via the various integration with Google, Box. This post will show the methods with Office 365 and Defender for Endpoint (CASB-Endpoint solution).

The Native Integration

The Defender for Cloud Apps

App connectors allow you to onboard the following cloud SaaS platforms and monitor your organization’s data that is being shared with each platform:

• Office 365
• Azure
• AWS
• Box
• Dropbox
• G-Suite
• Google Workspace
• Okta
• Salesforce
• ServiceNow
• And much more

For example, using App Connectors allows enabling Conditional Access App Controls.

App Controls use a reverse proxy architecture that integrates natively with Azure AD’s Conditional Access feature.

After onboarding apps, you can then create rich access management rules that behave as though the data is stored natively in Microsoft’s cloud even though it’s already left your Office 365 tenant.

Office 365 Apps from Cloud Discovery dashboard and the relevant data.

Once Microsoft Cloud App Security discovers the Office 365 apps, any file will be scanned.

If some file is infected or changes abnormally, MCAS will alert, show detailed information, and mitigate based on MCAS policies and Power Automate.

How is MCAS working with files? It’s essential to know how MCAS works with files because of the policies based on file queries.

Within Microsoft Cloud App Security, there are two scans. The first scan is called the “at rest scan,” which is ongoing and will scan your files from the oldest to the newest.

The second scan is called the “near real-time scan,” and once a file has been changed or added, it will be scanned through this queue, then it will go through the content scan engine or the third party DLP engine, and depending on what you choose after your files have been scanned.

Then it will be able to gather information and then take the appropriate governance actions when needed.

If there is a policy match, you’ll see these alerts within Microsoft Cloud App Security, so you could also get a text or email notification, and we can also send these alerts to your SIEM.

The following architecture describes the main components and actions for Data and File Control.

Now we’ve got the Cloud Discovery for Office 365, including user OneDrive for Business folders, SharePoint Online sync folders, and we know how the file works in MCAS.

We can create the MCAS policies and even add the Power Automate to mitigate the attack by specific actions.

Protect Ransomware with MCAS Policies

We need some requirements to alert and mitigate Ransomware attacks with Microsoft Cloud App Security. We need two policies – one policy for the ransomware file changes and the second for the ransomware note file.

Before starting with Microsoft Cloud App Security policies, we must make sure that we’ve got the following requirements:

• Microsoft Cloud App Security License
• Cloud DIscovery for Office 365 Apps
• OneDrive for Business for user folders (standard folders)
• Power Automate with a dedicated user.

We can continue with MCAS policies once we’ve got all those requirements.

Potential Ransomware Activity

The first policy is for infected files and alerts when a user uploads files to the cloud that might be infected with Ransomware.

The policy is based on File and Threat detection.

The filter needs to be with the following settings:

• Repeated Activity with Minimum repeated activities with 50 and within a timeframe of a 1 minute
• Count unique target files or folders per user
• The Activity matching required the following settings:
  • Activity type with upload actions
  • Files and folders name with all ransomware extension

Note: The repeated activities based on Ransomware encryption speed

Tip: Relevant Ransomware extension list

Once the extension is configured, we need to configure the alert with a specific email group and provide a Daily alert limit.

You can also send the alert to Power Automate and take action on the alert, for example, to quarantine all infected files.

The last actions are the Governance actions, and you can Suspend the user to Request the user to sign in again or Confirm the user compromised.

TIP: If you’re working with Power Automate or Governance Actions, you must ensure the policy is accurate to avoid user work disruptions.

Ransomware Note Alert

The second policy is to identify if the Ransomware put some note files with decrypt and recover instructions.

The ransomware note file is located on My document or C drive, so the alert will only occur if the ransomware note is with the OneDrive sync folder, such as My Documents.

The Ransomware Note Alert policy is based on file queries and Threat detection.

The filter will be with Single activity and upload actions for OneDrive for Business and SharePoint Online.

The Files and Folders name will be for all ransomware notes, and you can add a relevant note from the Ransomware Note.

TIP: You can check if you don’t upload a ransomware file with the Preview result.

Once you’ve configured both policies, you can carefully simulate Ransomware to ensure that both policies are configured correctly.

Once you perform a ransomware simulation, the MCAS portal’s alert will look like the following example.

In conclusion, MCAS’s policy allows ransomware identification and user mitigation without additional security tools.

Suppose there are additional security tools such as Microsoft Defender for Endpoint. In that case, you can get a different option of machine isolation and app blocking, and other prevention on the user side.

More MCAS blog-posts

References

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk.

More information at Microsoft Digital Defense Report