
Busting Ransomware’s Billion-Dollar Boom with Network Observability and Security

by Mal Fitzgerald

Ransomware-as-a-service (RaaS) is the first example of a specific threat becoming a financially viable business model. The subscription model approach has propelled ransomware to be one of the most pervasive cyber threats of our time, evolving over the last decade to include mainstream SaaS capabilities that enable user success, such as 24/7 helpdesk support, training, and documentation. 

Initially, ransomware victims hesitated to pay the ransom because cybercriminals were not reliably restoring access to ransomed data. Now, business is booming as threat actors follow through on their promises in exchange for larger payouts. The latest research indicates that ransomware payments in 2024 are on track to hit or even exceed $1 billion globally – a record first reached in 2023. 

So, why has ransomware remained a thorn in the side of organizations for so long, and what can you do to improve your detection of and response to ransomware before you have to pay massive ransoms or suffer a catastrophic loss of data?

Some technology megatrends can help explain ransomware’s success:

The cloud has massively increased your attack surface. Before the mass migration to the cloud, network architectures had clear lines of access between trusted and untrusted networks. This meant easier management of access and control of all of your network assets. However, as more organizations adopted a multi-cloud strategy, cloud resources became the biggest targets for cyberattacks. 

    • The top targets are SaaS applications (31%), Cloud Storage (30%), and Cloud Management Infrastructure (26%).
    • The leading causes include human error and misconfiguration (31%) and exploiting known vulnerabilities (28%). 

Vulnerability management is hard. Nearly 29,000 new CVEs were published in 2023, an average of 80 per day. Even well-resourced companies can’t keep up, so they try to use threat intelligence and context data to understand which vulnerabilities pose a real threat to the organization so they can prioritize them for remediation. Meanwhile, the time to exploit vulnerabilities continues to shrink; in 25% of cases, exploits were available on the same day as the disclosure of the vulnerability itself, and 75% were exploited within 19 days. So while organizations struggle to figure out what and when to patch, threat actors are becoming more efficient.

Not every device on your network has an agent on it. Since its inception, the ransomware epidemic has been viewed as an endpoint issue and an agent as the solution. However, organizations have a complex mix of endpoints, including smartphones, printers, wireless access points, and other devices that typically can’t support an agent. There are also devices you aren’t aware of or don’t control, so you can’t put an agent on them. Ultimately, there can be hundreds or thousands of devices that go unmonitored.

Limited visibility. Your ability to defend against ransomware relies on your ability to confidently say what’s on your network. But this is hard to do when assets and workloads are spread across multiple cloud environments, each monitored by different tools. It is hard to synthesize that information to create a comprehensive picture of what is active on your network at any given time, let alone what it is doing and what’s happening to it should a threat actor make it onto your network. 

What can you do to improve detection and response of ransomware?

Once a threat actor passes through the initial infrastructure and is inside your environment, the ransomware attack begins to unfold. That’s where Netography’s compromise-centric approach to network security comes in.

The Netography Fusion® platform leverages VPC and VNet cloud flow logs to detect behavioral changes in network activity that are traditionally part of an attack pattern consistent with a ransomware campaign. Fusion aggregates and normalizes multiple sources of metadata without the burden of deploying sensors or agents:

  • Cloud flow logs from all five major cloud providers (Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, and Oracle Cloud).
  • On-prem flow logs (NetFlow, sFlow, and IPFIX) from routers, switches, and other physical or virtual devices. 
  • DNS logs from AWS Route 53 and Google Cloud.

We then enrich flow data with dozens of operational context attributes from applications and services in your tech stack to provide a real-time, contextualized picture of what is happening. The context attributes enable your SecOps, NetOps, and CloudOps teams to understand the significance of any activity without having to consult other teams or tools.

Fusion uses this enriched flow and DNS data to detect the anomalous activity that could indicate several stages of active ransomware campaigns, enabling your teams to initiate response workflows in real-time:

1. Moving through the network

Typically, we think of ransomware as moving fast because it takes no time to encrypt files. But the reality is that ransomware can lay dormant inside the network for weeks or months as the threat actor identifies where your sensitive data resides. During this time, flow data can reveal anomalous activity such as:

  • Network scanning and enumeration used to map and probe the network.
  • Unauthorized access attempts, such as SSH brute force attempts to access restricted areas and unauthorized lateral movement within the network.
  • Unusual communication patterns, such as potential botnet activity through irregular traffic patterns.

2. Gathering data

Once the threat actor locates the desired data, they typically transfer it to a known trusted file/data-sharing service for encryption. Flow data can point to activities that indicate your sensitive data is at risk:

  • Unusual data transfer rates and protocols that flag devices or ports that have never connected to network/file shares. 
  • Data harvesting, including early signs of large data access or movement to a file/data share service within the network, may be a precursor to data encryption and theft.

3. Exfiltrating data

The final step is exfiltrating the encrypted data so that the threat actor can threaten to expose the data if the victim doesn’t meet payment demands. Fusion uses flow data to spot tell-tale signs of data exfiltration: 

  • Data transfers at unusual rates and times of day.
  • The use of covert or anonymizing channels such as DNS tunneling, proxies and VPNs, and the Tor network.
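As an added example (not code from this post or from Netography's Fusion platform), the script below runs simple versions of the three stages' detections over a handful of constructed AWS VPC flow log records in the default field order: distinct ports probed per source/destination pair (scanning), rejected SSH attempts (brute force), bytes sent outside the VPC (exfiltration volume), and bytes sent to port 53 of anything but the approved resolver (DNS tunneling). The VPC CIDR, the resolver address and every threshold are assumptions chosen for the sample.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in AWS VPC flow log default format: version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOWS = """\
2 111122223333 eni-0a 10.0.1.5 10.0.2.10 51001 22 6 4 240 1700000000 1700000010 REJECT OK
2 111122223333 eni-0a 10.0.1.5 10.0.2.10 51002 22 6 4 240 1700000001 1700000011 REJECT OK
2 111122223333 eni-0a 10.0.1.5 10.0.2.10 51003 22 6 4 240 1700000002 1700000012 REJECT OK
2 111122223333 eni-0a 10.0.1.5 10.0.2.10 51004 22 6 4 240 1700000003 1700000013 REJECT OK
2 111122223333 eni-0b 10.0.1.9 10.0.2.20 40001 21 6 1 60 1700000100 1700000101 REJECT OK
2 111122223333 eni-0b 10.0.1.9 10.0.2.20 40002 80 6 1 60 1700000100 1700000101 ACCEPT OK
2 111122223333 eni-0b 10.0.1.9 10.0.2.20 40003 445 6 1 60 1700000100 1700000101 REJECT OK
2 111122223333 eni-0b 10.0.1.9 10.0.2.20 40004 3389 6 1 60 1700000100 1700000101 REJECT OK
2 111122223333 eni-0b 10.0.1.9 10.0.2.20 40005 8080 6 1 60 1700000100 1700000101 REJECT OK
2 111122223333 eni-0c 10.0.3.7 203.0.113.50 44010 443 6 600000 850000000 1700003600 1700004200 ACCEPT OK
2 111122223333 eni-0c 10.0.3.7 198.51.100.9 53535 53 17 90000 9000000 1700003600 1700004200 ACCEPT OK
2 111122223333 eni-0c 10.0.3.8 10.0.0.2 53536 53 17 20 1800 1700003600 1700003601 ACCEPT OK
"""
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed VPC CIDR; anything outside it is external
APPROVED_RESOLVERS = {"10.0.0.2"}         # assumed in-VPC resolver; DNS to anything else is suspect

def parse(text):
    """Pull the fields the detectors need out of each flow record."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        rows.append({"src": f[3], "dst": f[4], "dport": int(f[6]),
                     "bytes": int(f[9]), "action": f[12]})
    return rows

def detect(rows, scan_ports=5, ssh_rejects=4, exfil_bytes=500_000_000, dns_bytes=1_000_000):
    """Return (kind, src, dst) alerts for the three ransomware stages described above."""
    ports = defaultdict(set)    # (src, dst) -> distinct destination ports probed
    rejects = defaultdict(int)  # (src, dst) -> rejected SSH connection attempts
    egress = defaultdict(int)   # src -> bytes sent to addresses outside the VPC
    dns = defaultdict(int)      # (src, resolver) -> bytes sent to port 53 off the approved list
    for r in rows:
        ports[(r["src"], r["dst"])].add(r["dport"])
        if r["dport"] == 22 and r["action"] == "REJECT":
            rejects[(r["src"], r["dst"])] += 1
        if ip_address(r["dst"]) not in INTERNAL_NET:
            egress[r["src"]] += r["bytes"]
        if r["dport"] == 53 and r["dst"] not in APPROVED_RESOLVERS:
            dns[(r["src"], r["dst"])] += r["bytes"]
    alerts = [("scan", s, d) for (s, d), p in ports.items() if len(p) >= scan_ports]
    alerts += [("ssh_bruteforce", s, d) for (s, d), n in rejects.items() if n >= ssh_rejects]
    alerts += [("exfil_volume", s, None) for s, b in egress.items() if b >= exfil_bytes]
    alerts += [("dns_tunnel", s, d) for (s, d), b in dns.items() if b >= dns_bytes]
    return alerts
```

Calling `detect(parse(SAMPLE_FLOWS))` yields one alert per stage for the sample; in practice the thresholds would be baselined per asset rather than fixed, which is the context enrichment the post refers to.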

Between the potential for huge financial gains and dozens of active RaaS groups to contend with, ransomware attacks aren’t going away anytime soon. Fortunately, Netography’s compromise-centric approach and frictionless detection help you accelerate detection and response so that once ransomware infiltrates your network and attempts to inflict pain, you have a much greater chance of thwarting it.