Ransomware has become one of cybercrime’s strongest business models, costing organizations billions of dollars every year. In a ransomware attack, cybercriminals steal or encrypt valuable data and then demand payment for its safe return. These attacks have evolved from a consumer-level nuisance into sophisticated malware with advanced encryption abilities, and no single industry, geography or size of business is immune.
Protecting your organization from ransomware and other types of malware requires a quick response, because with every passing second, more files are encrypted and more devices are infected—driving up both the damage and the cost. IBM QRadar SIEM helps you detect these threats rapidly, so you can take immediate, informed action to prevent or minimize the effects of the attack.
In the battle against ransomware, early detection and prevention is essential. QRadar SIEM offers intelligent security analytics that give you actionable insight against critical threats.
of all cyberattacks are ransomware.¹
The average cost of a ransomware attack is USD 5.13 million.¹
Organizations with security AI and automation identified and contained a data breach 108 days faster.¹
Ransomware, like most malware, progresses through several phases. QRadar SIEM can spot known and unknown ransomware across these phases, and early detection can help prevent the damage done in later phases. QRadar provides content extensions that include hundreds of use cases to generate alerts across these phases. Content extensions are delivered through the App Exchange, so you can always obtain the latest use cases.
Most "known" malware and ransomware can be found in the early phases. To detect unknown ransomware, QRadar SIEM provides use cases that focus on detecting ransomware behaviors. Visibility across endpoints, application servers (on premises and cloud) and network devices (firewalls) enables QRadar SIEM Use Case Manager to detect ransomware behavior patterns that span your IT and OT infrastructure. The Use Case Manager can help you visualize whether you have use cases, or rules, that cover each of these phases by mapping them onto the MITRE ATT&CK matrix.
Ransomware looks like other malware during this phase. It uses phishing techniques to lure your unsuspecting employees into clicking a link or executable in an email, honeypot, social media post or text message.
Example QRadar SIEM use cases to find distribution behaviors and known ransomware:
This is the moment the stopwatch starts. Ransomware is now in your environment. If the ransomware used a "dropper" to avoid detection in the distribution phase, this is when the dropper calls home, downloads the "real executable" and runs it.
Example QRadar SIEM use cases to find infection behaviors:
The ransomware scans the machine to determine which administrative rights it can obtain, then makes itself run at boot, disables recovery mode, deletes shadow copies, and more.
Example QRadar SIEM use cases to find staging behaviors:
Now that the ransomware owns the machine after the staging phase, it begins reconnaissance of the network (attack paths), of folders and files with predefined extensions, and more.
Example QRadar SIEM use cases to find reconnaissance behaviors:
The real damage begins now. Typical actions include creating a copy of each file, encrypting the copies and placing the new files at the original location. The original files might be exfiltrated and deleted from the system, which allows the attackers to extort the victim with threats of making the breach public, or even to leak the stolen documents.
Example QRadar SIEM use cases to find encryption behaviors:
Damage is done and the user receives a notification on how to pay the ransom to obtain the decryption key. At this point there is not a lot more to detect, except for the decryption instruction file creation.
Example QRadar SIEM use cases to find ransom notification behaviors:
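The phase-by-phase behaviors described above, turned into a small detection pass over constructed endpoint events. This is an added example and not QRadar content or rule logic; the event format, the hostnames, the `.locked` extension and the rename-burst threshold are assumptions chosen for the sample.

```python
from collections import Counter

# Phases in the order this page describes them.
PHASES = ("distribution", "infection", "staging", "reconnaissance",
          "encryption", "ransom_notification")
# Constructed sample events, not from any real incident: (time, host, type, detail).
SAMPLE_EVENTS = [
    ("10:00:01", "ws-17", "process", "outlook.exe spawned invoice.pdf.exe"),
    ("10:00:05", "ws-17", "network", "invoice.pdf.exe connect 203.0.113.9:443 download svc.exe"),
    ("10:00:09", "ws-17", "process", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("10:00:10", "ws-17", "process", "bcdedit /set {default} recoveryenabled no"),
    ("10:00:11", "ws-17", "registry", "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd = svc.exe"),
    ("10:00:20", "ws-17", "network", "svc.exe connect 10.0.0.5:445"),
    ("10:00:21", "ws-17", "network", "svc.exe connect 10.0.0.6:445"),
] + [("10:01:%02d" % i, "ws-17", "file", "rename doc%d.docx -> doc%d.docx.locked" % (i, i))
     for i in range(8)] + [
    ("10:02:00", "ws-17", "file", "create C:\\Users\\x\\Desktop\\HOW_TO_DECRYPT.txt"),
    ("10:02:30", "ws-18", "file", "rename notes.txt -> notes.txt.locked"),  # a lone rename is normal
]

def tag_phase(kind, detail):
    """Map one event to a ransomware phase (or None). Patterns are illustrative stand-ins."""
    d = detail.lower()
    if kind == "process" and "outlook.exe" in d and d.endswith(".exe"): return "distribution"  # mail client runs attachment
    if kind == "network" and "download" in d and d.endswith(".exe"): return "infection"  # dropper fetches real payload
    if kind == "process" and ("vssadmin delete shadows" in d or "recoveryenabled no" in d): return "staging"
    if kind == "registry" and "\\run\\" in d: return "staging"  # persistence: run at boot
    if kind == "network" and d.endswith(":445"): return "reconnaissance"  # probing neighbours over SMB
    if kind == "file" and d.startswith("rename") and d.endswith((".locked", ".encrypted")): return "encryption"
    if kind == "file" and d.startswith("create") and "decrypt" in d: return "ransom_notification"
    return None

def phase_alerts(events, rename_burst=5):
    """Return {host: {phase: first_time}}. Encryption fires only after a burst of
    renames on one host, so a single legitimately renamed file does not alert."""
    alerts, renames = {}, Counter()
    for when, host, kind, detail in events:
        phase = tag_phase(kind, detail)
        if phase == "encryption":
            renames[host] += 1
            if renames[host] < rename_burst:
                continue
        if phase:
            alerts.setdefault(host, {}).setdefault(phase, when)  # keep the earliest sighting
    return alerts

def earliest_phase(alerts, host):
    """Earliest phase at which a host was caught; earlier means less damage done."""
    return next((p for p in PHASES if p in alerts.get(host, {})), None)
```

Running `phase_alerts(SAMPLE_EVENTS)` shows ws-17 caught at the distribution phase with every later phase timestamped, while ws-18 raises nothing.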
Use cases to find ransomware are available in the following content extensions found on the App Exchange (link resides outside ibm.com):
After the initial infection phase, time is critical. The sooner you detect, the sooner you can initiate your incident response (IR) plan. The better the IR plan, the quicker you can stop ransomware from progressing through the phases. NIST (link resides outside ibm.com) and SANS (link resides outside ibm.com) have IR guidelines that have withstood the test of time. There are a few key aspects of any IR plan.
Backups in place. Offline backups are critical in a ransomware attack. Make sure you understand where those backups are and how to restore your systems. Include in your IR process the steps and contacts for restoring each of your critical IT assets.
Teams, tools and roles identified. As ransomware progresses through its various phases, from initial infection into encryption, the composition of the response team changes. This usually means more people across the organization need to get involved. Often, that may include using third-party services to help or, in the case of a breach, contacting legal, external regulators and customers. Knowing who to contact and when is critical. Keeping an up-to-date contact list is important, but integrating those contact roles into your process is vital to an effective response. Paper and PDFs are adequate, but having the right tools and automation that give the entire team access to the ransomware response process, actions and historical documentation is key.
A well-defined process and automation. An IR process can contain many tasks and can include multiple decision points. It is a good practice to align your process with the phases outlined by NIST and SANS. For example, you can organize your IR process by the following phases:
QRadar SOAR provides playbooks to define your IR process and automate the many actions an analyst may need to execute to progress through the phases quickly. QRadar SOAR breach response can create the necessary regulator reporting tasks based on PI exposed.
Inventory of IT assets, owners and PI. When a system is infected, a security analyst needs to know the system owner and the applications and data on it. Asset management solutions such as ServiceNow or SAP can help manage the contacts for systems. IBM Guardium Discover and Classify can help find data sources and the PI in each source, so that in the event of a data breach, analysts know whether any regulations are involved.
The city of Los Angeles, the LA Cyber Lab and IBM joined forces to deliver threat intelligence and strengthen vulnerable local businesses.
Integrating data, analyzing logs and prioritizing incidents helps Vietnam's real estate investment and development firm detect and respond to threats.
By hosting a QRadar SIEM solution on high-performance IBM FlashSystem® storage, Data Action (DA) offers improved security to alternative banks.