Ransomware detection and prevention with IBM QRadar SIEM

IBM QRadar SIEM helps detect ransomware before it can hold your data hostage

Detect and respond to ransomware

Ransomware has become one of cybercrime’s strongest business models, costing organizations billions of dollars every year. In a ransomware attack, cybercriminals steal or encrypt valuable data and then demand payment for its safe return. These attacks have evolved from a consumer-level nuisance into sophisticated malware with advanced encryption abilities, and no single industry, geography or size of business is immune.

Protecting your organization from ransomware and other types of malware requires a quick response. With every passing second, more files are encrypted and more devices are infected—driving up both the damage and the cost. IBM® QRadar® SIEM helps you detect these threats rapidly, so you can take immediate, informed action to prevent or minimize the effects of the attack.

The threat of ransomware

In the battle against ransomware, early detection and prevention are essential. QRadar SIEM offers intelligent security analytics that give you actionable insight into critical threats.

24%

of all cyberattacks are ransomware.¹

USD 5.13M

The average cost of a ransomware attack is USD 5.13 million.¹

How QRadar SIEM helps protect against ransomware
Ransomware

Ransomware, like most malware, progresses through several phases. QRadar SIEM can spot known and unknown ransomware across these phases. Early detection can help prevent damage done in later phases. QRadar provides content extensions that include hundreds of use cases to generate alerts across these phases. Content extensions are delivered through the App Exchange and enable access to the latest use cases.

Most “known” malware and ransomware can be identified in the early phases. To detect unknown ransomware, QRadar SIEM offers use cases that focus on identifying ransomware behavior.

Visibility across endpoints, application servers (both on-premises and in the cloud), and network devices such as firewalls provides comprehensive coverage. This approach enables QRadar SIEM Use Case Manager to detect ransomware behavior patterns across your IT and OT infrastructure. The Use Case Manager also helps you visualize whether you have use cases—or rules—that cover these phases by leveraging the MITRE ATT&CK matrix.

Distribution phase (MITRE ATT&CK tactics: Initial access)

Ransomware looks like other malware during this phase. It typically uses phishing techniques to lure unsuspecting employees into clicking a link or opening a file delivered by email, social media, text message or a compromised website.

Example QRadar SIEM use cases to find distribution behaviors and known ransomware:

  • File embedded in email
  • Email or web communication with hostile host
  • Suspicious email subject
Infection phase (MITRE ATT&CK tactics: Execution and persistence)

This phase is the moment when the stopwatch starts. Ransomware is now in your environment. If the ransomware used a “dropper” to avoid detection in the distribution phase, this is when the dropper calls home, downloads the “real” executable and runs it.

Example QRadar SIEM use cases to find infection behaviors:

  • Detection of a malicious file or process
  • Detection of malicious IOC
  • File decode or download followed by suspicious activity
Staging phase (MITRE ATT&CK tactics: Persistence, privilege escalation, defense evasion and credential access)

The ransomware scans the machine to work out which administrative rights it can obtain, makes itself run at boot, disables recovery mode, deletes shadow copies and more.

Example QRadar SIEM use cases to find staging behaviors:

  • Attempt to delete shadow copies, backups
  • Recovery disabled in boot configuration
Reconnaissance phase (MITRE ATT&CK tactics: Discovery, lateral movement and collection)

Now that the ransomware owns the machine, it begins reconnaissance: mapping the network for attack paths, and locating folders and files with predefined extensions, among other targets.

Example QRadar SIEM use cases to find reconnaissance behaviors:

  • Attempt to delete shadow copies, backups
  • Data transfer size limits
Encryption phase (MITRE ATT&CK tactics: Exfiltration and impact)

The real damage begins now. Common steps involve duplicating each file, encrypting the duplicates and placing them where the original files were located. The original files might be exfiltrated and deleted from the system, which allows the attackers to extort the victim with threats of making the breach public, or even to leak the stolen documents.

Example QRadar SIEM use cases to find encryption behaviors:

  • Excessive file deletion or creation
  • Suspicious number of files renamed or moved on the same machine (UNIX)
  • Data transfer size limits
Ransom notification

The damage is done and the user receives a notification on how to pay the ransom to obtain the decryption key. There is not a lot more to detect, except for the creation of the decryption instruction file.

Example QRadar SIEM use cases to find ransom notification behaviors:

  • Ransomware decryption instruction created
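As an added example (not IBM's code and not QRadar rule syntax), the following Python runs the staging, encryption and ransom-notification checks described in the three phases above over a constructed set of normalized endpoint events: shadow-copy deletion and recovery tampering, a burst of file renames that change extension on one host, and the same decryption-instruction file dropped into many folders. The event fields, host names, thresholds and patterns are assumptions for illustration; in QRadar the equivalent rules are built in Use Case Manager against log-source properties.

```python
"""Constructed example: phase-based ransomware detection over normalized
endpoint events. Event shape, hosts, thresholds and patterns are assumptions
for illustration, not QRadar rule syntax."""
import ntpath  # handles Windows-style paths regardless of the host OS
import re
from collections import defaultdict

# Staging phase: command lines that destroy shadow copies or disable recovery.
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]

# Ransom notification phase: typical decryption-instruction file names.
RANSOM_NOTE_PATTERN = re.compile(
    r"(readme|decrypt|recover|restore|how[_ -]?to).*\.(txt|hta|html?)$", re.I)


def detect_recovery_tampering(events):
    """Return (host, cmdline) for process events that delete shadow copies
    or switch off Windows recovery. Listing shadows does not match."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if any(p.search(ev["cmdline"]) for p in RECOVERY_TAMPER_PATTERNS):
            hits.append((ev["host"], ev["cmdline"]))
    return hits


def detect_mass_rename(events, threshold=20, window=60):
    """Flag hosts where at least `threshold` files changed extension within
    any `window`-second span (bulk rename to *.locked etc.). Returns the
    peak count per flagged host."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        old_ext = ntpath.splitext(ev["old"])[1].lower()
        new_ext = ntpath.splitext(ev["new"])[1].lower()
        if old_ext != new_ext:
            per_host[ev["host"]].append(ev["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def detect_ransom_note(events, min_dirs=3):
    """Flag hosts where one note-like file name is written to at least
    `min_dirs` directories: a single readme is normal, one per folder is not."""
    dirs = defaultdict(set)  # (host, file name) -> directories it was written to
    for ev in events:
        if ev["type"] != "file_create":
            continue
        directory, name = ntpath.split(ev["path"])
        if RANSOM_NOTE_PATTERN.search(name):
            dirs[(ev["host"], name.lower())].add(directory.lower())
    return {host: name for (host, name), d in dirs.items() if len(d) >= min_dirs}


def classify_hosts(events):
    """Map each host to the ransomware phases its events evidence."""
    phases = defaultdict(set)
    for host, _ in detect_recovery_tampering(events):
        phases[host].add("staging")
    for host in detect_mass_rename(events):
        phases[host].add("encryption")
    for host in detect_ransom_note(events):
        phases[host].add("ransom_notification")
    return {h: sorted(p) for h, p in phases.items()}


def sample_events():
    """Constructed events: WS-042 is infected, WS-007 is noisy but benign."""
    base = 1_700_000_000
    ev = [
        {"ts": base, "host": "WS-042", "type": "process_create",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": base + 1, "host": "WS-042", "type": "process_create",
         "cmdline": "bcdedit /set {default} recoveryenabled No"},
        {"ts": base + 2, "host": "WS-007", "type": "process_create",
         "cmdline": "vssadmin list shadows"},  # listing, not deleting
    ]
    for i in range(25):  # 25 documents renamed to .locked within ten seconds
        ev.append({"ts": base + 10 + i // 3, "host": "WS-042", "type": "file_rename",
                   "old": f"C:\\Users\\alice\\Documents\\report{i}.docx",
                   "new": f"C:\\Users\\alice\\Documents\\report{i}.docx.locked"})
    ev.append({"ts": base + 10, "host": "WS-007", "type": "file_rename",
               "old": "C:\\Users\\bob\\draft.txt", "new": "C:\\Users\\bob\\draft.md"})
    ev.append({"ts": base + 12, "host": "WS-007", "type": "file_rename",
               "old": "C:\\Users\\bob\\notes.txt", "new": "C:\\Users\\bob\\notes.bak"})
    for d in ("Documents", "Pictures", "Desktop", "Downloads"):  # note in 4 folders
        ev.append({"ts": base + 30, "host": "WS-042", "type": "file_create",
                   "path": f"C:\\Users\\alice\\{d}\\README_TO_DECRYPT.txt"})
    ev.append({"ts": base + 30, "host": "WS-007", "type": "file_create",
               "path": "C:\\Users\\bob\\project\\readme.txt"})  # one readme only
    return ev


if __name__ == "__main__":
    for host, phases in classify_hosts(sample_events()).items():
        print(host, "->", ", ".join(phases))
```

The benign host WS-007 is there to show why the page's use cases are behavioral rather than keyword matches: `vssadmin list shadows`, two ordinary renames and a single readme.txt all stay below the rule thresholds, while WS-042 is flagged in all three phases, which is the escalation signal that should drive the IR plan described later on this page.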

Use cases to find ransomware are available in the following content extensions found on the App Exchange:

Planning for a ransomware attack

After the initial infection phase, time is critical. The sooner you detect, the sooner you can initiate your incident response (IR) plan. The better the IR plan, the quicker you can stop ransomware from progressing through the phases. NIST and SANS publish IR guidelines that have withstood the test of time. Any IR plan has a few key aspects.

Backups in place. Offline backups are critical in a ransomware attack. Make sure that you know where those backups are and how to restore your systems from them. Include in your IR process the steps for who to contact for each of your critical IT assets.

Identified teams, tools and roles. As ransomware progresses through its various phases from initial infection into encryption, the composition of the response team changes. This escalation usually means more people across the organization need to get involved. Often, that might include engaging third-party services to help, or in the case of a breach, it typically means contacting legal, external regulators and customers.

Keeping an up-to-date contact list is important, but integrating those contact roles into your process is vital to an effective response. Paper and PDFs are adequate, but having the right tools and automation that give the entire team access to the ransomware response process, actions and historical documentation is key.

A well-defined process and automation. An IR process can contain many tasks and can include multiple decision points. It is a good practice to align your process with the phases outlined by NIST and SANS. For example, you can organize your IR process by the following phases:

1. Discovery and identification
2. Enrichment and validation
3. Containment and remediation
4. Recovery and communication

QRadar SOAR provides playbooks to define your IR process and automate the many actions an analyst might need to execute to progress through the phases quickly. QRadar SOAR breach response can create the necessary regulator reporting tasks based on the personal information (PI) exposed.

Inventory of IT assets, owners and PI. When a system is infected, a security analyst needs to know the system owner, its applications and its data. Asset management solutions such as ServiceNow or SAP can help manage the contacts for systems. IBM Guardium® Discover and Classify can help find data sources and the PI in each source. If a data breach occurs, analysts then know whether any regulations are involved.
