Ransomware has long been on everyone’s mind and part of daily news coverage. Oneconsult’s Digital Forensics and Incident Response specialists are regularly asked to present background information on such cyber attacks, discuss them and address the current threat situation. A central element is to show that all industries, company sizes and private individuals are affected by ransomware attacks and the associated risks.
You can use the following references to find out more about the current activities of ransomware groups.
Where Can I Find Information on New Ransomware Attacks?
Twitter is a particularly good place to keep up to date on ransomware groups. For example, the following accounts tweet about the latest suspected and verified attacks:
A search for the Twitter hashtag #ransomware brings to light many more posts and opinions on the topic. But beware: the sheer volume of new tweets can quickly become overwhelming and steal valuable time from actually defending yourself against such threats.
As a middle ground, the weekly article series “The Week in Ransomware” by BleepingComputer.com is recommended. It summarises the current trends and provides an up-to-date overview of the most interesting ransomware attacks – ideal reading at the beginning of the week.
Which Ransomware Group Did It?
Have you ever wondered which ransomware group was responsible for an attack? In addition to many paid intelligence services, ransom.wiki and ransom-db.com allow you to search for the names of affected organisations free of charge. As a result, you get the name of the responsible ransomware group in addition to various meta-information.
How Can I Use This Knowledge for My IT Security Activities?
The list of companies currently affected by ransomware is a valuable tool for raising awareness about cyber security. Opening Twitter during a presentation and discussing the latest reports makes a particularly strong impression. The ransomware statistics page of ransom-db.com is also good for this purpose, as it gives a rough impression of the scale of the challenge and the current situation.
By observing which ransomware groups are particularly prevalent or active in your industry, you can enhance your protection measures. Various security companies and government organisations publish information on TTPs (Tactics, Techniques, and Procedures) and IOCs (Indicators of Compromise) for many of the known ransomware groups. You can then use these, for example, for the following IT security activities:
- If you use a SIEM, you can check whether you have suitable SIEM use cases or detection rules for the TTPs described. You can ask yourself the question: Are we logging enough to be able to detect the TTPs, and do we receive an alert when we detect them?
- You can use a Red Teaming project to simulate an attack by the relevant ransomware groups and test how your security measures interact.
- The TTPs and IOCs give you indications of the attackers’ current approach. With this information – especially in combination with MITRE ATT&CK – you can identify gaps in your protection measures. Ideally, you have overlapping security mechanisms in place (e.g. anti-malware software and security monitoring) that can identify any attacker activity, make it more difficult and trigger an alarm.
- In an incident response exercise, you can dry run the response to a successful compromise by these ransomware groups. This allows you to test your organisation’s readiness and practise with your incident response team how to deal effectively with an attack.
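The SIEM and gap-analysis activities above boil down to three questions per published TTP: is the relevant log source onboarded, is there a detection rule for it, and does that rule actually alert? The following script is an added example (not Oneconsult's code) that answers them for a constructed ransomware-group TTP list; the technique IDs are real MITRE ATT&CK IDs, while the group's TTP selection, the simplified data-source labels, the onboarded log sources and the rule set are all constructed sample data.

```python
# Added example: map a ransomware group's published TTPs against your own log
# sources and detection rules to find the gaps the article describes.
# Technique IDs are real ATT&CK IDs; everything else is constructed sample data.

# Constructed: TTPs published for a hypothetical group, each with the
# (simplified) data-source label a detection would normally need.
GROUP_TTPS = {
    "T1566.001": "Email Gateway",      # spearphishing attachment
    "T1059.001": "Script Execution",   # PowerShell
    "T1021.001": "Logon Session",      # RDP lateral movement
    "T1562.001": "Process Creation",   # disable or modify security tools
    "T1490":     "Command Execution",  # inhibit system recovery
    "T1486":     "File Modification",  # data encrypted for impact
}

# Constructed: log sources the SIEM actually receives today.
LOG_SOURCES_ONBOARDED = {"Email Gateway", "Script Execution", "Process Creation", "Command Execution"}

# Constructed: detection rules, the technique each covers, and whether it alerts
# (a rule that only feeds a dashboard does not answer the article's question).
DETECTION_RULES = [
    {"name": "Phishing attachment quarantined", "technique": "T1566.001", "alerts": True},
    {"name": "Encoded PowerShell command", "technique": "T1059.001", "alerts": True},
    {"name": "vssadmin delete shadows", "technique": "T1490", "alerts": False},
]

def coverage_status(technique: str, log_source: str) -> str:
    """Classify one TTP: logging first, then rule existence, then alerting."""
    if log_source not in LOG_SOURCES_ONBOARDED:
        return "NOT LOGGED"
    rules = [r for r in DETECTION_RULES if r["technique"] == technique]
    if not rules:
        return "NO RULE"
    if not any(r["alerts"] for r in rules):
        return "NO ALERT"
    return "COVERED"

def gap_report(ttps=GROUP_TTPS):
    """Return {technique: status} for every TTP published for the group."""
    return {t: coverage_status(t, src) for t, src in ttps.items()}

def gaps(ttps=GROUP_TTPS):
    """Techniques that still need work, ordered by the earliest missing layer."""
    order = {"NOT LOGGED": 0, "NO RULE": 1, "NO ALERT": 2}
    report = gap_report(ttps)
    return sorted((t for t, s in report.items() if s != "COVERED"), key=lambda t: (order[report[t]], t))

if __name__ == "__main__":
    for technique, status in gap_report().items():
        print(f"{technique:<10} {status}")
```

The "NOT LOGGED" entries are the cheapest gaps to close and the ones a red team or incident response exercise would otherwise expose first.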
If you would like to learn more about ransomware groups, their publications on the darknet or the current threat situation, please do not hesitate to contact us. We will be happy to share our experience and assessments with you. Please use the contact form or call us with no obligation.