Ransomware can be better dealt with, if security teams have a better and clear view of suspect behaviour on the network.

Speaking to Infosecurity, Sophos chief product officer Dan Schiappa and principal research scientist Chester Wisniewski said a lot of issues can be dealt with if they detect how tools are being used in an unpredictable manner. Wisniewski said: “So if you see Powershell or a scanner running outside of planned maintenance, or IT needs permission to run a sniffer, those are easy to detect and if the SOC knows when maintenance is happening, they know it is bad.

“This requires discipline and while most companies don’t have SOC, and need to be investigated and look into and this is most challenging for companies.”

As Sophos publishes a multi-part research series on the realities of ransomware, Wisniewski said that the state of cybersecurity means we worry less about our parents laptop than we did ten years ago, as there is less Flash and Java use, but if you are targeted with ransomware “it is a bad day and you never find out the truth on how [the attacker] got in and hard to learn from mistakes.”

Schiappa said there is more of a nation state approach being taken by the adversary, where they are more hands on and using existing tools, doing reconnaissance and finding out which data they can ransom. He said the best detection strategy is a combination of AI used in a variety of ways, including running deep learning neural network models coupled with human intelligence.

“Look at endpoint detection and response (EDR) for example, it is learning to look for indicators of compromise and a certain chain of events that allows the analyst to scale quickly,” he said.

Among the new research by Sophos, a detailed look at new detection evasion techniques used by the WastedLocker ransomware reveals the Windows Cache Manager and memory-mapped I/O are leveraged to encrypt files. In particular, it uses memory-mapped I/O to encrypt a file, making it harder for behavior based anti-ransomware solutions to keep track of what is going on.

Wisniewski said the likes of WastedLocker takes evasive tactics to a new level and in finding ways to bypass behavioral anti-ransomware tools. “This is the latest example of attackers getting their hands dirty, using new maneuvers to manually disable software as a precursor to a full blown ransomware attack.

“The longer attackers are in the network, the more damage they can inflict. This is why human intelligence and response are critical security components to detect and neutralize early indicators that an attack is underway. Organizations need to know about escalating trends and harden their perimeter by disabling remote access tools like RDP whenever possible to prevent crooks from gaining access to the network, a common denominator in many ransomware attacks that Sophos analyses.”

Wisniewski called WastedLocker the most sophisticated attack he had seen outside of those used by nation states. “Not only successful as a large dollar game, but WastedLocker is investing in being as silent as possible.”