This is the latest ransomware threats and how to defend against them with Microsoft Defender and MXDR. And we’re joined by Drew Perry, chief innovation officer at Ontinue. Thank you, Drew. I’ll kick things off to you to get us started.

Yeah. Thank you, Chris, and thank you, everyone, for joining today. First of all, we’re just gonna step back a little bit in time. So ransomware as a threat has evolved quite significantly over the past ten or fifteen years. In our day-to-day role at Ontinue as a managed service provider on the Microsoft security portfolio, we’re seeing all sorts of threat actors targeting our customer base, and we are helping them successfully prevent incidents and prevent ransomware scenarios. But if we look back in time to the early days of ransomware, we’ve come a very long way. Some of us might remember the first variations of this around CryptoLocker back in 2013, where it was quite an opportunistic situation where you might have a family member or a small business with a single device that gets locked up with all those precious files and photos, and you get a ransom demand and make a payment in Bitcoin. Since then, things have evolved quite significantly, along the lines of back in the day with NotPetya and other types of malware that got released in 2017, and evolved into more of a human-operated operation, where teams and cyber gangs are working together to exfiltrate data, to sell access into companies through data brokers, or even install malware just for that initial access to be able to pass it on to someone else to do bad things in your environments. And we feel that since around 2019 or 2020, this has evolved into a massive operation, and especially what we’re seeing day to day around a lot of info stealers and that type of malware.
I’ll just point you towards a little bit of research that our very own Rhys Downing has done from our Cyber Defense Center here at Ontinue around the particular piece of malware called Lumma Stealer. So feel free to go there, read this report in much more detail, and implement some of these controls yourself to prevent yourself having a bad time. As I said, we’re stepping back about five years here to look at the ransomware threat in the pre-Ukraine-invasion days. So back then, we had a different administration in the US; we had a very different threat landscape. But fundamentally, not a lot has changed since then, where we’ve got two global superpowers almost at war, or cyber war at least. So back then, there was a lot of denying around extortion, denying around threat actors being based out of the likes of Russia. And we had a US administration that was starting to put pressure to actually do something about this threat. But really, what could they do? They could attempt to shut down the infrastructure. They could up the ante by implementing more sanctions. But really, is this going to work? Or did it work, looking back over the past five years or so? I would hazard a guess, but we’ll get into that a little bit later. But at the time there was a lot of discussion in the US around whether things should be taken up to the next level to actually disrupt the cyber gangs’ and ransomware operators’ infrastructure. So should an intelligence agency or a nation state really be targeting this infrastructure to take it down and shut things down? At the time, the US president quite simply stated yes. And what could they do? They could capture a lot of crypto keys. So if any information had been encrypted, we could very easily distribute a decryptor and unlock that before a ransom payment was made.
We could have deleted some of that stored data to prevent an extortion activity being carried out, or maybe even intercepted and collected the Bitcoin and crypto wallets where payments had been made, to actually get some restitution to redistribute those funds back to the victims. All of these are incredibly complex operations, and not that easy to carry out, even if you are at a nation-state level. So the question was, would the US and others attack these servers? The problem is, at a high level where diplomacy is involved and sanctions are involved, you’ve got to have both parties coming to the table. And like the image before, the two fists going to war here, if one’s not playing ball, it’s not really gonna work. And the response at the time from Putin was, “I haven’t received any of these reports on these cyberattacks. I don’t believe this is going on.” Basically, “I don’t know what you’re talking about.” It was pretty clear, looking back over the last five-year period, that the response is obvious when significant amounts of money are being made from the extortion activities of these cyber gangs. Ransomware operators are basically getting suitcases full of cash. Maybe that’s a bit of an exaggeration, but they’re getting significant amounts of money for doing these jobs. We are treating this as a day-to-day job, like a pen tester or like someone who’s doing an unauthorized security assessment against basically your IP addresses. And the amount of money is quite staggering. And if we look back to even 2020, the annual revenue generated from these types of activities was in the range of $350 million in that year alone. And if we look at that today, this has now grown to $850 million for these types of opportunities, these types of activities and the market associated with it.
And that’s not even factoring in, if they received these ransom payments in Bitcoin back then, how much it would have appreciated just purely from holding that crypto over time. But again, that is another story. And each of these different gangs have very similar tactics and techniques. They are mostly all going after stolen credentials, reusing those, sending phishing emails; they’re still actively probing external IP addresses and your external infrastructure for things like exposed RDP ports and SSH ports, and taking that information from the infostealer malware and then using that to simply log in to your environment if your controls are not implemented correctly. And some of these gangs, as I say, are more successful than others. But looking back, there has been quite a bit of success over the past few years in targeted takedown operations. One example is Evil Corp, or REvil, and they, through an ongoing international operation led by the NCA, were successfully taken down from an infrastructure perspective. But then from an individual perspective, they were simply sanctioned. And again, I just don’t think this is enough really to stop this type of threat. We see these operations being successful in taking down the infrastructure, but obviously another gang crops up. There’s still money to be made because payments are still being made. And things are changing in that space. Here in the UK, there are discussions around making ransom payments illegal. Again, I don’t know the pros and cons of that, or if it will actually be successful, but at least things are moving in the right direction to prevent this threat in the future. We can’t just wait for governments. We can’t just wait for sanctions to be effective, and we can’t just wait for these cyber gangs to change direction. So they’re still carrying out the same types of attacks. They’re sending those phishing emails. They’re probing your external infrastructure.
They’re landing in your environment with, and reusing, those stolen credentials, installing malware, pivoting through your environment to exfiltrate sensitive data, lock that up, and demand extortion. And we’re seeing fewer extortion attempts these days and more just maintaining that persistence for other activities. And interestingly, there’s been a lot of noise about AI assisting threat actors here. With the release of OpenAI’s open-source model, and earlier this year with the likes of DeepSeek and their models being released, and the capabilities of open source increasing from a large language model perspective, this is now finding its way into ransomware groups. But I would argue that it’s very early days, and a lot of articles and a lot of noise have been made about this AI threat of ransomware. But I still don’t think it’s actually at a point that we need to be overly concerned about an AI bot or AI agent being the main threat actor that targets you these days. Because ultimately, if this happens to your screens all around the office, you know, you’re going to have a very bad time. As I said, a lot of this can be prevented. And we leverage here at Ontinue with our customers the Microsoft security product portfolio, and very specifically Microsoft Defender XDR and Microsoft Sentinel. If you implement these controls and back it up with a lot of proactive monitoring and automation with attack disruption, you can avoid this type of situation in your environment where you’ve got major downtime, you’re in crisis mode, and your business cannot operate. And there are three ways I just want to talk about for a quick win here today. If you happen to use Defender or Microsoft Defender, if you happen to have an E3 or an E5 license, you can use a lot of these capabilities today to prevent this happening to you. And the first one I wanna talk about is implementing tamper protection.
So tamper protection in Microsoft Defender for Endpoint is a policy that you can enable to ensure that if a threat actor or someone malicious lands on an endpoint, they can’t just simply disable Defender. They can’t just disable that control and then carry out their malicious PowerShell or whatever they want. And this really makes it difficult for attackers to move forward if they can’t disable the control that’s going to get them identified. And then moving on from that, if they do happen to manage to bypass that first control around Defender for Endpoint, the second piece is enabling attack disruption. So attack disruption is where things like an endpoint will be automatically isolated under a certain scenario; anything ransomware-linked, it can do that. And to do this, you have to have a few specific things in place and configured. The first is you should have your device groups set up correctly in Defender, so all your assets are tagged, they’re all categorized, and those groups are enabled and configured correctly. And the second piece is you need to have full automation turned on for those device groups. And if you do those two things and enable attack disruption, that’s that second piece here that really locks down your environment to make sure attackers can’t move around, because they’re being disrupted. And the final thing here is actually leveraging something in Defender for Cloud around app governance. And app governance makes sure that your identities are more properly protected, and only the right applications can be used in your environment. Because what we are seeing is attackers land in that environment, they register a malicious app in Azure, they push that out or use that to steal credentials, and then silently use those permissions associated with the app to move around your environment. And it’s quite a blind spot that we see, where not everyone’s enabling the right monitoring and the right visibility to detect when that happens.
And as I say, these are just three core recommendations that you can go away with today, turn on relatively easily without too much impact, and be in a much more secure state. And then finally, if you want to take things to an entirely new level, I recommend working with a managed security provider, much like us, to get that 24/7 coverage. Here at Ontinue, we use a lot of AI and automation to speed up detection and response. We take the capabilities of Defender to an even further level to ensure that full prevention and coverage. And then we work with our customers to ensure that these controls are enabled right from the start. So if you make an investment in Microsoft security, the E5 license, we help you ensure that investment is worth it. So we work with you and give you a named cyber advisor to ensure that you’re implementing the right controls to prevent these types of cyber attacks. And ultimately, we’re here to work with you to ensure that a scenario like all your screens being locked up never occurs in your business. So that about wraps it up for today. I just want to reiterate a couple of core things there around leveraging your Defender environment, and that’s turning on that tamper protection, ensuring you’ve got your device groups set up for full automation, and then turning on that app governance to detect if malicious apps are installed and identities are being stolen that way. So let’s look across into the chat now and see if there are any questions that have dropped in.

Hey Drew, thank you for that. No questions from the chat yet, but one thing I do want to mention, I think you mentioned this a little bit, but I think it’s worth repeating: at Ontinue, with our managed XDR service, we also include an add-on service for phishing.
Just recognizing that the phishing attack vector is one of the most common routes that ransomware attackers take, and ensuring that you have taken advantage of every opportunity to configure your Microsoft 365 licenses to fully account for any kind of phishing attacks is a great way to defend against ransomware attacks.

Yeah, I agree with that, especially around this: you’ve got your security baseline configurations in Office 365, which are a good start, but there’s a lot more to be configured there to prevent phishing emails even arriving in the first place. But it also goes into the other, more preventative side of things. Like little things like ensuring that external emails have a banner on them, reminding your users that this is an external email. Or when an email arrives from someone who you don’t email often, and that warns you directly in your client there. So there are always these opportunities to add these little extra controls to lower the risk and decrease the likelihood of a successful attack. And, yeah, this is exactly the thing we do day in, day out, because yes, spear phishing and phishing emails are, again, one of the core attack vectors that ransomware operators or data brokers and initial access brokers use to get into environments and steal credentials.

Hey, Drew, one question for you. Are you seeing ransomware attackers specializing in specific industries, or specializing in any other kind of dimension around who they’re going after, who their targets are, or how they’re launching operations? Are they getting sophisticated or targeted in those ways, either by industry or some other dimension of targeting?

I think it depends on the specific group we’re talking about here. Some have quite a lot of success in certain industries and they double down on that. What we’re seeing is still quite a lot of opportunistic attacks.
We’re seeing other groups, like the likes of Scattered Spider, who are carrying out sophisticated social engineering attacks to get into companies through their help desk systems and external consultants, and then, based on that, leveraging social engineering to move around the environment. An example of that is the news that’s just come out around Jaguar being compromised by the same threat actor group that M&S was done by here in the UK recently. And again, it’s highly likely that was a sophisticated social engineering attack, but again, they’re just being quite opportunistic, even though recently a lot of their attacks have been going after companies in the retail sector. But we find that in certain industries, they group certain tools together, they have certain service providers that are common, that could be vulnerable in common ways. So to sum up, I feel that most groups are quite opportunistic still, but it really depends on who they’re targeting and what they’re going after.

Thanks. And one more question here, and this is about the question of to pay or not to pay. I think one of the issues with getting hit with ransomware has been this idea of double extortion. So you might pay, and the ransomware attacker just turns around and sells your credentials to the next highest bidder, and then you get hit again right away. So what’s your advice, or what’s your take, on when you have gotten that red screen with the skull and crossbones? How do you make that decision of whether to pay or not pay? And how do you defend yourself against a double extortion type of situation?

Yeah. I think my advice is always don’t pay. Yeah, I know the intricacies of that are much more nuanced than the reality of “we’re now losing millions a day; what can we do to get this back?” I think a lot of organizations are getting better prepared for this type of scenario. I think more and more are having better resiliency, resilience planning, better incident response plans.
And the nature of modern cloud services means you can spin things up significantly faster to rebuild at pace. So I think we’re seeing more and more companies not pay, or I’m seeing that from other incident response engagements that I’ve been aware of. And it all comes down to that resiliency thing of re-spinning up infrastructure. So if you can rebuild, do it; do not pay. But if you have to, then yeah, you’re highly likely to be double extorted. But I think even the risk of that is reducing, because the type of stuff that’s being stolen from databases, company records, company information, personal information, once it’s out there, it’s out there. And I think you can’t do a lot about it after the fact. So it’s all about that rebuilding.

Hopefully, what you’re seeing, or what you’re commenting on, means the payments to ransomware groups will start to go down over time and will diminish the persistence of this threat. Drew, thank you so much for this presentation. I think that’ll wrap us up for today. Thank you, everybody, for joining. And if you are looking for support managing your instance of Microsoft Defender, if you’re looking to get more out of your Microsoft security investments, if you’re looking for a partner who can help increase your security posture, improve your prevention, and save you time, and your ability to get value out of your existing investments, please reach out to us at ontinue.com. And I think with that, we can let everybody go a few minutes early today, and I thank you all again for joining.