6 Ways Intelligence Stops Ransomware

Posted: 9th December 2021

1. Intelligence finds your leaked credentials before threat actors use them.

Criminals are lazy. Rather than breaching your network directly, it is far easier to find your employees’ leaked credentials—whether stolen in past breaches or discovered in insecure databases. Threat actors compile these credentials into databases that help them in two ways.

First, criminals can use credential databases for targeting by searching them by company name. A larger number of leaked credentials for an organization suggests a higher likelihood that an employee has reused a work password for a personal account. Password reuse gives criminals an easy way into your networks.

Second, criminals hold so many credentials from the past few decades of breaches (literally tens of billions) that they can apply data science and machine learning to them. Criminals also keep huge precomputed databases called rainbow tables that they use to recover plaintext passwords from cryptographic hashes such as SHA-1.

Identity intelligence can help you find and remediate these leaked credentials before criminals or ransomware actors weaponize them. Whether through manual alerts that let you discover and investigate leaked credentials or through automated, API-ready intelligence that drives your security orchestration, automation and response (SOAR) processes, intelligence keeps your passwords private.
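An added example, not from the original post, illustrating the two points above: a precomputed hash-to-plaintext table resolves unsalted SHA-1 hashes in a single probe, while per-user salts make the same table useless, and a defender can run the same leaked corpus as a password-policy check. The wordlist and the "breach dump" are constructed stand-ins, and `is_known_leaked` is a hypothetical policy hook, not a Recorded Future API.

```python
import hashlib
import os

# Constructed stand-in for a breach-derived password corpus (not real breach data).
WORDLIST = ["password", "Welcome1", "summer2021", "letmein", "Company123"]

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> plaintext for every candidate password.
    A true rainbow table stores hash chains to save space, but the effect
    is the same: any unsalted hash in the corpus resolves in one probe."""
    return {sha1_hex(w.encode()): w for w in words}

def recover_unsalted(table, leaked_hashes):
    """Map each leaked unsalted SHA-1 hash to its plaintext, or None."""
    return {h: table.get(h) for h in leaked_hashes}

def hash_salted(password: str, salt: bytes) -> str:
    """Per-user salt prepended before hashing (SHA-1 kept only for comparison;
    a real system should use a slow KDF such as scrypt or Argon2)."""
    return sha1_hex(salt + password.encode())

def recover_salted(table, salted_hashes):
    """The same table run over salted hashes: every salt yields a different
    digest, so the precomputed work does not apply and nothing resolves."""
    return {h: table.get(h) for h in salted_hashes}

def is_known_leaked(candidate: str, table) -> bool:
    """Defender-side use of the same corpus (hypothetical policy hook): reject
    a new password whose SHA-1 already appears in the leaked set."""
    return sha1_hex(candidate.encode()) in table

# Constructed "breach dump": unsalted SHA-1 digests of three corpus passwords.
LEAKED_UNSALTED = [sha1_hex(p.encode()) for p in ("password", "summer2021", "letmein")]

def demo():
    """Run the unsalted dump and a freshly salted set against the same table."""
    table = build_lookup_table(WORDLIST)
    hits = recover_unsalted(table, LEAKED_UNSALTED)
    salted = [hash_salted(p, os.urandom(16)) for p in ("password", "summer2021")]
    misses = recover_salted(table, salted)
    return hits, misses
```

Every entry in `hits` resolves to its plaintext, every entry in `misses` stays `None`, which is exactly why a salted, slow hash is the first line of defense against leaked credential databases.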

2. Intelligence can help identify exposed servers that ransomware actors use for access.

Nothing makes a criminal smile like an open door. Modern enterprises are complex, with hundreds of possible entry points across thousands of endpoints. Intelligence can help you identify your exposed attack surface, whether from accidental exposure of internal domains, cloud storage keys committed to code repositories, or unmonitored IP address space you own that has been taken over for nefarious purposes.

Intelligence can even help identify whether these resources are being advertised as “hacked” on the criminal underground. Criminals often boast about or advertise access to certain companies or proprietary information on Tor-enabled forums and marketplaces, the so-called dark web. Proper monitoring for this type of exposure gives your security team added assurance.

3. Intelligence tracks botnet access brokers like Trickbot.

Botnet teams use tools like Trickbot to gain access to organizations and servers. Once access is established, these botnet teams serve as access brokers, selling their established access on corporate networks to ransomware teams to invade and exploit. Intelligence research teams, like our Insikt Group, track these and hundreds of other actors and tools, providing the most up-to-date information on their latest activities. 

Beyond monitoring, the latest intelligence helps teams like our Insikt Group create YARA and Sigma rules that you can deploy in your production security information and event management (SIEM) tools. These rules speed up detection of malicious tools based on their behaviors—not just their signatures—giving you intelligence that drives action in your organization.

4. Intelligence finds new vulnerability exploits before they get weaponized.

Vulnerabilities are a perpetual challenge for every organization, but not all vulnerabilities are created equal. Intelligence helps you identify and prioritize vulnerabilities based on the threat they pose to your network and technology stack. Exploited vulnerabilities mentioned on dark web criminal forums, or proof-of-concept exploit code advertised for sale, give you early warning of criminal intent to use them. Ransomware actors continually improve their malware’s access and persistence using new exploits.

Intelligence tracks real-world weaponization of vulnerability exploits, for example through our proprietary harvesting of code samples and our malware sandbox, which show which exploits are appearing in the wild. Risk scoring that shows you which vulnerabilities are being actively exploited helps you patch before a breach.

5. Intelligence hunts ransomware tools on your network to detect them fast.

If ransomware actors get into your network, speed is essential to defense. Earlier in this post we discussed how intelligence can help you discover and defend against ongoing attacks by supporting threat hunting efforts. But ongoing attacks are often enabled by external command and control (C2) infrastructure.

Intelligence can provide immediate, up-to-date context on malicious infrastructure, such as ransomware C2 IP addresses or IP addresses that appear to be serving malicious content. At-a-glance context, like our Risk Rules, can save your security operations team precious moments when defending against ransomware attacks.

6. Intelligence finds and tracks victims so you can have confidence in your supply chain.

Unfortunately, ransomware continues to be a plague threatening nearly every organization around the world. Intelligence can help you identify the numerous victims of ransomware attacks and bolster your security team’s efforts to ensure a secure supply chain. For example, our Third Party Intelligence can track companies in your supply chain, from vendors and partners to potential merger and acquisition targets, illuminating possible security flaws or cyber attack events such as ransomware attacks for further investigation by your security teams. And our Insikt Group continually tracks, and even interviews, the criminals behind ransomware gangs to give you and your team the best insights into their intentions and activities.

Intelligence is a powerful way to drive prevention efforts against ransomware while strengthening your security efforts overall. At Recorded Future, our mission is to enable defenders, and we believe intelligence can be one of the most substantial tools in your arsenal.

To learn more about the state of ransomware going into 2022, view our webinar, "What Intelligence Tells Us About Ransomware in 2021 — And What to Expect Next."