Blog
Informative, up-to-date and exciting - the Oneconsult Cybersecurity Blog.

DFIR, Simple: Track Ransomware Attacks

Ransomware has long been on everyone’s mind and part of daily news coverage. Oneconsult’s Digital Forensics and Incident Response specialists are regularly asked to present background information on such cyber attacks, discuss them and address the current threat situation. A central element is to show that all industries, company sizes and private individuals are affected by ransomware attacks and the associated risks.

You can use the following references to find out more about the current activities of ransomware groups.

Track Ransomware Attacks

Where Can I Find Information on New Ransomware Attacks?

Twitter is a particularly good place to keep up to date on ransomware groups. For example, the following accounts tweet about the latest suspected and verified attacks:

A search for the Twitter hashtag #ransomware brings to light many more posts and opinions on the topic. But beware, the sheer volume of new tweets can quickly get you down and steal valuable time from actually defending yourself against such threats.

As a middle ground, the weekly article series “The Week in Ransomware” by BleepingComputer.com is recommended. It summarises the current trends and provides an up-to-date overview of the most interesting ransomware attacks – ideal reading at the beginning of the week.

BleepingComputer Website
BleepingComputer Website

Which Ransomware Group Did It?

Have you ever wondered which ransomware group was responsible for an attack? In addition to many paid intelligence services, ransom.wiki and ransom-db.com allow you to search for the names of affected organisations free of charge. As a result, you get the name of the responsible ransomware group in addition to various meta-information.

ransom-db Website
ransom-db Website

How Can I Use This Knowledge for My IT Security Activities?

The list of companies currently affected by ransomware is a valuable tool for raising awareness about cyber security. It is particularly impressive to go on Twitter in a presentation and discuss the latest news. The ransomware statistics page of ransom-db.com is also good for this purpose, as it gives a rough impression of the challenge and situation.

By observing which ransomware groups are particularly prevalent or active in your industry, you can enhance your protection measures. Various security companies and government organisations publish information on TTPs (Tactics, Techniques, and Procedures) and IOCs (Indicators of Compromise) for many of the known ransomware groups. You can then use these, for example, for the following IT security activities:

  • If you use a SIEM, you can check whether you have suitable SIEM use cases or detection rules for the TTPs described. You can ask yourself the question: Are we logging enough to be able to detect the TTPs, and do we receive an alert when we detect them?
  • You can use a Red Teaming project to simulate an attack of the relevant ransomware groups and test the interaction of your security measures.
  • The TTPs and IOCs give you indications of the attackers’ current approach. With this information – especially in combination with MITRE ATT&CK – you can identify gaps in your protection measures. Ideally, you have overlapping security mechanisms in place (e.g. anti-malware software and security monitoring) that can identify any attacker activity, make it more difficult and trigger an alarm.
  • In an incident response exercise, you can dry run the response to a successful compromise by these ransomware groups. This allows you to test your organisation’s readiness and practice with your incident response team how to effectively deal with an attack.

If you would like to learn more about ransomware groups, their publications on the darknet or the current threat situation, please do not hesitate to contact us. We will be happy to share our experience and assessments with you. Please use the contact form or call us with no obligation.

About the Author

After graduating with a master’s degree in computer science (MSc ETH CS), Gregor Wegberg joined Oneconsult in January 2017. In the first three years, he worked as a penetration tester and security consultant. Since February 2020, he has been our Head of Digital Forensics & Incident Response and supports our clients in all cybersecurity topics.

All Categories
News & Advisories
Pen Tester's Diary
DFIR Analyst's Diary

Published on: 03.03.2022

Share

Never miss the latest news on cyber security topics again? Sign up for our newsletter

Autor

Keine Beschreibung verfügbar.

Related articles

Never want to miss anything again?

Subscribe to our news feed on LinkedIn and register to receive our newsletter.

Sign up for our Newsletter
Privacy Statement

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

  • What and who is affected?
  • Who discovered and reported the incident?
  • How and when was the incident noticed?
  • What did you observe?
  • What are you concerned about in connection with the incident?
  • What actions have already been taken?

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts