DFIR, Simple: Track Ransomware Attacks

Ransomware has long been on everyone’s mind and part of daily news coverage. Oneconsult’s Digital Forensics and Incident Response specialists are regularly asked to present background information on such cyber attacks, discuss them and address the current threat situation. A central element is to show that all industries, company sizes and private individuals are affected by ransomware attacks and the associated risks.

You can use the following references to find out more about the current activities of ransomware groups.

Where Can I Find Information on New Ransomware Attacks?

Twitter is a particularly good place to keep up to date on ransomware groups. For example, the following accounts tweet about the latest suspected and verified attacks:

A search for the Twitter hashtag #ransomware brings to light many more posts and opinions on the topic. But beware: the sheer volume of new tweets can quickly become overwhelming and steal valuable time from actually defending yourself against such threats.

As a middle ground, the weekly article series “The Week in Ransomware” by BleepingComputer.com is recommended. It summarises the current trends and provides an up-to-date overview of the most interesting ransomware attacks – ideal reading at the beginning of the week.

Which Ransomware Group Did It?

Have you ever wondered which ransomware group was responsible for an attack? In addition to many paid intelligence services, ransom.wiki and ransom-db.com allow you to search for the names of affected organisations free of charge. As a result, you get the name of the responsible ransomware group in addition to various meta-information.

How Can I Use This Knowledge for My IT Security Activities?

The list of companies currently affected by ransomware is a valuable tool for raising awareness about cyber security. Opening Twitter live during a presentation and discussing the latest news is particularly effective. The ransomware statistics page of ransom-db.com is also good for this purpose, as it gives a rough impression of the scale of the challenge and the current situation.

By observing which ransomware groups are particularly prevalent or active in your industry, you can enhance your protection measures. Various security companies and government organisations publish information on TTPs (Tactics, Techniques, and Procedures) and IOCs (Indicators of Compromise) for many of the known ransomware groups. You can then use these, for example, for the following IT security activities:

  • If you use a SIEM, you can check whether you have suitable SIEM use cases or detection rules for the TTPs described. You can ask yourself the question: Are we logging enough to be able to detect the TTPs, and do we receive an alert when we detect them?
  • You can use a Red Teaming project to simulate an attack of the relevant ransomware groups and test the interaction of your security measures.
  • The TTPs and IOCs give you indications of the attackers’ current approach. With this information – especially in combination with MITRE ATT&CK – you can identify gaps in your protection measures. Ideally, you have overlapping security mechanisms in place (e.g. anti-malware software and security monitoring) that can identify any attacker activity, make it more difficult and trigger an alarm.
  • In an incident response exercise, you can dry run the response to a successful compromise by these ransomware groups. This allows you to test your organisation’s readiness and practice with your incident response team how to effectively deal with an attack.
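One way to act on the first and third points above, as an added example that is not Oneconsult's code: a small Python check that maps a ransomware group's published ATT&CK technique IDs against your SIEM rule catalogue and reports which techniques have no live detection. The group TTP profile, rule names and log source names below are constructed for illustration; in practice the technique IDs come from a vendor or government TTP report and the rule tags from your own SIEM or Sigma rule set.

```python
"""Coverage check: published ransomware TTPs vs. existing SIEM detection rules.

Added example, not Oneconsult's code. All rules, log sources and the group
TTP list are constructed; the technique IDs are real ATT&CK identifiers.
"""
from dataclasses import dataclass


@dataclass
class DetectionRule:
    name: str
    techniques: frozenset   # ATT&CK technique IDs the rule is tagged with
    log_source: str         # which log feed the rule needs, e.g. "sysmon"
    enabled: bool = True


def coverage_report(group_ttps, rules, ingested_sources):
    """Return (covered, gaps): covered maps technique -> live rule names,
    gaps maps technique -> why nothing would fire.

    A technique only counts as covered when an ENABLED rule tags it AND the
    rule's log source is actually ingested. A rule without logs behind it is
    the "are we logging enough?" problem the text raises.
    """
    covered, gaps = {}, {}
    for tech in group_ttps:
        candidates = [r for r in rules if tech in r.techniques]
        live = [r.name for r in candidates
                if r.enabled and r.log_source in ingested_sources]
        if live:
            covered[tech] = live
        elif not candidates:
            gaps[tech] = "no detection rule"
        elif not any(r.enabled for r in candidates):
            gaps[tech] = "rule exists but is disabled"
        else:
            gaps[tech] = "rule exists but its log source is not ingested"
    return covered, gaps


# Constructed TTP profile in the style of a public ransomware report.
GROUP_TTPS = ["T1059.001", "T1003.001", "T1021.001", "T1490", "T1486"]

RULES = [  # constructed rule catalogue
    DetectionRule("Encoded PowerShell command line", frozenset({"T1059.001"}), "sysmon"),
    DetectionRule("LSASS memory access", frozenset({"T1003.001"}), "sysmon"),
    DetectionRule("Shadow copy deletion", frozenset({"T1490"}), "sysmon", enabled=False),
    DetectionRule("RDP logon from new source", frozenset({"T1021.001"}), "windows-security"),
]
INGESTED = {"sysmon"}   # windows-security events are not forwarded yet

if __name__ == "__main__":
    covered, gaps = coverage_report(GROUP_TTPS, RULES, INGESTED)
    for tech, reason in gaps.items():
        print(f"GAP {tech}: {reason}")
```

Each gap line is a concrete work item: write a rule, re-enable one, or onboard the missing log source before the next exercise.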

If you would like to learn more about ransomware groups, their publications on the darknet or the current threat situation, please do not hesitate to contact us. We will be happy to share our experience and assessments with you. Please use the contact form or call us with no obligation.

About the Author

After graduating with a master’s degree in computer science (MSc ETH CS), Gregor Wegberg joined Oneconsult in January 2017. In the first three years, he worked as a penetration tester and security consultant. Since February 2020, he has been our Head of Digital Forensics & Incident Response and supports our clients in all cybersecurity topics.
