Ransomware is one of the biggest cyber threats organizations battle in today’s environment. According to Kroll, a Division of Duff & Phelps, ransomware was the most observed threat in 2020, accounting for over one-third of all cases as of September 1, 2020.

Notably, Kroll found that Ryuk and Sodinokibi, perennially the most observed variants in Kroll’s cases, were joined by Maze as the top three ransomware variants so far in 2020. To get some insight on ransomware trends in 2021, as well as how cybercriminals execute this type of attack, we spoke to Wade Lance, Field CTO of Illusive Networks.

Security magazine: What is your title and background?

Lance: I am the field CTO at Illusive Networks, and I have an extensive background in advanced cyber-attack detection and endpoint solutions, with a specialty in cyber deception methods and platforms. I’ve been involved with bring products and technologies to market in education, healthcare and information security for over 20 years.

Security magazine: What are your predictions on ransomware for 2021?

Lance: Unfortunately, ransomware will continue to be a growing issue in 2021. New threat actors will begin to leverage ransomware in new and creative ways, which will expand the number of organizations that are being targeted. We should expect to see more sophisticated breaching efforts like social engineering and phishing that will end with ransomware attacks. In other words, we’ll see more targeted use of ransomware. We should also expect to see increasing use of "leak and lock" attacks that combine data theft with encryption. New vertical markets that attackers haven’t given much attention to at this point are likely to become targets as well.

Security magazine: Can you explain what lateral movement looks like and how it works?

Lance: Cybercriminals infiltrate networks to get an initial “beachhead” and then systematically move within the network by moving laterally. Using various tools and methods, they look to gain more privileges that will allow them to access the most sensitive systems in the network. This process allows the attacker to gain intimate knowledge of the environment and eventually find the organization’s crown jewels.

To move laterally, attackers need two things. They need paths from one system to the next, and they need the credentials or identities that can access those systems. The need for credentials consumes a lot of their attention so they tend to use a number of different tools and methods to dig for passwords and invent new ways to compromise Active Directory and other authentication systems.  Attackers now leverage “living off the land” methods to avoid detection and make their behavior appear like normal network activity.  This approach is why attackers continue to be successful.

Security magazine: What are some steps to detecting and blocking lateral movement?

Lance:  An active defense approach can be used to trap and paralyze attackers and prevent them from succeeding in getting the valuable data they seek. This involves a combination of attack surface reduction and deception that helps limit lateral movement and provide detection of ransomware adversaries early in the attack lifecycle. 

Active reduction of the attack surface is accomplished through constant attack pathway discovery and elimination. And by using deception, ransomware attackers are redirected away from production hosts, so lateral movement attempts are detected early in the campaign before the ransomware is deployed.