Report: 60% of Security Threats Are Precursors to Ransomware


New research from Red Canary has shown that by developing robust detection coverage for the techniques that adversaries most commonly abuse, security teams can achieve deep defenses against the many threats using these techniques and the broader trends that dominate the infosec landscape.

The report is divided into three tiered sections: trends, the threats that make up those trends, and the MITRE ATT&CK® techniques used by those threats. Each section provides guidance that security teams can use to mitigate, prevent, or detect the malicious activity the report describes.

The biggest trend in 2021 was, unsurprisingly, ransomware. Counterintuitively, Red Canary doesn’t detect much ransomware itself, and the reason for that is probably the report’s main conclusion. Ransomware is almost always the final payload delivered by earlier-stage malware or activity; if you detect the threats that deliver the ransomware, you stop the ransomware before it arrives. So how do you detect those threats? Focus on the techniques adversaries are most likely to use.

[Graphic] Three ransomware-precursor threats and the ATT&CK techniques each relies on: Cobalt Strike uses PowerShell, Rundll32, and Obfuscated Files or Information; Qbot uses Ingress Tool Transfer, Masquerading, and Rundll32; SocGholish uses Masquerading, PowerShell, and Ingress Tool Transfer. Detection coverage for those techniques is what catches each threat.

Of the top 10 threats identified by Red Canary in 2021, 60% are precursors to ransomware (i.e., threats known to deliver ransomware as a follow-on payload). Even more striking, 100% of the top 10 ATT&CK techniques have been observed during a ransomware infection attempt.

For example, a significant number of ransomware infections involve the use of a command-and-control (C2) product called Cobalt Strike, the second most prevalent threat in Red Canary’s data. Cobalt Strike, in turn, uses ATT&CK techniques such as PowerShell, Rundll32, Process Injection, Obfuscated Files or Information, and DLL Search Order Hijacking, all of which are in the top 10. If you develop broad detection coverage for those techniques, you have a good chance of detecting Cobalt Strike and heading off the ransomware infections it precedes.
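To make the technique-to-threat reasoning concrete, here is an added example (not Red Canary’s code or detection analytics) that maps constructed Windows process-creation events to the ATT&CK techniques named in the graphic and reports which of the three precursor threats the observed technique set overlaps. The heuristics it uses (an encoded PowerShell command line, a Windows binary name running outside the system directories, a download cmdlet) and the sample events are assumptions for illustration.

```python
import re
from collections import Counter

# Technique-to-threat mapping taken from the article's graphic (top-10 techniques only).
THREAT_TECHNIQUES = {
    "Cobalt Strike": {"PowerShell", "Rundll32", "Obfuscated Files or Information"},
    "Qbot": {"Ingress Tool Transfer", "Masquerading", "Rundll32"},
    "SocGholish": {"Masquerading", "PowerShell", "Ingress Tool Transfer"},
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_BINARIES = {"powershell.exe", "rundll32.exe", "svchost.exe"}
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|start-bitstransfer")

def techniques_for_event(image: str, cmdline: str) -> set[str]:
    """Map one process-creation event (image path + command line) to the ATT&CK
    techniques it evidences. Heuristics are illustrative assumptions, not Red Canary's."""
    image_l, cmd_l = image.lower(), cmdline.lower()
    name = image_l.rsplit("\\", 1)[-1]
    found = set()
    if name == "powershell.exe":
        found.add("PowerShell")
        if re.search(r"\s-e(c|nc|ncodedcommand)?\b", cmd_l):  # -EncodedCommand hides the script body
            found.add("Obfuscated Files or Information")
        if DOWNLOAD_CRADLE.search(cmd_l):
            found.add("Ingress Tool Transfer")
    if name == "rundll32.exe":
        found.add("Rundll32")
    if name in WINDOWS_BINARIES and not image_l.startswith(SYSTEM_DIRS):
        found.add("Masquerading")  # Windows binary name running from a non-system directory
    return found

def candidate_threats(events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Threats from the report whose technique profile overlaps the observed activity."""
    observed = set().union(*(techniques_for_event(img, cmd) for img, cmd in events))
    return {threat: sorted(observed & techs)
            for threat, techs in THREAT_TECHNIQUES.items() if observed & techs}

def technique_reach() -> Counter:
    """How many of the three threats each technique appears in (why broad coverage pays off)."""
    return Counter(t for techs in THREAT_TECHNIQUES.values() for t in techs)

# Constructed sample events, not real telemetry; the base64 blob is a harmless placeholder.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc QUJDREVGR0g="),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\update.dll,DllRegisterServer"),
    (r"C:\Users\Public\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for threat, hits in candidate_threats(SAMPLE_EVENTS).items():
        print(f"{threat}: {len(hits)}/{len(THREAT_TECHNIQUES[threat])} techniques observed -> {hits}")
```

On the sample events, Cobalt Strike's full technique profile is observed while Qbot and SocGholish each match two of three, and `technique_reach()` shows that every technique except Obfuscated Files or Information is shared by two of the three threats.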

The report is based on an analysis of the more than 30,000 confirmed threats detected in Red Canary’s customer base in 2021.

Read the full report from Red Canary.

