Date : 6-Aug-2020
Location: Kuala Lumpur

Organization:

Sophos, a global leader in next-generation cybersecurity.

Key Takeaways:

• Sophos today published a multi-part research series on the realities of ransomware, including an industry-first detailed look at new detection evasion techniques in WastedLocker ransomware attacks that leverage the Windows Cache Manager and memory-mapped I/O to encrypt files.
• A complementary article examines the evasion-centric arms race of ransomware, providing a months-long review of how cybercriminals have been escalating and markedly changing evasion techniques, tactics and procedures (TTPs) since Snatch ransomware in December 2019.  

Spokepersons:

Chester Wisniewski, principal research scientist, Sophos,said,ransomware is not going away and is growing in terms of sophistication. Human intelligence and response are critical security components to detect and neutralize early indicators that an attack is underway.  

• The combination of these changing attacker behaviors and remote and/or hybrid working environments due to the global COVID-19 pandemic is signaling an urgent need for organizations to prioritize IT security.
• Businesses also need to future-proof security implementations in anticipation of always-adapting adversaries, disintegrating boundaries and the expanded attack surface caused by COVID-19.
• WastedLocker uses a trick to make it harder for behavior based anti-ransomware solutions to keep track of what is going on: using memory-mapped I/O to encrypt a file - more info.
• Ransomware’s evasion-centric arms race.
• 5 signs you’re about to be hit by ransomware.
• The realities of ransomware: extortion goes social.
• Ransomware: why it’s not just a passing fad.
• Sophos Double-Down The Ransom Cost. 
• The Cybersecurity Landscape Is Expanding and Evolving Yet The Future Seems Uninspiring.
  

Best Practices:

• Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks
• If you need access to RDP, put it behind a VPN connection.
• Use layered security to prevent, protect and detect cyberattacks, including endpoint detection and response (EDR) capabilities and managed response teams who watch networks 24/7
• Be aware of the five early indicators an attacker is present to stop ransomware attacks.

Editor's comments:

• RDP cannot be totally disabled, otherwise,remote workforce couldn't happen. RDP should be restricted to internal network and administrators only.
• Apps must be adopt cloud as first priority,leveraging on best practice such as token-based authentication instead of session-based authentication which consists of login and password.