In my last article covering cybersecurity priorities for 2022, I talked about how Azure Sentinel has got us all excited about AI-powered cybersecurity, and the many reasons why it is our recommended solution for cloud security. Automating threat responses is high on the list of priorities as it frees up time to focus on being prepared for other threats. Which is why I want to cover ransomware, which has had a lot of publicity in the last year and clearly is a growing threat.

According to the UK National Cyber Security Centre, there were three times as many ransomware attacks in the first quarter of 2021 as there were in the whole of 2019. And research by PwC suggests that 61% of technology executives expect this to increase in 2022. Once again, we can largely blame this on the pandemic, and the growth in the amount of activity carried out online and in digital environments.

How to tackle ransomware?

Ransomware typically involves infecting devices with a virus that locks files away behind unbreakable cryptography and threatens to destroy them unless a ransom is paid, usually in the form of untraceable cryptocurrency. Alternatively, the software virus may threaten to publish the data publicly, leaving the organization liable to enormous fines.

Ransomware is typically deployed through phishing attacks – where employees of an organization are tricked into providing details or clicking a link that downloads the ransomware software (sometimes called malware) onto a computer. However, more recently, a direct infection via USB devices by people who have physical access to machines is becoming increasingly common. Worryingly there has been an increase in these types of attacks targeting critical infrastructure, including one at a water treatment facility that briefly managed to alter the chemical operations of the facility in a way that could endanger lives. Other ransomware attacks have targeted gas pipelines and hospitals.  

Education is the most effective method of tackling this threat, with research showing that employees who are aware of the dangers of this type of attack are eight times less likely to fall victim.

Azure Sentinel a cloud-native SIEM (Security Information and Event Management) platform is now able to detect potential ransomware activity using the Fusion machine learning model. Azure Sentinel uses built-in artificial intelligence (AI) technology to quickly analyse vast volumes of data across enterprise environments, hunting for potential threat actor activity.

It also employs machine learning tech known as Fusion to detect and trigger multi-stage attack alerts by identifying sets of suspicious activities and abnormal behaviour spotted at various attack stages.
Azure Sentinel couples several of these alerts to generate incidents even when there’s limited or missing information, making them highly difficult to catch otherwise.

The cloud-based SIEM now supports Fusion detections for possible ransomware attacks and triggers high severity multiple alerts possibly related to Ransomware activity detected incidents.

For instance, Azure Sentinel will generate ransomware attack incidents after detecting the following alerts within a specific timeframe on the same host:

• Azure Sentinel scheduled alerts (informational): Windows Error and Warning Events
• Azure Defender (medium): ‘GandCrab’ Ransomware was Prevented
• Microsoft Defender for Endpoint (informational): ‘Emotet’ malware was detected
• Azure Defender (low): ‘Tofsee’ backdoor was detected
• Microsoft Defender for Endpoint (informational): ‘Parite’ malware was detected

To detect potential ongoing ransomware attacks, Azure Sentinel can use the following data connectors to collect data from the following sources: Azure Defender (Azure Security Center), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, and Azure Sentinel scheduled analytics rules.

To learn more about this solution please get in touch.