Connect with us

GRTech

Cybercriminals Disabled or Wiped Out Logs in 82% of Ransomware Attacks with Missing Telemetry in Cases Analyzed – Sophos Finds

“Fast” Ransomware Attacks Hinder Fast Defender Response, says Sophos in thie report by SANDRA ANI

Published

on

Sophos’ Annual State of Ransomware

38% of “Fast” Ransomware Attacks in Report Occurred within 5 Days of Initial Access

Sophos, a global leader in innovating and delivering cybersecurity as a service, has released its Active Adversary Report for Security Practitioners, which found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks.

The report covers Incident Response (IR) cases that Sophos analyzed from January 2022 through the first half of 2023.

Gaps in telemetry decrease much-needed visibility into organizations’ networks and systems, especially since attacker dwell time (the time from initial access to detection) continues to decline, shortening the time defenders have to effectively respond to an incident.

“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain an attacker makes it, the bigger the headache for responders. Missing telemetry only adds time to remediations that most organizations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organizations don’t have the data they need,” said John Shier, field CTO, Sophos.

In the report, Sophos classifies ransomware attacks with a dwell time of less than or equal to five days as “fast attacks,” which accounted for 38% of the cases studied. “Slow” ransomware attacks are those with a dwell time greater than five days, which accounted for 62% of the cases.

When examining these “fast” and “slow” ransomware attacks at a granular level, there was not much variation in the tools, techniques, and living-off-the-land binaries (LOLBins) that attackers deployed, suggesting defenders don’t need to reinvent their defensive strategies as dwell time shrinks. However, defenders do need to be aware that fast attacks and the lack of telemetry can hinder fast response times, leading to more destruction.

“Cybercriminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection. This is good news for organizations because they don’t have to radically change their defensive strategy as attackers speed up their timelines. The same defenses that detect fast attacks will apply to all attacks, regardless of speed. This includes complete telemetry, robust protections across everything, and ubiquitous monitoring,” said Shier. “The key is increasing friction whenever possible—if you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack.

“For example, in the case of a ransomware attack, if you have more friction, then you can delay the time until exfiltration; exfiltration often occurs just before detection and is often the costliest part of the attack. We saw this happen in two incidents of Cuba ransomware. One company (Company A) had continuous monitoring in place with MDR, so we were able to spot the malicious activity and halt the attack within hours to prevent any data from being stolen. Another company (Company B) didn’t have this friction; they didn’t spot the attack until a few weeks after initial access and after Cuba had already successfully exfiltrated 75 gigabytes of sensitive data. They then called in our IR team, and a month later, they were still trying to get back to business as usual.”

The Sophos Active Adversary Report for Security Practitioners is based on 232 Sophos Incident response (IR) cases across 25 sectors from Jan. 1, 2022, to June 30, 2023. Targeted organizations were located in 34 different countries across six continents. Eighty-three percent of cases came from organizations with fewer than 1,000 employees.

The Sophos Active Adversary Report for Security Practitioners provides actionable intelligence on how security practitioners should best shape their defensive strategy.

To learn more about attacker behaviors, tools and techniques, read the Active Adversary Report for Security Practitioners on Sophos.com.

GrassRoots.ng is on a critical mission; to objectively and honestly represent the voice of ‘grassrooters’ in International, Federal, State and Local Government fora; heralding the achievements of political and other leaders and investors alike, without discrimination. This daily, digital news publication platform serves as the leading source of up-to-date information on how people and events reflect on the global community. The pragmatic articles reflect on the life of the community people, covering news/current affairs, business, technology, culture and fashion, entertainment, sports, State, National and International issues that directly impact the locals.

GRTech

Sophos Named Customers’ Choice for Endpoint Protection Platforms (EPP) by Gartner

Sophos Achieved a 4.8/5.0 Rating for Both Categories and Rated as a Customers’ Choice for all Available Segments Within the Reports

Published

on

Sophos Intercept X

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced it has been named Customers’ Choice in the Gartner Peer Insights Voice of the Customer for Endpoint Protection Platforms (EPP) and Network Firewalls reports.

This achievement includes 4.8/5.0 scoring ratings in both categories. Sophos is also rated a Customers’ Choice for all available segments within the two reports.

“Winning one Gartner Customers’ Choice is a great achievement, but winning two in crucial interrelated categories is incredible and a strong reflection of our relentless focus to deliver optimal security outcomes for our customers,” said Rob Harrison, senior vice president, Product Management – SecOps and Endpoint Security. “Endpoint protection that works seamlessly with network security is a winning formula to defend against today’s innovative and persistent adversaries who are consistently devising new techniques to carry out ransomware and other potentially business-ending cyberattacks. This synergy enhances threat detection, reduces response times, and simplifies management, ultimately fortifying organizations against complex cyber threats that require proactive prevention and automated interventions at multiple points on the attack chain.”

Sophos Intercept X customer quotes from the endpoint protection platforms report include:

  • “Sophos endpoint provides the most robust anti ransomware protection in the industry,” IT manager in the manufacturing industry.
     
  • “Sophos endpoint protection combines multiple prevention techniques to reduce the attack,” IT manager in the education industry.

  • “Intercept X provides us protection against various cyber threats using its combination of signature-based, behavioral and machine learning methods enduring protection against malware, ransomware and other malicious activities,” network and security engineer in the manufacturing industry.

  • “It’s a great experience to work with Sophos Intercept X due to its robustness and unparalleled capability against any exploits and ransomware. It is truly amazing that this product works seamlessly while handling any threats at the system end,” manager in the media industry.

Sophos Firewall customer quotes from the network firewall report include:

A complimentary copy of the Gartner Peer Insights Voice of the Customer: Endpoint Protection Platforms report is available here.

A complimentary copy of the Gartner Peer Insights Voice of the Customer: Network Firewalls report is available here.

Continue Reading

GRTech

Ransomware Recovery Costs for Energy and Water Sectors Rise to $3m in 1 Year, Sophos Survey Finds

49% of Ransomware Attacks Against These 2 Critical Infrastructure Sectors Started with an Exploited Vulnerability

Published

on

Sophos’ Annual State of Ransomware

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released a sector survey report, “The State of Ransomware in Critical Infrastructure 2024,” which revealed that the median recovery costs for two critical infrastructure sectors, Energy and Water, quadrupled to $3 million over the past year.

This is four times higher than the global cross-sector median. In addition, 49% of ransomware attacks against these two critical infrastructure sectors started with an exploited vulnerability.

Data for the State of Ransomware in Critical Infrastructure 2024 report comes from 275 respondents at energy, oil and gas, and utilities organizations, which fall under the Energy and Water sectors of CISA’s 16 defined critical infrastructure sectors.

The results for this sector survey report are part of a broader, vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024 across 14 countries and 15 industry sectors.

“Criminals focus where they can cause the most pain and disruption so the public will demand quick resolutions, and they hope, ransom payments to restore services more quickly. This makes utilities prime targets for ransomware attacks. Because of the essential functions they provide, modern society demands they recover quickly and with minimal disruption,” said Chester Wisniewski, global Field CTO.

“Unfortunately, public utilities are not only attractive targets but vulnerable to attacks on many fronts, including the requirement for high availability and safety, as well as an engineering mindset focused on physical security. There’s a preponderance of older technologies configured to enable remote management without modern security controls like encryption and multifactor authentication. Like hospitals and schools these utilities are frequently operating with minimal staffing and without the IT staffing required to stay on top of patching, the latest security vulnerabilities and the monitoring required for early detection and response.”

On top of growing recovery costs, the median ransom payment for organizations in these two sectors jumped to more than $2.5 million in 2024—$500,0000 higher than the global cross-sector median.

The Energy and Water sectors also reported the second highest rate of ransomware attacks. Overall, 67% of the organizations in these sectors reported being hit by ransomware in 2024, in comparison to the global, cross-sector average of 59%.

Other findings from the report include:

  • The energy and water sectors reported increasingly longer recovery times. Only 20% of organizations hit by ransomware were able to recover within a week or less in 2024, compared to 41% in 2023 and 50% in 2022. Fifty-five percent took more than a month to recover, up from 36% in 2023. In comparison, across all sectors, only 35% of companies took more than a month to recover
  • These two critical infrastructure sectors reported the highest rate of backup compromise (79%) and the third highest rate of successful encryption (80%) when compared to the other industries surveyed

“This once again shows that paying ransom payments almost always works against our best interests. An increasing number (61%) paid the ransom as part of their recovery, yet the amount time it took to recover was extended. Not only do these high rates and amounts of ransoms encourage more attacks on the sector, but they are not achieving the claimed goal of shorter recovery times,” said Wisniewski.

“These utilities must recognize they are being targeted and take proactive action to monitor their exposure of remote access and network devices for vulnerabilities and ensure they have 24/7 monitoring and response capabilities to minimize outages and shorten recovery times. Incident response plans should be planned in advance, the same as for fires, floods, hurricanes and earthquakes, and be rehearsed on a regular schedule.”
Read the full State of Ransomware in Critical Infrastructure on Sophos.com.

Continue Reading

GRTech

SHELT SI Achieves Cisco Select Partner Certification

Published

on

SHELT and CISCO

SHELT System Integration (SHELT SI) has announced its achievement of Cisco Select Partner certification in Nigeria, marking a significant milestone in its commitment to delivering top-tier networking and security solutions to businesses across the region.

This certification underscores SHELT SI’s dedication to excellence in providing innovative networking and security solutions tailored to meet the evolving needs of the market.

The Cisco Select Partner certification is a validation of SHELT SI’s technical expertise and commitment to customer satisfaction, as well as its ability to deliver cutting-edge networking and security solutions that drive business success. With this recognition, SHELT SI is affirming its ability to further enhance its offerings and support its clients in navigating the complexities of the digital landscape.

Cisco Nigeria General Manager Sebastine Nzeadibe comments: “We are delighted to welcome SHELT SI to the ranks of Cisco Select Partners in Nigeria. Their demonstrated commitment to excellence and customer satisfaction aligns perfectly with our values, and we look forward to collaborating closely together to empower businesses with transformative networking and security solutions.”

Youssef Abillama, CEO of SHELT, comments: “Achieving this certification strengthens our relationship with CISCO and is a testament to our team’s dedication and expertise in delivering best-in-class solutions. This milestone reinforces our commitment to empowering businesses in Nigeria with innovative technology solutions that will enable them to thrive in the digital age through cutting-edge technology solutions.”

SHELT’s Country General Manager, Walid Bou Abssi, added, “The Cisco Select certification empowers us to provide an increased level of support and further enhances our ability to address the requirements of our clients’ evolving needs in Nigeria. It is an acknowledgement of the ability of our pre-sales, sales, and client support teams to design, quote, deploy, and support Cisco solutions.”

Continue Reading

Trending