Businesses need both artificial and human intelligence to fight cybercriminals targeting organizations with evolving ransomware. That includes the newly emerging WastedLocker ransomware.

That’s according to new research by Sophos. WastedLocker ransomware makes it harder for behavior-based antiransomware software to keep track of what’s going on. It encrypts networks and demands millions of dollars in bitcoin in exchange for the decryption key.

Malicious hackers used WastedLocker ransomware in an attack on Garmin. They went after the GPS technology giant for $10 million.

Chet Wisniewski is Sophos‘ principal research scientist. He said about 90% of the incidents involving Sophos’ rapid response team are “one of these high-value ransom events.”

Sophos’s Chet Wisniewski

“The thing that teams are struggling to handle on their own are these events,” he said. “Part of that is the ability to quickly analyze the data that endpoint detection and response (EDR) products are gathering.”

How WastedLocker Works

With WastedLocker ransomware, the attacker gets a foothold in the door through phishing attacks or a VPN vulnerability, Wisniewski said. They then drop their tools, and in a few days start hunting for valuable things to look up or steal.

“We’re starting to be able to detect these attacks in that early stage where they may not have triggered any antivirus alerts or those kinds of things yet,” he said. “If we can catch it at that stage with effective threat hunting, we can then go and search across all of our customers’ EDR and see every one  that attacker may have a foothold with.”

The problem is, information sharing is a little slow. Because of that, it’s hard to take action until you’ve seen it yourself, Wisniewski said.

“And so one of the advantages that MSPs, MSSPs and organizations like us have is being able to see that across a large number of clients and have our staff very familiar with any one of those given attackers and know exactly what they’re looking for,” he said. “It takes a little longer for individual enterprises to figure out how Revil (ransomware) looks because if they’ve never been attacked by them they’ve got no experience.”

Strategic Delay

That delay between getting a foothold and initiating an attack is likely strategic, Wisniewski said. And it’s not like many organizations have the ability to spot them before an attack starts, he said.

“Most of the time, most organizations are not actively threat hunting, so they can get away with staying dormant for a very long time without being caught,” he said. “They can get away with what their doing three-quarters of the time, so why change tactics? There are plenty of victims out there as far as the crooks are concerned.”

There are also varying motives for attackers out there, Wisniewski said. But there are indicators that suggest a number of these groups come in solely to do the ransoms.

“There’s some indication that they may be stealing intellectual property first, then saying,  ‘We may do some ransom on the way out and get some money out of these guys,'” he said.

Early Attack Indicators

Sophos has identified five clear indicators that attackers are lurking in networks and hiding under the radar to scan systems, install backdoors and steal information. Those include:

“If you took these five things to heart, you’d have an incredibly high percentage chance of detecting that initial breach right away,” Wisniewski said. “Obviously most organizations put all of their effort into prevention, and not enough into detection and response. If you’ve got a human adversary, prevention is never going to be 100% effective. We really need to start pushing IT people toward understanding that they need to find more balance between protection, and detection and response.”

Sophos’ Dan Schiappa

Dan Schiappa is Sophos’ chief product officer. He said the combination of AI and human intelligence is critical to make sure no stone is left unturned.

“Something may evade a protection technology but be seen by a threat hunter in the human capacity,” he said.

There’s also a “massively heightened” attack vector against critical infrastructure tied to remote working, Schiappa said.

“In a lot of cases, what they’re doing is getting into those devices and then knowing they have access to a bunch of resources from those launching ransomware attacks,” he said. “And so this combination of AI and human intelligence come together to really build the best response and protection against that.”