Seeing the Wolf in the Herd: Analytics In the Age of Ransomware

In 2019, one of the most severe ransomware attacks ever reported hit a Scandinavian aluminium supplier, costing almost €75 million in damages. The company would rather bear that cost than pay the ransom. It is also a tale of how predictive analytics is coming to the fore in ransomware prevention. This is their story.

It was a sunny but cold day in Oslo, the kind that—after a dark winter—Scandinavians like best. It was Monday, March 18th, and everything at Norsk Hydro was as it should be: meetings of various sorts; the massive industrial hum of the processes on the work floor; colleagues exchanging small talk in the hallways. There was nothing unusual, nothing outwardly wrong.

Yet that calm, unremarkable normalcy hid the real truth: a cataclysm was brewing in the networks of Norsk Hydro, penetrating its servers, terminals and databases. For weeks—unbeknownst to anyone—ransomware had been embedding itself and propagating through the whole system, encrypting the hard drives of anything it touched. And once it had, it waited, like a jaguar in the shadows… and struck just as the clock ticked over at midnight to March 19th.

The beast awakens
The IT staff and managers didn’t know that they’d be hit with one of the costliest ransomware attacks in the world that day. That’s partly because ransomware is becoming a massive cyber-criminal business: the criminals know that many companies—once they calculate the cost in lost productivity that cleaning out ransomware will bring—will pay up. Equally, the companies keep quiet about it, not wanting to panic their customers or shareholders. Nor do they turn to law enforcement, which is woefully unequipped to handle such crimes. “It’s become a simple business case for many organisations to pay, and at this point it’s a known secret that this is happening,” says Josh Zelonis, cyber-security analyst at Forrester.

What makes the Norsk Hydro attack so important is that they went against that trajectory: they refused to pay the ransom and went public with the attack. On March 19th, the IT administrators were flooded with service calls that computers were freezing up. They opened a terminal and read the menacing message. Chief information officer Jo De Vliegher described to the BBC how he opened the ransom note that appeared on computers all over the company. It read: “Your files have been encrypted with the strongest military algorithms… without our special decoder it is impossible to restore the data.” He nodded to his team and made a decision: all the computers would be taken offline, and the company would work offline—with pen and paper—to run the world’s most sophisticated industrial machinery. Former colleagues who knew how to run such processes the ‘old-fashioned way’ were brought back in. Other processes simply had to stop.

LockerGoga revealed
On a technical level, the attack has been attributed to the LockerGoga ransomware family. NorCERT sent out warnings to other Norwegian organizations, in which they shared that the attack on Hydro was combined with an attack against its Active Directory (AD). “The hackers reportedly used both the ransom virus, blocking access to all information on a computer, while also attacking Hydro’s user- and log-in systems,” News in English reported.

“LockerGoga is also relatively new, having been first confirmed in January 2019. The simplicity of its processes doesn’t trigger your typical anti-virus or anti-malware detectors. And because of its sudden advent, anti-virus and anti-malware vendors were slow to pick it up. In addition, there is the fact that 22% of devices meant to have anti-virus/anti-malware tools are, in fact, missing such tools,” Josh Mayfield, Director of Security Strategy at Absolute, told Help Net Security earlier this year.

Predictive Analytics as cure
This also creates a technical need for analytics to play a part in the solution. Predictive analytics is thought to move the technology from being a staple to being a saviour: it improves the ability to detect changes in data that point to an outbreak of ransomware, and then lets the IT administrator refer back to the last legitimate backup point.

Predictive analytics is a necessity because the malware of tomorrow is unknown and will surely evolve to our detriment. When traditional cyber defense technology is rendered ineffective or human error is at play, predictive analytic cyber defense technology becomes the last line of defense for an organization. The majority of cyber defenses in an organization are built around signature-based models of “known” malware, whereas predictive analytics is built around the “unknown”, establishing a pattern of life within the organization and protecting it from malware and other abnormal activity as well.
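As an added illustration of the contrast drawn above (signature-based detection of the known versus a learned pattern of life that flags the unknown), here is a small Python sketch that is not Clavister’s or Norsk Hydro’s code. It learns the normal per-minute file-activity rate and the set of file extensions a host usually touches, flags minutes that are both statistically abnormal and dominated by never-seen extensions (the behaviour a mass-encryption outbreak produces without any signature match), and then reports the last backup taken before the onset, the “last legitimate backup point” mentioned earlier. The host name, paths, the `.locked` extension, the backup schedule and the thresholds (three standard deviations, half of the touched files with a novel extension) are all constructed or assumed for the example.

```python
"""Pattern-of-life anomaly detection over file activity (constructed example).

Learns what "normal" per-minute file activity looks like for each host, then
flags minutes that are both far above the learned rate and dominated by file
extensions the host has never touched before. Not Clavister's or Norsk Hydro's code.
"""
from collections import defaultdict
from os.path import splitext
from statistics import mean, pstdev


def make_sample_events():
    """Constructed sample: 60 quiet minutes of ordinary edits on host ws01,
    then a 5-minute burst in which files are rewritten with a new extension.
    Each event is (minute_offset, host, operation, path)."""
    events = []
    for minute in range(60):
        for i in range(3 + minute % 3):  # 3-5 ordinary writes per minute
            events.append((minute, "ws01", "write", f"/share/reports/q{i}.docx"))
    for minute in range(60, 65):
        for i in range(80):  # burst: 80 files per minute renamed to .locked
            events.append((minute, "ws01", "rename", f"/share/reports/doc{i}.docx.locked"))
    return events


def bucket_by_host_minute(events):
    """Group events into per-(host, minute) lists of (operation, path)."""
    buckets = defaultdict(list)
    for minute, host, op, path in events:
        buckets[(host, minute)].append((op, path))
    return buckets


def learn_baseline(buckets, train_until):
    """Pattern of life per host from minutes [0, train_until): mean and
    population stddev of events per minute, plus the extensions normally seen.
    A host absent from the training window gets an all-zero profile, so any
    activity from it with unfamiliar extensions is treated as anomalous."""
    profile = {}
    for host in {h for h, _ in buckets}:
        counts = [len(buckets.get((host, m), [])) for m in range(train_until)]
        known_exts = {
            splitext(path)[1]
            for (h, m), evs in buckets.items() if h == host and m < train_until
            for _, path in evs
        }
        profile[host] = (mean(counts), pstdev(counts), known_exts)
    return profile


def detect_anomalies(events, train_until, k=3.0, novel_ext_ratio=0.5):
    """Flag (host, minute) buckets after the training window whose event count
    is at least k standard deviations above baseline AND where at least
    novel_ext_ratio of the touched files carry a never-seen extension.
    Both thresholds are assumptions chosen for this example."""
    buckets = bucket_by_host_minute(events)
    profile = learn_baseline(buckets, train_until)
    alerts = []
    for (host, minute), evs in sorted(buckets.items()):
        if minute < train_until:
            continue
        mu, sigma, known_exts = profile[host]
        count = len(evs)
        if sigma == 0:
            z = float("inf") if count > mu else 0.0
        else:
            z = (count - mu) / sigma
        novel = sum(1 for _, p in evs if splitext(p)[1] not in known_exts) / count
        if z >= k and novel >= novel_ext_ratio:
            alerts.append({"host": host, "minute": minute, "count": count,
                           "z": round(z, 1), "novel_ext_ratio": round(novel, 2)})
    return alerts


def last_clean_backup(backup_minutes, alerts):
    """The most recent backup taken strictly before the first flagged minute:
    the 'last legitimate backup point' to restore from. None if no anomaly
    was found or no backup predates the onset."""
    if not alerts:
        return None
    onset = min(a["minute"] for a in alerts)
    earlier = [b for b in backup_minutes if b < onset]
    return max(earlier) if earlier else None


if __name__ == "__main__":
    sample = make_sample_events()
    found = detect_anomalies(sample, train_until=60)
    for alert in found:
        print(alert)
    print("restore from backup at minute:", last_clean_backup([0, 30, 58], found))
```

Requiring both conditions is the point of the design: a rate spike alone would also fire on a legitimate bulk job that touches familiar file types, and a novel extension alone would fire on a single user trying a new tool. It is the combination of an abnormal rate and unfamiliar output that matches the outbreak, with no signature for the particular family needed.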

Stefan Brodin, Commercial Solutions Manager at Clavister, states that by using analytics in a dynamic way, even ransomware patterns of behaviour can be identified. “Using predictive analytics and tools like AI or ML, we can see the malware morphing and behaving in certain ways. For Clavister, we use our Clavister InCenter tool for analytics and are implementing more alerting and scorecard functions to spot anomalies. The hope is that these analytics would allow organizations to detect ransomware—especially ones embedded in SSL encrypted traffic that our Clavister NetEye finds—and allow them to take action before it’s too late. The idea would also be that, if needed, you could revert back to the last legitimate backup point to decrease downtime,” he explains. “It’s a constant battle, trying to use the right tools to match this level of threat. But analytics is one that we see promise in.”

Don’t pay it forward
Back at Norsk Hydro, Mr De Vliegher said he tries not to think of the hackers and takes no satisfaction in knowing he foiled their plans.
“I think in general it’s a very bad idea to pay,” he says. “It fuels an industry and it’s probably financing other sorts of crime. It goes against our company values and we have good foundations and good people.
“But I understand why, for some companies who are less secure, this can be the only option.” His words are echoed by Europol’s head of the European Cybercrime Centre, Steven Wilson. “Companies need to understand that if you continue to pay a ransom it perpetuates the crime,” he says. “It encourages the criminals to commit further crimes. If you pay, you’re fueling organised crime on a global basis.”
