How to Create a Ransomware Recovery Roadmap

Ransomware attacks have become an omnipresent threat to organizations worldwide, posing significant risks to data integrity, financial stability, and organization continuity. As cybercriminals continue to evolve their tactics and target organizations of all sizes and industries, it’s imperative for organizations to strengthen their defenses and protect themselves against ransomware incidents.

Organizations must also be equipped with a detailed recovery plan to mitigate the impact of such incidents effectively. In this blog, we delve into the essential steps and solutions for recovering from ransomware attacks and restoring organization operations quickly and securely.

Strengthening Your Ransomware Recovery Arsenal

While recovering from a ransomware attack requires a strategic and methodical approach, having the right tools and solutions in place can significantly expedite the process and enhance overall resilience. Here are some key solutions to consider integrating into your recovery plan:

  1. Endpoint Detection and Response (EDR) Solution: Implement EDR solutions to enhance containment and isolation efforts by swiftly detecting and responding to ransomware threats at the endpoint level. These solutions provide real-time visibility into endpoint activities, enabling rapid containment and mitigation of ransomware incidents.
  2. Secure Backup and Recovery Solutions: Deploy secure backup and recovery solutions that adhere to best practices, ensuring the integrity and cleanliness of backups. Look for solutions that offer immutable backups and robust encryption to safeguard against ransomware attacks and ensure seamless data restoration.
  3. Security Operations Platform: Invest in automated tools that can swiftly assess the extent of the damage caused by the ransomware attack. These tools used algorithms to identify compromised systems and data, providing actionable insights for prioritizing recovery efforts.
  4. Threat Intelligence Services: Enlist the support of threat intelligence services to stay informed about the latest ransomware trends, tactics, and techniques employed by threat actors. Leveraging actionable threat intelligence can help organizations proactively adapt their cybersecurity defenses to counter emerging ransomware threats effectively.
  5. Security Awareness Training: Prioritize security awareness training for employees to empower them to recognize and respond to ransomware threats effectively. Investing in comprehensive security awareness programs can help foster a culture of cybersecurity awareness within the organization, reducing the risk of successful ransomware attacks.
  6. Cyber Warranty Coverage: Consider obtaining cyber warranty coverage to mitigate the financial impact of ransomware attacks and facilitate recovery efforts. Cyber warranties are often provided through managed detection and response (MDR) providers. The warranties can provide financial assistance for ransom payments, data restoration costs, and other expenses associated with recovering from ransomware incidents.

By incorporating these solutions into your ransomware recovery plan, you can enhance your organization’s resilience and expedite the recovery process in the event of a ransomware attack. Remember to regularly review and update your recovery plan to adapt to evolving ransomware threats and ensure continued effectiveness.

Strengthening Resilience and Recovery Strategies

In effort to strengthen resilience and recovery strategies against ransomware attacks, organizations must adopt a proactive approach by implementing the right solutions and technologies. By establishing clear roles, responsibilities, and communication protocols, organizations can effectively respond to attacks and minimize their impact on operations.

Additionally, using simulator tools can help organizations assess their readiness and identify gaps in defense mechanisms, allowing for the implementation of stronger security measures and better protection of data. Through testing defenses, organizations can stay ahead of cyberthreats and safeguard their valuable information effectively.

Unraveling Cyber Defense Model Secrets: Credential Harvesting and Insider Threats

By: Bronwen Cohn-Cort, Data Scientist, and Shaul Saitowitz, Data Scientist

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.

The Essential Role of Threat Detection

Threat detection is a critical component of an organization’s cybersecurity strategy. Requiring the combination of human expertise and machine learning, risk can be significantly reduced by identifying threats before a potential attack.

Many threats can go unnoticed for months or even years. In IBM’s latest report, it takes an average of 277 days for security teams to identify and contain a data breach, and the cost of a breach skyrocketed, reaching an average of $4.45 million. Given the extended timeframe it often takes to detect and contain a data breach, organizations must proactively implement measures to quickly respond to potential threats and reduce the risk of costly damages.

To effectively combat malicious activity in your environment, it can be challenging to stay on top of all the potential threats, particularly as it demands skilled professionals who can develop models to apply artificial intelligence. Setting up alerts for when suspicious activity is detected can help organizations quickly respond to potential breaches and mitigate the risk of further damage to their systems and data.

Critical Detections for Your Network Security

While there are many types of security threats and detections to consider today, we highlight credential harvesting and insider threats as two crucial ones to add to your queue.

Adlumin Data Science is rolling out alerts for credential harvesting and insider threats, each capable of warning against prevalent attack tactics within their domains by utilizing user and entity behavior analytics. These detections are crucial as they are often difficult for organizations to identify.

Credential Harvesting Detection

A credential harvesting alert addresses a post-exploitation technique to broaden network access. After gaining a foothold, this alert will notify an organization about suspicious activities related to stealing login credentials from a computer system. This information can then be used to access other systems, steal data, or even compromise an entire network.

Sources of stored credentials include files, databases, registry entries, and memory structures where login credentials are stored, whether in plaintext or encrypted form. Some of these locations include LSASS (Local Security Authority Subsystem Service), GPP (Group Policy Preferences), and web browsers that store passwords. Cybercriminals can use one of many tools or techniques to capture the stored credentials.

These include utilities like Mimikatz, Hashcat, and SharpChromium. Once the credentials have been extracted, the attacker harvests them for future use. Encrypted passwords can be cracked offline and then used to access other systems within the network, furthering the attack.

The detection exposes several credential dumping techniques and delivers background on the tool discovered. This allows prompt stoppage of the unfolding attack and helps protect business assets. The detection model should be updated regularly to keep up with new tactics and methods.

Credential harvesting poses a significant threat to organizations, leading to unauthorized access, data breaches, and financial loss. Setting up alerts for credential dumping processes is crucial as it enables early detection and swift response to mitigate potential damage. Organizations can protect their sensitive information, maintain operational continuity, and uphold trust with customers and stakeholders by efficiently enriching, containing, and recovering from such incidents.

Insider Threat Detection: Aggregating and Analyzing Widespread File Deletion

Some ransomware variants, like REvil, involve mass file deletion; in some instances, an unauthorized insider may gain permissions sufficient to mass-delete files. The Insider Threat model detects and alerts on cases of a user or attacker deleting an abnormally high number of files across many different subdirectories. Further analysis is conducted to filter out file extensions and locations that likely correspond to benign deletion activity. For example, a user emptying the Recycle Bin would not trigger an alert.

Setting up an Insider Threat alert uses a machine learning model to determine anomalies in the number of Windows Event ID 4663 (“An attempt was made to access an object”) events with Delete access permissions. A high quantity of these 4663 events in a half-hour period significantly deviating from the customer baseline is considered anomalous.

The table below displays partially redacted information from 4663 events associated with an alert. For each, it shows the time of the log message, the computer name on which it occurred, and which Object Name and Process Name were associated with the event. This table can be used to further investigate the deletion activity by reviewing the details of what computers, locations, and types of files were involved.

Following an alert, activity from the username(s) in question should be examined if a threat actor compromised a user account. Suspicious behavior may warrant disabling the account and quarantining affected computers from the network. Review user actions and run an anti-malware scan and vulnerability assessment to check if the threat actor has performed any other actions, such as creating a logic bomb or backdoor.

Insider threats pose a significant risk to organizations as they can result in data breaches, financial loss, reputational damage, and operational disruptions. Malicious insiders or compromised accounts can intentionally or unintentionally cause harm by deleting critical files, installing malware, or stealing sensitive information.

Setting up Insider Threat alerts, like the one described here, is crucial for detecting suspicious activities, such as widespread file deletion, in a timely manner. By observing user behavior, organizations can proactively identify and respond to potential insider threats, mitigating the impact of security incidents and safeguarding their assets and operations.

Experience The Innovations 

Here at Adlumin, we know how important it is to see everything in cybersecurity. That’s why we offer a customized Security Operations Platform and Managed Detection and Response services to give organizations a complete view of their IT environment. But we go further than that. We believe in the value of firsthand experience, so we invite you to explore our platform yourself with a guided tour.

See how our platform helps your team find and address threats by arranging a demo or trying out our platform for free. Join the tour and boost your organization’s visibility to a whole new level.

Cybersecurity for Healthcare: 2024 Threat Insights

The recent ransomware attack on UnitedHealth’s Change Healthcare subsidiary highlighted the attractiveness of the data-rich U.S. healthcare industry to cybercriminals and the severe impact on patients and doctors. Total expenses from the attack are expected to surpass $1 billion, including a $22 million ransomware payment. With cybercriminals leveraging sophisticated techniques to infiltrate systems, encrypt data, and extract sensitive information, the healthcare sector faces significant challenges in safeguarding patient records and maintaining operational efficiency.

This industry spotlight highlights significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team. 

Industry Spotlight: The Healthcare Industry

Top Threat: Ransomware

Last year, the FBI’s Internet Crime Complaint Center released its latest report on Internet crimes and identified the healthcare and public health sectors as the most victimized by ransomware[1]. In fact, the healthcare sector had over 33% more reported victims than the second leading sector, critical manufacturing; 82% more than government facilities, and well more than double the number reported by the financial service sector. While waiting for the latest data reflecting 2023 cases, it’s almost certain that the healthcare sector will continue to see more ransomware attacks.

Ransomware gangs which operate under affiliate models often capture vital data, impose hefty ransoms for data retrieval, and significantly hinder patient care operations. The ransomware affiliate model resembles legitimate affiliate programs – hackers code the malware, while affiliates distribute it through Ransomware-as-a-Service (RaaS), then share the ransom profits. There may also be shared infrastructure for payout and money laundering operations. Combined, this lowers the barrier to entry for attackers and increases attack volume, fueling the overall threat.

Adlumin has observed wide adoption of a tactic known as double extortion in healthcare sector attacks. In double extortion operations, attackers encrypt sensitive and critical data as part of traditional ransomware operations, and exfiltrate or steal sensitive data. Ransomware actors then threaten public release of the data, meant to force payment of hefty ransoms even if defenders can recover encrypted data and systems from backups or other sources.

Adlumin has also observed ransomware operators increasingly threaten to report victims to regulatory authorities such as the SEC, resulting in almost certain fines if applicable under a host of old and new laws and regulations. Additionally, in uncovering Play ransomware. operations, Adlumin uncovered that ransomware attackers threaten to notify organization’s partners and customers as part ransom messages, a tactic meant to coerce payment. These factors can be especially important for those in the healthcare sector as HIPAA (Health Insurance Portability and Accountability Act) can impose fines for data breaches involving protected health information (PHI). The four categories used for the penalty structure are:[2]

TierDescriptionFines per Violation*
Tier 1A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.$137 to $68,928
Tier 2A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).$1,379 to $68,928
Tier 3A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.$13,785 to $68,928
Tier 4A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.$68,928 to $2,067,813

*Yearly cap of $2,067,813

Ransomware operators are also beginning to forgo encryption entirely, favoring data exfiltration and extortion operations. Both types have seen usage of Living-Off-the-Land (LOTL) techniques.

LOTL attacks are a stealthy tactic where attackers exploit legitimate tools already present on a system, like PowerShell, the command prompt, or native binaries like certutil, to carry out malicious activities. These “Living Off the Land Binaries” (LOLBins) blend in with normal system operations, making them more difficult to detect and allows attackers to steal data, move laterally within a network, or gain persistence without relying on easily identifiable malware.

Healthcare Top Threats

AlphV/BlackCat

On December 19, 2023, the FBI announced disruption of RaaS operations carried out by AlphV (also known as “BlackCat”). The FBI seized several websites created by the group and gained visibility into the BlackCat ransomware group’s computer network as part of the investigation[3]. Additionally, authorities offered victims access to an FBI-developed decryption tool allowing for recovery of encrypted data.

In response BlackCat called for open season against the healthcare sector stating, “Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS. You can now block hospitals, nuclear power plants, anything, anywhere.”[4]

On February 27, 2024, CISA, the FBI, and the Department of Health and Human Services (HHS), released a joint advisory which addressed BlackCat’s operations and attacks against the healthcare sector. They noted that, “Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most victimized. This is likely in response to the AlphV / Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”[5]

In late February 2024, as part of attacks against the healthcare sector, insurance provider UnitedHealth found itself in the crosshairs of BlackCat operations, it was reported the attack “had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.”[6] In a quickly deleted post to its darknet hosted website, BlackCat stated that it stole millions of sensitive records.

BlackSuit Ransomware

In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS), released a detailed analysis on BlackSuit, a new ransomware strain that poses a credible threat to the healthcare and public health (HPH) sector.

BlackSuit emerged in May 2023 and exhibits significant parallels to the Royal ransomware family, which succeeded the infamous Conti group linked to Russia. BlackSuit’s ties to these active threat actors suggest ongoing, aggressive targeting of the healthcare industry. HC3 outlined BlackSuit’s operations, including its use of double extortion tactics, specific technical details, and potential impact on healthcare services, alongside recommended defenses, and mitigation strategies.

As outlined in the HC3 report, BlackSuit’s impact could be significant, particularly if the group’s ties to the Royal and Conti ransomware families are confirmed. With its use of double extortion tactics, BlackSuit not only encrypts sensitive data on compromised healthcare networks but also threatens to leak stolen data unless a ransom is paid. This approach poses a dual threat: the immediate disruption of healthcare services due to inaccessible patient records and systems, and the long-term damage from the potential exposure of confidential patient data.

BlackSuit operates by encrypting sensitive data on compromised networks, employing a double extortion scheme that has so far targeted a limited number of victims across various sectors, including healthcare, in countries such as the U.S., Canada, Brazil, and the U.K. The analysis reveals BlackSuit’s operational techniques, encrypted file extensions, ransom demand methods, and its distribution via infected email attachments, torrent websites, malicious ads, and trojans.

Despite its limited use, the connections to Royal and Conti hint at a potentially significant threat landscape for the healthcare sector. Technical similarities with the Royal ransomware family, based on binary comparison tools, suggest BlackSuit could be a variant or affiliate of these larger, well-organized ransomware operations.

HHS emphasizes the importance of heightened security measures and preparedness within the healthcare industry to mitigate risks associated with ransomware attacks.

Recommendations to Eliminate Risks

To protect against evolving cyber threats in the healthcare sector, Adlumin recommends practicing good cyber hygiene by staying informed of the threat landscape, updating software regularly, implementing a Security Awareness Program, and deploying endpoint protection solutions.

Adlumin’s threat research team advises healthcare organizations to regularly update software, segment their networks, and plan for incident response. They also recommend implementing security monitoring, and anomaly detection tools. In addition, secure backups, encryption of sensitive data, and HIPAA compliance are crucial elements of a strong cybersecurity strategy.

With a deep understanding of the healthcare sector’s unique challenges and vulnerabilities, Adlumin stands as a reliable partner in strengthening cybersecurity posture and ensuring regulatory compliance. Partnering with Adlumin equips healthcare organizations with the necessary tools and expertise to combat ransomware and protect critical infrastructure effectively.

Stay tuned, Adlumin’s Threat Research team is releasing in-depth mitigation strategies for the healthcare sector.

The Best Mitigation Strategies for Ransomware Attacks

By: Brittany Holmes, Corporate Communications Manager 

The rise of ransomware attacks can be traced back to the infamous WannaCry outbreak in 2017, a watershed moment for cybercriminals. This high-profile incident revealed the potential profitability of ransomware attacks and spurred the development of numerous variants since then.

Additionally, the COVID-19 pandemic played a significant role in the recent surge of ransomware attacks. With organizations hurriedly transitioning to remote work, vulnerabilities in their cybersecurity defenses became more apparent and exploitable. Cybercriminals took advantage of these weaknesses to launch ransomware attacks, sharply increasing such incidents.

As history has shown, ransomware attacks continue to evolve and become more sophisticated in their tactics. This makes it crucial for small and medium-sized businesses (SMBs) to understand the growing threat landscape and take proactive steps to protect their data and systems.

This blog explores the mechanisms through which ransomware is delivered, the reasons behind its alarming success rate, and effective mitigation strategies for SMBs.

How is Ransomware Delivered?

From a cybercriminal’s point of view, there are numerous ways to break into a network and encrypt its data for ransom. Stealing and holding data hostage has proven to be an effective way to extort money from organizations, so cybercriminals are increasingly utilizing this tactic.

To successfully breach a network, cybercriminals target the most vulnerable link in the security chain—the people. It is crucial for companies to prioritize employee training on cybersecurity awareness and to update and strengthen their security measures constantly.

Ransomware is often delivered through phishing emails and malicious websites. Phishing emails typically contain deceptive links or attachments that, when clicked, can install ransomware onto a victim’s device. These emails are made to appear sincere and may even impersonate trusted sources, tricking users into taking actions that compromise their security. On the other hand, malicious websites can also distribute ransomware through drive-by downloads or exploit kits. These websites can quickly infect a user’s system with ransomware by luring unsuspecting visitors to click on malicious links or download files.

Why is Ransomware so Effective?

One of the main reasons why ransomware is so effective is because it preys on peoples’ fear and urgency to regain access to their data. Many individuals and organizations rely heavily on their data for everyday operations, and the idea of losing that data can be terrifying. This fear often leads victims to pay the ransom, even though there is no guarantee that the cybercriminals will provide the decryption key once the ransom is paid.

Additionally, the speed at which ransomware operates also contributes to its effectiveness. By the time detection occurs, most files are encrypted, making it difficult to stop the attack in its tracks. Even with detection, analysts still need to look at the alerts and take the appropriate action, which can be time-consuming and may result in further data loss. This rapid encryption process adds to the sense of urgency that victims feel, pushing them to consider paying the ransom as a quick solution to regain access to their data.

Ransomware is particularly effective against SMBs because they often lack the proper resources and expertise to defend against such attacks. SMBs are also more likely to pay the ransom, as they may not have proper backups in place or the means to recover their data through other methods.

According to Adlumin’s most recent Threat Insights 2024 Volume I, the top two tactics/methods used by ransomware gangs include:

Ransomware attacks continue to be successful due to the evolving tactics employed by cybercriminals, who are now packaging their methods into more streamlined and sophisticated approaches. The two primary tactics driving the success of ransomware include double extortion and the rise of Ransomware-as-a-Service (RaaS), enabling easier access and increased efficiency for cybercriminals looking to exploit organizations for financial gain.

Double Extortion: In addition to encrypting an organization’s data, cybercriminals are increasingly stealing sensitive information and threatening to release it publicly unless the ransom is paid. This additional pressure increases the likelihood that victims will pay the ransom.

Ransomware-as-a-Service (RaaS): Some ransomware groups now offer their ransomware as a service to other cybercriminals, allowing them to distribute and deploy ransomware attacks without technical expertise efficiently. This has led to increased ransomware attacks, as more criminals can launch their own campaigns with minimal effort.

By understanding how ransomware works and the tactics used by cybercriminals, organizations can better protect themselves against these attacks and prevent falling victim to ransomware.

How SMBs Can Mitigate Ransomware Risks

To effectively mitigate ransomware risks, SMBs must educate and train employees to identify and report the signs of a potential attack. By raising awareness about suspicious emails, links, and attachments, employees become the frontline defense against ransomware infiltrations. Encouraging the use of strong, unique passwords and multi-factor authentication further bolsters security measures.

In addition to employee training, implementing a robust data backup and recovery plan is essential. Regularly backing up data to offline or secure cloud storage ensures that systems can be restored without succumbing to ransom demands.

Maintaining up-to-date patch updates, particularly through Continuous Vulnerability Management, adds another layer of security. Staying vigilant and updating systems regularly makes it more challenging for threat actors to gain unauthorized access to sensitive data.

By combining these strategies, SMBs can significantly reduce their vulnerability to ransomware and protect their valuable data.

Illuminate Threats and Eliminate Risks

Last year, there was an increase of ransomware attacks at a rate of 73% totaling 4,611 cases reported. The staggering statistics on ransomware attacks highlight the critical need for heightened awareness and preparedness across all industries.

Implementing a multi-layer defense strategy and prioritizing early detection are pivotal steps in safeguarding organizations against the damaging impact of ransomware. It is imperative that organizations invest in cybersecurity measures, conduct regular training for employees, and stay vigilant against evolving threats.

By staying informed and proactive, organizations can significantly reduce the potential damage inflicted by ransomware attacks and ensure the security of their valuable data and systems.

Early Detection and Multi-Layered Defense Against Ransomware Attacks

By: Brittany Holmes, Corporate Communications Manager 

Ransomware attacks continue to pose a serious and persistent threat, causing widespread disruption to organizations of all sizes. This underscores the critical need for proactive cybersecurity measures to stay ahead of cybercriminals.  

A recent high-profile incident involving approximately 60 Credit Unions highlighted the ongoing impact of these attacks. Many of the credit unions affected lacked adequate backup coverage and dedicated security, which serves as an example of the importance of early detection and a multi-layered defense strategy to protect valuable data from ransomware threats.  

This blog explores top methods for detecting ransomware, response strategies, and the importance of a multi-layer protection approach.   

Detecting Ransomware and The Need for Early Detection 

Ransomware protection strategies commonly focus on various stages of attack detection, as outlined by MITRE. From blocking known variants to detecting signs of compromise before execution and identifying malicious activities during the execution phase, each step plays a crucial role in preventing file encryption and data loss. Here are some top ways ransomware is detected:  

  • Blocking Ransomware Variants: Blocking known ransomware variants is common in cybersecurity defense. Organizations can proactively block known ransomware strains from executing on their systems by leveraging threat intelligence feeds and signature-based detection tools. 
  • Detecting Signs of Compromise: Detecting signs of compromise before ransomware execution is another crucial strategy in ransomware detection. Organizations can identify a ransomware attack in its early stages by monitoring for indicators of compromise (IoCs), such as unusual network traffic patterns, unauthorized access attempts, or anomalous file modifications. 
  • Detecting Ransomware at Execution Stage: Detecting ransomware at the execution stage is a critical step in mitigating the impact of an attack. Behavior-based detection techniques can monitor system activities in real-time to detect and respond to malicious behavior, including ransomware encryption processes. Organizations can identify and contain ransomware before it causes extensive damage by analyzing the behavior of processes and file system activities. 

Additionally, leveraging frameworks such as MITRE ATT&CK can provide organizations with a standardized approach to understanding ransomware tactics, techniques, and procedures (TTPs). By mapping ransomware behaviors to the MITRE ATT&CK framework from left to right, organizations can identify gaps in their detection and response capabilities and implement targeted security measures to enhance their ransomware defense strategy.  

However, cybercriminals continually evolve their tactics, and ransomware strains emerge, hindering some security approaches. To address the shortcomings of each detection method, organizations can adopt a strategy that combines multiple layers of defense. Ransomware detection capabilities can be enhanced by integrating threat intelligence feeds with advanced behavioral analytics and proactive threat hunting, improving their overall cybersecurity posture. 

Adlumin’s Innovative Ransomware Protection Feature   

Adlumin’s Managed Detection and Response (MDR) now includes a ransomware prevention feature focused on file system preservation to combat the evolving ransomware landscape. This new capability safeguards and preserves most files by killing the process at the earliest detection sign. 

One crucial aspect of ransomware protection is proactive testing and preparedness. It is important to understand how secure your organization’s security tools are against ransomware by prioritizing testing defenses and response protocols to ensure readiness in the face of potential threats. 

Embracing a Multi-Layered Defense Approach 

Ransomware protection is a complex and challenging threat that demands a multi-layered defense approach. Early detection, proactive response strategies, secure backups, and innovative technologies like Adlumin’s Ransomware Prevention are essential to a comprehensive defense posture against attacks. By understanding the importance of early detection and implementing a multi-layered defense strategy, organizations can significantly enhance their resilience to evolving cyber threats.   

The threat of ransomware is large, but by staying informed and leveraging advanced security solutions, the risks can be mitigated, and data assets can be safeguarded. Remember, there is no single answer to ransomware protection – it requires a holistic and dynamic approach to stay ahead of cyber adversaries. With 24×7 coverage and innovative technologies, you can protect your organization against the threat of ransomware and ensure organization continuity in the face of evolving cyber risks. 

Misconfiguration in Zero-Trust Solution Could Allow Threat Actors to Bypass 2FA

The Adlumin team recently investigated a security incident in which a malicious actor(s) successfully managed to gain unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.

Background

The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.

Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) was not prompted to verify the legitimacy of the login sessions which would have protected against compromised credential-based attacks.

Investigation Findings

The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.

According to Duo’s online documentation (last updated on Jan. 29, 2024), a “New User Policy” to allow access without 2FA, does not prompt users to complete enrollment and they are granted access without two-factor authentication.1

This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.

With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.

When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.

In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely.2

Conclusion

To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.

Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.

Indicators of Compromise (IOCs)

7 Reporting Considerations to Enhance Your Security Operations

A critical component of any organization’s security operations is the ability to automatically generate reports that offer valuable insights into the effectiveness of security measures. These reports help identify potential threats and vulnerabilities and play a crucial role in meeting compliance requirements.

This proactive approach enables security teams to quickly address issues, make informed decisions, and enhance the organization’s security posture, ultimately saving valuable time when reporting to leadership during incidents.

This blog details recommended key reports to share with your board and leadership team along with ways to make the most of your cybersecurity solution.

7 Key Reports Your IT Team Should Use

Being able to grab reports instantly plays a crucial role in saving time and ensuring that when the latest ransomware or breach headlines hit, your leadership team has the answers they need. Below are examples of compliance, board, admin, and IT reports that your IT team should regularly review and incorporate into your security program:

1. One-Touch Compliance Reporting: Ensuring that security measures align with industry standards and regulatory requirements, such as GDPR or HIPAA, is crucial for maintaining data privacy and protecting against legal repercussions. Below are a few examples:

  • National Credit Union Association, Automated Cybersecurity Evaluation Toolbox (NCUA ACET)
  • Federal Financial Institutions Examinations Council (FFIEC)
  • FBI’s Criminal Justice Information Services Division (FBI CJIS)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Ransomware Self-Assessment Tool (R-SAT)
  • Information Technology Risk Examination Program (InTREx CU)
  • Health Insurance Portability and Accountability Act (HIPAA)

2. Detection Analysis: By analyzing detection reports, IT teams can identify trends, patterns, and anomalies in network activity that may signify a breach or potential threat.

3. Darknet Monitoring: Monitoring the darknet for any compromised credentials or sensitive data belonging to the organization can help preemptively address potential security risks.

4. Privileged Account Activity: Tracking and analyzing privileged account activities can help detect unauthorized access or unusual behavior that may signal a security breach.

5. VPN Activity Report: Examining VPN usage and access logs can provide insights into who is accessing the network remotely and identify suspicious or unauthorized activities.

6. Network Health Report: Regularly assessing the overall health of the network, including performance metrics, system vulnerabilities, and security gaps, is important for maintaining a secure and efficient IT infrastructure.

7. Board and IT Steering Committee Report: Providing executive stakeholders with a high-level overview of the organization’s cybersecurity posture, including key metrics, incident response updates, and strategic recommendations, is essential for aligning business objectives with security priorities.

Incorporating these reports into your daily operations will automate the collection, analysis, and reporting of security data. This also allows analysts to focus on more operational tasks, such as threat hunting and incident response, rather than spending time manually compiling and analyzing data. By streamlining these processes, reports help improve overall productivity.

Closing the Reporting Gap with Leadership

Regardless of which report you are looking to pull, having access will play a crucial role in bridging the gap between security teams and leadership by providing an overview of the organization’s cybersecurity posture. These reports offer insights into the efficiency of cybersecurity investments, helping leadership understand and make informed decisions regarding resource allocation.

By tracking security incidents and trends, reports enable organizations to identify gaps in their defenses and prioritize security efforts based on risk assessment. This continuous monitoring enhances communication between different stakeholders and helps build a strong security posture that can withstand evolving cyber threats. Ultimately, reports assist in understanding the security environment and ensuring proactive measures are in place to safeguard the organization’s assets.

Enhance Your Security Posture with One-Touch Reporting

Taking advantage of complete access to one-touch reporting can significantly enhance your organization’s security posture and by working with a Security Operations Platform like Adlumin, you can streamline the process of generating these reports and gain access to expert analysis and recommendations.

This partnership enhances your security capabilities and helps you effectively communicate with leadership and gain a deeper understanding of your security environment. Make the most of automatic reports to stay ahead of threats so you always know where your security posture stands.

Explore the Platform



Adlumin XDR ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.




Explore the Platform

Adlumin XDR ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.


XDR and the Benefits of Consolidating Cybersecurity Tools

IBM reported that it took an average of 204 days globally to identify a data breach in 2023, underscoring the pressing need for effective detection and response solutions. Extended Detection and Response (XDR) has emerged as a game-changer in the world of security operations, offering a proactive approach to threat detection and response. However, amidst the buzz surrounding XDR, it’s crucial for organizations to have a clear understanding of the basics of various detection and response solutions to evaluate what best suits their unique needs.

This blog breaks down the benefits of consolidating your cybersecurity tools with XDR, and the differences between XDR and other solutions such as Managed Detection and Response (MDR) and Endpoint Detection and Response (EDR).

What is Extended Detection and Response (XDR)? 

XDR is a security solution that consolidates data from various security tools within an organization’s infrastructure to streamline threat detection, investigation, and response processes. By automatically aggregating and correlating data from diverse security components such as endpoints, cloud workloads, networks, and email, XDR enhances the capabilities of security teams to quickly identify and neutralize security threats across multiple domains from a centralized interface. 

Gartner defines XDR as a “unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. Security and risk management leaders should consider the risks and advantages of an XDR solution.” 

This unified approach streamlines threat hunting and response efforts, allowing for more efficient and effective security operations. 

Adlumin XDR, in Figure 1, integrates various security tools to streamline threat detection, investigation, and response processes for enhanced cybersecurity operations. 

Benefits of Consolidating Cybersecurity Tools with XDR 

Managing and monitoring all cybersecurity resources available can be daunting. XDR offers organizations a centralized platform where they can easily access and analyze data from all of their cybersecurity tools in one place. This streamlined approach simplifies the process of identifying and responding to potential threats, making it easier for organizations to stay one step ahead of cybercriminals.  

More benefits include:

#1 Enhanced and Centralized Threat Visibility:

XDR consolidates data from various security tools such as email, endpoints, servers, cloud workloads, and networks, offering a centralized view of potential risks and threats. This unified approach enables security teams to identify and respond to threats quickly. IBM’s latest report indicates that organizations using threat intelligence are able to identify threats 28 days faster on average.  

#2 Simplified Detection and Investigation:

By automatically filtering out insignificant anomalies, XDR allows analysts to focus on high-priority threats, reducing the time and effort required for manual investigations. The prebuilt analytics and correlation capabilities help detect risky threats, minimizing the need for constant rule tuning and management. 

#3 Streamlined Orchestration and Response:

XDR facilitates end-to-end threat response by offering detailed threat context, telemetry data, and automation capabilities. This enables security teams to orchestrate response actions across multiple tools and environments, enhancing the MDR team’s efficiency and ensuring quick threat mitigation. 

XDR security empowers organizations to proactively detect, investigate, and respond to security incidents more efficiently, ultimately strengthening their overall cybersecurity posture. 

What is the difference between XDR and other solutions? 

XDR is often confused with other detection and response technologies, such as Managed Detection and Response (MDR) and Endpoint Detection and Response (EDR). 

EDR monitors end-user devices for threats that traditional antivirus software may miss, while MDR is essentially EDR provided as a service. EDR continually monitors an endpoint (laptop, tablet, mobile phone, server, or internet-of-things device) to identify threats through data analytics and prevent malicious activity with rules-based automated response capabilities.  

For a comprehensive and managed approach, organizations can opt for Managed Extended Detection and Response (MXDR), which provides multi-domain protection with dedicated support, expertise, and 24/7 response capabilities. Understanding the differences and capabilities of these various technologies can help organizations choose the best solution for their cybersecurity needs. 

Want to dive deeper? Read EDR vs. XDR vs. MDR: The Cybersecurity ABCs Explained to find the best solution for your organization.  

Find the Cybersecurity Solution to Fit Your Needs 

Selecting the right cybersecurity solution tailored to your organization’s specific needs is essential in safeguarding against rising cyber threats. As the threat landscape expands in complexity, it is crucial to adopt proactive security measures that detect and respond effectively to potential risks.  

Managed security solutions, such as XDR, offer organizations the advantage of dedicated support, expertise, and around-the-clock monitoring and response capabilities. Small IT teams can offload the burden of day-to-day security operations by opting for managed services, allowing them to focus on strategic initiatives and core business functions. 

Organizations can access the latest tools, technologies, and best practices in security operations by partnering with a managed security services provider without requiring extensive in-house resources. This approach enhances security resilience and ensures operational continuity and operational growth. 

Explore the Platform

Adlumin XDR ensures swift setup unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.


How to Spot the Early Signs of a Ransomware Attack

By: Brittany Holmes, Corporate Communications Manager 

The threat of ransomware attacks looms large over organizations of all sizes. It is predicted that ransomware will cost, in total, USD $265 billion annually by 2031, up from USD $42 billion in 2024. This serves as a reminder of the importance of proactive cybersecurity measures in staying ahead of these malicious attacks, especially when they’re predicted to arise with new challenges.  

There is hope in the form of advanced defense mechanisms that can proactively prevent and detect ransomware attacks before they cause irreparable harm. This blog explores early signs of a ransomware attack and how organizations can level up their defenses to mitigate the risk.   

How Ransomware Attacks Work 

Ransomware is a type of malicious software that blocks a user’s access to their computer files by encrypting them. The cybercriminals demand a ransom payment in exchange for unlocking the files. This coercive tactic puts victims in a predicament where paying the ransom is often seen as the most straightforward and cost-effective way to regain access to their data. In some cases, ransomware may also involve data theft to further pressure targets into meeting the ransom demands. 

A prime example is when the MGM Resorts data breach shook the industry. This breach resulted in the personal information of more than 10.6 million guests being exposed on the dark web after the company refused to pay the ransom demanded by the cybercriminals. It was reported that MGM faced $100 million in financial losses. This incident showcases what can happen if an employee falls victim to a simple social engineering tactic via a fraudulent phone call. 

Recognizing Early Signs of a Ransomware Attack 

Being vigilant and proactive in recognizing early signs of a potential attack is crucial: 

  • Tailored and Targeted Campaigns: For example, a rise in phishing attempts, seen through an increase in spam emails, can indicate potential malware threats. This puts the entire network at risk, as an employee clicks on a malicious link or download can lead to infection. Vigilance is key in recognizing and responding to this threat promptly. 
  • Abnormal network activity: Sudden increases in traffic from unknown sources may signify unauthorized access attempting to exfiltrate data. In addition, unexpected data transfers can be a sign of ransomware encrypting files for extortion purposes. The presence of unfamiliar file extensions or files being created/modified without authorization can indicate the presence of malicious software attempting to compromise the network. 
  • Failed 2FA Authentication: Cybercriminals often try to bypass two-factor authentication to gain control and encrypt important data, leading to potential extortion demands. Monitoring and responding promptly to failed authentication attempts can help prevent the escalation of a ransomware attack and protect critical assets from being compromised. 

What is The Impact of a Ransomware Attack?  

The consequences become more severe for the targeted organization when a ransomware attack is successful. Data encryption and demands for ransom payment disrupt normal operations, leading to potential financial losses and downtime. After a successful ransomware attack, organizations may face long-lasting repercussions such as stolen assets, including intellectual property and sensitive customer information.   

The reputational damage from a data breach can cause clients and stakeholders to lose trust, impacting the organization’s standing in the industry. In addition, financial penalties for failing to secure sensitive data can add to the attack’s overall cost. 

By staying vigilant and updating defenses at the first sign of a threat, organizations can significantly reduce their exposure to ransomware attacks and safeguard their critical data and systems. 

Strengthening Ransomware Defense Mechanisms 

Implementing strong cybersecurity measures, conducting regular security assessments, and training employees on cybersecurity best practices can help amplify defenses against evolving cyber threats. Remember, early detection and quick response are key to mitigating the impact of ransomware attacks and safeguarding the integrity and resilience of your organization’s digital infrastructure. 

Embracing technologies like Adlumin’s Total Ransomware Defense and Managed Detection and Response (MDR) can provide organizations with the multi-layered protection they need to stay one step ahead of cyber threat actors. By leveraging AI and behavioral models to identify warning signs of ransomware at different attack layers, these solutions can effectively block malicious files from executing and mitigate the risk of data encryption and extortion. 

The ability of these solutions to provide automated detection updates ensures that organizations are constantly shielded from evolving ransomware variants. By staying vigilant and updating defenses at the first sign of a threat, organizations can significantly reduce their exposure to ransomware attacks and safeguard their critical data and systems. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Six Ways to Improve Cloud Security for Your Organization

By: Brittany Holmes, Corporate Communications Manager 

Cloud security has become increasingly crucial as more organizations are transitioning from on-premise solutions to cloud-based services. The scalability and convenience of cloud products drive this shift. According to a study by Gartner, it is estimated that by 2026, 75% of organizations will adopt a digital transformation model predicated on cloud as the fundamental underlying platform. This showcases organizations moving toward the growing trend of cloud adoption and cloud technology as a key driver in their digital transformation journey and cybersecurity strategy.  

The rapid transition to the cloud has greatly expanded the potential areas for cyberattacks, posing a significant challenge for security teams. Cybercriminals have been targeting cloud environments by exploiting vulnerabilities in public-facing applications like web servers, gaining access through valid accounts, password resets, or by planting web shells for long-term access. These insights highlight the critical importance of implementing strong cloud security practices and actively managing exposure to mitigate the increasing threat of cloud-related attacks.  

This blog uncovers how to secure your cloud environment.   

Six ways to improve cloud security for your organization: 

1. Encrypt all data within the cloud:

Encryption makes it more difficult for cybercriminals to infiltrate sensitive information stored in the cloud. This added layer of protection ensures that data remains secure and confidential, reducing the risk of cyberattacks and breaches. Encryption also allows for secure data transmission between users and the cloud, further enhancing the security of information stored in the cloud. 

Implementing encryption also helps organizations comply with various data protection regulations and industry standards. By encrypting all data within the cloud, organizations can demonstrate a commitment to safeguarding sensitive information and maintaining data privacy. 

2. Centralize visibility of private, hybrid, and multi-cloud environments: 

Organizations can have visibility within a single pane of glass view across all cloud environments by centralizing the visibility of private, hybrid, and multi-cloud environments. IT teams can monitor and manage security controls, policies, and configurations more easily. This allows for better coordination and communication between different cloud environments, enabling organizations to quickly identify and remediate any security vulnerabilities or threats that may arise. 

Investing in Extended Detection and Response (XDR) solutions can further enhance centralized visibility across multiple cloud environments. XDR is a security platform that integrates and correlates security data from various sources such as endpoints, networks, and applications, providing a holistic view of the organization’s security posture. 

3. Enforce cloud security standards: 

By implementing and enforcing strict cloud security standards, organizations can ensure that all cloud services and applications adhere to best practices for data protection, access control, encryption, and compliance requirements. This can help mitigate the risk of unauthorized access compromising sensitive information stored in the cloud.  

Organizations should establish policies and procedures to enforce cloud security standards effectively. For example, conduct regular audits and assessments to monitor compliance with these standards and provide ongoing training and education for employees on best practices for securing cloud environments. 

4. Employ machine learning detection capabilities: 

Leveraging threat detection capabilities, such as User Entity and Behavior Analytics (UEBA) and Machine Learning, detects and responds to security threats in real-time. UEBA technology analyzes user behavior patterns and identifies deviations that may indicate a potential security incident. Machine Learning algorithms help block and predict security incidents by analyzing large datasets and identifying patterns indicative of malicious activity. By leveraging these advanced technologies, organizations can proactively protect their cloud environments from cyber threats. 

5. Implement multi-factor authentication (MFA): 

Utilizing security tools and technologies, such as encryption, MFA, and intrusion detection systems, further enhances cloud security measures. MFA, specifically, adds an extra layer of protection to user accounts, requiring more than a password and username or email for access. MFA reduces the risk of unauthorized access and data breaches by requiring multiple verification forms to protect cloud data.   

Read more about the basics of MFA, its strengths and weaknesses, and top methods cybercriminals use to bypass MFA in MFA Bypass Attacks: How to Keep 2FA Secure. 

6. Regularly audit misconfigurations and stale accounts: 

Organizations should regularly audit and address misconfigurations in their cloud infrastructure. Misconfigurations can leave vulnerabilities that cybercriminals can exploit to gain unauthorized access to sensitive data or resources. Organizations can identify and rectify misconfigurations by conducting regular audits of their cloud environments before they are exploited. This can involve implementing automated tools to scan for misconfigurations, regularly reviewing and updating security policies, and ensuring that employees are properly trained on best practices for cloud security.  

Another important aspect of cloud security is managing and monitoring stale accounts. Stale accounts refer to user accounts that are no longer actively used or have not been accessed for a long time. These accounts can become a target for cybercriminals, as they may not be monitored or have proper security measures in place. Organizations should regularly review their user accounts, identifying stale accounts and either disabling or deleting them. 

Maximize Your Cloud Security with Extended Detection and Response 

The shift to the cloud offers organizations a competitive edge by providing cost savings, increased agility, improved collaboration, and enhanced security features. It is no surprise that more and more organizations are transitioning to cloud services due to their numerous benefits. 

For lean teams looking to enhance their cloud security and free up time for other operational tasks, Extended Detection and Response (XDR) is invaluable. By seamlessly integrating with cloud security measures, XDR solutions provide continuous monitoring, threat detection, and prompt remediation, allowing organizations to safeguard their assets in the cloud proactively. 

This proactive approach ensures real-time threat detection and incident response, ultimately strengthening the overall security posture. With XDR in place, IT teams can focus on other critical operational tasks without compromising security. XDR services are vital in effectively supporting lean teams securing their cloud environments.   

Explore the Platform



Adlumin XDR ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.