M+E Daily

Fortinet: How to Thwart the Latest Ransomware Attacks

Fortinet experts used the April 3 webinar “Fighting Ransomware from Network to Endpoint with Unified NDR, EDR, and NGFW” to discuss today’s ransomware attack technique trends and how to thwart them by accelerating detection, investigation and response.

That can be done, they explained, by correlating and analyzing security events while reducing false positive alerts, reducing analysis times and securing unmanaged devices.

Ransomware attackers are continuously evolving their techniques to evade detection, making every security team’s job tougher than ever, they pointed out.

Opening the webinar, Vijay Dontharaju, senior manager of security engineering at Fortinet, said he has 18 years of experience in the security sector, including about two years with Fortinet.

Amey Gat, principal threat researcher on Fortinet’s FortiEDR Threat Hunting Team, noted that he has worked in the IT industry for more than 19 years.

The first topic that moderator Chris Borales, who serves as senior product marketing manager for Fortinet’s Network Detection and Response division, brought up was Rhysida Ransomware.

Gat, who has researched Rhysida, shared victim data with viewers, saying the group’s victims can be found across multiple industries and regions of the world. What this shows, Gat said, is that Rhysida is “not targeting any one particular industry” and isn’t paying attention to the size or location of its victims.

Instead, it’s “in their best interest to find the weakest links,” according to Gat. He then walked through the timeline of a Rhysida attack that he said hit one of Fortinet’s customers. On day one, the attacker gained initial access, he noted. By day three, the discovery and credential stuffing stage was underway. Day four was the busiest day, he said: persistence was established, ransomware preparation was underway, data validation and initial exfiltration started and quickly led to large-scale data exfiltration, and the ransomware was deployed.

The most significant detail is that, within less than 24 hours of the attacker’s initial access, the attack had “gone to data exfiltration and ransomware deployment,” he said. “On day one,” the attackers were already accessing the SonicWall virtual private network (VPN) with valid credentials, he pointed out.

While investigating the incident, Fortinet found that the attackers had begun using a “custom tool which was found at the client and which was transferring a whole big amount of data from multiple network machines to one particular designated C2 server,” he explained.
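The pattern Gat describes, valid-credential VPN access followed by many internal hosts pushing large volumes to a single external destination, is the kind of event correlation the panel says shortens detection time. The following is an added example written for this article, not Fortinet code and not a FortiEDR or FortiNDR rule: it aggregates outbound flow records by external destination, flags "fan-in" destinations that receive a large total from several distinct internal hosts, drops destinations on an allowlist of known bulk targets (the false-positive reduction mentioned above), and attaches any VPN logins from the preceding 24 hours as the likely initial-access lead. All records, addresses, usernames and thresholds are constructed for illustration.

```python
"""Correlate VPN logins with fan-in outbound transfers to flag likely exfiltration.

Added example; not Fortinet's code. All telemetry below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry. One VPN login with valid credentials from an
# external address, then several internal hosts pushing data to one destination.
VPN_LOGINS = [
    {"ts": "2024-04-01T01:50:00", "user": "j.doe", "src": "203.0.113.7"},
    {"ts": "2024-04-01T08:10:00", "user": "backup-svc", "src": "203.0.113.9"},
]

FLOWS = [
    # internal -> suspected C2 (hypothetical address 198.51.100.20)
    {"ts": "2024-04-01T02:05:00", "src": "10.0.1.10", "dst": "198.51.100.20", "bytes": 600_000_000},
    {"ts": "2024-04-01T02:20:00", "src": "10.0.1.11", "dst": "198.51.100.20", "bytes": 450_000_000},
    {"ts": "2024-04-01T02:35:00", "src": "10.0.2.40", "dst": "198.51.100.20", "bytes": 300_000_000},
    # routine backup to an allowlisted destination: same fan-in shape, must not alert
    {"ts": "2024-04-01T03:00:00", "src": "10.0.1.10", "dst": "192.0.2.50", "bytes": 900_000_000},
    {"ts": "2024-04-01T03:05:00", "src": "10.0.1.11", "dst": "192.0.2.50", "bytes": 900_000_000},
    {"ts": "2024-04-01T03:10:00", "src": "10.0.2.40", "dst": "192.0.2.50", "bytes": 900_000_000},
    # single host, small transfer: below both thresholds
    {"ts": "2024-04-01T04:00:00", "src": "10.0.3.7", "dst": "198.51.100.99", "bytes": 20_000_000},
]

# Known-good bulk destinations (backup, cloud storage). Hypothetical entry.
ALLOWLIST = {"192.0.2.50"}

# Organisation-defined internal ranges (RFC 1918). Checked explicitly rather than
# via ip_address().is_private, which also treats documentation ranges as private.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def _ts(s):
    return datetime.fromisoformat(s)


def _is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def _outbound(flow):
    """True for flows that leave the internal address space."""
    return _is_internal(flow["src"]) and not _is_internal(flow["dst"])


def fan_in_exfil(flows, min_hosts=3, min_bytes=1_000_000_000, allowlist=ALLOWLIST):
    """Return external destinations that received at least min_bytes in total
    from at least min_hosts distinct internal hosts, skipping the allowlist.
    Hits are sorted by total bytes, largest first."""
    agg = defaultdict(lambda: {"hosts": set(), "bytes": 0, "first": None, "last": None})
    for f in flows:
        if not _outbound(f) or f["dst"] in allowlist:
            continue
        a = agg[f["dst"]]
        a["hosts"].add(f["src"])
        a["bytes"] += f["bytes"]
        t = _ts(f["ts"])
        a["first"] = t if a["first"] is None or t < a["first"] else a["first"]
        a["last"] = t if a["last"] is None or t > a["last"] else a["last"]
    hits = [
        {"dst": dst, "hosts": sorted(a["hosts"]), "bytes": a["bytes"],
         "first": a["first"], "last": a["last"]}
        for dst, a in agg.items()
        if len(a["hosts"]) >= min_hosts and a["bytes"] >= min_bytes
    ]
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


def correlate_with_vpn(hits, vpn_logins, lookback=timedelta(hours=24)):
    """Attach VPN logins from the `lookback` window before each hit's first
    transfer, so the analyst starts from the probable initial access."""
    out = []
    for h in hits:
        start = h["first"] - lookback
        related = [l for l in vpn_logins if start <= _ts(l["ts"]) <= h["first"]]
        out.append({**h, "vpn_logins": related})
    return out


def run(flows=FLOWS, vpn_logins=VPN_LOGINS):
    return correlate_with_vpn(fan_in_exfil(flows), vpn_logins)


if __name__ == "__main__":
    for alert in run():
        users = [l["user"] for l in alert["vpn_logins"]]
        print(f"{alert['dst']}: {alert['bytes'] / 1e9:.2f} GB from {len(alert['hosts'])} hosts "
              f"between {alert['first']} and {alert['last']}; preceding VPN logins: {users}")
```

On the constructed data the backup destination is suppressed by the allowlist while the suspected C2 address is reported with the earlier VPN login attached. In a real deployment the allowlist would come from an asset inventory and the thresholds would be tuned per network, but the shape of the logic, aggregate per destination and then enrich with identity events, is what the panel means by correlating events rather than alerting on each one.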

The attackers also “installed to some of the client system …  tools … to transfer some of the malicious files,” he said. Additionally, there were “multiple Windows [PCs], which had FortiEDR deployed and they had blocked this particular [ransomware] execution,” he pointed out. But he was quick to add: “Unfortunately, all of the machines on the network didn’t have FortiEDR.”

FortiEDR provides automated endpoint security that Fortinet says integrates with the Fortinet Security Fabric and other solutions.

Peter Steyaert, senior solution architect manager at Fortinet, also participated in the panel discussion.