In 2021 ransomware attacks have been reigning among the bigger cyber security storeys. Hence, I was not surprized to see that McAfee’s June 2021 Threat report is primarily focused on this topic.

This report plies a large range of statistics abusing the McAfee data lake behind MVISION Insights, including the Top MITRE ATT& CK Techniques. In this report I foreground the following MITRE proficiencies ๐Ÿ˜› TAGEND

Spear phishing joins( Initial Access) Exploit public-facing works( Initial Access) Windows Command Shell( Execution) User hanging( Execution) Process Infusion( Privilege escalation) Credentials from Web Browsers( Credential Access) Exfiltration to Cloud Storage( Exfiltration)

I too want to highlight one obvious proficiency which are still common across all ransomware attacks at the end of the attack lifecycle ๐Ÿ˜› TAGEND

Data encrypted for significance( Impact)

Traditional defences based on anti-malware signatures and web protection against known malicious domains and IP addresses can be insufficient to protect against these techniques. Therefore, for the rest of this article, I want to cover a few recent McAfee inventions which can make a big difference in the fight against ransomware.

Mix Cloud Edge with Remote Browser Isolation

The following three ransomware proficiencies are linked to web access ๐Ÿ˜› TAGEND

Spear phishing ties-in User hanging Exfiltration to Cloud Storage

Moreover, most ransomware attacks require some form of access to a command-and-control server to be fully operational.

McAfee Remote Browser Isolation( RBI ) ensures no malevolent entanglement content ever even contacts endeavour endpoints’ web browsers by isolating all browsing act to unknown and risky websites into a remote virtual environment. With spear phishing relates, RBI works best when running the mail client in the web browser. The used plans cannot be compromised if web code or registers cannot run on them, forming RBI the most powerful form of web threat safety available. RBI is included in most McAfee United Cloud Edge( UCE) licenses at no additional cost.

Figure 1. Concept of Remote Browser Isolation

McAfee Client Proxy( MCP) self-restraints all entanglement congestion, including ransomware network traffic initiated without a web browser by tools like MEGAsync and Rclone. MCP is in relation to McAfee United Cloud Edge( UCE ).

Protection Against Fileless Attacks

The following ransomware proficiencies are linked to fileless assaults ๐Ÿ˜› TAGEND

Windows Command Shell( Execution) Process Injection( Privilege escalation) User Execution( Execution)

Many ransomware attacks also use PowerShell.

Figure 2. Example of an attack kill chain with fileless

McAfee supplies a huge stray to new technologies which protect against fileless attack methods, including McAfee ENS( Endpoint Security) Exploit avoidance and McAfee ENS 10.7 Adaptive Threat Protection( ATP ). Here are few examples of Exploit Prevention and ATP patterns ๐Ÿ˜› TAGEND

Exploit 6113 -6 114 -6 115 -6 121 Fileless threat: self-injection Exploit 6116 -6 117 -6 122: Mimikatz suspicious pleasure ATP 316: Prevent PDF readers from starting cmd.exe ATP 502: Prevent brand-new services from been generated via sc.exe or powershell.exe

Regarding the use on Mimikatz in the precedent above, the brand-new McAfee ENS 10.7 ATP Credential Theft Protection is designed to cease assaults against Windows LSASS so that you do not need to rely on the spotting of Mimikatz.

Figure 3. Example of Exploit Prevention rules related to Mimikatz

ENS 10.7 ATP is now included in most McAfee Endpoint Security licenses at no additional cost.

Proactive Monitoring and Hunting with MVISION EDR

To prevent initial access, you also need to reduce the risks linked to the following technique ๐Ÿ˜› TAGEND

Exploit public facing lotions( Initial Access)

For example, RDP( Windows Remote Desktop Protocol) is a common initial access used by ransomware attacks. You may have a policy that already vetoes or limits RDP but how do you know it is enforced on every endpoint?

With MVISION EDR( Endpoint Detection and Response) you can play-act a real era exploration across all overseen systems to see what is happening right now.

Figure 4. MVISION EDR Real-time Search to verify if RDP is enabled or disabled on a system

Figure 5. MVISION EDR Real-time Search to identify arrangements with active linkages on RDP

MVISION EDR maintains a history of structure communications incoming and outgoing from the client. Performing an historical search for network traffic could link organisations that actively communicated on port 3389 to illegal addresses, potentially spotting assaults at exploitation.

MVISION EDR too enables proactive monitoring by a defence reporter. The Monitoring Dashboard facilitates the reporter in the SOC abruptly triage questionable behavior.

For more EDR use occasions related to ransomware see this blog article.

Actionable Threat Intelligence

With MVISION Insights you do not need to wait for the latest McAfee Threat Report to be informed on the latest ransomware expeditions and threat charts. With MVISION Insights you can easily meet the following use actions ๐Ÿ˜› TAGEND

Proactively assess your organization’s revelation to ransomware and prescribe how to reduce the attack surface:

Detect whether you have been hit by a known ransomware safarus Pas a Cyber Threat Intelligence program despite a lack of time and expertise Prioritize menace hunting abusing the most relevant indicators

These use cases are covered in the webinar How to fight Ransomware with the latest McAfee innovations.

Regarding the following technique from the McAfee June 2021 Threat Report ๐Ÿ˜› TAGEND

Credentials from Web Browsers( Credential Access)

MVISION Insights can expose the identifications in your environment as well as prevalence statistics.

Figure 6. Prevalence statistics from MVISION Insights on the LAZAGNE tool

MVISION Insights is included in several Endpoint Security licenses.

Rollback of Ransomware Encryption

Now we are left with the last technique in the attack lifecycle ๐Ÿ˜› TAGEND

Data encrypted for affect( Impact)

McAfee ENS 10.7 Adaptive Threat Protection( ATP) furnishes dynamic work containment of questionable processes and enhanced remediation with an automatic rollback of the ransomware encryption.

Figure 7. Configuration of Rollback remediation in ENS 10.7

You can see how records impacted by ransomware can be restored through Enhanced Remediation in this video . For more best patterns on adjusting Dynamic Application Containment principles, check the knowledge base article here.

Additional McAfee Protection Against Ransomware

Last year McAfee liberated this blog article covering added abilities from McAfee Endpoint Security( ENS ), Endpoint Detection and Response( EDR) and the Management Console( ePO) against ransomware including ๐Ÿ˜› TAGEND

ENS Exploit avoidance ENS Firewall ENS Web hold ENS Self protection ENS Story Graph ePO Protection workspace Additional EDR use events against ransomware


To increase your protection against ransomware you might previously be given the opportunity to ๐Ÿ˜› TAGEND

ENS 10.7 Adaptive Threat Protection Unified Cloud Edge with Remote Browser Isolation and McAfee Client Proxy MVISION Insights MVISION EDR

If you are, you should start using them as soon as possible, and if you are not, contact us .

The post Fighting brand-new Ransomware Techniques with McAfee’s Latest Innovations saw first on McAfee Blogs.

Read more: