Ransomware After Dark: Friday Night Lights Out


Growing up in Texas, Friday nights in the fall meant one thing and one thing only: high school football. Whether I was playing in the game or just going, Friday nights meant fun with friends and family cheering on the local high school team on the gridiron.
For many security professionals, Friday nights are a time to unwind from a chaotic week, turning over the keys to the SOC and the weekend crew to monitor what should be the slowest part of the week. It is time for that crew to catch up on reports, do some deep dive analysis on this or that part of their security infrastructure, and even apply that upgrade to a security tool that has been on the shelf for a while.
All this goes out the window when the unexpected happens – a ransomware attack.
While ransomware can strike at any time, savvy attackers have increasingly been studying their targets' schedules, deploying their attacks when they know the defenders are either out of the office or running a skeleton crew.
It’s not hard to figure out why this would be the best time to carry out an attack: the fewer folks “minding the store,” the better the chance of success. Late last year, law enforcement notified professional athletes that sophisticated burglars were targeting their luxury homes while the players were away at games, making off with thousands of dollars in high-value jewelry.
These bandits took advantage of the athletes’ schedules to carry out their crimes with a high degree of success. Ransomware attackers are no different. They look for any window, even just a few minutes, in which their actions might go unnoticed, even while the security controls in place are firing off alert after alert.
In many cases, that is all the time they need to deploy their ransomware payload, exfiltrate data, and bring an organization to a grinding halt. Here are three different strategies security teams should consider to “close the window” on the attackers.
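Before choosing among them, it helps to measure how wide that window currently is. The following is an added example, not code from the original post or from Halcyon: it reads a constructed SIEM-style alert export, splits alerts into business-hours and off-hours buckets, and reports how long each bucket waited for acknowledgement. The 08:00 to 18:00 weekday shift, the 15-minute acknowledgement SLA, and every alert record are assumptions for illustration.

```python
# Added example (not Halcyon's code): measure how fast alerts are acknowledged
# during business hours versus nights and weekends, to size the "window" an
# attacker gets when deploying during off-hours. All alert data is constructed.
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Assumptions: an 08:00-18:00 Monday-Friday shift and a 15-minute
# acknowledgement SLA. Adjust to your SOC's actual schedule.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18
ACK_SLA_MINUTES = 15


@dataclass
class Alert:
    alert_id: str
    severity: str
    created: datetime
    acked: Optional[datetime]  # None if nobody has acknowledged it yet


def parse_alert(line: str) -> Alert:
    """Parse one constructed export line: id,severity,created,acked (acked may be empty)."""
    alert_id, severity, created, acked = line.strip().split(",")
    return Alert(
        alert_id,
        severity,
        datetime.fromisoformat(created),
        datetime.fromisoformat(acked) if acked else None,
    )


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or any weekday time outside the staffed shift."""
    return ts.weekday() >= 5 or not (BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR)


def ack_latency_minutes(alert: Alert, now: datetime) -> int:
    """Minutes until acknowledgement; an unacknowledged alert is charged up to 'now'."""
    end = alert.acked if alert.acked is not None else now
    return int((end - alert.created).total_seconds() // 60)


def coverage_report(alerts, now: datetime) -> dict:
    """Summarise acknowledgement latency for business-hours vs off-hours alerts."""
    buckets = {"business": [], "off_hours": []}
    for a in alerts:
        bucket = "off_hours" if is_off_hours(a.created) else "business"
        buckets[bucket].append(ack_latency_minutes(a, now))
    report = {}
    for name, latencies in buckets.items():
        report[name] = {
            "count": len(latencies),
            "median_minutes": median(latencies) if latencies else 0,
            "max_minutes": max(latencies) if latencies else 0,
            "over_sla": sum(1 for m in latencies if m > ACK_SLA_MINUTES),
        }
    return report


def unattended_high_severity(alerts, now: datetime) -> list:
    """High-severity alerts raised off-hours that sat past the SLA: the attacker's window."""
    return sorted(
        a.alert_id
        for a in alerts
        if a.severity == "high"
        and is_off_hours(a.created)
        and ack_latency_minutes(a, now) > ACK_SLA_MINUTES
    )


# Constructed sample export: two Thursday daytime alerts, a Friday-night pair
# that waited until Saturday morning, an unacknowledged Saturday alert, and
# one Monday-morning alert. 2024-03-15 is a Friday.
SAMPLE_EXPORT = """\
A1,high,2024-03-14T10:05:00,2024-03-14T10:09:00
A2,medium,2024-03-14T14:30:00,2024-03-14T14:45:00
A3,high,2024-03-15T23:12:00,2024-03-16T07:40:00
A4,high,2024-03-15T23:15:00,2024-03-16T07:41:00
A5,low,2024-03-16T03:00:00,
A6,high,2024-03-18T09:00:00,2024-03-18T09:06:00
"""
NOW = datetime(2024, 3, 18, 12, 0, 0)  # assumed "current" time for the unacknowledged alert
SAMPLE_ALERTS = [parse_alert(line) for line in SAMPLE_EXPORT.splitlines() if line]

if __name__ == "__main__":
    for bucket, stats in coverage_report(SAMPLE_ALERTS, NOW).items():
        print(bucket, stats)
    print("unattended high-severity off-hours alerts:", unattended_high_severity(SAMPLE_ALERTS, NOW))
```

On the constructed data, business-hours alerts are acknowledged within minutes while the Friday-night alerts wait more than eight hours, which is the kind of gap the strategies below are meant to close. Run the same calculation against a real export from your alerting platform and the off-hours bucket tells you how much time an attacker actually has.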
Uplevel your Tools and Staff
While easier said than done, security teams that can increase their budgets to add ransomware-specific security tools and experts who know how to use them around the clock should consider doing so.
While many Endpoint Protection Platforms (EPP), Endpoint Detection & Response (EDR), and even Extended Detection and Response (XDR) tools proclaim their ability to combat ransomware, modern attackers routinely evade these tools to deploy their attacks, so augmenting your existing stack with ransomware-centric tools can make it that much more difficult for attackers to reach their objectives.
That said, bringing in any security tool will mean you need to have resources on your team that know how to use them, which can be challenging but certainly doable. Assuming you can bring in this ransomware security solution, you will also want to add or increase your ability to monitor around the clock.
The obvious benefit of this approach is that you not only shrink the window in which attackers can strike while you are at your weakest, but you also give your security team more scheduling flexibility to manage their work/life balance.
You might find you have security team members who would prefer working the overnight shift, giving them more time to do other things during the day. Conversely, early risers might be more than willing to take the early hour shifts, freeing up their afternoons to pursue other hobbies or family obligations.
Adding a shift, while no small challenge, might be what your security team needs to be the best they can be.
Augment from the Outside
Perhaps adding a new tool to your internal stack and more permanent staff to your team, significantly increasing your overhead, is a non-starter. In that case, you might look to outside providers who offer ransomware-specific services and can provide the overnight/weekend/holiday coverage attackers longingly desire to exploit.
With the rise of many regional Managed Security Service Providers (MSSPs), you will probably have no issue finding many viable options to help you close the attacker’s window of opportunity.
While many options exist, be sure to put your potential provider through their paces regarding ransomware expertise, triage, and investigation capabilities, as well as their ability to provide comprehensive reports when you find yourself the victim of an attack during these off-peak hours.
With a bit of effort and due diligence, you may find that augmenting your staff with an MSSP is precisely what you are looking for.
Best of Both Worlds
While options 1 and 2 might each provide a measure of improved ransomware protection, the best of both worlds would be a ransomware-specific security solution that includes, at no additional cost, 24/7/365 monitoring, investigation, response, and recovery.
The Halcyon Anti-Ransomware Platform and the Halcyon Ransomware Detection and Recovery (RDR) are designed to accomplish this with high efficacy. Our mission is to help every organization avoid being the victim of a successful ransomware attack.
We know that a ransomware security platform, no matter how good it is, still requires an already stretched security team to deploy, monitor, and maintain it. We understand that we can’t achieve our goal of protecting you and your organization if we don’t break with the norm and include expert-level monitoring with every license of the platform.
Many security vendors would consider this approach “leaving money on the table,” but we see it as eliminating a common barrier security teams face when they consider adding a product to their stack to reduce their risk from any type of cyber threat.
By taking the burden of monitoring, triage, investigation, and response off the security team’s shoulders, we not only ensure our platform is properly tuned and working as designed, but we also give security teams something they desperately need: time.
Once the lightweight Halcyon agent is deployed across your environment, Halcyon RDR will monitor all generated alerts during the learning phase, working with your security team to identify trusted applications as well as determine the operating model (detection or prevention) appropriate for different groups of assets in your environment.
After a short learning phase, Halcyon RDR will move into 24/7/365 monitoring mode, triaging and investigating every alert generated in the platform, taking appropriate response actions when an active threat is encountered.
Working with your internal team, or your MSSP of choice, the Halcyon RDR team will maintain a constant communication channel so that every threat neutralized, and every action taken, is known to all stakeholders. To date we are helping hundreds of security teams eliminate the attackers’ window of attack, getting their nights and weekends back.
Ransomware has been known to ruin many a date night, but by working on increasing your staff, working with an MSSP, and evaluating what we offer here at Halcyon, you can take back your off time and finally rest easy. You can learn more about Halcyon RDR here.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.