SentinelOne: Ransomware actors are adapting to EDR

SAN FRANCISCO -- During an RSA 2024 session on Tuesday, SentinelOne's Alex Stamos warned that ransomware actors are leveraging more commercial software tools instead of malware due to the success of endpoint detection and response products.

Stamos, chief trust officer at SentinelOne, presented a session titled "Global Threat Overview" where he discussed geopolitical conflicts, the cyber arms race, policy regulations, generative AI and the ongoing evolution of ransomware. In addition to more brazen extortion tactics and a decrease in ransomware deployment, SentinelOne also observed threat actors are increasingly using living off the land (LOTL) techniques to avoid detection.

Though it highlights endpoint detection and response (EDR) tools increasing effectiveness, Stamos stressed that ransomware actors are adapting quickly. He added that he prefers using the term cyber extortion over ransomware because attackers have gotten more complex in extortion tactics.

"If you've got computers, if you've got money, then you're going to get ransomwared," Stamos said during the session. "From a tech perspective, these actors have changed their model. I think a lot of this is because of the success of EDR."

SentinelOne observed ransomware actors are now using less custom malware as well as leveraging more commercial software and remote employee management tools during attacks to avoid detection tools and remain hidden inside networks. The use of LOTL tactics is a growing trend across the threat landscape. U.S. agencies and Microsoft highlighted the LOTL risk to critical infrastructure organizations in another RSA Conference 2024 session Monday around the Chinese nation-state threat actor Microsoft tracks as Volt Typhoon.

During Tuesday's session, Stamos highlighted the extent of the problem in ransomware attacks. While conducting an incident response case, Stamos observed attackers planted 12 different backdoors inside the victim organization. Eleven of those backdoors were commercial tools that attackers either bought or were using 30-day free trial offers.

Stamos stressed that attackers adapted their tactics because it is more difficult for enterprises to detect commercial tools versus custom malware that is more likely to trigger suspicious activity alerts in EDR products.

The ongoing cyber arms race also contributed to the ransomware evolution, Stamos said, as zero-day exploits and "cyberweapons" have become more common.

"Cyber arms race at the top level makes the entire world more dangerous because these weapons are effectively falling out of the sky and everyone once in a while a ransomware or any actor picks one up whodidn't have money to invent it themselves," he said.

Another problem he addressed was the expanding attack surface. Stamos stressed that most companies have complicated attack surfaces that are difficult to understand and navigate. He said threat actors are going after any vulnerable system they find, then deciding if it's a victim worth attacking.

Despite expanding attack surfaces, Stamos said Microsoft is the popular vector and cited Microsoft Exchange as 2023's top target. "Here's a tip: Never use a Microsoft product that Microsoft themselves doesn't even use anymore. That's a bad sign. Microsoft Exchange would very firmly fit in that category of a product you shouldn't employ yourself," he said.

He added that attackers are becoming increasingly effective at targeting the kill chain just to get to Microsoft. In some cases, enterprises are extremely vulnerable because many mitigations are out of their control.

"We found out just last week, there was a Microsoft graph API endpoint that didn't have any rate limiting on it, so people have been password spraying without any kind of alert coming to you. There's no way you could have stopped that."

Brian Reed, cybersecurity evangelist at Proofpoint, told TechTarget Editorial that attackers constantly target Microsoft because their products are so widely deployed across the landscape. However, he said it's counterproductive to name and shame Microsoft because it could lead the company to be even less transparent about security incidents and vulnerabilities.