Blog — May 21, 2020

How Current Ransomware Tactics Look a Lot Like Smoking a Brisket


You can’t rush the process of smoking a brisket, what I consider the peak of BBQ prowess.

For a 15-pound brisket, it generally takes over 14 hours of smoking at 225 degrees F to push through the “stall” … after which it requires another couple of hours to “rest.” This process is referred to as “low-and-slow” because it takes time and patience to proceed through each of the smoke phases.

Cyberattackers are just as patient when it comes to following their plan and achieving their goals.

In information security, we often describe attackers in terms of their tools, tactics, and process (TTP). One that we don’t often discuss is TIMING. One recent development in the use of ransomware involves choosing the most appropriate time to initiate the actual encryption. By appropriate, I mean the most inopportune time to strike a target in an effort to hamper recovery.

Let’s first take a step back though. When ransomware first burst broadly into the public view a few years ago, it was very simple: someone opens malicious content which downloads an encryption key and immediately begins to encrypt that single computer’s files (and all others to which they have access, including network shares). The next generation of ransomware started attacking databases directly, encrypting their contents.

A further evolution of a separate ransomware family focused on exploiting the software that manages workstation images (e.g. Kaseya), thereby unwittingly enlisting it to spread unwanted code. This tactic is not necessarily specific to ransomware but also was used for undesired rogue cryptocurrency mining.

The current, most popular methodology within ransomware deployment borrows the “low-and-slow” tactics of yesteryear (very much like smoking a delicious brisket). Also known as advanced persistent threat (APT) methodology, the attacker initially gains a toehold in an environment, then quietly spreads laterally from this “beachhead” to establish multiple points of presence within the organization. Once many systems are infected, the attacker is free to take their time to embed themselves and begin a more rigorous campaign to examine all accessible files (including email), gather information, pivot to other connected systems, gain administrator access (if possible) and exfiltrate interesting or sensitive data to resell or hold hostage.

The newest ransomware tactic builds on the low-and-slow APT method: once the interesting data has been taken, the attacker waits for the right moment and then initiates the encryption on all infected systems at once. The extra spin? Timing. This type of attack offers the attacker the best chance of a payoff when it is initiated at a particularly inopportune time, when the victim isn’t expecting it and is less likely to be able to respond quickly. As such, the first night of a weekend (especially a long weekend!) provides an ideal point for a devastating malicious campaign to be launched.

It is critical to continue to watch for the early indicators. It takes time for the attacker to distribute the malicious code throughout the environment and then wait for the most inopportune time to start the encryption phase. That delay gives the defender a wider window of opportunity to short-circuit the campaign and evict the attacker before encryption begins.

No doubt tactics will continue to evolve. Attackers will continue to hone and improve their methods, likely by better automating the “spread malware internally” phase and by using better obfuscation to reduce the chances of detection. Given the significant recent changes due to COVID-19, with more people working from home, it is possible that, depending on how remote access is implemented, it may be more difficult for attackers to move laterally from endpoint to endpoint. However, this possible mitigation is likely outweighed by the larger number of standalone endpoints running outside the safety of a corporate firewall and other corporate security infrastructure.

With this in mind, we highly recommend that you continue to watch for unusual indicators of inappropriate access, especially when they appear early on a weekend. Ensure that your incident response playbooks are updated, including the contact lists, and run tabletop exercises against this weekend-timed scenario so the team is prepared for it.
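As an added illustration of what “watching for early indicators” can look like in practice (example code written for this article, not eSentire’s tooling), the script below triages a few constructed access-log lines for the two signals the post describes: activity landing in the weekend window the author singles out, and one account fanning out to many hosts in a short span, which is the quiet lateral spread that precedes the encryption phase. The log layout, the Friday 18:00 to Monday 06:00 window and the fan-out thresholds are assumptions chosen for illustration.

```python
# Added example (not eSentire's code): triage constructed access-log lines for the
# two early indicators the post describes, activity landing in the weekend window
# and one account fanning out to many hosts quickly. Layout/thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <user> <src_host> <dst_host> <event>"
SAMPLE_LOG = """\
2020-05-15T14:02:11 jsmith WS-22 FILESRV-01 share_access
2020-05-15T19:40:03 svc_backup WS-22 FILESRV-01 logon
2020-05-15T19:41:17 svc_backup WS-22 FILESRV-02 logon
2020-05-15T19:43:55 svc_backup WS-22 DB-01 logon
2020-05-15T19:44:20 svc_backup WS-22 DC-01 logon
2020-05-16T02:10:09 jsmith WS-22 FILESRV-01 share_access
"""
FRIDAY_CLOSE_HOUR, MONDAY_OPEN_HOUR = 18, 6   # assumed business-hours boundary
FANOUT_HOSTS, FANOUT_WINDOW = 3, timedelta(minutes=10)  # assumed lateral-spread threshold

def parse_log(text):
    """Parse the constructed log text into (timestamp, user, src, dst, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, dst, event = line.split()
            events.append((datetime.fromisoformat(ts), user, src, dst, event))
    return events

def in_weekend_window(ts):
    """True from Friday 18:00 through Monday 06:00: the 'first night of a weekend' onward."""
    wd = ts.weekday()  # Monday == 0 ... Sunday == 6
    if wd == 4:
        return ts.hour >= FRIDAY_CLOSE_HOUR
    return wd in (5, 6) or (wd == 0 and ts.hour < MONDAY_OPEN_HOUR)

def triage(text):
    """Return alert strings: one per weekend-window event, one per account that fans out."""
    alerts, per_user = [], defaultdict(list)
    for ts, user, src, dst, event in parse_log(text):
        if in_weekend_window(ts):
            alerts.append(f"weekend-window {event} by {user} to {dst} at {ts.isoformat()}")
        per_user[user].append((ts, dst))
    for user, touches in per_user.items():
        touches.sort()
        for i, (t0, _) in enumerate(touches):
            hosts = {d for t, d in touches[i:] if t - t0 <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:  # many hosts from one account in a short span
                alerts.append(f"fan-out by {user}: {len(hosts)} hosts within {FANOUT_WINDOW} from {t0.isoformat()}")
                break
    return alerts
```

On the sample data the Friday-evening `svc_backup` burst trips both rules, while the lone Saturday `jsmith` access only trips the weekend-window rule; tuning the window and thresholds to your own business hours is the part the post leaves to each organization.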

While you might be looking at the start of a long weekend as a welcome break from work (or a chance to demonstrate your BBQ skills), attackers might just be thinking about getting started.

Eldon Sprickerhoff, Founder and Chief Innovation Officer

Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.