Last week Kronos, now Ultimate Kronos Group (UKG), announced that it had been hit by a ransomware attack that is likely to keep its systems offline for weeks. As a major human resources management company, it provides services like payroll and timekeeping to other companies. Because so many companies rely on Kronos’s services, those companies are feeling the effects of this attack as well. So, what does this show us about the danger and damage of ransomware?

First, it’s easy to see how the ransomware attack can hurt other businesses that engage with the affected company. While only a few dozen companies have publicly announced they have been impacted by the ransomware attack, Kronos is so widely used that there are likely many more companies affected. These companies using Kronos’s software must now find alternatives to track hours worked and pay their workers, including issuing paper checks. For companies that have a mostly remote employee base, this can mean significant delays in pay for hundreds or thousands of workers. 

Second, it shows the importance of deploying effective mitigation and monitoring techniques. While nobody can truly prevent all attacks, doing everything in your power to reduce risk is important for the business as well as your customers. 

Start with the network.

Detecting ransomware is difficult. There are so many ingress points where hackers can enter the network. Then they can move throughout the network looking for valuable data. The more connection points, the more complex it becomes to detect ransomware. To understand these complexities and detect ransomware, you need to have full visibility of the network and monitor the traffic that goes over the network. 

Tracking lateral movement is one of the most effective ways to detect malware. This is because it’s very common for bad actors to move laterally through the network, rather than connecting to individual machines one by one from an external host. In the case of ransomware, the more machines it touches, the more machines are likely to be compromised. 

While it may seem like a trivial task to detect lateral movement, it is more complicated than it looks because, without proper analysis, the data isn’t actionable. That’s because it can be difficult to tell the difference between legitimate and malicious lateral movement. After all, there are plenty of systems that connect to one another and send data across the network to myriad other systems. Telling the good from the bad is what is useful. Flow data can provide baseline traffic patterns that would be difficult to create, or expensive to deploy, with other technologies. These baselines separate the wheat from the chaff and provide the details needed to recognize malicious lateral movement when it occurs.

That’s why analyzing flow data is the most comprehensive way to detect ransomware that is moving across the network. Furthermore, tracking lateral movement is only worthwhile if you have excellent data. High-fidelity flow data is especially useful because the additional data elements being exported give you better visibility. This data is exportable as IPFIX, and most network hardware vendors support the protocol. Additionally, some vendors provide even more details, like username and connection-level details, that are not available in low-fidelity flow data like NetFlow v5.
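As an added illustration of the baselining idea above (example code written for this post, not Plixer’s or Scrutinizer’s own logic), the script below builds a per-host baseline of internal fan-out over typical lateral-movement ports from a few days of flow summaries and flags a host whose fan-out on the evaluated day jumps well past its own baseline. The flow records, the 10.0.0.0/8 "internal" range and the port list are constructed assumptions, not data from the Kronos incident.

```python
import ipaddress
from collections import defaultdict

# Constructed, simplified flow records (IPFIX-style summaries), not real data.
# Tuple: (day, src_ip, dst_ip, dst_port). Days 1-3 = baseline window, day 4 = evaluated day.
FLOWS = [
    # Normal days: each workstation touches one or two known internal hosts over SMB/RDP.
    (1, "10.0.1.10", "10.0.2.5", 445), (1, "10.0.1.10", "10.0.2.6", 445),
    (1, "10.0.1.11", "10.0.2.5", 445), (1, "10.0.1.11", "10.0.3.20", 3389),
    (2, "10.0.1.10", "10.0.2.5", 445), (2, "10.0.1.11", "10.0.2.5", 445),
    (3, "10.0.1.10", "10.0.2.6", 445), (3, "10.0.1.11", "10.0.1.10", 445),
    # Evaluated day: 10.0.1.11 suddenly fans out to many new internal hosts.
    (4, "10.0.1.10", "10.0.2.5", 445), (4, "10.0.1.11", "10.0.2.5", 445),
    (4, "10.0.1.11", "10.0.2.7", 445), (4, "10.0.1.11", "10.0.2.8", 445),
    (4, "10.0.1.11", "10.0.2.9", 3389), (4, "10.0.1.11", "10.0.2.10", 5985),
    (4, "10.0.1.11", "10.0.3.21", 445), (4, "10.0.1.11", "10.0.3.22", 445),
    # Internet-bound web traffic: ignored by the internal-to-internal filter.
    (4, "10.0.1.11", "203.0.113.9", 443),
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}           # RPC mapper, SMB, RDP, WinRM

def fanout_per_day(flows):
    """(day, src) -> distinct internal destinations reached over lateral-movement ports."""
    fan = defaultdict(set)
    for day, src, dst, port in flows:
        if (port in LATERAL_PORTS and ipaddress.ip_address(src) in INTERNAL
                and ipaddress.ip_address(dst) in INTERNAL):
            fan[(day, src)].add(dst)
    return fan

def baseline(fan, days):
    """Per source host: the largest daily fan-out observed during the baseline window."""
    base = defaultdict(int)
    for (day, src), dsts in fan.items():
        if day in days:
            base[src] = max(base[src], len(dsts))
    return base

def detect(flows, baseline_days, eval_day, margin=2):
    """Hosts whose fan-out on eval_day exceeds their baseline maximum by more than
    `margin` new internal destinations. Returns {src: (baseline_max, observed)}."""
    fan = fanout_per_day(flows)
    base = baseline(fan, baseline_days)
    return {src: (base.get(src, 0), len(dsts))
            for (day, src), dsts in fan.items()
            if day == eval_day and len(dsts) > base.get(src, 0) + margin}

if __name__ == "__main__":
    print(detect(FLOWS, {1, 2, 3}, 4))  # {'10.0.1.11': (2, 7)}
```

With real IPFIX exports the same logic would key on the exporter’s source/destination address and port elements, and a username element from a high-fidelity exporter would let the baseline be kept per account as well as per host.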

What now?

While the full forensic report from Kronos is likely weeks away, it is likely to reveal that the ransomware first entered the network many weeks, if not months, ago and was slowly making its way through the organization until it found what the malware writer was looking for. The length of time the hacker had access to the network is known as dwell time, and flow-based network detection and response is the only viable option for companies to reduce it.

We know that ransomware isn’t going away given this latest attack. But using a flow-based NDR solution can reduce the amount of time that the attacker can remain on your network. When combined with other security solutions like IDS, IPS, and other endpoint detection systems, you can make it more difficult for hackers to lock you out with ransomware. This keeps you and your customers happy. 

Learn to fight ransomware

To see how flow-based NDR can detect ransomware on your network, book a demo today.


Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.