'Know your enemy' – understanding what to prepare for
While ransomware isn't new, this once-simple criminal hacker tactic has morphed into a devastatingly effective weapon wielded by more advanced cyber-criminals -- as seen with the recent Wannacry outbreack. These sophisticated attackers are highly motivated by the profitable nature of their efforts. Dan Larson, technical director at CrowdStrike, looks at the current state of ransomware, why organizations should take threats seriously and how to build a strong defense.
What’s at stake – compliance and reputation
Businesses now retain sensitive information that they are required by law to protect. If an organization falls victim to a ransomware attack that lets senstive data be stolen, they must inform customers and partners. Not only can that mean substantial fines if regulations are compromised, but customer trust is compromised. Costs can be significant. In addition to harming a company's reputation, customer information is gone, intellectual property stolen, and the time needed to clean up the aftermath adds up.
Preparing for the worst
Ransomware has left many organizations scrambling to protect themselves against what's coming or to prevent a repeat attack. Typically, ransomware finds its way in through an infected document or link; once a user clicks, a ransom note appears, demanding payment. By then, files have been encrypted, and backups deleted.
The first step in fighting back is to enable any protections available in antivirus software. Some firms disconnect network drives to limit damage; others revisit backup plans to recover files. Others are even starting to purchase Bitcoin so that a ransom can be paid quickly, minimizing business disruption. But paying up only reinforces the actions of an attacker. Many report that, even after paying, they never get their files back.
Why preparation hasn’t solved the problem
Because ransomware has been so profitable, attackers seek out new variants that can circumvent traditional antivirus protection and avoid detection. Some ransomware developers are even offering ransomware-as-a-service. This increases the number of would-be attackers, which, in turn, increases the number of potential targets.
Paying the ransom – stuck between a rock and a hard place
If you’re reading a ransom note, you’re already in trouble. IT and security teams usually don’t have the key to decrypt files. In some cases, decryptors have been offered up by security experts, but they're rare and shouldn’t be relied on. Having clean backups available is key, but ransomware has been known to wait patiently until backups have been restored and then resurface.
Ransomware’s evolving targets
Initially, it was enough for the attackers to focus on a single system or victim, looking to collect a few hundred dollars per hit. The next obvious targets were larger, reaching beyond files and file servers to web servers and other victims -- demanding larger ransoms.
Many strains of ransomware have adapted to search for connected network shares, putting an entire organization’s valuable information at risk. When security practitioners adapted, and removed network drives from systems, so did the ransomware.
Web servers in the cross hairs
Web servers have become a popular target, encrypting web pages until the page owner (or those hosting the page) pay up. These attacks can cause huge disruptions in businesses.
Recently, there was a widespread attack on poorly configured, vulnerable Mongo DB servers. In January, it was reported that between 27,000 and 33,000 Mongo DB servers had been attacked. Their data was being deleted unless a ransom of 0.2 to 1 Bitcoin was paid, an amount equal to approximately $200 to $1000.
Changing the attack surface
The attacks on Mongo DB and the use of CryptoFortress are good examples of attackers expanding the attack surface to accomplish their objectives.
In the past, this type of data would have been stolen and sold on the dark web for pennies on the dollar. Hackers recognize that this data has more value to the owners than anyone on a secondary market -- ransomware is a way to maximize profits.
Knives to a gun fight
Historically, once a threat has been discovered, a signature is written and an environment becomes protected from that threat. That protection worked because the file identifier or hash, seldom changed. But today a file hash is easily altered by adding, removing or slightly changing the underlying code; often, that’s all it takes to evade existing security controls. In addition to altering files, there's even a file-less ransomware, where malicious code is either embedded in a native scripting language or written straight to memory using legitimate administrative tools such as PowerShell, without being written to disk.
The combo of outdated protection techniques, an expanding attack surface and file-less malware leads to damaging attacks.
Catch them in the act
Modern endpoint protection tools employ new techniques like machine learning and behavioral analytics to stop ransomware. These techniques are necessary because legacy techniques – antivirus using signatures and file-reputation lookups – are failing.
Instead of relying on traditional protections, newer techniques identify file attributes and unusual behavior associated with ransomware. These methods don’t rely on someone getting infected before a signature can be created. It also means that changing the attack vector from a file target to a database or web server -- or using file-less ransomware -- won't matter.