Ransomware Detection and Prevention
What is it?
Ransomware can have a huge impact on business operations. In fact, the WannaCry worm had an enormous impact in a very short period of time. Within one day, it forced the National Health Service (NHS) in the UK to cancel thousands of operations and medical appointments because of the ransom demands. Within hours, WannaCry was reported to have infected more than 230,000 computers in over 150 countries (see the full NBC article).
More than 4,000 ransomware attacks have occurred every day since the beginning of 2016.
In addition to WannaCry, some high-profile examples of ransomware campaigns include Petya, Locky, TeslaCrypt, CryptoLocker, CryptoWall, and CryptoDefense.
How Ransomware Works
It’s important to note that not all ransomware exploits work in precisely the same way—especially when it comes to the initial stages of an attack.
1. Malware Delivery: The attacker induces the victim user to download malware. A common method is via phishing—the user receives an email and clicks on a link that appears to lead to a legitimate website (but it doesn’t; the site actually hosts an exploit kit). Or, as in the case of Petya, an infected software update carries the ransomware.
2. Command-and-Control Server (C2) Connection: Upon loading the page, the web server hosting the exploit kit begins communicating with the victim machine.
3. File Execution and System Compromise: If a vulnerable version of an application or OS is confirmed, the kit attempts to exploit the vulnerability.
4. File System Encryption: Once the vulnerability is exploited, the victim system is compromised, the filesystem is encrypted, and the malware sends the encryption key and host-specific info back to the attacker’s C2 server.
5. User Notification: The attacker’s server then sends a message to the victim alerting them that their data is being held hostage and issuing directions on how to pay. To add urgency, the ransomware will often include a countdown clock ticking down the minutes before the data is destroyed.
How Much Does it Cost the Organization?
Unlike other types of cyber attacks, ransomware attackers don’t seem to have a preference for financial services and retail. Ransomware attacks all sizes and types of organizations. Some of the more high-profile ransomware attacks have been against hospitals, notably because their need to restore services (and pay the ransom) is literally a matter of life and death. These attacks are often successful, which is why ransomware is on the rise. According to a survey from Osterman Research, nearly one in two participants indicated that their organization suffered at least one ransomware attack in the last year. In the first quarter of 2016, companies paid an estimated $325 million in ransom, and the number of attacks grew from 30 million to over 260 million by the fourth quarter.
Detection and Prevention
It’s important to detect ransomware as quickly as possible in order to isolate the infected systems and minimize the attack’s ability to spread. In a recent SANS Institute survey, 54% of respondents indicated that it took more than two days from initial compromise to detection, yet a ransomware attack can encrypt a filesystem in minutes. Therefore, real-time ransomware detection is crucial.
1. Perform Asset Discovery and Vulnerability Scans
Knowing what’s on your network and in your public and private clouds at all times is essential in order to understand the scope of any security incident. Since the goal of a ransomware attack is to steal your most valuable data, having an updated and reliable asset inventory to start with provides the security team with the certainty they need in the event of an attack.
Additionally, periodic vulnerability assessments are critical so that as new vulnerabilities and exploits are discovered, vulnerable assets can be patched or reconfigured to address these risks.
2. Implement Intrusion Detection
While ransomware can be difficult to detect before it’s too late, it’s not impossible. If you have the right intrusion detection technology in place you can act quickly to contain the damage and quarantine the infected systems. Some examples of ransomware signature behaviors include:
• Communication with an IP or domain with a bad reputation (e.g. Command-and-Control or C2 Server)
• Forcing group policy updates to fail
• Sending data via a covert channel
• Updating an audit policy
• Disabling firewall or antivirus software
• Running unauthorized or unexpected network scans
3. Enable File Integrity Monitoring
Ransomware, like most malware, will kick off system processes and access system files that aren’t necessarily part of normal system operations. With File Integrity Monitoring (FIM) technology, you’ll be alerted any time a critical system file is accessed, modified, or otherwise tampered with. Once the encryption process is kicked off, you may not save that particular system… but once alerted, you can prevent the further spread of the ransomware attack by rapidly isolating and quarantining the compromised system.
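To make the FIM idea concrete, here is an added example (not the article’s or any vendor’s code) of a minimal integrity monitor: it baselines a directory by hashing every file, re-scans it, and classifies the change set. Ransomware shows up not as one changed file but as a burst of modifications and deletions paired with new files carrying an encryption-style extension, so the assessment checks for both. The directory, file names, extensions and the thresholds are constructed for the demo.

```python
"""Minimal file-integrity monitor with a ransomware-style burst detector.

Added example, not from the original article. It baselines a directory by
hashing every file, re-scans it, reports which files changed, and raises a
"mass modification" alarm when many files change inside a single scan
interval. Paths, thresholds and the sample tree are constructed for the demo.
"""
import hashlib
import os
import tempfile

BURST_THRESHOLD = 5                                  # changed files per interval before alarming (assumed)
SUSPECT_EXTS = (".locked", ".encrypted", ".crypt")   # constructed examples of rename patterns


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Return {relative_path: sha256} for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = hash_file(full)
    return snap


def diff(old, new):
    """Classify the differences between two snapshots."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "deleted": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def assess(changes, threshold=BURST_THRESHOLD):
    """Decide whether a change set looks like normal activity or an encryption run.

    Two signals: a burst of modifications/deletions in one interval, and new
    files with ransomware-style extensions appearing while originals vanished.
    """
    churn = len(changes["modified"]) + len(changes["deleted"])
    suspicious = [p for p in changes["added"] if p.endswith(SUSPECT_EXTS)]
    reasons = []
    if churn >= threshold:
        reasons.append(f"{churn} files modified/deleted in one interval")
    if suspicious and changes["deleted"]:
        reasons.append(f"{len(suspicious)} new files with encryption-style extensions")
    return {"alert": bool(reasons), "reasons": reasons}


def demo():
    """Build a constructed document tree, then simulate an encryption pass over it."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(8):
            with open(os.path.join(root, f"report{i}.docx"), "w") as f:
                f.write(f"quarterly report {i}\n")
        before = baseline(root)

        # One legitimate edit: a single modified file should not alarm.
        with open(os.path.join(root, "report0.docx"), "a") as f:
            f.write("addendum\n")
        quiet = assess(diff(before, baseline(root)))

        # Simulated ransomware: overwrite every file with junk and rename it.
        for i in range(8):
            src = os.path.join(root, f"report{i}.docx")
            with open(src, "wb") as f:
                f.write(os.urandom(64))
            os.rename(src, src + ".locked")
        noisy = assess(diff(before, baseline(root)))
        return quiet, noisy


if __name__ == "__main__":
    single_edit, encryption_run = demo()
    print("single edit:", single_edit)
    print("encryption run:", encryption_run)
```

In production the scan interval is short (seconds, not a nightly job) and the alert feeds the isolation step the article describes; the thresholds above are deliberately low so the demo trips on an eight-file tree.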
4. Implement Security Automation
Rapid response is a critical factor in any type of emergency. The faster you can detect and respond to a potential ransomware attack, the more likely you can contain the damage. Recent innovations in security automation have enhanced incident response by allowing disparate security tools to work together more effectively all from a single management platform.
5. Conduct Log Monitoring and Analysis
System logs, application logs and access and activity logs contain the breadcrumbs of every cyber security attacker. The sheer volume and endless variety of event log data makes it essential to have an automated event correlation solution to parse through the actions of the attacker and alert you when ransomware attacks happen so you can stop them from propagating.
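The signature behaviours listed under "Implement Intrusion Detection" and the correlation described here are two halves of one detection: individual events are weak on their own, but several of them on the same host inside a short window are a strong signal. The following added example (not the article’s or any product’s code) parses constructed log lines, maps each to one of the listed behaviours, and alerts per host. Event IDs 4719, 7036 and 1058 are real Windows event IDs; the line format, hostnames, window and thresholds are assumptions for the demo.

```python
"""Correlating ransomware precursor events across log sources.

Added example, not the article's own tooling. It parses constructed log lines
of the form "<iso-time> <host> <source> <message>", maps each to one of the
behaviours the article lists (audit policy change, security service stopped,
group policy failure, unexpected network scan), and alerts on a host when
several distinct behaviours fall inside one window. Event IDs 4719, 7036 and
1058 are real Windows event IDs; the line format, hostnames, window and
thresholds are assumptions for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # correlation window (assumed)
MIN_SIGNALS = 2                  # distinct behaviours on one host before alerting (assumed)
SCAN_PORT_THRESHOLD = 20         # distinct ports to one target counts as a scan (assumed)

# Constructed sample log. ws-042 shows a cluster of behaviours; ws-017 shows a
# benign service restart and a lone audit-policy change half an hour later.
SAMPLE_LOG = """\
2017-05-12T09:01:10 ws-042 Security EventID=4719 System audit policy was changed
2017-05-12T09:01:45 ws-042 System EventID=7036 The Windows Defender Firewall service entered the stopped state
2017-05-12T09:02:30 ws-042 GroupPolicy EventID=1058 The processing of Group Policy failed
2017-05-12T09:03:00 ws-017 System EventID=7036 The Print Spooler service entered the running state
2017-05-12T09:30:00 ws-017 Security EventID=4719 System audit policy was changed
"""
# Constructed firewall flow records: ws-042 touching 25 ports on one server.
SAMPLE_LOG += "".join(
    f"2017-05-12T09:04:{i:02d} fw-edge Flow src=ws-042 dst=10.0.0.5 dport={i + 1}\n"
    for i in range(25)
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse(line):
    """Split one log line into its fields; returns None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, source, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "source": source, "msg": msg}


def classify(ev):
    """Map a host event to a behaviour name from the article's list, or None."""
    msg = ev["msg"]
    if "EventID=4719" in msg:
        return "audit_policy_changed"
    if "EventID=7036" in msg and "stopped state" in msg and re.search(r"Firewall|Defender|Antivirus", msg):
        return "security_service_stopped"
    if "EventID=1058" in msg:
        return "group_policy_failure"
    return None


def detect_scans(events):
    """Flag a source that hits many distinct ports on one destination."""
    ports = defaultdict(set)
    first_seen = {}
    for ev in events:
        if ev["source"] != "Flow":
            continue
        m = re.search(r"src=(\S+) dst=(\S+) dport=(\d+)", ev["msg"])
        if not m:
            continue
        src, dst, port = m.groups()
        ports[(src, dst)].add(int(port))
        first_seen.setdefault((src, dst), ev["ts"])
    return [(first_seen[k], k[0], "network_scan")
            for k, ps in ports.items() if len(ps) >= SCAN_PORT_THRESHOLD]


def correlate(log_text):
    """Return {host: [behaviours]} for hosts showing MIN_SIGNALS behaviours inside WINDOW."""
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    signals = []
    for ev in events:
        name = classify(ev)
        if name:
            signals.append((ev["ts"], ev["host"], name))
    signals += detect_scans(events)          # flow signals are attributed to the source host
    per_host = defaultdict(list)
    for ts, host, name in sorted(signals):
        per_host[host].append((ts, name))
    alerts = {}
    for host, items in per_host.items():
        for ts, _ in items:
            in_window = {n for t, n in items if ts <= t <= ts + WINDOW}
            if len(in_window) >= MIN_SIGNALS:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

Running it alerts on ws-042 only: the lone 4719 on ws-017 never reaches the two-behaviour threshold, which is the point of correlating rather than alerting on each event.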
6. Integrate Security Monitoring with Updated Threat Intelligence
Attackers who conduct ransomware attacks have an entire ecosystem at their disposal, and they’re constantly evolving their methods. Security researchers have studied their procedures and infrastructure in depth, and continue to monitor their attributes, activities, and innovations. This translates into tuned security controls to detect the latest ransomware attacks for an enhanced response.
1. Conduct End User Security Training
Since most ransomware attacks take advantage of unsuspecting users clicking without thinking, educating users is the best first step you can take to combat ransomware. Phishing and spear-phishing techniques that often start ransomware campaigns can’t be successful if users are more skeptical of what they see or receive online. The SANS Institute has some excellent resources, and KnowBe4 even offers a free ransomware simulation tool.
2. Set up Reliable Backup and Recovery Procedures (and test them)
In a scenario where you may lose all of your currently accessible data unless you pay, having a reliable backup certainly gives you much more confidence in refusing to pay up. Unfortunately, many organizations either don’t do regular system backups, or they do them but never test their recovery procedures. An emergency like a ransomware attack is the worst time to try your recovery procedures for the first time. Schedule regular system backups and test these procedures with system recovery testing. Find out where things break down and continually refine these procedures so you’ll be ready if/when there’s an emergency.
3. Update Your Endpoints
Ransomware and other malware attacks exploit endpoint vulnerabilities and insecure configurations. Installing application and OS patches is one of the best ways to prevent ransomware attacks. Another is to disable macros on MS Office applications, as well as remove any and all software that’s not necessary.
4. Implement Continuous Vulnerability Assessment
Regular and continuous vulnerability assessment scanning will identify app, OS, and network vulnerabilities across your assets, so that you can prioritize remediation efforts that can prevent ransomware (and other types of malware) attacks.
5. Block and Filter Outbound Connections (Not Just the Inbound Ones)
One of the first stages of a ransomware attack involves the infected endpoint initiating connections outbound to the attacker’s C2 server(s). If you block these connections at your gateway, you’ve effectively disrupted the ransomware attack before it can ever get started. It’s also a good idea to set up alerts when these connections are initiated so that you can investigate and correlate these connections with known bad internet addresses.
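To illustrate a default-deny egress policy with the alerting this section recommends, here is an added example (not the article’s code and not any gateway product’s configuration). It models a rule set in which workstations may reach only the internal resolver on 53 and the web proxy on 3128; every other outbound attempt is dropped and logged, and dropped attempts are then checked against a reputation list and for repeated attempts to the same destination. The subnets, addresses, ports and the indicator list are constructed for the demo.

```python
"""Default-deny egress policy with alerting on blocked outbound attempts.

Added example, not the article's own code. Workstations (10.10.0.0/16, assumed)
may only reach the internal resolver on 53 and the web proxy on 3128; all other
outbound connections are dropped and logged. Drops are then matched against a
threat-intel list and checked for repeated attempts to one destination, which
is how a blocked C2 beacon looks from the gateway. All values are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")          # assumed client subnet
ALLOW = {                                                    # (destination, port) workstations may reach directly
    (ipaddress.ip_address("10.0.0.53"), 53),                 # internal DNS resolver (assumed)
    (ipaddress.ip_address("10.0.0.8"), 3128),                # web proxy (assumed)
}
BAD_IPS = {ipaddress.ip_address("203.0.113.77")}             # constructed indicator, TEST-NET-3 range
BEACON_THRESHOLD = 3                                         # blocked attempts to one dst before alerting (assumed)
BEACON_WINDOW = timedelta(minutes=5)


def evaluate(src, dst, port):
    """Return 'allow' or 'drop' for one outbound connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in WORKSTATIONS:
        return "allow"                     # policy constrains only the workstation subnet
    return "allow" if (d, port) in ALLOW else "drop"


def audit(attempts):
    """Apply the policy to (ts, src, dst, port) tuples; return the drop log and alerts."""
    drops, alerts = [], []
    history = defaultdict(list)            # (src, dst) -> timestamps of dropped attempts
    flagged = set()                        # (src, dst, reason) already alerted on
    for ts, src, dst, port in attempts:
        if evaluate(src, dst, port) == "allow":
            continue
        drops.append((ts, src, dst, port))
        key = (src, dst)
        if ipaddress.ip_address(dst) in BAD_IPS and (key, "c2") not in flagged:
            flagged.add((key, "c2"))
            alerts.append((src, dst, "known C2 indicator"))
        history[key].append(ts)
        recent = [t for t in history[key] if ts - t <= BEACON_WINDOW]
        if len(recent) >= BEACON_THRESHOLD and (key, "beacon") not in flagged:
            flagged.add((key, "beacon"))
            alerts.append((src, dst, "repeated blocked attempts (possible beaconing)"))
    return drops, alerts


# Constructed traffic sample: normal DNS/proxy use, a workstation beaconing to
# a listed address, a one-off stray connection, and the proxy itself going out.
T0 = datetime(2017, 5, 12, 9, 0, 0)
SAMPLE_ATTEMPTS = [
    (T0 + timedelta(minutes=0), "10.10.4.21", "10.0.0.53", 53),
    (T0 + timedelta(minutes=1), "10.10.4.21", "10.0.0.8", 3128),
    (T0 + timedelta(minutes=2), "10.10.4.21", "203.0.113.77", 443),
    (T0 + timedelta(minutes=3), "10.10.4.21", "203.0.113.77", 443),
    (T0 + timedelta(minutes=4), "10.10.4.21", "203.0.113.77", 443),
    (T0 + timedelta(minutes=5), "10.10.9.5", "198.51.100.10", 8080),
    (T0 + timedelta(minutes=6), "10.0.0.8", "198.51.100.10", 443),
]

if __name__ == "__main__":
    dropped, raised = audit(SAMPLE_ATTEMPTS)
    for d in dropped:
        print("DROP ", d)
    for a in raised:
        print("ALERT", a)
```

The two alert types map to the two actions the section recommends: the reputation match is the "known bad internet address" correlation, and the repeated-attempt rule catches a blocked host that keeps retrying its C2 even when the destination is not yet on any list.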