Ransomware has become the hacker’s favorite tool to make money in the cybercrime economy. The latest Verizon Data Breach Investigations Report (DBIR) states that it is the most common type of crimeware, as holding files for ransom is fast, low risk, and easily monetizable, especially with Bitcoin to collect anonymous payment.[1] Attacks targeting businesses have grown by 300 percent since January 2016, and an attack happens every 40 seconds.[2] The latest global ransomware attack, called WannaCry, has affected more than 200,000 victims in 150 countries since May 12th. All this points to the clear fact that organizations need to protect themselves from future breaches by implementing preventive measures now.
The methods of ransomware delivery have evolved as criminals look to increase infection rates and grow their illegal revenues. The early conventional methods of delivery, such as an infected file attached to an email, could be detected and blocked relatively easily by antivirus products and security sandboxes. However, the current infections are specifically designed to bypass these traditional defenses.
“Cybercriminals can easily mutate and adapt the ransomware code just enough so that it isn’t detected by the signature banks of antivirus software,” said Steve McGregory, Senior Director of Application Threat Intelligence at Ixia. “These ransomware variants are known as ‘zero–day mutations’. Once identified, ransomware signatures can be updated and rolled out so that antivirus products will block the new variant, although this could take days. During this time, organizations are still vulnerable, and cybercriminals often continue to exploit this to their advantage.”
McGregory also stated, “For example, with the WannaCry ransomware attack, once a machine in a network is infected, the ransomware spreads by searching for adjacent Microsoft systems that are vulnerable to the Server Message Block (SMB) MS17-010. This vulnerability was only fixed in March of this year, and many computers remain unpatched, or in the case of the UK National Health Service, it’s reported that 90 percent were still running Windows XP, making the systems easier to exploit, and the disruptions more devastating.”
According to Ixia, there are three core principles that organizations need to be aware of, if they are to develop an appropriate resistance against ransomware:
1. Discover the origin
The ransomware infection chain invariably starts with a targeted phishing email, with an attached document. The document will contain a macro, small enough to appear innocuous even to sandboxing technologies. When the document is opened, the macro activates and connects to the attacker’s remote server on the internet, and starts downloading the ransomware payload onto the machine. The macro also rewrites the payload as it downloads, so the content appears harmless until it actually enters the host machine.
2. Understanding its behavior
Focusing ransomware protection on the content being sent to the organisation is a losing battle. Email-based macros are unlikely to be picked up, even by advanced virtualized sandboxing, because they do not exhibit malicious-looking behavior when examined. The payload will not appear malicious until it is actually on the machine and starts encrypting, so organizations should look at the vital clues of where the infection is coming from, rather than just at what it is.
3. Blocking the infection
The payloads in the final stage of ransomware infection are delivered from known, malicious IP addresses on the internet. As IP addresses are relatively scarce, the same ‘bad’ ones tend to be continually re-used. Even brand-new malware variants can be linked to a small number of compromised IP addresses.
This means that if a machine in an organization’s network attempts to download content from a known malicious IP address, they are usually in the initial stages of a ransomware attack, and there’s no need to examine the macro that is attempting the download, or the content being downloaded.
The simplest, most cost effective way to avoid attacks is to automatically block all corporate connections to known malicious IP addresses using a continuously-updated threat intelligence feed. This lets it nullify all new attacks, as well as existing, dormant infections.
McGregory concluded, “Organizations cannot turn a blind eye to ransomware anymore. If the organization has not backed up critical data, which exclusively resides on the systems affected by an attack, the costs could be considerable, both monetarily and to their reputation. Loss of customer data, financial records, and any other irreplaceable information could render an organization unable to transact business and potentially leave permanent gaps in records.”
