Written by George Grzyb, Nexum Principal Engineer
Ransomware can be very disruptive for both businesses and individuals alike. We have all seen the latest examples in the news concerning ransomware campaigns. As the COVID-19 pandemic accelerated remote working, the attack surface has expanded to personal electronics and networks. Increased cloud adoption has transformed the methods of ransomware attacks as datacenter compromise is no longer a requirement. Understanding how ransomware works is important to planning and implementing effective security solutions.
How does a ransomware campaign work?
Ransomware campaigns install advanced threats and malware on an end user device. In the past, the target device was an office workstation, but with the increase in remote working the target has evolved to include mobile devices such as laptops, phones, and tablets. Once a device has been compromised, ransomware can reach out to a threat actor-controlled server to facilitate Command and Control (C&C) communications. This channel allows for data exfiltration, encryption key exchange, and remote control. In ransomware, the exploit action utilizes local device central processing unit (CPU) resources to secretly encrypt all important documents and files. At the end of this action, a warning is presented to the end user with instructions for remitting payment in return for the promise of decrypting and unlocking the stolen files.
At times, a threat actor may take the payment (often paid in cryptocurrency) and disappear, or the server may go offline before a business remits payment. Nevertheless, faced with this type of extortion, the end user has only two options – forfeit the data and restore from backups (which hopefully were regularly performed with a tested restoration process) or succumb to the financial demands and pay up (which in effect emboldens threat actors and finances future campaigns).
What more is at stake?
A ransomware disruption can result in far greater damage than simply that of lost time and money. The resources needed to recover from a ransomware attack can be devastating, but there are other critical issues to consider:
- Do compliance or regulatory measures require breach disclosure? Is the business now subject to additional fees/fines resulting from compliance or regulatory action?
- Was customer data compromised? Does the business have to provide disclosure and payment for any monitoring services?
- Were business trade secrets leaked due to data exfiltration? Did the threat actors post stolen information on the dark web?
- What about reputation? Will the business now suffer from the loss of consumer trust or diminished trademark appeal?
- How has the recovery process from the ransomware incident affected resource burnout? Do employees continue to trust the business or are they looking for different opportunities?
Given the significant primary and secondary losses at stake, priority should be placed on preventing, detecting, and in the worst case, recovering from a ransomware attack.
How can we prevent ransomware?
As the saying goes, “the only certainty in life is death and taxes.” However, there is hope for preventing ransomware attacks. It starts with a culture of embracing cybersecurity best practices. If we focus on disrupting the attack with a layered approach, we can reduce the chances of a successful attack. A layered defense is simply a series of cybersecurity solutions that work to prevent ransomware from reaching the end user or communications from reaching an external threat actor.
Here are some of the cybersecurity solutions that make up that layered defense:
- Cloud Access Security Broker (CASB)
- Deception Technology / Honeypots
- Domain Name System (DNS) Security
- Email Security
- Malware Detection & Remediation
- Phishing Prevention
- Next-Generation Firewall (NGFW)
- Secure Web Gateway (SWG)
While we are going to focus on technology solutions in this series, it is also just as important to raise individual awareness and develop general security hygiene in the end user and employee community.
Cloud Access Security Broker (CASB)
The cloud is ubiquitous and no longer just what you see when you look at the daytime sky. Many business applications that the typical end user interacts with are a cloud service of some type. These Software as a Service (SaaS) applications generally include change management, customer relationship management, email, file sharing, and many other solutions that fulfill a business function. A CASB solution can help prevent ransomware from landing in the cloud or data from being exfiltrated for extortion. It provides visibility into unsanctioned usage and restricts employee access to only approved SaaS applications. CASB solutions offer the ability to enhance access control, manage information exchange through application programming interfaces (APIs), and enforce best practices that limit the attack surface.
Deception Technology / Honeypots
What if we assume that there will be a ransomware attack? Deception technology and honeypots can identify evidence of compromise before ransomware lands on production systems. Such advance notice would allow the business to characterize the attack and tune the security stack to address any identified weakness. The company could also monitor the threat actor’s actions together with the appropriate authorities and security professionals in order to end a much larger threat campaign.
Domain Name System (DNS) Security
DNS provides name-to-IP and IP-to-name mapping for the internet and is a critical part of its infrastructure. It is also one of the most abused protocols due to its universal presence. DNS security addresses simple issues, like a user resolving a known malicious site, as well as complex problems, like DNS tunneling for C&C communications and exfiltration. Ransomware leverages both methods to gain access to the endpoint. DNS Response Policy Zones (RPZs) can ingest threat feeds and block DNS client requests to known malicious sites. Beyond monitoring for malicious end user activity and malware-based C&C communications, the rewritten DNS response can route the end user to a coaching page instead of the malicious site. Leveraging machine learning and Artificial Intelligence (AI), DNS traffic is analyzed for tunneling attempts – where non-DNS data is either exfiltrated or infiltrated under the guise of normal DNS communications. By introducing DNS security controls, we can prevent ransomware from gaining a foothold.
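The two DNS controls described above (an RPZ fed from a threat feed that rewrites known-bad answers to a coaching page, and inspection of query traffic for tunneling) can be illustrated in a few dozen lines. The following is an added example written for this post, not Nexum's code or that of any DNS vendor; the threat feed, policy zone name (`rpz.corp.example`), coaching host (`coaching.corp.example`), query log lines and the entropy/length thresholds are all constructed for illustration.

```python
"""Added example, not Nexum's or any DNS vendor's code: turn a threat feed into a
BIND-style Response Policy Zone (RPZ) whose matches resolve to a coaching page,
then run an RPZ lookup and a DNS-tunneling heuristic over sample query logs.
Feed, zone name, coaching host, log lines and thresholds are all constructed."""
import math
from collections import Counter

# Constructed threat feed: one hostname per line; "*." covers a whole domain.
THREAT_FEED = """
# constructed sample feed
malware-download.example
c2-beacon.example
*.bad-cdn.example
"""

COACHING_PAGE = "coaching.corp.example."  # hypothetical internal coaching host
RPZ_ZONE = "rpz.corp.example"             # hypothetical policy zone name


def parse_feed(text):
    """Return lowercase hostnames, skipping blank lines and comments."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.lower().rstrip("."))
    return names


def build_rpz(names, zone=RPZ_ZONE, target=COACHING_PAGE, serial=1):
    """Render the zone file. Owner names are relative to the policy zone, and a
    CNAME owner rewrites the answer for that name; a "*." owner covers subdomains."""
    lines = [
        "$TTL 300",
        f"@ IN SOA ns.{zone}. admin.{zone}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{zone}.",
    ]
    for name in names:
        if name.startswith("*."):
            base = name[2:]
            lines.append(f"{base} IN CNAME {target}")
            lines.append(f"*.{base} IN CNAME {target}")
        else:
            lines.append(f"{name} IN CNAME {target}")
    return "\n".join(lines) + "\n"


def rpz_action(qname, names, target=COACHING_PAGE):
    """Mirror the resolver's match: exact owner, or any name under a "*." entry."""
    q = qname.lower().rstrip(".")
    for name in names:
        if name.startswith("*."):
            base = name[2:]
            if q == base or q.endswith("." + base):
                return target
        elif q == name:
            return target
    return None


def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than real hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_tunnel(qname, max_label=30, min_entropy=3.0):
    """A long, high-entropy leftmost label is the usual sign of data carried in
    the question name. Thresholds are illustrative; tune them on your own traffic."""
    label = qname.rstrip(".").split(".")[0]
    return len(label) > max_label and shannon_entropy(label) > min_entropy


# Constructed query log: timestamp, client, queried name, query type.
QUERY_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 www.example.com A
2024-05-01T10:00:01Z 10.0.0.5 c2-beacon.example A
2024-05-01T10:00:02Z 10.0.0.7 abcdefghijklmnopqrstuvwxyz234567.t.exfil-tunnel.example TXT
2024-05-01T10:00:03Z 10.0.0.7 abcdefghijklmnopqrstuvwxyz765432.t.exfil-tunnel.example TXT
2024-05-01T10:00:04Z 10.0.0.9 cdn.bad-cdn.example A
"""


def analyze_log(text, names):
    """Return (blocked, tunnel): queries the RPZ would rewrite, and queries the
    tunneling heuristic flags, each as (client, qname)."""
    blocked, tunnel = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        if rpz_action(qname, names):
            blocked.append((client, qname))
        if looks_like_tunnel(qname):
            tunnel.append((client, qname))
    return blocked, tunnel


if __name__ == "__main__":
    feed = parse_feed(THREAT_FEED)
    print(build_rpz(feed))
    print(analyze_log(QUERY_LOG, feed))
```

The CNAME target in the RPZ is what turns a plain block into a coaching page: the resolver answers with the coaching host's address rather than NXDOMAIN. The tunneling check is deliberately simple (one label, one query); a production control would also count distinct subdomains per parent domain and per client over a time window, which is where the machine-learning products mentioned above add value.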
Email Security
There are a couple of ways email is used in a ransomware campaign. Threat actors may attempt to directly embed malware into an email in the form of a modified file that looks too good to not open. A more advanced technique is phishing, where a threat actor sends an email with embedded links to a broad target audience, or spear-phishing, where the target audience is much smaller or even a single person in an organization.
Malware Detection & Remediation
So, you receive a spreadsheet purporting to have your colleagues’ salary information. Do you click on the link or open the attachment? Modern email security products not only perform traditional antivirus scanning but also analyze and review embedded links to ensure they are not pointing at malicious sites or IP addresses. Embedded URLs can be rewritten to pass through a proxy that performs a detailed inspection at the time of use. This is important because threat actors may initially embed inconspicuous URLs and weaponize them at a later point in time. Many email security solutions will also detonate downloaded content within a sandboxed environment to prevent the attack from reaching the email recipient.
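The link-rewriting step above is easy to misunderstand without seeing both halves: the gateway rewrites each link at delivery time, and the decision is made again at click time against whatever the blocklist says then. The following is an added example written for this post, not Nexum's code or that of any email security product; the inspection endpoint (`urlcheck.corp.example`), the gateway signing key, the message body and the two blocklist states are all constructed.

```python
"""Added example, not Nexum's or any email security product's code: rewrite the
links in an inbound message so every click is routed through a click-time
inspection endpoint, then decide at click time against the current blocklist.
The proxy host, signing key, message body and blocklist are constructed."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

CLICK_PROXY = "https://urlcheck.corp.example/v1"  # hypothetical inspection endpoint
GATEWAY_KEY = b"constructed-demo-key"            # hypothetical gateway secret

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sign(url):
    """HMAC over the original URL so a proxied link cannot be forged or altered."""
    return hmac.new(GATEWAY_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_url(url):
    """Replace a link with a proxied form carrying the original URL and its tag."""
    return f"{CLICK_PROXY}?u={quote(url, safe='')}&s={sign(url)}"


def rewrite_body(body):
    """Rewrite every http(s) link in a plain-text message body at delivery time."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def check_click(proxied_url, blocklist):
    """Click-time decision. The blocklist is consulted now, not at delivery, so a
    link that was clean in the inbox but weaponized later is still caught."""
    params = parse_qs(urlparse(proxied_url).query)
    url, tag = params.get("u", [""])[0], params.get("s", [""])[0]
    if not url or not hmac.compare_digest(sign(url), tag):
        return ("reject", "link not issued by this gateway")
    host = (urlparse(url).hostname or "").lower()
    if host in blocklist or any(host.endswith("." + b) for b in blocklist):
        return ("block", host)
    return ("allow", url)


# Constructed inbound message and the blocklist as it stood at two moments.
MESSAGE = (
    "Your password expires today. Reset at https://login.corp.example/reset?id=42\n"
    "Salary spreadsheet: http://files.fake-hr.example/salaries.xlsx\n"
)
BLOCKLIST_AT_DELIVERY = set()
BLOCKLIST_AT_CLICK = {"fake-hr.example"}


def demo():
    """Judge the same two proxied links at delivery time and again at click time."""
    links = URL_RE.findall(rewrite_body(MESSAGE))
    return (
        [check_click(link, BLOCKLIST_AT_DELIVERY) for link in links],
        [check_click(link, BLOCKLIST_AT_CLICK) for link in links],
    )


if __name__ == "__main__":
    print(rewrite_body(MESSAGE))
    print(demo())
```

The HMAC tag matters as much as the blocklist lookup: without it, anyone who learns the proxy's URL format could hand-craft a "protected" link that the gateway never saw, and recipients would trust the proxy branding. The same structure works for attachments if the sandbox verdict is keyed by content hash rather than by URL.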
Phishing Prevention
What about targeted attacks? Perhaps you receive an email with an embedded URL link to reset your password or to confirm your personal information due to a billing issue. Threat actors may initially perform reconnaissance to learn what types of applications or products are used by employees or contractors. Emails are then constructed to mimic legitimate third-party logons, notices, password resets, and other content to entice a user to divulge sensitive information. Luckily, these types of phishing and social engineering campaigns can be simulated using an appropriate email security solution.
Will an employee click on that embedded URL link? If they do, their behavior is tracked, and the end user receives a coaching email with links to additional information and training. With API integration, the business can automatically enroll an uninformed employee in mandatory training in hopes of positively reinforcing future behavior.
Next-Generation Firewall (NGFW)
NGFWs are a part of the overall solution. Capabilities vary by vendor, but these solutions provide network-based detection and response that can address some of the challenges discussed and are a critical part of improving the overall security posture of the organization.
Secure Web Gateway (SWG)
With outbound access to external sites, employees are exposed to a myriad of potential issues which may result in malware or ransomware compromise:
- Viewing inappropriate material on business assets
- Inadvertently downloading malware or ransomware onto their device
- Uploading business documents containing application source code, customer information, trade secrets, etc.
- Posting information to social media which can be in violation of compliance or regulatory rules for a particular industry, or can be used by a threat actor for social engineering or targeted threat campaigns
When an SWG is coupled with an appropriately locked-down outbound NGFW, inappropriate non-business access can be restricted. In an ideal world, personal web browsing would be performed on non-business assets and preferably during non-business hours. The reality is that many businesses allow some level of personal use. Many solutions provide both employee coaching and whitelisting capabilities for legitimate research-based activities.
What is next?
The Nexum team will be posting follow-up breakout technical blogs to address in greater detail the various cybersecurity solutions that can be deployed to reduce the risk of a successful ransomware attack.
In this Ransomware Series, we will review how a combination of platform and point-based solutions can significantly reduce the attack surface of your organization to limit the risk of a successful ransomware attack.
Contact us for more details.