
Innovative risk-management will defend us from evolving ransomware

Image credit: Shutterstock/Carlos Amarillo

Ransomware is not a new phenomenon, but when two large-scale campaigns – WannaCry and NotPetya – caused widespread disruption in 2017 they seemed at first to presage a new pattern of large-scale attacks.

The reality has turned out differently. So far this year, we have seen relatively little ransomware activity, but what there has been is far more targeted and precise. An example of this is the recent use of SamSam ransomware to target 67 organisations in the US, following its deployment against the city of Atlanta earlier in the year.

In the latest attacks, SamSam has been employed not just to lock up files but also to infiltrate backups, making protection with conventional security solutions more complicated. Its ability to spread has been boosted by criminals hitching it to EternalBlue, the leaked US National Security Agency exploit.

Ransomware and the methods attackers use to deliver its crippling effects are constantly evolving, and organisations must combine innovation with best-practice processes if they are to defend themselves adequately.

Criminals have become meticulous and more focused

Planning and preparation of such ransomware attacks is far more meticulous than last year’s blanket ransomware releases, with criminals stealing credentials, then sitting and waiting for the right moment to strike. They fully understand there is no point infecting five per cent of machines on Attack Day One if they can wait 60 days and infect 90 per cent, maximising impact and opportunities for profit.

Alongside this, we have seen convergence with exploit kits and the emergence of Ransomware-as-a-Service. This gives criminals with limited technology skills access to effective, industrial-grade tools and ransomware that is upgraded every 15 days or so, enabling it to evade anti-virus security. The Kraken ransomware has, for example, added the Fallout exploit kit as another means of attack. Ransomware has become a cottage industry involving small teams and solitary creators who commercialise their product and deliver it through an easy-to-use portal.

For organisations, one of the most salient features is the very targeted nature of many attacks, which are designed to hit individuals rather than being deployed globally.

Yet although there has recently been a dip in the number of ransomware attacks, we should not be complacent. There are always peaks and troughs in the threat landscape, and while so far this year Glasswall’s threat intelligence, monitoring millions of emails, has not picked up any instances of ransomware, we should nonetheless remain on our guard, as financially lucrative attacks such as these do not remain dormant for long. Defence against ransomware attacks requires a combination of innovation and best-practice processes. This should all be informed by insight into the nature and history of ransomware and how it is delivered.

The history of ransomware

Ransomware has been around since the late 1980s but remained uncommon until the mid-2000s, when ransomware programs became more commoditised among criminals. Popular during this time were Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive.

More recently we have seen CryptoWall, Teslacrypt, Cerber, CTB-Locker, Cryakl, Scatter, and Locky. SamSam first emerged in 2016 but has obviously been repurposed. Some of these were spawned from the mother of all cyber weapons – Stuxnet.

The emergence of Ransomware-as-a-Service on the dark web not only puts threats in the hands of even those with low-grade IT skills, it is also improving features such as encryption and anti-virus evasion, providing broader payment options and applicability beyond the Windows operating system.

Criminal characteristics

Despite its evolution and ability to spread in a targeted fashion, the established characteristics of ransomware give us a basis for setting security policies. We have seen how it can avoid detection by anti-virus solutions and that, even when it is picked up, elimination of the threat may be incomplete. It is also clear that the barrier to use is relatively low and that, while ransomware is used to extort money, it can also be used destructively by the politically motivated or vengeful, who have no intention of releasing encrypted files.

All the evidence indicates that while the common ransomware families appear to be dying, the ransomware that remains is presented to victims through a larger volume of malware variants.

Increased use of targeting through emails

We now find that many potential victims and organisations are specifically targeted with tailored delivery mechanisms, such as spear-phishing emails with malicious files attached. At the same time, the rapid updating of ransomware gives it the potential to avoid detection and prevention by signature- and heuristic-based intrusion prevention, next-generation firewall and anti-virus solutions.

From a risk-management perspective, an organisation needs to understand where it falls in relation to the more nuanced trajectory of today’s ransomware.

Effective risk-mitigation strategy

With many professionals agreed on the nature of ransomware, we can see that risks can be mitigated to an acceptable level by well-planned and well-rehearsed strategies, a combination of people, processes and innovative technologies, and the implementation of robust back-up and recovery solutions. This should help avoid the disruptive and crippling impact of attacks.

Some ransomware and initial infection vectors exploit known, published vulnerabilities, and certainly some of the malware that Glasswall encounters attempts to exploit weaknesses in Microsoft software that, unless patched, would hand control of the endpoint to the attacker with no user intervention needed. A vulnerability management programme, covering detection, patch management and other mitigations, can limit the attack surface available. Similarly, configuration management, proper network segmentation, and identity, credential and access management can prevent or otherwise limit ransomware’s ability to spread laterally within an organisation.

Finally, we should not dismiss conventional defences such as intrusion prevention systems, next-generation firewalls, anti-virus and sandboxing solutions. They are crucial to providing defence-in-depth and mitigating the vectors, but should be seen as baseline solutions rather than leading best practice.

Moving on from a baseline solution to counter email-borne threats

More effort is required. Focusing on one of the most common threat vectors for ransomware – delivery via a spear-phishing email – organisations should consider how to improve their defensive postures. The email attachment remains the easiest method by which ransomware criminals can hit the individuals they have identified as targets.

Generally, email attachments are scanned by traditional, signature-based anti-virus solutions at the email gateway and, upon execution, at enterprise endpoints. Heuristic-based anti-virus solutions and sandboxing have also been added. Success is largely based on prior experience: a combination of previously encountered malicious files, modes of behaviour, and other attributes of previous attacks.

Despite this, email-based malware continues to compromise individuals and organisations, and Glasswall observes that 84 per cent of the malware disarmed across our customers has no known signature or behaviour trait recognised as bad by any vendor. Increasingly, attachments are used as a pivot point from which so-called “file-less” malware can be introduced into an enterprise, presenting its own challenges. With Microsoft Dynamic Data Exchange (DDE) appearing in 40 per cent of Excel malware, the challenge is significant.

Considering the damaging potential of phishing emails loaded with ransomware attachments, one can only conclude that while detection is necessary for effective cyber security, it is not sufficient. Even though sales of advanced behaviour-based detection tools are increasing, evidence suggests they are not effectively used due to lack of training and time among over-worked information security teams.

While the cyber security community has been trying to identify and stop malicious file attachments before they infect an endpoint or network, the truth is that automated, assembly-line ransomware, coupled with sandbox-aware or at least sandbox-evading attributes, will continue to defy detection.

Use innovation to admit only the “known good” in emailed files

The end goal of preventing malicious files from infecting an enterprise remains sound, but it requires solving a simpler problem. Instead of detecting and blocking “known-bad” files, enterprise email security must incorporate technology that simply looks for, generates and passes only “known-good” files: that is, only files that are unaltered and do not deviate from the original design specification.

Generating and passing “known-good” files can be achieved using deep-file inspection, remediation and sanitisation technology. In near real time, it compares a file to that file type’s standard or specification (such as the Microsoft Office specifications, ISO 10918 for JPEG, or ISO 32000 for a PDF file), regenerates the file in accordance with that specification, and passes the regenerated file forward.

During the regeneration process, it remediates structural deviations from the file-type specification. This includes fixing byte-level anomalies, which may be introduced into the file intentionally or unintentionally but can have undesirable consequences. It then sanitises functional aspects of the file according to the enterprise’s security policies. For example, the technology can remove extensible attributes such as macros, DDE, JavaScript, and any encrypted embedded files. Sanitisation can be applied differently depending on user groups and their business needs.
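To make the compare-regenerate-pass idea concrete, here is an added, deliberately minimal Python illustration (not Glasswall’s product or code) for the JPEG case: it walks the segment structure that ISO 10918 defines, rejects files whose structure cannot be read, rebuilds the output from an allow-list of segment types only, and records what it dropped. The sample input is constructed inline and includes a comment segment and bytes after the end-of-image marker, both of which fall outside the allow-list; the Office and PDF sanitisation steps in the text (macros, DDE, JavaScript) follow the same pattern against their own specifications but are not shown here.

```python
import struct

# JPEG marker values (ISO 10918-1). Only segment types in ALLOWED pass through;
# everything else (comments, unknown APPn, proprietary extensions) is dropped.
SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
ALLOWED = {0xFFC0, 0xFFC4, 0xFFDB, 0xFFDD, 0xFFE0, SOS}  # SOF0 DHT DQT DRI APP0 SOS

def regenerate_jpeg(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild a JPEG from known-good segments. Returns (clean_bytes, actions).
    Structural deviations that cannot be remediated raise ValueError.
    Simplification: 0xFF fill bytes between segments are treated as errors."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    out, actions, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == EOI:
            out += b"\xff\xd9"
            trailing = len(data) - (pos + 2)
            if trailing:  # the specification permits nothing after EOI
                actions.append(f"dropped {trailing} trailing bytes after EOI")
            return bytes(out), actions
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment {marker:04X} length {length} exceeds file")
        segment = data[pos:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data runs until a marker that is neither a stuffed
            # 0xFF00 byte nor a restart marker (0xFFD0..0xFFD7).
            start = pos
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0 and not (0xD0 <= data[pos + 1] <= 0xD7):
                    break
                pos += 1
            segment += data[start:pos]
        if marker in ALLOWED:
            out += segment
        else:
            actions.append(f"removed segment {marker:04X} ({length} bytes)")
    raise ValueError("missing EOI marker")

def _seg(marker: int, payload: bytes) -> bytes:  # helper to build test segments
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample: a tiny JFIF with a COM segment and junk after EOI.
SAMPLE = (b"\xff\xd8" + _seg(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xFFFE, b"constructed comment segment hiding data")
          + _seg(0xFFDB, b"\x00" + bytes(64)) + _seg(0xFFC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
          + _seg(0xFFC4, b"\x00" + bytes(16)) + _seg(0xFFDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\xff\x00\x56" + b"\xff\xd9" + b"constructed trailing bytes after EOI")
```

Running `regenerate_jpeg(SAMPLE)` yields a file that starts at SOI and ends at EOI with the comment segment and trailing bytes gone, while a file whose declared segment length overruns the data is rejected outright rather than passed.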

Get smart to defeat the constant evolution of threats

There are trends in cyber-crime just as there are right across IT, driven by a variety of factors that include developments in technology and the natural propensity of hackers to copy one another’s successes. Currently, the headline-grabbing global attacks are being replaced by much more meticulously prepared and targeted exploits. However, whatever an organisation confronts, a common set of established and emergent risk-management practices is available. In the aggregate, the threats driving these incidents will not stop. Smart prevention, response and recovery investments are available to address them.

Lewis Henderson, VP of Product Marketing, Glasswall