Ixia, a leading provider of network testing, visibility, and security solutions, offers organizations three core principles to develop an appropriate resistance against increasingly complex ransomware threats.
Ransomware has become the hacker's favorite tool to make money in the cybercrime economy. The latest Verizon Data Breach Investigations Report (DBIR) states that it is the most common type of crimeware, as holding files for ransom is fast, low risk, and easily monetizable, especially with Bitcoin to collect anonymous payment [1]. Attacks targeting businesses have grown by 300 percent since January 2016, and an attack happens approximately every 40 seconds [2].
The latest global ransomware attack appears to be a complex attack based on several ransomware families as well as multiple vectors. It has affected companies worldwide, including utilities and oil companies, shipping companies and airlines, and financial institutions across Europe.
All this points to the clear fact that organizations need to protect themselves from future breaches by implementing preventive measures now. The methods of ransomware delivery have evolved as criminals look to increase infection rates and grow their illegal revenues. The early conventional methods of delivery, such as an infected file attached to an email, could be detected and blocked relatively easily by antivirus products and security sandboxes. Today's increasingly complex infections are specifically designed to bypass these traditional defenses.
"Cybercriminals can easily mutate and adapt the ransomware code just enough so that it isn't detected by the signature banks of antivirus software and easily avoids detection," said Steve McGregory, Senior Director of Application Threat Intelligence at Ixia. "Once identified, ransomware signatures can be updated and rolled out so that antivirus products will block the new variant, although this could take days. During this time, organizations are still vulnerable, and cybercriminals often continue to exploit this to their advantage."
McGregory also stated, "Cyberattacks are increasingly complex. For example, there's a fair bit of speculation as to the source of today's attack and how it works. It appears to be a targeted and coordinated attack using multiple ransomware families and multiple vectors. This has enabled the attack to avoid detection and to be difficult to replicate for researchers. We are in that vulnerable time, early in the discovery phase of the attack."
According to Ixia, there are three core principles that organizations need to be aware of if they are to develop an appropriate resistance against ransomware:
1. Discover the origin
The ransomware infection chain invariably starts with a targeted phishing email with an attached document. The document will contain a macro, small enough to appear innocuous even to sandboxing technologies. When the document is opened, the macro activates, connects to the attacker's remote server on the internet, and starts downloading the ransomware payload onto the machine. The macro also rewrites the payload as it downloads, so the content appears harmless until it actually enters the host machine.
2. Understand its behavior
Focusing ransomware protection on the content being sent to the organization is a losing battle. Email-based macros are unlikely to be picked up, even by advanced virtualized sandboxing, because they do not exhibit malicious-looking behavior when examined. The payload will not appear malicious until it is actually on the machine and starts encrypting, so organizations should look at the vital clues of where the infection is coming from, rather than just at what it is.
3. Block the infection
Most payloads in the final stage of ransomware infection are delivered from known, malicious IP addresses on the internet. As IP addresses are relatively scarce, the same 'bad' ones tend to be continually re-used. Even brand-new malware variants can usually be linked to a small number of compromised IP addresses.
This means that if a machine in an organization's network attempts to download content from a known malicious IP address, it is usually in the initial stages of a ransomware attack, and there is no need to examine the macro that is attempting the download, or the content being downloaded.
The simplest, most cost-effective way to avoid attacks is to automatically block all corporate connections to known malicious IP addresses using a continuously-updated threat intelligence feed. This lets the organization nullify new attacks as well as existing, dormant infections.
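As an added illustration of the third principle (example code written for this article, not Ixia's product or code), the script below checks outbound-proxy log lines against a threat-intelligence feed of known-malicious IPs and CIDR ranges and reports the connections a gateway would block or alert on. The feed entries, the log lines and the log format are constructed sample values and assumptions, not real indicators.

```python
import ipaddress
import re

# Constructed threat-intel feed (documentation-range addresses, not real indicators).
# Feeds mix single hosts and CIDR blocks; comment lines and blanks must be tolerated.
THREAT_FEED = """
# example feed, refreshed continuously in a real deployment
203.0.113.45
198.51.100.0/24
192.0.2.77
"""

# Constructed outbound-proxy log lines: timestamp, source host, destination IP, method, path.
PROXY_LOG = """
2017-06-27T09:14:02Z wks-042 203.0.113.45 GET /update/payload.bin
2017-06-27T09:14:05Z wks-042 192.0.2.10 GET /index.html
2017-06-27T09:15:11Z wks-017 198.51.100.200 GET /dl/x.exe
2017-06-27T09:15:40Z wks-017 10.0.0.5 GET /intranet/
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def load_feed(text):
    """Parse feed entries into ip_network objects; skip comments and malformed lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a bare host address become a /32 network
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed feed entry; a real deployment would log it
    return nets


def is_listed(ip_str, nets):
    """True if ip_str falls inside any listed host or range; unparsable strings never match."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def flag_connections(log_text, nets):
    """Return (timestamp, host, dest_ip, path) for every connection to a listed address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line format
        ts, host, dst, _method, path = m.groups()
        if is_listed(dst, nets):
            hits.append((ts, host, dst, path))
    return hits


if __name__ == "__main__":
    for hit in flag_connections(PROXY_LOG, load_feed(THREAT_FEED)):
        print("BLOCK/ALERT:", *hit)
```

The destination check is done on the address the feed lists, so the content being fetched (here a constructed payload path) never needs to be inspected, which is the point the principle makes.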
McGregory concluded, "Today's attack makes it clear that organizations cannot turn a blind eye to ransomware. If the organization has not backed up critical data, which exclusively resides on the systems affected by an attack, the costs could be considerable, both monetarily and to their reputation. Loss of customer data, financial records, and any other irreplaceable information could render an organization unable to transact business and potentially leave permanent gaps in records."