Ransomware stops here - preventing network-wide ransom attacks
Kasey Cross explains the devastation an organisation undergoes when struck by ransomware and describes preventative measures that can be taken to avoid spread from a single machine to a network.
Kasey Cross, senior product marketing manager, LightCyber
Over half of all UK companies have been hit by ransomware in the past twelve months, and nine percent were left “entirely unable to operate,” according to an August 2016 report from Osterman Research. Clearly ransomware is not just a flesh wound, and its ramifications can be staggering.
Losing one computer to ransomware is bad, but losing all clients and servers on a network is clearly worse. Despite the difficulty of dealing with constantly changing ransomware, security solutions exist to protect clients from opportunistic ransomware. However, even using the most up-to-date preventative measures, it may not be possible to protect every single client.
Some opportunistic ransomware loves company, or companies as the case may be, and will attempt to spread to other machines on a network. At the same time, cyber-criminals are increasingly taking a targeted approach to ransomware, trying to infect entire networks of clients, servers and other storage. Some ransomware focuses just on infecting other client machines. Others, such as CryptoFortress and Locky, see file shares as most critical. Either can be devastating.
Interrupting work for an entire company is far more catastrophic than for a single individual. In one of the more infamous incidents, the Hollywood Presbyterian Medical Centre in California reportedly lost more than US$ 100,000 (£77,000) per day and could not meet urgent medical needs because the systems behind services such as CT scans had been locked down by a ransomware infestation.
While ransomware infections of individual computers may be hard to prevent outright, an organisation now has a strong chance of curbing the spread of ransomware across its network. An effective approach to preventing network spread involves monitoring for three things:
1. Command and control – look for communication between a cyber-criminal home base and either ransomware or an active attacker who already has a foothold in your network. This type of communication may be difficult to spot because the attacker or malicious program controls both ends of it. The exchange can be disguised or hidden, and often it does not involve a disreputable website or a brand-new domain; attackers may also host their command and control in a cloud environment such as AWS.
2. Reconnaissance and lateral movement – once an attacker compromises a client or end-user account, they are typically blind to the network and everything it contains. To gain control of assets they must move laterally across the network and widen their sphere of control. Through a careful, deliberate process of reconnaissance and lateral movement, using common administrative and networking tools and commands, they build an understanding of the environment and advance their position. Behavioural profiling can separate anomalous use of these tools from normal, acceptable use, and the anomalies can then be analysed to determine which are likely malicious.
3. Encryption of files on network drives and file shares – as an attacker locates and gains access to network drives and file shares, the first steps of encrypting them for ransom can be identified as a strong signal that a ransomware attack is in progress. By detecting the activity quickly and automatically quarantining the compromised device, organisations can greatly reduce the impact of a ransomware attack.
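The two share-level signals above (a host reaching shares it never used, and a burst of encryption on a share) as a worked example. This is an added illustration, not LightCyber's code: it learns which shares each workstation normally touches from constructed file-server audit lines in a hypothetical format, then flags a host that suddenly reaches several shares outside its baseline and a burst of renames that switch files on one share to a single new extension. The share names, thresholds and log format are assumptions. The command-and-control signal needs network flow data rather than file-access logs and is not covered here.

```python
"""Toy behavioural detector for ransomware spreading over file shares.

Added example, not LightCyber's product code. It baselines which shares each
workstation normally touches from constructed audit events, then raises the
share-reconnaissance and share-encryption signals. Format and thresholds are
hypothetical.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os

# Constructed share names used by the sample log
FINANCE, HR, ENG, BACKUP, IT = (r"\\fs01\finance", r"\\fs01\hr",
                                r"\\fs01\eng", r"\\fs02\backup", r"\\fs02\it")


@dataclass(frozen=True)
class Event:
    ts: int       # seconds on a constructed timeline
    user: str
    host: str     # source workstation
    share: str    # UNC share accessed
    action: str   # read | write | rename
    path: str     # file path; for rename: "old -> new"


def parse_line(line: str) -> Event:
    """Parse one audit line: '<ts> <user> <host> <share> <action> <path>'
    (hypothetical format; a real deployment would read SMB/NAS audit logs)."""
    ts, user, host, share, action, path = line.split(maxsplit=5)
    return Event(int(ts), user, host, share, action, path)


def baseline_shares(events, cutoff_ts):
    """Distinct shares each host touched during the learning window (known good)."""
    seen = defaultdict(set)
    for e in events:
        if e.ts < cutoff_ts:
            seen[e.host].add(e.share)
    return seen


def detect_share_recon(events, baseline, cutoff_ts, min_new=3, factor=3):
    """Signal 2: after the learning window, a host reaches at least `min_new`
    shares it never touched before and at least `factor` x its baseline count.
    Returns {host: sorted list of new shares}."""
    new = defaultdict(set)
    for e in events:
        if e.ts >= cutoff_ts and e.share not in baseline.get(e.host, set()):
            new[e.host].add(e.share)
    return {host: sorted(shares) for host, shares in new.items()
            if len(shares) >= min_new
            and len(shares) >= factor * len(baseline.get(host, set()))}


def detect_share_encryption(events, window=60, threshold=20):
    """Signal 3: on one share, >= `threshold` renames within `window` seconds
    that all switch files to the same new extension (how many crypto-ransomware
    families mark encrypted files). Returns {(host, share): (count, new_ext)}."""
    recent = defaultdict(deque)   # (host, share, new_ext) -> timestamps in window
    hits = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.action != "rename" or " -> " not in e.path:
            continue
        old, new = e.path.split(" -> ", 1)
        old_ext, new_ext = os.path.splitext(old)[1], os.path.splitext(new)[1]
        if not new_ext or new_ext == old_ext:
            continue                      # ordinary rename, extension unchanged
        q = recent[(e.host, e.share, new_ext)]
        q.append(e.ts)
        while e.ts - q[0] > window:       # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            hits[(e.host, e.share)] = (len(q), new_ext)
    return hits


def constructed_log():
    """Constructed audit lines: normal use, then workstation WS01 is compromised."""
    lines = []
    for i in range(10):                       # learning window (ts < 1000)
        lines.append(f"{100 + i} alice WS01 {FINANCE} write q3/budget{i}.xlsx")
        lines.append(f"{100 + i} bob WS02 {HR} read staff/review{i}.docx")
    for j, share in enumerate([HR, ENG, BACKUP, IT]):   # WS01 enumerates shares
        lines.append(f"{1500 + j} alice WS01 {share} read .")
    for k in range(25):                       # then encrypts files on one of them
        lines.append(f"{2000 + k} alice WS01 {BACKUP} rename "
                     f"srv/doc{k}.docx -> srv/doc{k}.docx.locked")
    lines.append(f"2010 bob WS02 {HR} rename staff/draft.docx -> staff/final.docx")
    return lines


def run(lines=None, cutoff_ts=1000):
    """Learn the baseline, then evaluate both signals over the whole log."""
    events = [parse_line(line) for line in (lines or constructed_log())]
    baseline = baseline_shares(events, cutoff_ts)
    return {"recon": detect_share_recon(events, baseline, cutoff_ts),
            "encryption": detect_share_encryption(events)}


if __name__ == "__main__":
    for signal, hits in run().items():
        for key, detail in hits.items():
            print(f"[{signal}] {key}: {detail}")
```

Run directly, it reports WS01 for both signals: four shares outside its baseline, then 25 renames to `.locked` on `\\fs02\backup` inside one minute, while bob's single ordinary rename on his usual share raises nothing. In practice the baseline would be learned per user and per host over weeks rather than from a handful of lines, and a rename-burst hit would trigger the automatic quarantine of the offending host described in the third point above.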
Detecting reconnaissance and lateral movement is the best way to uncover an active attack. Although attackers' tactics blend in with normal tool usage and network and administrator operations, they can be detected with behavioural analytics. If you profile users and devices to establish a baseline of known good, you can see anomalies and then determine which of them are likely malicious and indicative of an attack. This capability applies to ransomware threats as well as to potential data breaches.
Some of the steps of a targeted ransomware attack take time, especially to ensure that the attacker stays undetected. The general strategy for attackers is to conduct their attack “low and slow” to ensure success. Each step is deliberate, and there is some trial and error involved. If a particular action of reconnaissance or lateral movement does not work or is too difficult, the attacker will change tactics to something else that will produce the desired result. The idea is to blend in and not to attract attention. If they can stay undetected, they can take as long as they need to accomplish their goals. For a data breach, this is typically weeks and months. The time horizon for ransomware is generally shorter, ranging from several days to several weeks. Of course, you will want to detect the attacker as quickly as possible and then immediately stop them to curtail or minimise damage.
It is entirely possible that an attack could have multiple goals that combine ransomware with other forms of theft or damage. For instance, as part of launching a network-wide ransomware campaign, an attacker may acquire access to user accounts that could prove useful for subsequent attacks or as a way into another organisation, perhaps a partner or customer. An attacker may also steal data or secrets that increase the monetisation and maximise the return on their efforts. Security professionals should be cognisant that such objectives are possible and should apply diligence in examining an attacker's activities.
A network-wide ransomware attack is both costly and disruptive, potentially stopping business for a significant period of time. It is also becoming more commonplace so organisations need to plan now to have the required network visibility and behavioural analytics in place to uncover an attack quickly - and cut it off before considerable damage is done.
Contributed by Kasey Cross, senior product marketing manager, LightCyber