Ransomware has become the attacker's favorite way to make money in the cybercrime economy. The latest Verizon Data Breach Investigations Report (DBIR) lists it as the most common type of crimeware: holding files for ransom is fast, low-risk and easy to monetize, especially when Bitcoin lets the criminal collect payment pseudonymously and with little chance of being traced.
Attacks targeting businesses have grown by 300 percent since January 2016, and an attack happens approximately every 40 seconds.
The latest global ransomware outbreak appears to be a complex campaign combining several ransomware families and multiple delivery vectors. It has affected companies worldwide, including utilities and oil companies, shipping companies and airlines, and financial institutions across Europe.
All this points to the clear fact that organizations need to protect themselves from future breaches by implementing preventive measures now. The methods of ransomware delivery have evolved as criminals look to increase infection rates and grow their illegal revenues. The early conventional methods of delivery, such as an infected file attached to an email, could be detected and blocked relatively easily by antivirus products and security sandboxes. Today’s increasingly complex infections are specifically designed to bypass these traditional defenses.
“Cybercriminals can easily mutate and adapt the ransomware code just enough so that it isn’t detected by the signature banks of antivirus software and easily avoids detection,” said Steve McGregory, Senior Director of Application Threat Intelligence at Ixia. “Once identified, ransomware signatures can be updated and rolled out so that antivirus products will block the new variant, although this could take days. During this time, organizations are still vulnerable, and cybercriminals often continue to exploit this to their advantage.”
McGregory also stated, “Cyberattacks are increasingly complex. For example, there's a fair bit of speculation as to the source of today’s attack and how it works. It appears to be a targeted and coordinated attack using multiple ransomware families and multiple vectors. This has enabled the attack to avoid detection and to be difficult to replicate for researchers. We are in that vulnerable time, early in the discovery phase of the attack.”
According to Ixia, there are three core principles that organizations need to be aware of, if they are to develop an appropriate resistance against ransomware:
The ransomware infection chain typically starts with a targeted phishing email carrying an attached document. The document contains a macro small enough to look innocuous even to sandboxing technologies. When the document is opened, the macro runs, connects to the attacker's remote server on the internet and downloads the ransomware payload onto the machine. The payload is fetched in an obfuscated or encrypted form that the macro decodes only once it is on the host, so the content appears harmless while in transit and is not recognizable as the final ransomware until it has already arrived.
Focusing ransomware protection on the content being sent to the organization is a losing battle. Email-borne macros are unlikely to be picked up, even by advanced virtualized sandboxing, because they exhibit no obviously malicious behavior while under examination. The payload itself does not look malicious until it is on the machine and starts encrypting, so organizations should look for the vital clue of where the infection is coming from, rather than only at what is being delivered.
Most payloads in the final stage of a ransomware infection are delivered from known malicious IP addresses on the internet. Because IPv4 addresses are relatively scarce, the same bad ones tend to be reused continually, and even brand-new malware variants can usually be linked to a small number of already-known malicious or compromised addresses.
This means that if a machine on an organization's network attempts to download content from a known malicious IP address, that machine is usually in the initial stages of a ransomware attack, or is already infected and calling home. There is no need to dissect the macro that is attempting the download or the content being downloaded: the destination alone is grounds to block the connection and investigate the host.
The simplest, most cost-effective defense is to automatically block all outbound corporate connections to known malicious IP addresses using a continuously updated threat intelligence feed. Applied at the network egress, this cuts off new infections at the download stage and also surfaces existing, dormant infections when they beacon out. The limits are those of the feed itself: it only stops infrastructure that is already known, indicators must be expired as attackers move on and hosting is reclaimed, and entries that cover shared hosting or content delivery ranges can block legitimate traffic, so matches should be reviewed and allow-listed where needed rather than trusted blindly.
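The egress check described above, written out as an added example (it is not code from the article or from Ixia): a small matcher that loads a threat-intelligence IP feed, drops indicators older than a configurable age, skips internal allow-listed ranges, and flags firewall or proxy log lines whose destination falls inside an active indicator. The feed format (`network,last_seen,label`), the log line format (`timestamp src dst:port action`), the indicator addresses (RFC 5737 documentation ranges, not real malicious hosts) and the log lines are all constructed for illustration; real feeds and log formats differ and the two parsers would be adapted accordingly.

```python
"""Match outbound connections against a threat-intelligence IP feed.

Added example, not part of the original article or of any vendor product.
Feed entries and log lines below are constructed; indicator addresses are
RFC 5737 TEST-NET ranges, not real attacker infrastructure.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple, Union

# Constructed feed: "network,last_seen_utc,label" per line. Single hosts and CIDR blocks both allowed.
FEED = """\
198.51.100.23,2017-06-27T10:00:00Z,ransomware-payload-host
203.0.113.0/24,2017-06-25T08:30:00Z,dropper-infrastructure
192.0.2.77,2016-01-05T00:00:00Z,stale-indicator
"""

# Constructed egress log lines: "timestamp src dst:port action" (IPv4 dotted form assumed).
LOG_LINES = """\
2017-06-27T11:02:13Z 10.1.4.22 198.51.100.23:443 ALLOW
2017-06-27T11:02:14Z 10.1.4.22 93.184.216.34:443 ALLOW
2017-06-27T11:05:40Z 10.1.9.8 203.0.113.45:80 ALLOW
2017-06-27T11:06:01Z 10.1.9.8 192.0.2.77:8080 ALLOW
2017-06-27T11:07:55Z 10.1.2.3 10.1.2.4:445 ALLOW
"""

# Internal ranges that are never flagged, even if a sloppy feed entry overlaps them.
ALLOW = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MAX_AGE_DAYS = 90  # indicators not seen for longer than this are treated as expired
NOW = datetime(2017, 6, 27, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Indicator:
    network: Network
    last_seen: datetime
    label: str


def parse_feed(text: str, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> Tuple[List[Indicator], List[Indicator]]:
    """Split the feed into (active, expired) indicators; malformed lines are skipped, not fatal."""
    active, expired = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net_s, seen_s, label = line.split(",", 2)
            net = ipaddress.ip_network(net_s.strip(), strict=False)
            seen = datetime.fromisoformat(seen_s.strip().replace("Z", "+00:00"))
        except ValueError:
            continue  # bad address or timestamp: ignore this entry
        ind = Indicator(net, seen, label.strip())
        (expired if (now - seen).days > max_age_days else active).append(ind)
    return active, expired


def match(ip: str, indicators: List[Indicator]) -> Optional[Indicator]:
    """Return the most specific indicator covering ip, or None if allow-listed or unmatched."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in ALLOW):
        return None
    hits = [i for i in indicators if addr in i.network]  # mixed IPv4/IPv6 simply never matches
    return max(hits, key=lambda i: i.network.prefixlen) if hits else None


def scan_egress(log_text: str, indicators: List[Indicator]) -> List[dict]:
    """Flag every log line whose destination sits inside an active indicator."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst_port, _action = parts
        dst, _, port = dst_port.rpartition(":")
        hit = match(dst, indicators)
        if hit is not None:
            alerts.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                           "indicator": str(hit.network), "label": hit.label})
    return alerts


def run(feed_text: str = FEED, log_text: str = LOG_LINES, now: datetime = NOW) -> Tuple[List[dict], List[str]]:
    """Parse the feed, scan the log, and return (alerts, expired indicator networks)."""
    active, expired = parse_feed(feed_text, now)
    return scan_egress(log_text, active), [str(i.network) for i in expired]


if __name__ == "__main__":
    alerts, expired = run()
    for a in alerts:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} matched {a['indicator']} ({a['label']})")
    print("expired indicators ignored:", expired)
```

On the constructed data the run flags two connections (10.1.4.22 to the payload host and 10.1.9.8 into the dropper /24) and ignores the contact with 192.0.2.77 because that indicator has not been seen in over a year. The same matcher serves both halves of the argument above: the download at the start of an infection and the beacon from a dormant one look identical at the egress, and neither requires inspecting the macro or the payload. Expiring stale indicators and allow-listing internal ranges is what keeps the block list from turning into a self-inflicted outage.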
McGregory concluded, “Today’s attack makes it clear that organizations cannot turn a blind eye to ransomware. If the organization has not backed up critical data, which exclusively resides on the systems affected by an attack, the costs could be considerable, both monetarily and to their reputation. Loss of customer data, financial records, and any other irreplaceable information could render an organization unable to transact business and potentially leave permanent gaps in records.”