Ransomware: 5 strong tactics for defense and response

Ransomware has taken off. The FBI estimates that in the first five months of this year, ransomware caused $209 million in damages, according to a recent CNN report. The criminal underground is now selling ransomware-as-a-service, suggesting that the malicious moneymaking scheme will continue to grow quickly. By the end of the year, it will likely surpass banking Trojans as the No. 1 threat.

Cybercriminals are moving to ransomware because the infections they can perpetrate directly translate into money. In the past, ransomware attackers mainly targeted consumers, but perpetrators are increasingly focusing on larger victims that pose the potential for larger payouts, says Santiago Pontiroli, a security researcher at Kaspersky Lab.


"They are actively targeting midsized to large companies," he says, "because they know the ransom can be much higher. Some companies are bound by local laws, so if they lose [the compromised] information they need a forensic investigation."

Ransomware is disruptive but not unstoppable. Companies need to know which steps prevent infection and how to handle a compromise so that damage is minimized. Normal anti-malware defenses can help against ransomware, but the threat should be viewed as a data protection problem. To be most successful, companies need to know what data to protect.

This article will cover two approaches companies should deploy in order to stave off damage from ransomware attacks: defense against attacks, and the proper response if an attack does occur.

Defense: Stop ransomware as soon as possible

For the most part, ransomware is run-of-the-mill malware with a different payload. Attacks have many of the same components as other malware:

  • Popular vectors are email attachments and links to malicious websites.
  • Often a downloader will first load in the malware.
  • Attackers use a variety of obfuscation techniques to escape detection.

"Defense-in-depth" as advice is almost prosaic, but that does not make it less true. Companies should have some form of host-based anti-malware technology protecting their computers. Ransomware is costly to clean up, and preventing 99% of possible infections is still a worthy goal, even if 1% still gets in.

"Do you want to be monitoring your email? Yes," says Earl Carter, senior threat researcher for Cisco's Talos research group. "Do you want to keep your users from going to any malicious sites? Yes. It is that multifaceted approach to protecting your business that is going to make a big difference."

Companies should also follow least-privilege principles, allowing users to access only data that they need for their jobs, which can prevent an attacker from easily moving from machine to machine inside a compromised network.

Defense: Detection is critical

Trying to prevent malware is a laudable goal, but security professionals should be ready to detect ransomware as it executes on an employee's system or if it is seeded inside the network by attackers who already have access, says Justin Harvey, chief security officer of Fidelis Cybersecurity.

If history has shown the security community anything, it's that breaches are not a matter of "if" but "when," he says. "At the end of the day, the CISO and security people have to realize that you cannot prevent everything."

Ensure malware visibility on hosts and networks

While preventative measures can harden a system and network against attackers, a detection strategy focuses on gaining visibility into what is going on inside the network and on systems.

Detection can take many forms, whether host-based or network-based. A hidden folder or file that no one should access becomes a "canary"—any program that changes the data contained there can be flagged for immediate investigation. Host-based detection systems can also analyze patterns of file access to see if a program is systematically manipulating files, the way crypto-ransomware does when it encrypts a user's documents one after another.

"These strategies do not prevent you from losing some data," Harvey says. "But if you are at the beginning of an outbreak, you want to be able to pick up on it as fast as possible."
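The two host-based signals described above, canary files and systematic file manipulation, as an added example that is not from the article or any vendor product. The event format, canary paths and thresholds are assumptions; a real agent would feed it file-system audit events.

```python
"""Host-based ransomware detection on file events: canary files and
mass-modification rate. Added example; the event format, canary paths and
thresholds are assumptions, not the article's or any vendor's implementation."""
from collections import defaultdict, deque

# Hidden canary locations no legitimate program should ever write to (assumed).
CANARY_PATHS = {r"C:\Users\alice\.canary\do_not_touch.docx",
                r"C:\share\~tmp_canary\ledger.xlsx"}
RATE_THRESHOLD = 20    # modifications by one process ...
RATE_WINDOW = 10.0     # ... within this many seconds => mass-modification alert

def detect(events, canaries=CANARY_PATHS, threshold=RATE_THRESHOLD, window=RATE_WINDOW):
    """events: iterable of (ts_seconds, pid, action, path) in time order.
    Returns a list of (alert_type, pid, detail); each pid is flagged once per type."""
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of its recent modifications
    flagged = set()
    for ts, pid, action, path in events:
        if action not in ("write", "rename", "delete"):
            continue              # reads never trip either signal
        if path in canaries and ("canary", pid) not in flagged:
            alerts.append(("canary_touched", pid, path))
            flagged.add(("canary", pid))
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ("rate", pid) not in flagged:
            alerts.append(("mass_modification", pid, f"{len(q)} changes in {window}s"))
            flagged.add(("rate", pid))
    return alerts

# Constructed sample: pid 4242 behaves like crypto-ransomware (rapid renames to
# .locked, then a write to a canary); pid 1001 is a user saving two documents.
SAMPLE_EVENTS = [(0.5, 1001, "write", r"C:\Users\alice\report.docx"),
                 (3.0, 1001, "write", r"C:\Users\alice\notes.txt")]
SAMPLE_EVENTS += [(1.0 + i * 0.2, 4242, "rename", rf"C:\Users\alice\doc{i}.docx.locked")
                  for i in range(25)]
SAMPLE_EVENTS.append((6.5, 4242, "write", r"C:\Users\alice\.canary\do_not_touch.docx"))
SAMPLE_EVENTS.sort()

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rate signal fires on the 20th rename at 4.8 seconds, before the canary is touched, which is the point of running both: the canary confirms intent, the rate catches the outbreak earlier.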

Traffic analytics can help block communication

Another type of anomaly detection uses DNS traffic analytics to detect when computers are communicating with low-reputation Internet addresses or domains. In many cases, crypto-ransomware will contact an Internet server to obtain the key it needs to encrypt. Blocking that initial communication may not only highlight the infection, but also block the attack, says Kerry Matre, senior security portfolio manager for Hewlett Packard Enterprise.

"All ransomware is going to talk back to a control machine," she says. "Once you find that, you are going to shut it down. You can detect that attack."
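The DNS analytics described above, as an added example that is not from the article or from Hewlett Packard Enterprise. The resolver log format, the low-reputation list and the client addresses are all constructed; the point it demonstrates is matching per DNS label so that subdomains of a listed domain are caught while look-alike names such as notevil-c2.example are not.

```python
"""DNS log analytics: flag hosts that query low-reputation domains.
Added example; log format, reputation list and hostnames are constructed."""
import re
from collections import defaultdict

# Constructed low-reputation list; an entry covers the domain and all its subdomains.
LOW_REPUTATION = {"evil-c2.example", "keyserver-pay.example"}

# Constructed resolver log line: "<timestamp> <client_ip> query <qname> <qtype>"
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

def matches_listed(qname, listed=LOW_REPUTATION):
    """Return the listed domain that qname equals or is a subdomain of, else None.
    Comparison is per label, not by substring, so 'notevil-c2.example'
    does not match 'evil-c2.example'."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None

def analyze(log_lines, listed=LOW_REPUTATION):
    """Map each client IP to the listed domains it queried, in first-seen order.
    A non-empty result for a host is the signal to isolate it and look for an infection."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip malformed or non-query lines
        _ts, client, qname, _qtype = m.groups()
        listed_domain = matches_listed(qname, listed)
        if listed_domain and listed_domain not in hits[client]:
            hits[client].append(listed_domain)
    return dict(hits)

# Constructed sample log: 10.0.0.5 reaches out to two listed domains,
# 10.0.0.7 only queries a look-alike name that must not be flagged.
SAMPLE_LOG = [
    "2016-06-01T09:00:01Z 10.0.0.5 query www.example.com. A",
    "2016-06-01T09:00:03Z 10.0.0.5 query key.evil-c2.example. A",
    "2016-06-01T09:00:04Z 10.0.0.7 query notevil-c2.example. A",
    "2016-06-01T09:00:09Z 10.0.0.5 query keyserver-pay.example. TXT",
    "this line is not a query record",
]

if __name__ == "__main__":
    for client, domains in analyze(SAMPLE_LOG).items():
        print(f"{client} contacted low-reputation domains: {', '.join(domains)}")
```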

Response: Good backups are critical

While preventing infection may require security teams to focus on identifying malware before it executes, in many ways ransomware boils down to a data-protection issue. If crypto-ransomware gets onto a system, it does not take long to encrypt files. Even if the damage is limited to a single computer, a good backup—and a good restore process—can reduce the amount of lost data.

"No matter how good your security is, the bad guys are always working on the next iteration," says Joe Garber, vice president of information management and governance at Hewlett Packard Enterprise. "That is why backup and recovery are so important—it is your insurance policy."

Companies should use tabletop incident response exercises and test their ability to restore data from backup disks to minimize downtime in the event of any data mishap, not just ransomware. Mobile workers often miss scheduled backups, so a continuous backup process can minimize data loss. In addition, if using a cloud backup, companies should check their retention policy to make sure that the time spans are not too short.

"A proper backup solution should be one where you know that you can use it," says Kaspersky Lab's Pontiroli. "The backups need to be tested and they need to be stored in an offsite location."

Response: Partial infection

A good backup process that allows fast recovery of data back to a specific date and time is critical to minimizing the impact of ransomware. In the case of a single computer that is partially or totally infected, a backup can help a company get back to business. If the victim does not have good backups, however, even a partially encrypted computer can be devastating.

But here's some strong advice before you wipe the hard drive and start over again: Companies should make sure to back up even the encrypted data. Security researchers are always finding ways to crack the encryption used by ransomware groups. In the future, the key for your particular data may become available, says Kaspersky Lab's Pontiroli.

"We are still working on different ransomware threats, so in the future we could get access to the key needed to unlock your files," he says.

Response: To pay or not to pay?

If a company's first sign that its systems are infected involves a splash screen and a ransom demand, it needs to decide whether to pay or not. Most security firms advise against paying the ransom—paying only incites the criminal groups to continue their efforts. But it's hard to blame a victim who decides to pay.

"No two situations are the same when it comes to paying," says Fidelis' Harvey. "I think it is a risk formula or a risk analysis for the victim. It all comes down to the risk of being without the data and the money needed for the ransom."

Bet on losing whatever gets encrypted

Unfortunately, the compact between ransomer and victim is increasingly being violated. Some criminal groups delete the data and do not, or cannot, help victims recover their information. In the end, companies should prepare their defenses and responses as if they are not going to get the data back.

A process of good, routine backups that can be tested and stored offsite means that companies can weather an attack with minimal interruption. And a policy that assumes data will always be lost to encryption means that 1) strong prevention strategies will be adopted, 2) data losses that do occur will be minimal, and 3) victim companies can better afford to ignore ransomware demands, which will cause the bad guys to leave that company alone in the future.
