Stop Ransomware Cold

By Krystal Rennie / Adlumin, Inc.

There continues to be a lot of media buzz around ransomware—and with good reason. This Help Net Security article argues that ransomware is “the most significant cybercrime innovation in recent history.” Due to the ransomware business model, “it is now the most common and devastating threat to organizations of all sizes.” Ransomware continues to grow in strength and poses a threat to cybersecurity networks around the world. Below is a breakdown of everything you need to know about ransomware and how to properly protect your assets against it.

What is ransomware?

Ransomware is a specific type of malware that prevents a user or network of users from accessing their laptops, desktops, or servers until a monetary amount is paid to the owner of the ransomware. Ransomware includes malware that has the potential to lock-up or destroy data unless reversed.

How does ransomware spread?

Ransomware can infect your computer in many different ways. One of the most common ways cybercriminals deliver malware is through malicious spam, where an email often includes an attachment – in the form of a PDF or Word document – that contains executable malware when opened. Ransomware delivered via email uses social engineering to trick users into opening attachments or clicking specific links, which seem legitimate or reasonable enough to take action. These types of emails are posed to be sent by a colleague or friend to help ease suspicion. For example, think about the last time you received an email that said, “click here” to open your fax invoice.

Another popular infection method used in ransomware attacks is through malvertising, or malicious advertising. This method injects malware into online advertising to spread malware with little to no interaction necessary. While browsing the internet, users can be redirected to malware command and control servers monitored by criminals without ever clicking on an ad. After this exchange occurs, the server records details about the victim’s computer location, operating system version, including specific vulnerabilities, and then matches and delivers the best malware suited to that user. Oftentimes, ransomware is the type of malware that is delivered.

What are types of ransomware?

According to this Malwarebytes article, there are three main types of ransomware, which all have different levels of severity. The three types are as follows:

Scareware

This type involves rogue security software and tech support scams. While browsing the web, a user might get a pop-up message saying that malware was detected on their device and the only way to get rid of it is through payment. If you decide not to act on the request, you’ll continue to receive multiple pop-up messages, but your files will essentially remain safe.

The sensible thing to note here is that a legitimate cybersecurity software program would never solicit its customers this way. If you have security software installed, you wouldn’t have to pay for infections to be removed – the software should do that for you.

Screen Lockers

This is a more dangerous type of ransomware that will lock you out of your computer completely once infected. As reported in the article, “upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine.”

It is important to remember that realistically, if you were ever caught doing something illegal, the FBI would not lock you out of your computer or force you into a payment.

Encryption

This type of ransomware is the most dangerous of them all. It involves cybercriminals confiscating your files, encrypting them, and demanding payment in order to decrypt and release full access. This type of ransomware is so severe mainly because once cybercriminals gain access to your files there is essentially nothing that can be done to return them to you.

Cybercriminals are constantly finding new ways to enhance their attacks. While ransomware is not a new threat to cybersecurity, it is one that continues to evolve. Protecting your company and personal assets should always remain a top priority. Consider these few solutions to help you avoid ransomware:

  • Conduct proper research
  • Invest in a SIEM to monitor your networks
  • Constantly update your software and systems

How do you stop ransomware before it gets a foothold on your network?

Sophisticated attackers often stay in the network for weeks or months prior to the final attack, which provides targeted organizations a greater opportunity to stop the ransomware attack before the network is locked up. These attackers use multiple malware delivery methods, which include long periods of time inside the network prior to the attack, compromised accounts, and definitely lateral movement within the network. We will briefly discuss three methods to detect and stop a sophisticated ransomware attack in progress.

The first method is to detect ransomware activity (e.g. reconnaissance or lateral movement inside your network) before you are locked out of your network. This can be done using artificial intelligence and machine learning in the form of User and Entity Behavior Analytics (UEBA). Second, you will need to detect compromised accounts within your network before they are effectively used to attack your network. This method requires that you actively search the deep and dark web for all your domain accounts that may be compromised.  Finally, you will need to hunt for IP Indicators of Compromise (IoC) inside your network traffic.

How do these methods work?

Ransomware intruders typically gain access to your network as described above, using compromised accounts that they have either stolen using malware or that the intruder has purchased on the deep and dark web. Below is a deeper look into the main options for preventing ransomware activity before it makes a final attack:

  • UEBA will assist you in detecting lateral movement or anomalous account activity once an attacker has entered your network for reconnaissance of the target environment. Remember, it is very likely that your attacker will get into your network and move around laterally to determine what network systems must be exploited and locked. UEBA will lay down a pattern of behavior for every system and account on your network. It then searches 24/7 for anomalies that provide clues to lateral movement, or unusual activity, by compromised accounts that belong to legitimate network users.
  • Hunting for IP IoCs in firewall, endpoint, and VPN traffic is critical to determining whether one of your legitimate users has accidentally clicked on a malware command and control link – or other delivery methods used by ransomware attackers. If you have a Threat Intelligence Portal that will automatically hunt your network traffic for bad IP IoCs, then you have an excellent chance of discovering a breach in progress. Crowd-sourced IoCs are the best way to find dangerous IPs in real-time.

Remember, the smartest ransomware intruders don’t just lock-up every company’s network in hopes that they will pay a ransom. Intruders will use public records to determine the most lucrative targets to attack, then use digital reconnaissance to determine the best method for exploiting potential vulnerabilities. This may provide you with a key opportunity to detect the necessary activities upfront and before the final lockout.