Morphisec Cybersecurity Blog

Ransomware Attacks: A Quantum Leap from Quantity to Quality

Written by Tom Bain | September 7, 2018 at 4:41 PM

The cybersecurity attack landscape moves fast, really fast. Last year, not a week passed that didn’t bring about news on a new ransomware incident. Of course ransomware’s very nature lends itself to newsworthy headlines based on how incredibly damaging to businesses this class of attacks can be.

Unlike other types of malware, which rely on stealth to infiltrate systems or quietly siphon off data untraced, ransomware boldly declares its intent. After the WannaCry outbreak, which leveraged the leaked NSA EternalBlue exploit, ransomware became a mainstream topic of conversation and a major concern.

Fast forward a year and by all accounts ransomware incidents are on the decline – by as much as 32% according to some reports. So should security practitioners check ransomware off their list of things keeping them up at night? Dig a little deeper and we see that, for enterprises, the ransomware threat is not going away anytime soon. While attack volume may have declined, ransomware attacks have evolved to be more sophisticated, targeted and effective against unsuspecting users and unprepared organizations.

As a recent example, let’s look at the March attack on the City of Atlanta. The SamSam ransomware used to attack the city’s IT infrastructure infiltrated the network, hiding its presence while it harvested credentials to spread to multiple computers before locking them up. The result was a mass shutdown of online city services and an estimated cost of at least $2.6 million in clean-up and response.

The New Face of Ransomware

For a better understanding of why ransomware isn’t going away anytime soon, we only have to look at the newest ransomware on the scene, GandCrab.

GandCrab first appeared in January and has already gone through multiple iterations, with new versions released as soon as a decryptor is developed. The cybercrime group behind GandCrab uses a partnership ransomware-as-a-service (RaaS) approach, focusing its efforts on development and taking a cut of proceeds rather than running campaigns themselves. It’s been estimated that over 50,000 victims were infected by GandCrab by the end of Q1, netting its criminal distributors over $600,000.

Another RaaS newbie, DBGer (formerly Satan), regularly adds new exploits to its bag of tricks including the infamous EternalBlue. Recently it received an upgrade to include capabilities that allow it to move laterally through the network, ensuring maximum damage for the buck.

How Can Organizations Protect Themselves?

The first rule of course is backup, backup, backup. While it won’t prevent an attack, it can minimize the damage.

In addition, end-user education on cyber safety can go a surprisingly long way. Phishing emails remain the number one delivery mechanism for ransomware. The ransomware attack on the Lansing Board of Water and Light in Michigan, which forced the utility to shut down its accounting system, email service and phone lines, succeeded because a single employee opened an attachment to a phishing email.

Education, however, only goes so far when an email purports to be from someone you know or an exploit kit hides in a banner ad on a legitimate website. A defense-in-depth strategy is crucial.

Unfortunately, when it comes to ransomware, most security solutions have proven fairly ineffective. Many victims of ransomware are running fully updated antivirus engines alongside anti-exploit and/or HIPS engines at the time they get hit. Signature-based solutions simply can’t keep up with the pace of new malware variants, especially when polymorphic code can produce a sample with a new signature as quickly as every 15 or 20 seconds.

By contrast, behavioral detection tools analyze a file’s behavior, often using machine learning, to compare and identify ransomware. Although these are more effective against new variants than static detection, they still can be evaded by various techniques and come with their own set of problems, including false positives and resource-intensive updating and monitoring.

Most significantly, both static and behavior-analysis solutions fail to detect and protect against much of today’s ransomware for one main reason: many ransomware variants are fileless, injecting malicious code into legitimate operating system components such as Windows PowerShell.

It’s important to remember that ransomware is the last part, the payload, in an attack kill chain. The real question is how to stop the initial exploit. You need a deterministic, powerful threat prevention technology that doesn’t require prior knowledge or indicators to simply eliminate any hope of a targeted threat executing.

One method is to reduce or obfuscate the attack surface itself so that target vulnerabilities cannot be found. For example, newer technologies like moving target defense use counter-deception techniques to continuously and persistently change the target surface so the ransomware payload is never delivered.

Finally, don’t neglect to patch early and often. The SamSam attack on the City of Atlanta leveraged an unpatched server vulnerability, which an internal security audit warned about months before the attack occurred.

This article previously appeared on Security Magazine.