Preparing your enterprise for ransomware, and why many existing network security tools are useless

While ransomware has received a great deal of press in the last year, it has existed in one form or another for at least fifteen years. Long before the February 2016 incident at Hollywood Presbyterian Medical Center (HPMC), early samples of malware such as the AIDS trojan were compromising systems as early as 1989. Since then, more than 350,000 different variants of ransomware have been identified. The introduction of new technologies such as Bitcoin and the prevalence of encryption tools have made the development of ransomware simpler and more profitable.

Before delving further, let’s begin by defining ransomware and describing what makes it different from other forms of malware. Ransomware is a form of malware that prevents access to system resources, ranging from individual files to the entire infected system. Traditionally, ransomware falls into one of two categories: lockers and crypto ransomware. Lockers constituted some of the earliest forms of ransomware, and either prevented full use of the infected system or created enough annoyance to make using it difficult or impossible. By contrast, crypto ransomware encrypts user content: documents, photographs and other files. Ultimately, the goal of ransomware is directly financial: it requires the user to pay a ransom in order to regain access to their resources and data.

Many early forms of ransomware would masquerade as virus scanners. These variants would present the user with a warning that the system was infected and ask the user to “update their license” in order to eradicate the malware. They borrowed the “visual language” of popular virus scanners to trick the user into believing that the malware was a legitimate virus scanner. This technique was short lived, because collecting the reward required the user to pay by credit card. Once the ransomware was identified, the card service provider would shut down the service, preventing users from sending money and shortening the useful life of the ransomware. As these forms of ransomware were also typically lockers, the user would regain access to their resources once the ransomware was removed from the system.

Modern variants choose to encrypt users’ individual files rather than prevent access to the system as a whole. As a result, even if the ransomware is removed from the system, the user’s files remain encrypted. Each infected system is often encrypted with a unique key, making decryption of the affected files difficult or impossible. Finally, these newer versions require payment in bitcoin rather than through credit card services, which makes transactions anonymous and tracing the attack back to its source nearly impossible.

The threat of modern ransomware

While early forms of ransomware relied upon impersonating a trusted entity to persuade a user to perform the transaction, the anonymity of bitcoin allows modern ransomware to be far more brazen. Modern ransomware typically does not disguise itself; more often it announces itself directly with a warning, a deadline and instructions for delivering the ransom.

Due to the high frequency of infections and the volume of money involved, anecdotal stories have surfaced of infected parties receiving professional technical support from their attackers. Ransomware has become a mature industry, albeit an illegal one. Today’s ransomware authors can announce their presence and name their malware in the open with little possibility of repercussions. As a result of the profitable nature of ransomware, the problem will only get worse until a more permanent solution becomes available.

How does ransomware spread?

Unfortunately, ransomware describes an end goal and not a method of delivery. Ransomware may arrive as a trojan attachment in an email, through a link to a compromised website, or through a “malvertising” exploit (where an advertisement on an otherwise trustworthy site is used to deliver an exploit). It can also spread laterally through an infected file on a USB drive or across a local network connection. There is no single infection vector that, once guarded, makes an enterprise safe from ransomware.

Once the ransomware has executed on the system or endpoint, it goes to work encrypting the document files available to that computer. While initial implementations of crypto ransomware could take a long time to encrypt all document files, more recent samples are known to complete their task extremely rapidly. For example, CryptoWall, first discovered in 2013, could take as long as 16 minutes to encrypt 70 MB of Word documents, whereas the Chimera-Locker variant discovered in 2015 could complete the same task in roughly 18 seconds.

Speed is vital to the success of ransomware. If ransomware is discovered during the encryption process, the user can potentially terminate the process and minimize the damage. However, if the entire process takes less than a minute, it is likely that the ransomware will complete its task before the user even realizes the problem exists.  

How to prepare your enterprise for ransomware

The nature of ransomware complicates the typical strategies that have proven successful against other forms of malware. Keeping virus scanners active and up to date on your endpoints is always a good idea. With over 350,000 known variants of ransomware, a good virus scanner can protect against the large share of known variants spreading on the open internet. However, it has been estimated that 1,000 new variants are introduced each day, and that deluge makes it difficult for the vendors of virus scanning software to keep their signatures current.

The damage inflicted by ransomware is the potential loss of important files, documents and intellectual property. If the sole copies of important files reside on infected systems, the user is faced with paying the ransom or losing the files permanently. This is only true, though, if the only copies of these documents exist on the infected device. From an enterprise perspective, there are a few “old-school” steps that can be taken to prepare in advance of a ransomware outbreak.

A) Establish a policy to store all documents on network or cloud-based storage

The reason for this is simple. End users rarely maintain local backups of their systems. Even in circumstances where local backups are established as policy, it is exceptionally easy for these backups to fail. Most ransomware limits itself to encrypting files stored on local drives. If all important files are stored non-locally, this may be enough to protect your data.  

Unfortunately, many forms of modern ransomware are extending beyond local drives, and are now encrypting network drives as well. 

B) Establish a policy of data segmentation and isolation on your network drives

Many organizations that use network drives and network attached storage create one large network share which can be viewed and edited by all. Best practice is to segment network shares so that each user can only view and edit the files to which they require access. While this is good practice from a data loss prevention standpoint, it also minimizes the impact that any one infected user can have upon the enterprise as a whole: if the end user is not given access to a file, the malware on that user’s system cannot encrypt it.

Unfortunately, even with these two techniques, a user can still get infected, and if that user has a sophisticated form of ransomware, it may still reach out to the network share and encrypt whatever files it can reach there. This leads to the third and most critical recommendation.

C) Perform daily scheduled rotating backups

This may seem like a trivial recommendation, but this one habit would have prevented all of the most newsworthy ransomware attacks from becoming critical. To be successful, though, it is not enough to perform normal backups. The backup solution must not only back up all files, but also allow the user to revert to an arbitrary previous restore point. This is critical. If you have a scheduled backup occurring at regular intervals, you don’t want it to back up the already encrypted versions of your files to the exclusion of their original versions. You need to be able to restore the version from just prior to encryption, whenever that may have occurred.

While we are discussing backup strategies as a solution, it is useful to at least mention the 3-2-1 backup strategy. In this strategy, you have 3 backups of your data in total: 2 stored locally on different media (disk and DVD, for example) and 1 stored off-site in case of a catastrophic event such as a fire.
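As an added illustration of recommendation C (not code from the original article), the following Python script keeps timestamped snapshots under a retention count and restores the newest snapshot taken before the moment the encryption started. The directory names, retention value and the sample scenario are assumptions made for the demonstration.

```python
"""Rotating versioned backups with point-in-time restore. Added example, not from the
article; directory layout, retention count and the demo scenario are hypothetical."""
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import List, Optional

SNAPSHOT_FMT = "%Y%m%dT%H%M%S.%f"  # lexical order of names == chronological order


def snapshots(backup_root: Path) -> List[Path]:
    return sorted(p for p in backup_root.iterdir() if p.is_dir())


def take_snapshot(source: Path, backup_root: Path, keep: int, when: Optional[datetime] = None) -> Path:
    """Copy `source` into backup_root/<timestamp>, then keep only the newest `keep` snapshots."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    snap = backup_root / (when or datetime.now()).strftime(SNAPSHOT_FMT)
    shutil.copytree(source, snap)  # full copy; a hard-link scheme (rsync --link-dest) would dedupe
    for old in snapshots(backup_root)[:-keep]:
        shutil.rmtree(old)  # rotation: the clean copy survives only while retention > dwell time
    return snap


def restore_before(backup_root: Path, cutoff: datetime, target: Path) -> Path:
    """Restore the newest snapshot taken strictly before `cutoff` (the earliest time the
    encryption could have started); later snapshots may already hold ciphertext."""
    ok = [s for s in snapshots(backup_root) if datetime.strptime(s.name, SNAPSHOT_FMT) < cutoff]
    if not ok:
        raise LookupError("no snapshot predates the cutoff: retention window too short")
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(ok[-1], target)
    return ok[-1]


def run_demo() -> dict:
    """Constructed scenario: two clean nightly snapshots, then the file is overwritten."""
    base = Path(tempfile.mkdtemp())
    src, root = base / "docs", base / "backups"
    src.mkdir()
    (src / "plan.docx").write_text("quarterly plan")
    take_snapshot(src, root, keep=3, when=datetime(2016, 3, 1, 2, 0))
    take_snapshot(src, root, keep=3, when=datetime(2016, 3, 2, 2, 0))
    (src / "plan.docx").write_text("<simulated ciphertext>")  # stands in for damage, not real encryption
    take_snapshot(src, root, keep=3, when=datetime(2016, 3, 3, 2, 0))  # backs up the damaged file
    chosen = restore_before(root, datetime(2016, 3, 2, 9, 30), base / "restored")
    take_snapshot(src, root, keep=3, when=datetime(2016, 3, 4, 2, 0))  # rotation evicts the 1 March copy
    return {"restored_from": chosen.name,
            "content": (base / "restored" / "plan.docx").read_text(),
            "remaining": [s.name for s in snapshots(root)]}
```

The last snapshot in the demo shows the caveat: with a retention of three, the oldest clean copy is evicted after three further runs, so the retention count must exceed the time an infection can go unnoticed.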

Why some traditional techniques do not work, but others may

We have already described how traditional virus scanners can provide some relief when it comes to ransomware, but may not protect you from the most recent variants. With 1,000 new variants being introduced daily, it is nearly impossible to keep up with the new signatures required to stay ahead of attackers. This is not entirely unique to the ransomware threat, though.

One of the more recent innovations in malware detection is behavioral analysis: testing new samples in a “sandboxed environment” in order to observe what they do. Vendors such as FireEye and Palo Alto Networks often observe files and objects as they enter the network by monitoring the internet connection used by the enterprise. When an object is downloaded, the system drops the file into a virtual environment to test it. As this testing process can take up to four minutes, the system lets the file go on to its recipients. The belief is that, if the file is identified as malicious, the incident response team can be dispatched to the system to avert any harm and remediate the threat.

Unfortunately, as ransomware can complete its work in 18 seconds and the test can take up to four minutes, the damage is frequently done before the incident response team is even alerted to the problem. Tools that perform network-based behavioral analysis are ill-equipped to do anything other than alert the enterprise that damage has already occurred.

The current trend is for Endpoint Threat Detection and Response (ETDR) tools to look for the telltale behavior on the endpoint itself, giving the user an opportunity to interrupt the process before any significant damage is done. As this functionality is still in its infancy, there are no standout vendors that have proven effective against the newest forms of ransomware.
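As an added example of the endpoint-side behavior detection described above (not from the article or any vendor’s product), the following Python detector computes the entropy of each file write and alerts when many distinct files are rewritten with near-random data inside a short window. The event format, thresholds and the sample event stream are constructed for the demonstration.

```python
"""Endpoint detector for mass high-entropy overwrites. Added example, not from the
article or any ETDR vendor; event format, thresholds and sample data are hypothetical."""
import hashlib
import math
from collections import deque
from typing import List, Optional, Tuple

HIGH_ENTROPY = 7.0     # bits per byte; encrypted or compressed data sits close to 8.0
WINDOW_SECONDS = 10.0  # ransomware finishes in seconds, so the window is short
MAX_FILES = 10         # distinct files rewritten with high-entropy data before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty input, near 8 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class OverwriteDetector:
    def __init__(self) -> None:
        self.recent = deque()  # (timestamp, path) of recent high-entropy writes

    def observe(self, ts: float, path: str, data: bytes) -> Optional[str]:
        """Feed one file-write event; return an alert string once the threshold is crossed."""
        if shannon_entropy(data) < HIGH_ENTROPY:
            return None  # ordinary document save, ignore
        self.recent.append((ts, path))
        while self.recent and ts - self.recent[0][0] > WINDOW_SECONDS:
            self.recent.popleft()  # drop writes that fell out of the window
        touched = {p for _, p in self.recent}
        # A single JPEG or ZIP write is high-entropy too, so the alert keys on the
        # number of distinct files rewritten, not on any one write.
        if len(touched) >= MAX_FILES:
            return f"ALERT t={ts}: {len(touched)} files rewritten with high-entropy data within {WINDOW_SECONDS}s"
        return None


def run_demo() -> Tuple[Optional[float], int]:
    """Constructed stream: three normal saves, one photo, then a 15-file burst of random-looking writes."""
    det = OverwriteDetector()
    text = b"Dear team, the quarterly plan is attached.\n" * 20
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    events: List[Tuple[float, str, bytes]] = [(float(i), f"memo{i}.txt", text) for i in range(3)]
    events.append((50.0, "photo.jpg", random_like))  # lone high-entropy write: no alert
    events += [(100.0 + i * 0.5, f"doc{i}.docx", random_like) for i in range(15)]
    fired = [ts for ts, p, d in events if det.observe(ts, p, d)]
    return (fired[0] if fired else None), len(fired)
```

In the constructed stream the first alert fires at the tenth rapid overwrite, a few seconds into the burst, which is the point at which an endpoint agent could suspend the offending process.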

The prevalence of ransomware is growing rapidly, and the sophistication of ransomware attacks makes them nearly impossible to mitigate in advance. The widespread distribution of ransomware and its rapidly evolving nature make it nearly inevitable that your enterprise will be impacted by ransomware sooner or later.

Today, “old-school” techniques of disciplined backup procedures appear to be the most effective means of rapid recovery after a ransomware infection has taken place. Virus scanners can provide some protection, while other more advanced solutions may not provide the results you desire.