How to protect against Modern Ransomware Attacks


In 2019, over half of businesses were the victims of ransomware attacks with an average cost of $761,106. In 2020, attacks grew even worse with an estimated total price tag of $20 billion. Successful ransomware attacks are growing increasingly common despite the dozens of solutions that claim to provide 100% protection against ransomware. So, what’s going wrong?

Ransomware “Solutions” Aren’t Working

Most companies are aware of the threat of ransomware and have taken steps to protect against it. However, the number of successful attacks demonstrates that these approaches aren’t working. Most common anti-ransomware solutions fail because they don’t address the real problem.

Anti-Phishing Training

Many organizations’ cybersecurity awareness training discusses the threat of ransomware and how to protect against it. They talk about the risks of phishing emails and why it’s important not to click on a link or open a suspicious attachment. They also push the benefits of antivirus. However, ransomware attacks are still occurring and, in fact, are growing even more common. The reason is that most anti-ransomware training and strategies are not aligned with today’s real threat.

In 2020, the main ways in which organizations were infected by ransomware were not via email or other automated processes. Instead, it was by human actors manually targeting and penetrating organizations using various software and tools such as the Remote Desktop Protocol (RDP) or Virtual Private Networks (VPNs) with credentials that were purchased on the darkweb. In cases where the credentials didn’t work, the operators would leverage brute force attacks. These aren’t “fire and forget” phishing emails designed to drop ransomware on a target system. They’re human-driven campaigns where an attacker gains access to an organization’s network, explores it, exfiltrates sensitive data, and runs ransomware exactly where and when they want to.
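The RDP pattern described above (credential stuffing or brute force against an exposed remote-access service, followed by a successful interactive logon) leaves a distinctive trace in Windows Security logs. The following is an added example, not code from the original post or from Netragard: a small detector that reads a constructed CSV export of logon events and flags each source IP that produced a burst of failed RDP logons, noting whether a success followed while the burst was still recent and whether many accounts were tried (password spraying). The CSV column layout, the sample rows and the thresholds are assumptions made for this example; the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values.

```python
"""Added example (not from the Netragard post): flag RDP brute-force and
credential-stuffing bursts in a Windows Security log export.

Assumptions (constructed for this example): the export is CSV with the
columns time,event_id,src_ip,account,logon_type. Event 4625 is a failed
logon, 4624 a successful logon, and logon type 10 is RemoteInteractive (RDP).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"

# Constructed sample export (not real log data). 203.0.113.45 sprays three
# accounts and then logs in; 192.0.2.10 fails six times and never succeeds
# over RDP; 198.51.100.7 is a user who mistyped a password once.
SAMPLE_LOG = """time,event_id,src_ip,account,logon_type
2021-06-01T02:14:01,4625,203.0.113.45,administrator,10
2021-06-01T02:14:03,4625,203.0.113.45,administrator,10
2021-06-01T02:14:05,4625,203.0.113.45,administrator,10
2021-06-01T02:14:08,4625,203.0.113.45,backup,10
2021-06-01T02:14:10,4625,203.0.113.45,svc_sql,10
2021-06-01T02:14:12,4625,203.0.113.45,administrator,10
2021-06-01T02:15:30,4624,203.0.113.45,administrator,10
2021-06-01T09:02:11,4625,198.51.100.7,jsmith,10
2021-06-01T09:02:20,4624,198.51.100.7,jsmith,10
2021-06-01T11:40:00,4625,192.0.2.10,jdoe,10
2021-06-01T11:40:01,4625,192.0.2.10,jdoe,10
2021-06-01T11:40:02,4625,192.0.2.10,jdoe,10
2021-06-01T11:40:03,4625,192.0.2.10,jdoe,10
2021-06-01T11:40:04,4625,192.0.2.10,jdoe,10
2021-06-01T11:40:05,4625,192.0.2.10,jdoe,10
2021-06-01T12:00:00,4624,192.0.2.10,jdoe,3
"""


def parse_events(text):
    """Parse the CSV export into dicts, converting 'time' to a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def find_rdp_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced >= threshold failed RDP
    logons inside a sliding window. The alert records the peak burst size,
    the accounts tried, whether more than one account was tried (spray),
    and the account of any successful RDP logon that followed the burst."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:   # only RemoteInteractive logons
            by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["time"])
        recent = []           # failed logons still inside the window
        peak = 0              # largest burst seen from this IP
        accounts = set()      # accounts named in flagged bursts
        succeeded_as = None   # account of the first post-burst success
        for e in evs:
            recent = [f for f in recent if e["time"] - f["time"] <= window]
            if e["event_id"] == FAILED_LOGON:
                recent.append(e)
                if len(recent) >= threshold:
                    peak = max(peak, len(recent))
                    accounts.update(f["account"] for f in recent)
            elif e["event_id"] == SUCCESS_LOGON and len(recent) >= threshold:
                # A success right after a burst: guessing or stuffing worked.
                succeeded_as = succeeded_as or e["account"]
                accounts.update(f["account"] for f in recent)
        if peak >= threshold:
            alerts.append({
                "src_ip": ip,
                "failed_logons": peak,
                "accounts": sorted(accounts),
                "spray": len(accounts) > 1,
                "succeeded_as": succeeded_as,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_attacks(parse_events(SAMPLE_LOG)):
        print(alert)
```

The alert with `succeeded_as` set is the one that matters most: it is the moment the attacker has the interactive foothold the article describes, so it should be routed for immediate response rather than batched with ordinary failed-logon noise. The `spray` flag distinguishes one account being hammered from many accounts being tried once each, which is the usual shape of purchased or leaked credential lists.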

Endpoint Protection

Ransomware is malware, so an anti-malware solution, aka an endpoint protection solution, seems like the perfect protection against ransomware. In theory, installing and frequently running an up-to-date endpoint protection solution should fix the problem, but does it?

While endpoint solutions can defeat most known variants of malware, they can be evaded with relative ease. To effectively detect malware these solutions must have intelligence about the malware in advance of a real-world encounter. When a new, never-before-seen variant of malware surfaces (zero-day malware), the effectiveness of these solutions is marginal at best. Complicating things further is that the attackers often test their malware against endpoint security solutions in advance of deployment to ensure that it remains fully undetectable.

What’s more problematic is that it takes organizations an average of 280 days to detect a data breach, while it takes attackers less than 30 minutes to establish what amounts to an irrevocable foothold. This means that the attackers can explore victim networks for an extended period of time, steal credentials, deploy additional malware, and more. Given this fact, breached organizations cannot realistically guarantee the security or safety of their networks without a complete overhaul.

Backups

Backups can be an invaluable tool for recovering from a ransomware attack. The traditional ransomware model is based on denying access to data. Assuming that your backup is very recent and wasn’t encrypted as well, then it can be cheaper and easier to restore from it than to pay the ransom.

The problem is that ransomware gangs know this too and have adapted their tactics. In recent years, ransomware gangs have begun performing “double extortion” attacks, which involve data theft on top of the data encryption. If the victim refuses to pay the ransom, then their data is posted publicly or sold to the highest bidder.

These types of attacks mean that relying on backups is not an effective strategy. Regulators don’t care that you’ve restored your data if the exposed data is protected by law. On the bright side, if you don’t have backups, double extortion attacks mean that you can restore your data by downloading a copy, just like everybody else!

Paying the Ransom

Some companies take the approach of paying the ransom demand. In theory, this puts an end to the problem by allowing them to restore their data and making the cybercriminals go away. In reality, this approach does not always work. In some cases, ransomware gangs fail to hand over the decryption key when the ransom is paid. In others, the promised decryptor doesn’t work as well as advertised. This was the case in the recent Colonial Pipeline breach, where the company shelled out $4.4 million for a decryptor that was so slow that the company went back to restoring from backups.

Making the Colonial Pipeline breach even more interesting is that, for the first time ever, the FBI was able to recover most of the funds. To pay the ransom, Colonial needed to exchange ~$4.4 million into 63.7 Bitcoin (BTC) and then transfer the BTC to one of the DarkSide wallets. In a short time, the FBI was able to compromise the private key belonging to that specific wallet and recover all 63.7 BTC. This may sound like a victory, but between the time the ransom was paid and recovered the value of BTC declined sharply. As a result, the recovered 63.7 BTC were worth only ~$2.3 million, a loss of $2.1 million. Moreover, it’s very likely that any data that was stolen will be published.

Paying a ransom also doesn’t mean that the cybercriminals will go away. In fact, it labels a company as a mark that’s willing to pay up. We’ve witnessed this firsthand. Just recently, a new customer engaged Netragard because they had been the victim of ransomware attacks three times by the same group over the span of 4 years. Our consulting team helped them to drastically improve their overall security posture and to try and prevent a fourth incident.

These breaches never go without at least some public notice, even if a victim pays up. Attackers often advertise their victims on the darkweb which entices other attackers to either buy access to their networks or to attack them as “soft” targets. Two screenshots of such sites are provided below just as an example.

[Screenshots: ransomware gang leak sites, a “Wall of Shame” listing victim organizations]

The Modern Ransomware Attack

Cybercrime has become a business, and that business is maturing. A major part of this increased maturity is the emergence of role specialization on a macro scale. Not all cybercriminals are wunderkinds who can do everything. Instead, cybercrime groups are specializing and forming their own “as a Service” economy.

The modern ransomware threat landscape is a perfect example of this. Today’s ransomware campaigns are broken up into two main stages: gaining access and achieving objectives.

Increasingly, groups like DarkSide, the group behind the recent Colonial Pipeline hack, are offering “Ransomware as a Service”. They create the ransomware and other teams (specialized in gaining access to corporate networks) deliver it. Alternatively, a cybercrime group will gain a foothold in an enterprise network and sell it to someone else to use. This is likely what happened in the Equifax hack and is a common part of ransomware operations today.

This evolution of the ransomware campaign creates significant challenges for enterprise cybersecurity. A defense strategy built around antivirus and “don’t click on the link” training won’t deter a professional, well-researched attack campaign. Having a strong lock on the front door doesn’t help much if they come in through the back window.

Ransomware Attack Prevention

If traditional approaches to ransomware prevention are not effective, then what is?

Modern ransomware attacks are human driven. Sophisticated cybercriminals can gain entry to a network in a variety of different ways, including many that a vulnerability scanner, an industry-standard penetration test, or an anti-phishing solution will never catch.

Preventing these types of breaches requires forward-thinking intelligence about how today’s threat is most likely to align with an organization’s existing points of risk and exposure. The most effective way to gather this intelligence is to experience a real-world attack at the hands of a qualified team that you trust and control. This is where Realistic Threat Penetration Testing comes into play. Realistic Threat Penetration Tests are not provided by most penetration testing firms and are notably different from Red Team engagements. Some of the key characteristics include, but are not limited to:

  • The ability to match or exceed the level of threat being produced by today’s bad actors.
  • Utilizing human experience & expertise with little to no dependency on tools like automated vulnerability scanners or commercial off-the-shelf testing tools. Ideally the team should be comprised of professionals with demonstrable expertise in performing vulnerability research and zero-day exploit development.
  • The use of custom-built pseudo-malware to simulate ransomware or other malware. Pseudo-malware should deliver the same or better capabilities than what the real-world threat actors are using and must be fully undetectable (covert). The primary difference between malware and pseudo-malware is that pseudo-malware is built with safety in mind which includes automated clean removal capabilities at a pre-defined expiration date.
  • Leveraging experts who understand the inner workings of various security technologies (for example, EDRs, application whitelisting, antivirus, etc.) to help ensure successful subversion and/or evasion.
  • The ability to develop new exploits on-the-fly with minimal risk and minimal detection.
  • The ability to erect a doppelganger infrastructure, including SSL certificates and services, to facilitate advanced phishing.
  • And more…

The product of a Realistic Threat Penetration Test is a technically detailed report that contains the intelligence required to defend against bad actors. This intelligence generally includes information about what vulnerabilities exist, areas where lateral and/or horizontal movement are possible, misconfigurations, gaps in detection capabilities, suggestions for hardening and defending, and more. Of course, the report is the starting point for building a plan and a roadmap to remediate the weaknesses and make the job harder, if not impossible, for the bad actors!

To learn more about Realistic Threat Penetration Testing, and how to render your environments more secure, please contact Netragard at [email protected] or [email protected]

Karen Huggins

Chief Financial, HR and Admin Officer
Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources as well as administration functions. She also provides project management support to the operations and overall strategy of Netragard.
Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg in the role of Financial Advisor to the Global CIO of Investor Services, as well as several years managing the Financial Risk team to develop and implement new processes in line with regulatory requirements around their supplier services/cost and to minimize the residual risk to the organization.
With over 20 years of experience in finance with global organizations, she brings new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration at ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer
Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector that includes security assessment of large and complex infrastructures and penetration testing of data & voice networks, operating systems, middleware and web applications in Europe, US and Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.)

Philippe actively participates in the Information Security community. He has discovered and published several security vulnerabilities in leading products such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessor (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC) and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer
Adriel T. Desautels has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc., which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research work, which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zero-day Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under, Netragard.
In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect behind Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program and continues to be an advocate for ethical 0-day research, use and sales.
Adriel is frequently interviewed as a subject matter expert by media outlets that include, Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote or panelist at events such as Blackhat USA, InfoSec World, VICELAND Cyberwar, BSides, and NAW Billion Dollar CIO Roundtable.