How to fight back against ransomware
- By Rene Kolga
- Oct 28, 2019
The first documented ransomware attack hit in 1989, prompting organizations to implement antivirus, firewalls and other security tools to guard their network perimeters and endpoint devices. Yet, three decades later, state and local agencies remain vulnerable. Hardening security postures requires understanding how attackers “teach” ransomware to slip past their defenses.
Ransomware locates the files it wants to encrypt based on file extensions. It targets an agency's Microsoft Office documents or photos, while leaving operating system files intact to ensure that system will still boot. Then the malware encrypts that data in memory, destroys the original file and displays the dreaded ransom note.
The security industry has developed five primary approaches to combating ransomware, although none have proven to be consistently effective:
1. Static file analysis. This is the same technique that’s used for malware detection in antivirus, anti-malware and other endpoint protection products. It looks for known malicious code behavior, sequences or strings as well as commonly used words that often appear in ransom notes (e.g., Bitcoin, encryption, etc.). It’s a signature- and machine learning-based method for detecting malicious code. Malware writers use packers, crypters and other tools to obfuscate and change their signatures, which makes static analysis too easy to bypass.
2. Blacklist file extensions. Admins can blacklist those file extensions that ransomware typically uses and gives to the files it encrypted. While this may stop ransomware encryption immediately, it too is easy to bypass because the ransomware simply needs to come up with new file extension or random file extension. For example, CryptXXX and Cryptowall variants used random extensions instead of a specific ones. Alternatively, ransomware may keep the original file names along with the original extensions.
3. Honey pot files. After baiting attackers with decoy files, IT pros can monitor how they try to change them. Once a file is “touched,” the system identifies the touch as an attack and blocks it. However, this does not prevent all damage because many files will likely be encrypted before the ransomware hits a decoy file. Or, the ransomware may simply avoid those files/folders altogether.
4. Monitoring the file system for mass file operations. Security managers should monitor renames, writes and deletes within a certain period of time. If a defined threshold is exceeded, the offending process will be terminated. This technique eliminates the reliance on specific signatures or file extensions and instead looks for abnormal activity typically associated with ransomware. However, some files will be encrypted before that defined limit is exceeded. Malware can also bypass this detection method by using a “low and slow approach” like adding delays between encryptions or by spawning multiple encryption processes.
5. Tracking file data change rate. This security solution performs an entropy calculation to measure the randomness of data in a file. After a certain threshold of change is detected, the offending process is deemed malicious and terminated. This method benefits from fewer false positives than other techniques, but the files will be encrypted until a level of confidence is reached, so not all damage is blocked. Additionally, this technique can be bypassed by encrypting only parts of files, or by encrypting in chunks.
What can municipalities do to fortify their defenses against ransomware attacks? By following these five steps agencies can address basic IT hygiene and embrace a “defense in depth” approach.
First, organizations need to know what they have. Often IT departments cannot answer a simple question like, "How many Windows 7 SP1 systems do we have?" Asset management must be table stakes.
Second, take patch management seriously. The days of 30-day SLA for critical patches are long gone (or they should be). Attackers start leveraging vulnerabilities sometimes within hours of being publicly released.
Third is multifactor authentication. At the very minimum, highly privileged users, like admins, must leverage MFA/2FA. All remotely accessible systems (e.g., terminal servers, remote desktop protocol clients) must be accessible only with 2FA. This dramatically hardens an environment against groups like SamSam that often get through by brute-forcing passwords to gain entrance into the organization.
Fourth, ensure a sound backup strategy is in place. Many ransomware groups target backups in an attempt to corrupt, delete or encrypt them. This requires answering several key questions: Where is sensitive data located? Just servers or workstations as well? What about backing up to the cloud? Are recovery procedures tested and confirmed ready? In the event of an attack, how long will it take to recover all data and systems? Is the network properly segmented?
Finally, complement traditional security layers that look for “the bad” with an approach that does the exact opposite -- ensuring what’s good. This is not a call for municipalities to uninstall their antivirus products. Even though a skillful locksmith can unlock a house door in a matter of seconds, it doesn't mean we should be leaving our doors unlocked or getting rid of the door altogether. On the contrary, those basic defenses serve as a deterrent, while we deploy more advanced defenses -- alarm systems, guard dogs, etc.
The same logic holds for cybersecurity. Antivirus and firewall solutions will stop commodity and automated attacks. However, as antivirus technologies (even those that use machine learning or so-called artificial intelligence) rely on the past knowledge to stop attacks, they will rarely be effective against new, targeted attacks. And that's exactly what the advanced groups behind high-profile ransomware attacks frequently leverage.
Changing the status quo requires combining these existing tools with ones that ensure the “good” by applying a whitelisting-like approach. This enables agencies to embrace a true defense in depth approach to security by building a last line of defense against malware and ransomware that can evade frontline defenses like antivirus.
The security team cannot work on an island; it needs the support of management for both making the necessary investments in people and technology and ensuring all employees are regularly trained on security best practices. Well-educated employees who can recognize and report suspicious emails and other activities are just as effective a security layer as the latest next-gen security software tools.
Rene Kolga is VP of product strategy with Nyotron.