File Encryption Is Your Best Defense Against Ransomware

From IC Insider Thales Trusted Cyber Technologies

By Brent Hansen, CTO, Thales Trusted Cyber Technologies

We want to think that we’ve made our IT systems relatively impervious to ransomware attacks, but trends are showing otherwise. Rather than focusing on only preventing breaches, we have to consider the importance of file encryption so data is worthless even if the network is compromised.

The ransomware trends are troubling. During 2019 in the US, ransomware infected 113 state and municipal governments and agencies. The number of ransomware attacks grew by 41% that year, becoming increasingly more sophisticated.

No markets went unaffected. By some reports, 113 state and municipal governments and agencies were infected by ransomware, as well as 764 healthcare providers and 89 universities, colleges and school systems.

The average downtime for companies to recover from ransomware infections was 16.2 days, and the average ransomware payment increased to $84,116. Fully one-quarter of ransomware incidents in Q3 2019 involved IT vendor or MSP compromises.

And the problem shows no signs of getting better. According to Cybersecurity Ventures, by 2021 a business will fall victim to a ransomware attack every 11 seconds, with an estimated cost to businesses globally of nearly $20 billion. While the direct cost is the ransom payment itself, the indirect costs are also important to consider: downtime, data recovery, lost revenue, improvements to cyber defenses, and reputational damage to the organization.

More worrying still, ransomware campaigns have become more sophisticated. From the high-volume “spray-and-pray” attacks that target small businesses and home users, attackers are now also using low-volume “big game hunting (BGH)” attacks against medium to large businesses (that is, companies with the cash or insurance coverage required to pay large ransoms). And worst of all, established criminal organizations have gotten into the act, offering Ransomware-as-a-Service (RaaS) to weaponize ransomware kits, and to make it easier for less sophisticated cyber criminals to launch attacks and make fast money.

Regardless of the sophistication of the attacker, however, every ransomware attack has certain characteristics. Let’s take a look at each.

The Seven Phases of a Ransomware Attack

A typical targeted ransomware attack has seven stages. This cycle is known as the “cyber kill chain,” and understanding it provides important insight into an intruder’s tactics, techniques, and procedures.

Step 1: Reconnaissance – Here the intruder harvests email addresses of all the employees in an organization and prepares to launch a phishing campaign.

Step 2: Weaponization – The intruder then uses a ransomware kit purchased off the dark web, tailored to deliver malware through an email attachment.

Step 3: Delivery – The intruder delivers the ransomware through a fake email as the payload, or through a remote desktop protocol (RDP) service.

Step 4: Exploitation – This phase refers to the point at which an employee unknowingly opens the fake email attachment, resulting in the malware exploiting a known vulnerability, thereby infecting the employee’s laptop.

Step 5: Installation – Here, the ransomware installs as a binary, which opens an access point (backdoor) to communicate with a command and control site.

Step 6: Command and Control (CnC) – In this phase, the ransomware sends the target host’s IP address to the CnC server and receives the encryption key needed to encrypt all files and databases.

Step 7: Action – Here, the ransomware exfiltrates sensitive documents to the CnC server and then encrypts those files and databases. It also displays a ransom note to the end user.

Most organizations follow baseline security best practices when defending against ransomware attacks. In most cases, however, they can come up short. In this next section, we’ll take a closer look at a few tactics and best practices that may not be as foolproof as they seem.

The Problem with Current Best Practices

Best practices to defend against ransomware may not work for a variety of reasons – from inattentiveness or poor cyber hygiene on the part of employees, to the increasing sophistication of ransomware technologies that allow bad actors to move more quickly than available countermeasures. Here are a few examples of common best practices and where they often fall short:

Security Awareness Training. Training employees to recognize suspicious phishing emails through simulation exercises can help defend against attack delivery. Remember, however, that it only takes one employee mistakenly opening a phishing email to infect a company’s entire network.

Deploying Secure Email/Web Gateways. While useful in defending against ransomware attacks delivered through email, secure web/email gateways will not detect a new strain of malware, because the new strain does not yet have a signature.

Applying the Latest Software Patches. Regularly scanning your systems and patching high-priority vulnerabilities helps close holes that can be exploited by ransomware operators. Because ransomware can be delivered using zero-day vulnerabilities, however, it is difficult to guarantee that patching alone leaves systems 100% protected.

Monitoring DNS Queries. After ransomware infects a server or endpoint, it typically calls home to a command and control (CnC) server to exchange encryption keys. Monitoring DNS queries for known ransomware domains and resolving them to internal sinkholes can prevent ransomware from encrypting files. Unfortunately, DNS servers are unable to block unknown CnC domains used by new ransomware attacks. What’s more, modern ransomware can account for DNS monitoring and take corresponding evasive actions.

Backing Up Your Critical Data Regularly. What if the ransomware attack succeeds despite your efforts? The best way to recover from a ransomware attack is to maintain a secure backup, and to have a clear recovery plan for restoring business-critical data. Remember, however, that you need to know whether the malware is still in your system, and you must identify and close the entry point. Otherwise, restoration will only be a temporary fix.

Blocking Ransomware with File Encryption and Robust Data Access Policies

In spite of all the best practices, and investments in traditional perimeter and endpoint security technologies, data breaches and ransomware attacks continue to make headlines. While no one likes to consider that their network will eventually be breached, the best possible strategy is to employ file encryption with solid data access policies. Such policies require certain capabilities:

  • Application whitelisting that identifies “trusted applications”
  • Fine-grain access controls
  • Data-at-rest encryption

For example, access policies can be defined with file encryption to create a whitelist of “trusted” applications. This will prevent any untrusted binaries (such as ransomware) from accessing protected data stores, and will prevent privileged users from accessing user data in files and databases.

File encryption access policies enable you to block any rogue binary from encrypting files or databases – even if the intruder has execute permission for that binary and read/write permission to the target file containing critical business data. You must also be able to check the integrity of trusted applications with signatures, so that polymorphic malware cannot tamper with or masquerade as an approved binary.

Further, you must have “fine-grain” access control to sensitive data, defining which user or group has access to which specific protected files or folders – and what operations they can perform. Some malware depends on escalating privileges to gain system access. Appropriate access control can bar privileged users from examining or even accessing resources.
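The combined policy described above (a trusted-application whitelist, an integrity check on each binary, and per-group access rights on protected data), written out as a small reference monitor. This is an added illustration, not Thales code; the paths, group names and binary contents are constructed, and a SHA-256 hash of the binary stands in for a full code-signature check.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "binary": these bytes stand in for the on-disk database server.
TRUSTED_DB_BINARY = b"constructed-database-server-build-1"

# Constructed policy: only this path+hash may touch /srv/finance/, and only
# these groups may perform these operations there. A privileged group such as
# "root" is deliberately absent, so privilege alone grants nothing.
POLICY = {
    "protected_path": "/srv/finance/",
    "trusted_apps": {"/usr/bin/dbserver": sha256_hex(TRUSTED_DB_BINARY)},
    "acl": {"finance": {"read", "write"}, "dba": {"read"}},
}


@dataclass
class AccessRequest:
    binary_path: str
    binary_bytes: bytes  # contents of the executable at request time
    group: str
    operation: str       # "read" or "write" (file encryption is a write)
    target: str


def evaluate(req: AccessRequest, policy: Dict = POLICY) -> Tuple[bool, str]:
    """Deny unless application, integrity, and ACL checks all pass."""
    if not req.target.startswith(policy["protected_path"]):
        return True, "unprotected path"          # policy does not apply
    expected = policy["trusted_apps"].get(req.binary_path)
    if expected is None:
        return False, "untrusted application"    # e.g. a dropped ransomware binary
    if sha256_hex(req.binary_bytes) != expected:
        return False, "integrity mismatch"       # trusted path, tampered contents
    if req.operation not in policy["acl"].get(req.group, set()):
        return False, "group %r may not %s" % (req.group, req.operation)
    return True, "allowed"
```

Note that the "integrity mismatch" branch fires even when the request comes from the whitelisted path, which is what stops a replaced or patched copy of a trusted program from inheriting its rights.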

And finally, don’t underestimate the importance of file encryption for data at rest. Data-at-rest encryption protects data wherever it resides, in on-premises data centers or in public or private clouds. This makes the data worthless to intruders who threaten to publish stolen data unless a ransom is paid.

At-rest encryption is important because some ransomware selectively encrypts files without taking systems entirely offline. Other strains look for sensitive data and only encrypt those files. In these cases, files that are already encrypted cannot be scanned by the malware for sensitive content, and so are not attacked.

So try not to put all your eggs in one basket by relying only on best practices for perimeter and endpoint security. Current best practices are incapable of defending against every breach of your network. In addition to best practices, it’s essential to use file encryption to prevent unauthorized users and processes from encrypting your most sensitive data. That way, even if best practices fail to protect against a breach, you still have some measure of defense for your data.

Where Ransomware Security Technology Is Headed

The future for ransomware security and counter-measures is moving quickly from legacy solutions to platforms that simplify data security, accelerate time to compliance, and deliver security and control across multiple cloud environments.

Legacy solutions often require expensive, dedicated point products, which in turn need further integration and additional staff time to manage. The cost of integrating and managing these systems negates any potential cost savings seemingly gained by using legacy technology in the first place.

Modern data security platforms are built on an extensible infrastructure, enabling your IT and security organizations to discover, classify, and protect data-at-rest across your organization in a uniform and repeatable way. Additionally, products available on such platforms are typically capable of being deployed individually or in combination. This flexibility allows organizations to prepare for the next security challenge or compliance requirement, while maintaining a very low total cost of ownership.

The benefits of integrating data discovery, classification, risk analysis, data protection, and reporting into a single platform come not only in cost savings, but in staff time as well. In both cases, a flexible data security platform frees IT staff and IT budgets to pursue more strategic tasks. This new approach also allows organizations to operate more openly and to collaborate more freely, without sacrificing security.

Protecting your organization from ransomware attacks means instituting policies and technologies to prevent rogue processes and unauthorized users from encrypting your most sensitive data. New emerging technologies do just that, with platforms that unify data discovery, classification, and data protection – all with unprecedented granular access controls, as well as centralized key management.

Put the products and solutions available in today’s modern cyber security platforms to work for your organization. It will go a long way toward mitigating the business risks associated with data breaches and ransomware attacks.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.