What’s Your Ransomware Reaction Plan?
Ransomware is nothing new, but like Distributed Denial of Service (DDoS) attacks, it has evolved over time in its prevalence, sophistication and impact. New social engineering techniques and methods of compromise are creating new vectors that attackers can leverage quite effectively. The damage can also be quite extensive, with three major impacts:
Encryption of corporate and/or personal data:
Typically these are important documents and data on the initially compromised system, followed by cross-infection of other systems.
Encryption of secondary and tertiary data:
As other systems are infected, these are often servers and backup resources.
Disclosure/Destruction (or threat of) prior to or during restoration attempts:
If there is an attempt to circumvent the ransom, data is destroyed or disclosed to the public.
Additionally, the variety and rate of evolution of ransomware have increased significantly. This makes it more difficult for traditional malware detection mechanisms to detect and react in time (much like the flu virus, which constantly morphs its outer proteins to evade the immune system). Let’s take a look at some of the major categories of ransomware:
These two are similar in code base, with CryptoWall evolving out of CryptoLocker. During the first six months of 2014, CryptoWall earned an estimated $1 million.
This code, discovered in 2014, distinguished itself by its use of Tor-based (dark web) server control and automated Bitcoin methods.
An evolution of CryptoLocker.
Began to spread in 2016 using mass distribution channels.
In 2015, this ransomware encrypted various types of files including online games. It’s very difficult to remediate.
This is a very limited list. Each category has several offshoots that provide for a rich jungle of each code type. The actual list would go on for pages.
Fileless (non-file-based) attacks are also becoming more prevalent. First discovered in 2014, these directly manipulate the system registry and memory to place malware in a way that is largely undetectable by traditional file-based anti-virus methods. This sacrifices resiliency for stealth: the code does not survive a reboot, but it doesn’t have to.
Once access is gained, the damage is done. Typically the covert encryption of data occurs very quickly after the code becomes resident, but encryption is not the only method. Sometimes data is extracted and held for ransom. The data might be email threads, web histories, internal corporate documents, etc. There may also be a command-and-control (C2) channel for infiltration or exfiltration. So the problem of ransomware is indeed multidimensional. It has multiple methods and can impact corporations as well as individuals.
So the question is, “What can be done?” I call attention back to my Advanced Persistent Threat blog series. The use of micro-segmentation in a well-thought-out manner is the first key approach. While some users may be affected, it is important to realize that the propagation must be contained. Above all, important critical data should be separated from the compromised end point by several degrees. At a high level, this means a solid white-listed security demarcation between micro-segments, combined with threat detection intelligence at those demarcations to pick out any anomalies in traversing traffic.
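The two checks described above, the degrees of separation between an end-point segment and critical data, and anomaly detection at the demarcations, as an added example that is not part of the original post. The segment names, white-listed flows and traffic records are constructed for illustration and are assumptions, not Avaya configuration.

```python
from collections import deque

# Constructed micro-segment names (assumptions for the example).
SEGMENTS = {"user-endpoints", "app-tier", "db-tier", "backup", "internet"}

# White-listed flows between segments as (src, dst, dst_port). Anything not
# listed is denied at the demarcation between the two segments.
ALLOWED_FLOWS = {
    ("user-endpoints", "app-tier", 443),
    ("app-tier", "db-tier", 5432),
    ("db-tier", "backup", 873),
    ("user-endpoints", "internet", 443),
}

def allowed_graph(flows):
    """Directed adjacency: which segments each segment may initiate traffic to."""
    graph = {seg: set() for seg in SEGMENTS}
    for src, dst, _ in flows:
        graph.setdefault(src, set()).add(dst)
    return graph

def degrees_of_separation(flows, start, target):
    """Fewest demarcations an infection must cross from start to reach target
    using only white-listed flows (BFS); None if target is unreachable."""
    graph = allowed_graph(flows)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        seg, hops = queue.popleft()
        if seg == target:
            return hops
        for nxt in graph.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def find_anomalies(flows, traffic):
    """Return inter-segment records that have no white-list match."""
    return [r for r in traffic
            if r["src"] != r["dst"] and (r["src"], r["dst"], r["port"]) not in flows]

# Constructed traffic sample as observed at the demarcation points.
SAMPLE_TRAFFIC = [
    {"src": "user-endpoints", "dst": "app-tier", "port": 443},
    {"src": "user-endpoints", "dst": "backup", "port": 445},  # lateral move toward backups
    {"src": "app-tier", "dst": "internet", "port": 4444},     # unexpected outbound, possible C2
    {"src": "app-tier", "dst": "db-tier", "port": 5432},
]

if __name__ == "__main__":
    print("endpoint -> backup degrees:", degrees_of_separation(ALLOWED_FLOWS, "user-endpoints", "backup"))
    for rec in find_anomalies(ALLOWED_FLOWS, SAMPLE_TRAFFIC):
        print("ANOMALY at demarcation:", rec)
```

Adding a single direct end-point-to-backup flow to the white list collapses the separation from three degrees to one, which is the kind of policy drift this check is meant to catch.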
But we can’t ignore the human dimension. We are the weakest link in the chain. I hate to bang on the users again—but, after all, I’m a user as well, right? We all are. Do individuals in our organizations understand what the proper security policy is? Do our organizations have a policy for ransomware and, more importantly, do we have a reaction plan?
Avaya has been working with various security partners to evolve SDN Fx into a true open ecosystem for secure network communications. By utilizing stealth network topologies, hyper-segmentation and elasticity, many of the hurdles to a secure infrastructure can be eased. It also makes it much more difficult for malicious code and C2 channels to propagate and become established. This is particularly true if the micro-segmentation design is well aligned with well-designed security demarcations. This powerful combination can result in the service chaining of individual communities of interest into defined and coordinated security inspection points. We will talk about this in my next blog where I explore the importance of visibility to a proper security practice. Until then, stay secure!