[BreachExchange] Seven ways to detect ransomware beyond antivirus

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 9 20:43:14 EST 2016


http://economictimes.indiatimes.com/small-biz/security-tech/security/seven-ways-to-detect-ransomware-beyond-antivirus/articleshow/51328701.cms

Ransomware is malware that infects systems and locks down data,
preventing users from accessing it until a ransom is paid. It can affect
individuals and businesses alike, but it becomes a critical threat for
enterprises dealing with huge amounts of data.

Once you are infected, the strong encryption that ransomware uses makes
it impossible to recover the key needed to decrypt the data. The data is
more or less lost unless backups are available, so for this class of
threat it is better to focus on prevention and detection mechanisms
before it is too late.

There are several kinds of ransomware, and new ones are being detected
every day. Present-day anti-virus software relies predominantly on
signatures left behind by known malware. Because the threat situation in
the ransomware space is so dynamic and fast-evolving, a signature-oriented
approach to detection is very ineffective, and relying only on
predominantly signature-based anti-virus software to protect you may be
very risky.

Organizations need to look beyond traditional security technologies to
stay protected from such threats. The new breed of security products
needs to be multi-pronged and able to look at multiple dimensions to
protect an organization or individual from such attacks. Here are some
pointers to the dimensions you will need to look at to protect yourself.

1. Secure Network Shares

At a very basic level, no shared folder should grant read/write rights
to the "Everyone" group. Malware needs to propagate further to maintain
stealth and persistence in the network, so it has to find a mechanism to
copy files to connected target machines, and network shares are used for
this. Ensuring shared folders do not have open-ended permissions can
prevent this from happening. Tools that warn you of such violations
should be deployed.
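A concrete check for the rule in this section, added here as an example rather than code from the article. It parses a simplified permissions report in the style of Windows `icacls` output (the report layout and the three share records are constructed) and lists every share where Everyone, and, going slightly beyond the article's "Everyone" rule, Authenticated Users or Anonymous Logon, has an allow entry carrying a write right. Deny entries are ignored because they restrict rather than grant.

```python
"""Flag shared folders whose ACL grants write access to broad groups.

Added example, not code from the article. It reads a simplified report in
the style of Windows `icacls` output: a share path on its own line, then
one indented ACE per line ("principal:(flag)(flag)(rights)"), with a blank
line between shares. The article's rule is "no read/write for Everyone";
flagging Authenticated Users and Anonymous Logon too is my extension.
The report at the bottom is constructed.
"""
import re

# icacls rights tokens that allow creating or changing files: F (full
# control), M (modify), W (write) and the granular WD (write data) and
# AD (append data) rights.
WRITE_TOKENS = {"F", "M", "W", "WD", "AD"}
# Principals that amount to "anyone on the network", compared
# case-insensitively after stripping any DOMAIN\ prefix.
OPEN_PRINCIPALS = {"everyone", "authenticated users", "anonymous logon"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_ace(line):
    """Return (principal, set of flag/right tokens) for one ACE line, or None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
        tokens.update(t.strip() for t in group.split(","))
    return m.group("principal").strip(), tokens


def parse_report(text):
    """Map share path -> list of (principal, tokens)."""
    shares, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line: a new share path
            current = raw.strip()
            shares[current] = []
        else:
            ace = parse_ace(raw)
            if ace and current is not None:
                shares[current].append(ace)
    return shares


def find_open_shares(text):
    """Return shares where an open principal has an allow ACE with write rights."""
    hits = []
    for share, aces in parse_report(text).items():
        for principal, tokens in aces:
            if "DENY" in tokens:            # deny ACEs restrict, they don't grant
                continue
            short = principal.rsplit("\\", 1)[-1].lower()
            write = tokens & WRITE_TOKENS
            if short in OPEN_PRINCIPALS and write:
                hits.append({"share": share, "principal": principal,
                             "write_rights": write})
    return hits


# Constructed report: Finance is fine (Everyone read-only), Scratch gives
# Everyone full control, Public denies Everyone write but lets any
# authenticated user write data.
SAMPLE_REPORT = r"""
\\fileserver\Finance
    BUILTIN\Administrators:(OI)(CI)(F)
    CORP\Finance-RW:(OI)(CI)(M)
    Everyone:(OI)(CI)(RX)

\\fileserver\Scratch
    BUILTIN\Administrators:(OI)(CI)(F)
    Everyone:(OI)(CI)(F)

\\fileserver\Public
    Everyone:(DENY)(OI)(CI)(W)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX,WD)
"""

if __name__ == "__main__":
    for hit in find_open_shares(SAMPLE_REPORT):
        print(f"{hit['share']}: {hit['principal']} has {sorted(hit['write_rights'])}")
```

Run as a scheduled job against the real share inventory, the output is exactly the "warning of such violations" the section asks for; the report format is the only thing that needs adapting to whatever your inventory tool emits.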

2. Regular Analytics on Service Usage

If you are not using a service or daemon, it is better to stop it.
Unused services are often not monitored and tend to remain unpatched.
Malware looks for such gaps and uses them to piggyback and maintain
stealth. Tools that detect unused services will enable you to decide
which of them to stop.

3. Detect Internal C&C Accounts

Malware creates local accounts to conduct its activities in stealth
mode. Once malware gets hold of a local account, its activities become
authorized and an antivirus may not be able to flag them. The solution is
to run periodic discovery tools for user accounts across systems and
detect such Command & Control accounts. Detecting such C&C accounts can
enable you to take remedial action before it is too late.

4. Actively Detect Rogue Browser Plugins

A common entry point for ransomware is the browser. Most of the time,
malware is pushed onto a system through malicious plugins that users
install while browsing. Tools that can continuously scan browsers across
network endpoints and force the removal of such plugins are needed.

5. Applying Threat Intel on Outbound Connections

Firewalls, IPS, WAF, NetFlow collectors and proxies are the devices
through which your organization's outbound traffic passes. The need of
the hour is a tool that can sift through this outbound data across all of
these technologies. Centralized monitoring of all outbound traffic,
combined with the ability to apply threat intelligence on malware sites,
IP addresses, C&C servers and botnet URLs to that traffic data, will help
in detecting malicious network activity. Such detection will go a long
way in protecting the network from ransomware and other such dangerous
malware.

6. Scan for Indicators of Compromise

There is usually a delay before anti-virus signatures for new malware
and variants become available, and until the signatures are established
you are at risk. Some ransomware does not have fixed signatures at all: it
keeps changing its signature very frequently to avoid detection. In such
a situation, other Indicators of Compromise (IOCs) should be used to
detect the malware. IOC-based scans are needed rather than
signature-based scans, and you should use such IOC-based scanning tools
to protect your networks.
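What an IOC-based scan looks like in practice, as an added example that is not code from the article. Instead of an AV engine's signature database it walks a directory tree and matches two kinds of indicator: file content by SHA-256 (which catches a known dropper regardless of its name) and file names by pattern (ransom-note names and an unusual extension on otherwise ordinary documents, which catches activity even when the binary has changed). Every IOC value here is a constructed placeholder, not a real ransomware indicator; a real deployment would load them from a threat feed or incident report.

```python
"""Scan a directory tree for Indicators of Compromise instead of relying
on AV signatures. Added example, not from the article; the IOC hashes and
name patterns are constructed placeholders, not real ransomware IOCs.
"""
import hashlib
import os
import re
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes, ioc_name_patterns):
    """Return a list of hits: {"path", "type", "value"}.

    ioc_hashes: set of lowercase SHA-256 hex digests of known-bad files.
    ioc_name_patterns: list of (label, compiled regex) applied to file names.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for label, pat in ioc_name_patterns:
                if pat.search(name):
                    hits.append({"path": path, "type": "filename", "value": label})
            try:
                digest = sha256_file(path)
            except OSError:
                continue            # unreadable file: skip it, keep scanning
            if digest in ioc_hashes:
                hits.append({"path": path, "type": "sha256", "value": digest})
    return hits


# Constructed IOC set. The "malicious" bytes are a placeholder whose hash
# stands in for a feed-supplied dropper hash.
MALICIOUS_SAMPLE = b"PLACEHOLDER dropper bytes - constructed for this example"
IOC_HASHES = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}
IOC_NAME_PATTERNS = [
    ("ransom note",
     re.compile(r"^(HOW_TO_DECRYPT|README_FOR_DECRYPT).*\.(txt|html)$", re.I)),
    ("encrypted extension", re.compile(r"\.lockedexample$", re.I)),
]


def run_demo():
    """Build a constructed tree in a temp dir, scan it, return sorted hits."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        files = {                                   # constructed contents
            "docs/budget.xlsx": b"benign spreadsheet",
            "docs/budget.xlsx.lockedexample": b"ciphertext",
            "docs/HOW_TO_DECRYPT_FILES.txt": b"pay here",
            "update.exe": MALICIOUS_SAMPLE,
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        hits = scan_tree(root, IOC_HASHES, IOC_NAME_PATTERNS)
        return sorted(
            (os.path.relpath(h["path"], root).replace(os.sep, "/"),
             h["type"], h["value"])
            for h in hits)


if __name__ == "__main__":
    for rel, kind, value in run_demo():
        print(f"{rel}: {kind} IOC match ({value})")
```

Hash IOCs go stale as soon as the sample is repacked, which is the article's point about changing signatures; the name and extension patterns are the part of this scan that keeps working across variants, so in practice a feed of both kinds is loaded and the scan is run on a schedule against file servers and endpoints.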

7. Detect Drive by Downloads

Drive-by downloads are one of the most common vectors for propagation of
ransomware. The indicators of a drive-by download are available in proxy,
NetFlow and DNS logs. Tools that can analyse such logs to determine
patterns or outliers indicating drive-by download behaviour are needed.
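An added example, not code from the article, that serves both section 5 (threat intel on outbound connections) and section 7 (drive-by detection): both work from the same outbound proxy log, so one parser feeds two detections. The log format, the log lines and the threat-intel feed are all constructed; `bad-example.invalid` and the 198.51.100.0/24 address are reserved documentation values, not real indicators. `threat_intel_hits` matches each destination host, including its parent domains, against the feed. `drive_by_hits` flags an executable download that a client reached through a referer chain, within a short window, from an HTML page on a different domain, which is the pattern a drive-by download leaves in proxy logs and a deliberate download from a vendor site does not.

```python
"""Two detections over outbound proxy logs: threat-intel matching of
destination hosts and a drive-by-download heuristic. Added example, not
from the article; the log format, log lines and feed are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format, one request per line:
#   timestamp client method url status content-type referer ("-" if none)
LOG_LINES = """\
2016-03-09T10:00:01 10.1.2.5 GET http://news.example/story.html 200 text/html -
2016-03-09T10:00:02 10.1.2.5 GET http://ads.example/banner.js 200 application/javascript http://news.example/story.html
2016-03-09T10:00:03 10.1.2.5 GET http://cdn-ex.invalid/gate.php 200 text/html http://ads.example/banner.js
2016-03-09T10:00:04 10.1.2.5 GET http://cdn-ex.invalid/dl/inst.exe 200 application/x-msdownload http://cdn-ex.invalid/gate.php
2016-03-09T10:05:00 10.1.2.7 GET http://vendor.example/setup.msi 200 application/x-msi -
2016-03-09T10:06:00 10.1.2.9 POST http://c2.bad-example.invalid/panel 200 text/html -
2016-03-09T10:07:00 10.1.2.9 GET http://198.51.100.23/check 404 text/html -
"""

# Constructed threat-intel feed: domains (matched with subdomains) and IPs.
THREAT_INTEL = {"bad-example.invalid", "198.51.100.23"}

EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/octet-stream", "application/x-msi"}
EXEC_EXT = (".exe", ".scr", ".msi", ".dll", ".jar")


def parse_log(text):
    """Parse the constructed format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "host": urlsplit(url).hostname,
            "status": int(status), "ctype": ctype,
            "referer": None if referer == "-" else referer,
        })
    return events


def host_matches(host, feed):
    """Return the feed entry that covers host (exact or parent domain), or None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def threat_intel_hits(events, feed):
    """Section 5: (client, host, matched feed entry) for every flagged request."""
    hits = []
    for e in events:
        matched = host_matches(e["host"], feed)
        if matched:
            hits.append((e["client"], e["host"], matched))
    return hits


def is_executable(e):
    path = urlsplit(e["url"]).path.lower()
    return e["ctype"] in EXEC_TYPES or path.endswith(EXEC_EXT)


def drive_by_hits(events, window=timedelta(seconds=30)):
    """Section 7: executable downloads reached via a referer chain from an
    HTML page on another domain within `window` (user-typed downloads have
    no referer and are not flagged)."""
    by_client_url = defaultdict(list)
    for e in events:
        by_client_url[(e["client"], e["url"])].append(e)
    hits = []
    for e in events:
        if not (is_executable(e) and e["status"] == 200 and e["referer"]):
            continue
        chain, cur, seen = [e["host"]], e, set()
        while cur["referer"] and cur["url"] not in seen:   # walk back
            seen.add(cur["url"])
            prev = [p for p in by_client_url[(cur["client"], cur["referer"])]
                    if timedelta(0) <= cur["ts"] - p["ts"] <= window]
            if not prev:
                break
            cur = max(prev, key=lambda p: p["ts"])
            chain.append(cur["host"])
        origin_is_page = cur["ctype"].startswith("text/html")
        if len(chain) > 1 and origin_is_page and chain[-1] != e["host"]:
            hits.append({"client": e["client"], "download": e["url"],
                         "origin": chain[-1], "chain": list(reversed(chain))})
    return hits


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for client, host, ioc in threat_intel_hits(evs, THREAT_INTEL):
        print(f"threat intel: {client} -> {host} (feed entry {ioc})")
    for hit in drive_by_hits(evs):
        print(f"drive-by: {hit['client']} got {hit['download']} via {' > '.join(hit['chain'])}")
```

The two detections are complementary in the way the article describes: the feed match only fires on destinations someone has already reported, while the chain heuristic fires on the behaviour itself, so a new dropper host shows up the first time it is used. Tune the window and the executable content types to what your proxy actually records.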

Conclusion

Ransomware uses new paradigms of stealth, which makes it difficult to
detect. Software products that focus on vulnerability and threat
management have traditionally used signatures for detection. This
single-dimensional approach is very risky. Combating ransomware-type
threats needs a multi-dimensional approach that focuses on the factors
outlined above. So to fight such threats, you will need to enable
yourselves with tools that provide a co ..