[BreachExchange] Ten Best Practices for Outsmarting Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 31 19:02:16 EDT 2018


Almost a year after WannaCry made global news headlines, a number of
high-profile organizations have continued to be targeted by this
ransomware, some quite recently. It's part of a growing trend that has the
potential to impact large numbers of people, and with potentially
devastating consequences.

The now-infamous WannaCry ransomworm hit a major production plant in March,
and one of the country's largest municipalities recently fought off the
SamSam ransomware for several days, an event that the city's mayor called a
"hostage situation." Fortunately, it appears that WannaCry only impacted a
handful of the manufacturer's servers, and it didn't compromise any of
their production lines. And this latest SamSam attack fortunately only
affected online bill-paying and court-scheduling services and not critical
infrastructure. It could have been much worse.

A ransomware attack traditionally begins when an end user clicks on a link
or opens a file attached to a malicious email that is part of a phishing
(untargeted) or spearphishing (targeted) campaign. Or, they visit a
compromised website and pick up a bug along with whatever they were looking
at or downloading. In either case, the malicious file is loaded onto a
vulnerable endpoint device that is connected to an open network, and its
payload spreads from there, locating other vulnerable systems and
encrypting their data.

The SamSam malware, however, is a bit more complicated. This ransomworm
primarily targets vulnerable servers that have been left exposed to the
internet, either by attacking them through an RDP (Remote Desktop Protocol)
brute force attack or by targeting and exploiting specific, known
vulnerabilities. As a result, its attacks tend to be much more directed and

SamSam was a fairly low-profile threat when it arrived on the scene in late
2015.
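The RDP brute-force entry point described above leaves a very recognizable trace in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (event 4624) from the same address. The following script is an added example, not code from the article or from any vendor, that runs that detection over a constructed export of such events; the tab-separated record layout, the source addresses and the account names are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not real data, not from
# the article): one tab-separated record per line with
#   timestamp  EventID  LogonType  account  source IP
# EventID 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2018-05-31T01:55:02\t4624\t10\tsvc-backup\t10.0.0.9
2018-05-31T02:00:01\t4625\t10\tadministrator\t203.0.113.7
2018-05-31T02:00:03\t4625\t10\tadmin\t203.0.113.7
2018-05-31T02:00:05\t4625\t10\tadministrator\t203.0.113.7
2018-05-31T02:00:08\t4625\t10\troot\t203.0.113.7
2018-05-31T02:00:12\t4625\t10\tadministrator\t203.0.113.7
2018-05-31T02:00:15\t4625\t10\tguest\t203.0.113.7
2018-05-31T02:00:19\t4625\t10\tadministrator\t203.0.113.7
2018-05-31T02:00:24\t4625\t10\tadmin\t203.0.113.7
2018-05-31T02:00:30\t4625\t10\tadministrator\t203.0.113.7
2018-05-31T02:00:37\t4625\t10\tsysadmin\t203.0.113.7
2018-05-31T02:00:45\t4625\t10\tadministrator\t203.0.113.7
2018-05-31T02:00:55\t4625\t10\tjsmith\t203.0.113.7
2018-05-31T02:01:10\t4624\t10\tjsmith\t203.0.113.7
2018-05-31T02:01:30\t4625\t10\tjdoe\t198.51.100.5
2018-05-31T02:02:00\t4625\t2\tjdoe\t10.0.0.5
2018-05-31T02:03:15\t4625\t10\tjdoe\t198.51.100.5
"""


def parse_events(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source": source,
        })
    return events


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source that produced at least
    `threshold` failed RDP logons inside some `window`-long interval.

    Each alert records the total failures seen, the distinct account names
    tried, when the threshold was first crossed, and whether a successful
    RDP logon from the same source followed that moment (the case that
    calls for incident response rather than just a firewall rule)."""
    failures = defaultdict(list)   # source -> failure timestamps (sorted)
    accounts = defaultdict(set)    # source -> account names tried
    successes = defaultdict(list)  # source -> timestamps of successful logons

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:      # only RDP sessions are of interest here
            continue
        if ev["event_id"] == 4625:
            failures[ev["source"]].append(ev["time"])
            accounts[ev["source"]].add(ev["account"])
        elif ev["event_id"] == 4624:
            successes[ev["source"]].append(ev["time"])

    alerts = {}
    for src, times in failures.items():
        crossed_at = None
        start = 0                       # left edge of the sliding window
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                crossed_at = t
                break
        if crossed_at is None:
            continue
        alerts[src] = {
            "failures": len(times),
            "accounts": sorted(accounts[src]),
            "threshold_crossed_at": crossed_at,
            "success_after": any(s > crossed_at for s in successes[src]),
        }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, alert)
```

On the constructed sample the script flags only 203.0.113.7 (twelve failures across six account names inside one minute, then a success), while the two stray failures from 198.51.100.5 and the console logon failure (logon type 2) are ignored. The threshold and window are the knobs to tune against your own baseline of legitimate failed RDP logons; a source that is flagged and then succeeds should be treated as a probable compromise, not a noisy scanner.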

However, over the past several months, its developers have become much more
active, targeting a wide range of organizations, from healthcare and
educational institutions to local governments. Four major municipalities
have been targeted since the beginning of the year, with one being hit
twice within a week, forcing nearly 2,000 employees to conduct business
using pencil and paper. It is estimated that, to date, the group
responsible for SamSam has extorted nearly a million dollars from its

We have also seen cybercriminals successfully target cloud-based web
hosting services in order to inject code into multiple high traffic web
domains rather than trying to do that one at a time. The force multiplier
of attacking a centralized service makes cloud providers increasingly
tempting targets. Successfully crippling a service that generates millions
of dollars a day for the provider, while simultaneously disrupting service
for potentially hundreds or thousands of businesses and tens of thousands
or even millions of their customers, would not just represent a massive
payday for a criminal organization. It would also undermine the fragile
trust that many organizations already have when it comes to cloud-based
computing, and could have a devastating effect on digital transformation
and our digital economy.

Of course, these are just a few of a growing number of ransomware exploits.
It appears, however, that even the most sophisticated of these ransomware
attacks emerging today are just the tip of the spear. Cybercriminals are
adopting new attack strategies, such as those used by Hajime and
Hide-and-Seek, to accelerate both the scale and success of attacks. These
new variants are transitioning away from traditional ransomworm-based
attacks, which require constant communication back to their controller,
and replacing them with automated, self-learning strategies, potentially
turning malicious ransomworms into ransomswarms.

Future attacks are likely to leverage things like swarm intelligence to
take humans out of the loop entirely in order to accelerate attacks to
digital speeds. Real-time communications allow individual attack agents –
or swarmbots – to cluster together into coordinated swarms that are able to
more efficiently assess and target a wide array of potential
vulnerabilities. This information sharing between swarmbots amplifies the
process of trial and error, while centralized hive-based controls enable
swarms to target multiple targets across the entire attack surface.

Malware goals can then be tied directly to code-building blocks in order to
develop or modify custom attacks on the fly. This sort of swarm technology
can be applied to any point along the attack chain – planning, break-in,
expanding an attack footprint, gathering intelligence, and then
exfiltrating data – in order to accelerate the speed at which an attack
occurs, close the gap between attack and compromise, and maximize the
impact of a successful attack.

Eyes Off the Basics

Of course, these sorts of developments are alarming. But while each of
these attacks may target different attack vectors, they all have one thing
in common: they almost always target systems with known vulnerabilities
that should have been patched.

So, why weren't these devices properly updated and hardened? It's a classic
problem: IT resources have been spread thin as networks have become
increasingly complex. Limited resources are focused on expanding the
capabilities of the network, which today often means managing cloud and
application projects. This, in turn, has caused IT teams to take their eyes
off fundamental security practices, including maintaining basic security
hygiene. According to one of the IT administrators at a city that fought
off a recent SamSam infection, this “really speaks to the fact that as much
as we focus on physical infrastructure, we need to focus on the security of
our digital infrastructure…This is new territory for us.”

10 Best Practices

The “attack on all fronts” strategy that cybercriminals have developed has
been especially effective. Not only are they developing new attack vectors
to exploit the expanding attack surface created by digital transformation,
but they have also been using the tried and true method of targeting older,
known vulnerabilities that IT teams simply don't have the time to address.

To defend your network from such multi-pronged attacks, you need to develop
a back-to-basics, methodical process to reduce the number of possible
attack avenues that your organization is exposed to. This includes:

Inventory all devices: Discover and then maintain a live inventory of what
devices are on your network at all times. Of course, this is hard to do if
your security devices, access points, and network devices can't talk to
each other. As IT resources continue to be stretched, then, an integrated
NOC-SOC solution is a valuable approach to ensure that every device on the
network is identified and monitored.

Automate patching: The recent WannaCry breach makes clear that unpatched
systems continue to be a primary conduit for attacks and malware. That is
why you should automate your patching process as far as possible.

Segment the network: What will you do when your network is breached? It's a
question every security professional needs to ask. Because when it is, you
want to limit the impact of that event as much as possible. The best first
line of defense is to segment the network. Without proper segmentation,
ransomworms like WannaCry can easily propagate across the network, even to
backup stores, making the recovery portion of your incident response (IR)
plan much more difficult to implement. Segmentation strategies, including
microsegmentation in virtual environments and macro-segmentation between
physical and virtual networks, allow you to proactively and dynamically
isolate an attack, thereby limiting its ability to spread.

Track threats: Subscribe to real-time threat feeds so that your security
systems can be on the lookout for the latest attacks. When combined with
local threat intelligence through a centralized integration and correlation
tool, such as a SIEM or threat intelligence service, threat feeds help
organizations see and respond to threats as soon as they begin to emerge in
the wild, rather than only after they have already been targeted, and can
even help them anticipate those threats.

Watch for indicators of compromise (IOCs): When you can match your
inventory to current threats, you can quickly see which of your devices are
most at risk and prioritize either hardening, patching, isolating, or
replacing them.
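The inventory, patching and IOC items above describe one workflow: join the live device inventory against current threat information and rank what to harden, patch or isolate first. The script below is an added example, not from the article or any product, of that join. The inventory, the advisory feed, the product names and the advisory ids (placeholders of the form ADV-EXAMPLE-n) are all constructed for the illustration, and the scoring rule (severity, doubled for internet-exposed hosts, plus a penalty for RDP reachable from the internet, which mirrors the SamSam entry point discussed earlier) is an assumption you would replace with your own risk model.

```python
# Constructed inventory and advisory feed (illustrative only; product names,
# versions and advisory ids such as "ADV-EXAMPLE-1" are placeholders, not real
# identifiers from the article or any vendor).
INVENTORY = [
    {"host": "srv-file-01", "internet_exposed": False, "rdp_open": True,
     "services": {"fileshare-srv": "2.3.0"}},
    {"host": "web-pay-01", "internet_exposed": True, "rdp_open": True,
     "services": {"web-portal": "5.0.1"}},
    {"host": "web-pay-02", "internet_exposed": True, "rdp_open": False,
     "services": {"web-portal": "5.0.3"}},
    {"host": "db-01", "internet_exposed": False, "rdp_open": False,
     "services": {"db-engine": "11.2"}},
    {"host": "ws-042", "internet_exposed": False, "rdp_open": True,
     "services": {}},
]

ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "fileshare-srv",
     "fixed_in": "2.4.1", "severity": 9.8},
    {"id": "ADV-EXAMPLE-2", "product": "web-portal",
     "fixed_in": "5.0.3", "severity": 7.5},
    {"id": "ADV-EXAMPLE-3", "product": "db-engine",
     "fixed_in": "11.2", "severity": 5.3},
]

# Assumed scoring weights (not from the article): exposure doubles the score,
# and RDP reachable from the internet adds a flat penalty.
EXPOSURE_MULTIPLIER = 2.0
EXPOSED_RDP_PENALTY = 3.0


def version_key(version):
    """Dotted numeric version string -> tuple, so "5.0.3" < "5.1" compares right."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed, fixed_in):
    """A host is affected when it runs a version older than the fixed one."""
    return version_key(installed) < version_key(fixed_in)


def assess(device, advisories):
    """Match one inventory record against the advisory feed and score it."""
    findings = [
        adv["id"] for adv in advisories
        if adv["product"] in device["services"]
        and is_vulnerable(device["services"][adv["product"]], adv["fixed_in"])
    ]
    severity = sum(adv["severity"] for adv in advisories if adv["id"] in findings)
    score = severity * (EXPOSURE_MULTIPLIER if device["internet_exposed"] else 1.0)
    exposed_rdp = device["internet_exposed"] and device["rdp_open"]
    if exposed_rdp:
        score += EXPOSED_RDP_PENALTY

    if findings and device["internet_exposed"]:
        action = "isolate or patch immediately"
    elif findings:
        action = "patch"
    elif exposed_rdp:
        action = "restrict RDP"
    else:
        action = "monitor"
    return {"host": device["host"], "score": score,
            "findings": findings, "action": action}


def prioritize(inventory, advisories):
    """Rank every device by risk score (highest first, then by host name)."""
    assessed = [assess(dev, advisories) for dev in inventory]
    return sorted(assessed, key=lambda r: (-r["score"], r["host"]))


if __name__ == "__main__":
    for row in prioritize(INVENTORY, ADVISORIES):
        print(f'{row["host"]:<12} {row["score"]:>5.1f}  {row["action"]:<30} {row["findings"]}')
```

On the constructed data the internet-facing web-pay-01, which runs a version below the fix and also exposes RDP, ranks first; the unexposed file server with the highest-severity advisory comes second; db-01 runs exactly the fixed version and is not flagged. The point of the exercise is the join itself: once inventory records carry product and version, every new advisory becomes a query rather than a manual audit.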

Harden endpoints and access points: Make it a rule that any devices coming
onto your network meet basic security requirements and that you actively
scan for unpatched or infected devices and traffic.

Implement security controls: Apply signature- and behavior-based solutions
throughout your network in order to detect and thwart attacks both at the
edge of your network and once they have penetrated your perimeter.

Use security automation: Once you have locked down those areas you have
control over, apply automation to as many of your basic security processes
as possible. This frees your IT resources to focus on higher-order threat
analysis and response tasks that can protect you from the more advanced
threats targeting your organization.

Back up critical systems: The most important thing you can do when dealing
with ransomware is to make sure that you have a copy of critical data and
resources stored off-network so you can restore and resume operations as
soon as possible.

Create an integrated security environment: To make sure that all these
security practices are seamlessly extended into every new network ecosystem
you bring online, you need to deploy security solutions that are fully
integrated as a security fabric to enable centralized orchestration and

A Team Effort

As networks become more complex, so will the job of defending them. It's
not a one-solution or even one-team job anymore. For example, the growing
number of threats is generating so many patches and updates that it's no
longer a manual job. Automation can relieve the IT team's burden for this
and many other security best practices, and thereby close doors to
ransomware. In addition, as malware evolves, the group intelligence
provided by a shared threat feed will help you know what to look for and
how to address it. The saying "Many hands make light work" applies to the
ongoing challenge of keeping your network and its data secure.