Ransomware is on everyone's minds these days, and that is no surprise considering just in the past year, we have seen a huge rise in infiltration cases, which led to ransomware infections. What might be surprising is that ransomware has been around for a very long time. The first ransomware outbreak was seen in 1989. It was named the AIDS Trojan or PC Cyborg Trojan, and it propagated through infected floppy disks.
Many believe the question of ransomware is not if, but a question of when, and it is hard to argue that notion considering the extensive list of victim organizations in just this past year alone. One of many examples to note is the ransomware infection that affected Quanta Incorporation, a manufacturer of hardware parts for Apple computers. The ransomware group REvil infiltrated Quanta, encrypted their files, and made a ransom demand of $50 million. The company, however, refused to pay. So REvil turned to Apple with the ransom demand, which Apple also refused to pay. It is believed that as a result of the data that was exfiltrated, schematics for a future release of Apple laptops was released on the Internet, but the information was ultimately taken down by law enforcement agencies.
Ransomware is so difficult to defend against because each ransomware strain has its own way of infiltrating a network, moving around within a network, gaining access to resources, and exfiltrating data. But at a very high level, there are five major stages in the lifecycle of ransomware. One is the initial infiltration stage, where ransomware tries to gain a foothold somewhere on the network or into one or a few machines. Once successful, the ransomware might move to the next stage and try to attempt privilege escalation and harvest credentials that it can use to move laterally within a network. In addition, it might also attempt network reconnaissance to find assets that are most valuable, a third stage in the ransomware lifecycle. A fourth stage is communication with a command-and-control server to receive further commands and download more tools that will help attackers reach deeper into the network and further exploit, for example, take over a domain controller or install backdoor access on routers which will help monitor traffic or redirect it. The final stage we are all very familiar with – exfiltration and encryption of files – which enables attackers to demand their ransoms.
It is important to note that it is not necessary for an attack to follow the stages in the order that I have listed. For example, after the first stage, which is the initial compromise of a machine, the malware may contact a command-and-control server, listed as step 4, to download the next stage of an attack. This could be an exploit for privilege escalation, or if privilege escalation has been achieved, it could be to download the next stage of the payload, which contains the real malware (ransomware, cryptominer, rootkit, etc.).
To illustrate how widespread the issue is, the recent Log4j vulnerability made worldwide headlines because millions of devices became affected by this vulnerability. And it is very trivial to exploit. In fact, a new ransomware strain named Khonsari has started leveraging this exploit to infiltrate machines and then deploy ransomware. In addition, ProxyLogon refers to a chain of vulnerabilities in Microsoft Exchange servers, and these exchange servers are always exposed and receive infected emails. The well-known DearCry ransomware used the ProxyLogon exploit to infiltrate organizations by leveraging this vulnerability in Exchange servers to deploy ransomware. Another way ransomware can spread is through infected USB drives. A good example is the Try2Cry ransomware.
Once malware gets a foothold on a network, it will try to identify important assets and gain access to them. If it goes to the stage of privilege escalation and is successful, it will have maximum privileges on all those machines. The next thing the ransomware could try to do is employ a series of exploit tools that might be built into the ransomware or the malware or which might be readily available on Windows machines themselves. For example, since PowerShell is available on all Windows 10 machines, ransomware could leverage this and employ a series of tools, techniques, or procedures, otherwise known as TTP, to move laterally throughout the network and take over other devices.
Now, consider the ransomware endgame, which can actually be twofold. Once an organization is infected with ransomware, most of the time, the files are encrypted and held for ransom. But a second threat from ransomware is emerging around data exfiltration. In this instance, before the ransomware encrypts an organization’s files, it exfiltrates files from infected computers – which can result in double extortion. Once a network is infected with ransomware, it is common for the organization to be demanded to pay a ransom to get the files decrypted back. While an organization may consent to get its files decrypted, the problem is that the original files were exfiltrated, which may contain confidential information, personal data, credit card information, or blueprints for some upcoming projects. The organization could be extorted again by the ransomware operator to keep the content from being released into the public domain.
Once infected, organizations are at the mercy of the cyberthieves. In some cases, despite the ransom being paid, the decryption tools are not provided. And as we have seen, confidential data can always be released into the public domain. Luckily, new innovative technology is available and proven to improve network security and visibility, and can help in the battle against ransomware.
How SASE can help
One innovative approach that integrates advanced security and networking into one solution is called secure access service edge (SASE), which allows IT teams to create a more robust, reliable, and trusted network infrastructure to operate efficiently and safely, and best serve users. Advanced SASE solutions protect organizations by tightly integrating security services such as VPN, Secure SD-WAN, Edge Compute Protection, Next-Generation Firewall, Next-Generation Firewall as a Service, Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA); while providing contextual security based on user, role, device, application, location, security posture of the device, and content.
Advanced SASE solutions offer a wealth of security capabilities to help organizations address the ongoing threat of ransomware. For example, static analysis and dynamic analysis tools enable organizations to discover if there is anything suspicious about a file or if it contains any malicious code. SASE offers these capabilities as part of its IPS engine or Firewall as a Service (FaaS) functionality. When a file leaves a user’s machine and enters a SASE edge gateway and into the internal network, its file content analysis solution statically analyzes the file to determine if it contains anything malicious.
Network traffic analytics, analysis, and anomaly detection help organizations determine if anything such as lateral movement is happening inside the network. These network traffic anomaly detection solutions as a capability of SASE, determine if there is any kind of unusual network activity, which can be flagged as possible ransomware.
SASE offers IPS and other network monitoring, which uses signatures or heuristics to detect the latest threats and network anomalies, including lateral movement, which ransomware uses to propagate within a network. It also delivers network visibility and analytics to help an organization clearly understand its network and the segmentation within the network, to apply specific security policies and permissions based on the network dynamic.
SASE also enables Zero Trust networking and the principle of least privilege, which gives users only the privileges needed to complete their duties on that machine, and sets up appropriate network policies for users, works stations, and laptops to limit access and a widespread ransomware attack. Ransomware's main weapon is lateral movement and infiltration within networks to capture valuable information. SASE helps prevent this.
SASE's Host Information Profile (HIP) scans the health of a SASE client connecting to the SASE gateway. There are numerous parameter checks to ascertain the client's health status, including patch level, OS version, presence of an up-to-date AV engine with signatures, registry settings, monitoring of running processes and services, etc. Based on the scan results, the SASE gateway can enforce policies such as preventing access from the host or moving it into a quarantine network.
Finally, advanced SASE solutions offer a URL reputation feature that monitors and reports if any process on a SASE client contacts a malicious domain.
When it comes to ransomware, organizations can count on being under attack or under the constant threat of attack. While we do not know when the next major ransomware attack will hit, we do know there are preventative measures organizations can take to help protect their valuable data. In addition to important measures such as deception technologies and backup techniques, SASE offers a suite of security capabilities well suited to limit the assault of ransomware while also ensuring healthy network performance and services.
Winny Thomas is Principal Security Architect at Versa Networks.