Q&A with Scott Simkin, Sr., threat intelligence manager, Palo Alto Networks
Question: One of the challenges companies face today with ransomware versus traditional malware is that ransomware uses advanced cryptography to make user systems inaccessible. What can companies do to ensure that the attackers' encryption is stopped before it reaches critical data on corporate servers?
Scott Simkin Sr.: For ransomware, it is important to frame it as a criminal business model that generates massive profits for attackers, not as a malware problem. While ransomware is delivered as a malware payload, like any other threat, it differs in intent and motivation as compared to nuisance, information-stealing, or destructive attacks. When architecting your response, consider how quickly ransomware attacks can impact organizations – typically within minutes of an infection – meaning legacy “detect and respond” models provide little value. If a detection system alerts you that an infection has occurred, it's very likely already too late to stop your files from being encrypted. It is critical to deploy controls that are able to prevent malware from entering the network and executing on the systems storing your valuable data.
Q: Much of today's ransomware is delivered either through email with an infected attachment or through standard phishing or spear-phishing attacks with infected links. Essentially, these are the same attack vectors as traditional malware. What's the difference between ransomware and malware and why is this important?
SSS: A common misconception about ransomware is that it isn't malware. The truth is the exact opposite: this threat is simply another type of malware, leveraging the same delivery and infection methods as more common malware. When considering how to prevent and respond to ransomware, you must consider the motivation. Ask yourself why the attacker is picking this particular tool from all of those available to them. In the case of ransomware, it can deliver substantial profit in a relatively simple manner, far more than stolen credentials can on the underground market, for instance. Knowing the motivation and attack methods allows you to put the right organizational policies and protection mechanisms in place, including best practices for malware prevention and choosing not to pay the ransom, should you be infected.
Q: The biggest difference between traditional malware and ransomware is business model. Traditional malware moves stealthily through the network, embedding itself and stealing data to be monetized later. With ransomware, the goal is to monetize the attack immediately by charging the company to get its data back. Why would a company expect an attacker to return the data once the ransom is paid? What recommendations do you have for companies that identify a ransomware attack?
SSS: In a very paradoxical fashion, ransomware requires that infected users trust cyber attackers. If organizations paid the ransom (typically about 1 Bitcoin, or $400) and did not regain access to their data, word would spread, and no one would pay. Given this, adversaries have put a great deal of resources into ensuring they can reliably decrypt data once they receive payment, including standing up support centers akin to what we see in enterprise business. Furthermore, it is important to consider that there is no guarantee that attackers will not come back again with a separate attack, since you've already proven you will pay them. In order to prepare for a potential attack, we recommend a few critical areas to focus on:
- Ensure you have a prevention-based security posture in place, which can stop the threat before it infects your systems.
- Have an organizational policy ready and plan for the event, including guidance on paying the ransom, involving law enforcement, and response efforts.
- Have offline system back-ups ready and updated, in the event you need to restore access to valuable data or systems.
Q: There is a plethora of advice available on the internet about what to do after a ransomware attack occurs. What should companies do before an attack in order to reduce their potential attack surface?
SSS: While knowing how to respond to an attack is important, preventing an infection from ever happening should be the ultimate goal. In order to limit ransomware's ability to spread, there are a few key recommendations organizations can follow:
- Gain full visibility and block unknown traffic: Identify all traffic on the network and block the unknown, potentially high-risk traffic.
- Enforce application- and user-based controls: Restrict access to SaaS-based tools for employees who have no business purpose for using them.
- Block all dangerous file types: Not all file types are malicious, but those known to present higher risk, or associated with recent attacks, can be controlled.
- Implement an endpoint policy aligned to risk: Enforce policies that restrict non-compliant endpoints from connecting to critical network resources.
- Block known threats: Including malware, malicious URLs, exploits and command-and-control activity.
- Identify and prevent unknown threats: Automatically identify new unknown malware and share real-time protections across a global community of users.
Q: Let's start with a given – the best way to not get ransomware, or any malware, is to not click on things you don't know. Given that everyone clicks on some things that they don't know, what are some of the best technological approaches to defeating ransomware? We've seen approaches such as software sandboxing, traditional endpoint security, and even employing VMs to test links before committing them to the user's system. What works and what's antiquated technology?
SSS: One thing is clear with ransomware: legacy “detection and response” methods do not scale. The volume of alerts combined with the velocity of new malware creation has put network defenders on the defensive. Security teams are constantly chasing after an endless number of events, without the time or resources to respond to all of them. Organizations should consider how to implement a next-generation security platform that combines network and endpoint security with threat intelligence to provide automated protections and prevent cyber attacks. The platform should natively address all stages of the attack lifecycle, leveraging multiple best-of-breed technologies from advanced endpoint protection to sandboxing.