Ten Best Practices for Outsmarting Ransomware

Almost a year after WannaCry made global news headlines, a number of high-profile organizations have continued to be targeted by this ransomware, some quite recently. It's part of a growing trend that has the potential to impact large numbers of people, and with potentially devastating consequences. 

The now-infamous WannaCry ransomworm hit a major production plant in March, and one of the country's largest municipalities recently fought off the SamSam ransomware for several days, an event that the city's mayor called a “hostage situation.” Fortunately, it appears that WannaCry only impacted a handful of the manufacturer's servers, and it didn't compromise any of its production lines. And this latest SamSam attack fortunately only affected online bill-paying and court-scheduling services and not critical infrastructure. It could have been much worse. 

Traditionally, a ransomware attack typically begins when an end user clicks on a link or opens a file attached to a malicious email that is part of a phishing (random) or spearphishing (targeted) campaign. Or, they visit a compromised website and pick up a bug along with whatever they were looking at or downloading. In either case, the malicious file is loaded onto a vulnerable endpoint device that is connected to an open network, and its payload spreads from there, locating other vulnerable systems and encrypting their data. 

The SamSam malware, however, is a bit more complicated. This ransomworm primarily targets vulnerable servers that have been left exposed to the internet, either by attacking them through an RDP (Remote Desktop Protocol) brute force attack or by targeting and exploiting specific, known vulnerabilities. As a result, its attacks tend to be much more directed and planned. 

SamSam initially posed a fairly low-profile risk when it arrived on the scene in late 2015.

However, over the past several months, its developers have become much more active, targeting a wide range of organizations, from healthcare and educational institutions to local governments. Four major municipalities have been targeted since the beginning of the year, with one being hit twice within a week, forcing nearly 2,000 employees to conduct business using pencil and paper. It is estimated that, to date, the group responsible for SamSam has extorted nearly a million dollars from its victims. 

We have also seen cybercriminals successfully target cloud-based web hosting services in order to inject code into multiple high-traffic web domains at once rather than trying to do so one domain at a time. The force multiplier of attacking a centralized service makes cloud providers increasingly tempting targets. Successfully crippling a service that generates millions of dollars a day for the provider, while simultaneously disrupting service for potentially hundreds or thousands of businesses and tens of thousands or even millions of their customers, would not just represent a massive payday for a criminal organization. It would also undermine the fragile trust that many organizations already have when it comes to cloud-based computing, and could have a devastating effect on digital transformation and our digital economy. 

Of course, these are just a few of a growing number of ransomware exploits. It appears, however, that even the most sophisticated of the ransomware attacks emerging today are just the tip of the spear. Cybercriminals are adopting new attack strategies, such as those used by Hajime and Hide-and-Seek, to accelerate both the scale and success of attacks. These new variants are transitioning away from traditional ransomworm-based attacks, which require constant communication back to their controller, and replacing them with automated, self-learning strategies, potentially turning malicious ransomworms into ransomswarms. 

Future attacks are likely to leverage things like swarm intelligence to take humans out of the loop entirely in order to accelerate attacks to digital speeds. Real-time communications allow individual attack agents – or swarmbots – to cluster together into coordinated swarms that are able to more efficiently assess and target a wide array of potential vulnerabilities. This information sharing between swarmbots amplifies the process of trial and error, while centralized hive-based controls enable swarms to hit multiple targets across the entire attack surface simultaneously. 

Malware goals can then be tied directly to code-building blocks in order to develop or modify custom attacks on the fly. This sort of swarm technology can be applied to any point along the attack chain – planning, break-in, expanding an attack footprint, gathering intelligence, and then exfiltrating data – in order to accelerate the speed at which an attack occurs, close the gap between attack and compromise, and maximize the impact of a successful attack. 

Eyes Off the Basics 

Of course, these sorts of developments are alarming. But while each of these attacks may target different attack vectors, they all have one thing in common: they almost always target systems with known vulnerabilities that should have been patched. 

So, why weren't these devices properly updated and hardened? It's a classic problem: IT resources have been spread thin as networks have become increasingly complex. Limited resources are focused on expanding the capabilities of the network, which today often means managing cloud and application projects. This, in turn, has caused IT teams to take their eyes off fundamental security practices, including maintaining basic security hygiene. According to one of the IT administrators at a city that fought off a recent SamSam infection, this “really speaks to the fact that as much as we focus on physical infrastructure, we need to focus on the security of our digital infrastructure…This is new territory for us.” 

10 Best Practices

The “attack on all fronts” strategy that cybercriminals have developed has been especially effective. Not only are they developing new attack vectors to exploit the expanding attack surface created by digital transformation, but they have also been using the tried and true method of targeting older, known vulnerabilities that IT teams simply don't have the time to address. 

To defend your network from such multi-pronged attacks, you need to develop a back-to-basics, methodical process to reduce the number of possible attack avenues that your organization is exposed to. This includes: 

Inventory all devices: Discover and then maintain a live inventory of what devices are on your network at all times. Of course, this is hard to do if your security devices, access points, and network devices can't talk to each other. As IT resources continue to be stretched, an integrated NOC-SOC solution is a valuable approach to ensure that every device on the network is identified and monitored. 

Automate patching: The recent WannaCry breach makes clear that unpatched systems continue to be a primary conduit for attacks and malware. That is why you should develop a process that automates patching as much as possible.

Segment the network: What will you do when your network is breached? It's a question every security professional needs to ask. Because when it is, you want to limit the impact of that event as much as possible. The best first line of defense is to segment the network. Without proper segmentation, ransomworms like WannaCry can easily propagate across the network, even to backup stores, making the recovery portion of your incident response (IR) plan much more difficult to implement. Segmentation strategies, including microsegmentation in virtual environments and macro-segmentation between physical and virtual networks, allow you to proactively and dynamically isolate an attack, thereby limiting its ability to spread. 

Track threats: Subscribe to real-time threat feeds so that your security systems can be on the lookout for the latest attacks. When combined with local threat intelligence through a centralized integration and correlation tool, such as a SIEM or threat intelligence service, threat feeds help organizations not only see and respond to threats as soon as they begin to emerge in the wild, rather than after they have already been targeted, but even begin to anticipate them. 

Watch for indicators of compromise (IOCs): When you can match your inventory to current threats, you can quickly see which of your devices are most at risk and prioritize either hardening, patching, isolating, or replacing them. 

Harden endpoints and access points: Make it a rule that any devices coming onto your network meet basic security requirements and that you actively scan for unpatched or infected devices and traffic. 

Implement security controls: Apply signature and behavioral-based solutions throughout your network in order to detect and thwart attacks both at the edge of your network as well as once they have penetrated your perimeter defenses. 

Use security automation: Once you have locked down those areas you have control over, apply automation to as many of your basic security processes as possible. This frees your IT resources to focus on higher-order threat analysis and response tasks that can protect you from the more advanced threats targeting your organization. 

Back up critical systems: The most important thing you can do when dealing with ransomware is to make sure that you have a copy of critical data and resources stored off-network so you can restore and resume operations as soon as possible. 

Create an integrated security environment: To make sure that all these security practices are seamlessly extended into every new network ecosystem you bring online, you need to deploy security solutions that are fully integrated as a security fabric to enable centralized orchestration and analysis.
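As an added example that is not part of the article, the following Python combines the "inventory all devices" and "watch for indicators of compromise" practices above: a constructed device inventory is matched against a constructed threat feed and against internet exposure (such as the exposed RDP servers SamSam goes after), then ranked so that hardening, patching or isolation effort goes to the riskiest hosts first. The advisory IDs, hosts, weights and action thresholds are all assumptions, not values from the article or any real feed.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    host: str
    services: set                                        # services the host runs
    internet_exposed: set = field(default_factory=set)   # subset reachable from the internet
    patched: set = field(default_factory=set)            # advisory IDs already applied
    backup_store: bool = False

# Constructed threat feed, placeholder IDs: affected service, severity 1-10, exploited in the wild?
THREAT_FEED = {
    "ADV-CONSTRUCTED-001": {"service": "smb", "severity": 9, "exploited": True},
    "ADV-CONSTRUCTED-002": {"service": "rdp", "severity": 7, "exploited": True},
    "ADV-CONSTRUCTED-003": {"service": "http", "severity": 4, "exploited": False},
}

# Constructed inventory, the kind of live device list the first practice asks for.
INVENTORY = [
    Device("billing-srv", {"rdp", "http"}, internet_exposed={"rdp", "http"}),
    Device("file-srv", {"smb"}, patched={"ADV-CONSTRUCTED-001"}),
    Device("backup-01", {"smb"}, backup_store=True),
    Device("web-01", {"http"}, internet_exposed={"http"}, patched={"ADV-CONSTRUCTED-003"}),
]

def assess(dev, feed=THREAT_FEED):
    # Returns (score, findings, action) for one inventory entry; weights are assumptions.
    score, findings = 0, []
    for adv_id, adv in feed.items():
        if adv["service"] not in dev.services or adv_id in dev.patched:
            continue                       # not affected, or already patched
        weight = adv["severity"]
        if adv["exploited"]:
            weight *= 2                    # actively exploited in the wild
        if adv["service"] in dev.internet_exposed:
            weight *= 2                    # reachable by anyone, like exposed RDP servers
        score += weight
        findings.append(adv_id)
    if "rdp" in dev.internet_exposed:
        score += 10                        # brute forcing needs no vulnerability at all
        findings.append("rdp-exposed")
    if dev.backup_store and score:
        score += 10                        # ransomware reaching backups wrecks recovery
    action = ("isolate now, then patch" if score >= 30 else "patch this cycle"
              if score >= 10 else "harden" if score else "ok")
    return score, findings, action

def prioritize(devices, feed=THREAT_FEED):
    # Highest-risk hosts first, as (host, score, findings, action) rows.
    return sorted(((d.host, *assess(d, feed)) for d in devices), key=lambda r: r[1], reverse=True)
```

Run `prioritize(INVENTORY)` to get the ranked list; in a real deployment the feed and inventory would come from the SIEM and asset-discovery integration described above rather than from literals.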

A Team Effort

As networks become more complex, so will the job of defending them. It's not a one-solution or even one-team job anymore. For example, the growing number of threats is generating so many patches and updates that applying them is no longer a manual job. Automation can relieve the IT team's burden for this and many other security best practices, and thereby close doors to ransomware. In addition, as malware evolves, the group intelligence provided by a shared threat feed will help you know what to look for and how to address it. The saying “Many hands make light work” applies to the ongoing challenge of keeping your network and its data secure.

Derek Manky

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, the INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
