Derailing ransomware 2.0 requires a little trickery

Ransomware attacks are on the rise – and they are getting more and more sophisticated and destructive. That is bad news for executives struggling to maintain a high level of cybersecurity even as their organizations continue to cope with the massive impact of a pandemic.

The good news? Technology is available to help companies better defend against ransomware, a type of malware that threatens to publish a victim organization’s data or continually block access to systems unless it pays a ransom via cryptocurrency.

Recent ransomware developments show just how dangerous these attacks have become. Here is a brief sampling:

Zeppelin: The newest member of the VegaLocker family of ransomware, first seen in November 2019, is an example of increasingly common ransomware-as-a-service (RaaS), where cybercriminals develop ransomware and sell it to others or rent it and take a portion of any ransom collected. Zeppelin is thought to rely on water-holing attacks, in which Web sites likely to be visited by targeted victims are embedded with malware.
Sodinokibi: Another example of RaaS, and also known as REvil, it was discovered in April 2019 and exploits known security vulnerabilities and phishing campaigns. The ransomware encrypts a user’s files and can gain administrative access by exploiting vulnerabilities.
Maze: A sophisticated strain of Windows ransomware that can spread across a corporate network and infect systems by encrypting data so it cannot be accessed. Even worse, it also steals the data it finds, and then exfiltrates the data to servers controlled by hackers who then threaten to release it if a ransom is not paid. Maze regularly targets managed service providers, so by infecting one company it can possibly infect many more.
RobbinHood: A ransomware family that targets organizations using a vulnerable kernel driver to prepare systems for encryption. In 2019, the ransomware creators successfully attacked and received ransom payouts from a number of U.S. cities. RobbinHood ransom demands can range from three bitcoins for a single computer to 13 bitcoins for a complete network, which amounts to tens of thousands of dollars.

There are many more. The point is, ransomware is far more insidious today than in the past, and in some cases, it is designed to attack specific types of businesses to maximize returns for the cybercriminals who write the malware.

The new, more advanced attack techniques used by cybercriminals enable them to disable security software tools and deploy ransomware on highly specific targets. These attacks also go beyond indiscriminately encrypting any data they come across. Instead, they target data that is critical to the business. Such attacks require criminals to conduct lateral movement activities such as stealing credentials, discovering network assets, probing for open ports, querying Active Directory for critical objects and escalating privileges.

Traditional security tools such as endpoint detection and response (EDR) systems and endpoint protection platforms (EPP) are important in fighting against ransomware. Advanced EDRs examine process flows and chains to see if something looks unusual. These types of observations can be helpful after an attack. As teams investigate an incident, EDR can provide the process flows it mapped during the attack.

EPP provides capabilities such as automated patch management, maintaining devices remotely and protecting endpoints from attacks.

Such tools do not stop all types of attacks, however. They are not designed to detect all ransomware methods, especially lateral movement. In order to successfully defend against the newest and most sophisticated ransomware attacks, organizations need to have a layered approach that supplements EDR, EPP and other legacy tools with additional capabilities.

Here is what cybersecurity teams need to do to build a comprehensive and effective defense against the latest ransomware:

Protect data so attackers cannot find it or access it. Cybersecurity teams have long made it a top priority to deploy multiple layers of data protection. But with ransomware attacks becoming more sophisticated and destructive, protecting data has become even more critical. A key part of this is protecting the endpoints that generate and house so much of a company’s data resources and having early detection and effective alerting of attacks. Detecting attacks early can lead to substantial cost savings.
Leverage endpoint protection functions to effectively prevent attacker lateral movement by anticipating attack methods and efficiently derailing these efforts. For example, by providing Active Directory query redirections and deceptive credentials and shares, organizations can feed attackers false information and quickly redirect them away from production assets.
Protect the endpoint so attackers cannot see real files, folders, removable storage, network shares, or cloud storage, only decoys. If the ransomware cannot find production data, it cannot have any negative affect on it. Companies can create an environment where every endpoint becomes a decoy that is designed to disrupt an attacker’s ability to break out and further infiltrate a network. This can be done without requiring agents on the endpoint or causing disruption to the endpoints or network operations. In this way, an organization can gain early alerting of lateral movement activities while misdirecting the attack into the decoy environment to collect forensics evidence, which can speed up adversary intelligence development and attack analysis. The decoy environment can even feed the ransomware unlimited data to keep it from moving on to other production targets.

There is no getting around the fact that ransomware attacks continue to rise in number and gain in sophistication. That means organizations need to understand the importance of creating multiple layers of protection.

While there is no single solution to defending against all ransomware attacks, a strategy that combines traditional tools with newer solutions featuring deception-based detection within the network can help companies bolster their defenses to a much greater extent.

Such advanced technology can quickly find multiple types of lateral movement and has the ability to hide assets and redirect ransomware to deceptive file shares. Working in unison, cyber deception and EDR/EPP tools create a comprehensive cyber defense that enables companies to outsmart the smartest ransomware.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.