Sponsored Post: Palo Alto
Ransomware. This single word is foremost in the minds of IT managers the world over, and for good reason. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a ransomware breach was $4.54 million in 2022, and that figure does not include the ransom itself. While the public may only have heard of ransomware in recent years, the extortion attack dates to 1998, when a victim inserted an infected floppy disk; that action ended up costing them $189, mailed to a PO box. It wasn’t until the rise of cryptocurrencies in 2010 that ransomware rose to prominence, because criminals finally had an anonymous and efficient way to receive payment. Today ransomware is so popular that amateur criminals can buy into the business through Ransomware-as-a-Service platforms.
Ransomware Strategies Are Mature and Complex
It’s important to realize that ransomware has been around for 30-plus years. This isn’t some recent exploit that went viral on TikTok or YouTube. It’s an attack methodology that has evolved and matured over time, and it has become an industry supported by investment dollars and smart minds. A ransomware attack is not a single strike; it consists of multiple stages, each with its own objective. Only in the final stage does the malware begin encrypting the victim’s files and present a ransom demand.
We know this because security vendors and specialists have made significant efforts to analyze these attacks. Palo Alto Networks contributed to this effort in 2020 when its teams triaged a large-scale ransomware infection at a healthcare provider and identified every stage of the threat lifecycle.
In this instance, the initial network penetration began when a Microsoft Office document containing an embedded macro was received by an unsuspecting user who, inevitably, clicked on it. The macro downloaded a portable executable (PE) file from a compromised website over SSL. That file in turn fetched and executed a second payload, which gave the perpetrators a command-and-control presence on the endpoint. More tools were then downloaded and used to move laterally across the enterprise, eventually yielding the credentials of a shared Backup Service account. With this privilege in hand, the ransomware was finally downloaded, distributed, and executed on hundreds of network-connected computers using the compromised privileged credentials. When we break down the play-by-play of this attack, we can easily identify the stages involved.
Stage 1 – Delivery
The email with the infected attachment is sent to a user of a targeted organization.
Stage 2 – Initial Infection
The user clicks on the attachment and the dominoes begin to fall with the introduction of the first malicious payload.
Stage 3 – Command & Control (C2)
A connection is established to the attacker’s command and control server using an unblocked protocol such as HTTPS. Once the connection is established, the attackers can begin orchestrating the next phases of the attack.
Stage 4 – Persistence
It’s here that the attackers establish a backdoor and begin funneling in the additional tools they’ll need to carry out the attack. These can include rootkits, trojans and reconnaissance tools used to map out the network.
Stage 5 – Reconnaissance
Known as the discovery phase, the attackers move laterally through the network seeking out additional privileges that will allow them to perform elevated tasks such as registry modification, service alteration, and the creation of scheduled tasks. Threat actors target admin accounts to gain access to critical areas such as backups, data repositories, security appliances and servers.
Stage 6 – Exfiltration
This stage was introduced with what is known as Ransomware 2.0: sensitive or high-value data is exfiltrated to an off-site location and used as a second means of extortion if needed.
Stage 7 – Execution
Here the ransomware sample is downloaded over SSL. This phase may include a preliminary attack on the victim’s backup system to delete the backups or render them unusable for any recovery effort. Then the encryption process begins.
Stage 8 – Negotiations & Coercion
This is where the nightmare commences: ransom negotiations may take place, involving senior executives or, in some cases, cyber insurance negotiators. Reluctance to pay the ransom may result in the attackers selling or releasing the exfiltrated data.
When you peel back the layers of the onion, you realize the scope of these multifaceted attack strategies and the coordinated precision behind them. Examined from a glass-half-full perspective, however, these multiple stages also represent opportunity. You don’t have to wait until the encryption process to mitigate an attack. With the proper observability, insight, and tool sets, security teams have multiple opportunities to identify and stop a ransomware attack at any of the earlier stages. The earlier an attack is recognized, the easier it is to deal with.
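The stages above give a defender concrete places to look. The following Python script is an added example, not code from the original post or from Palo Alto Networks: it runs four stage-keyed detections over a constructed endpoint telemetry log (an Office application spawning a script host for stage 2, regular-interval beaconing to one destination for stage 3, one host opening network logons to several others in a short window for stage 5, and backup deletion followed by a burst of file renames for stage 7) and reports the findings in time order, so the first line is the earliest point at which the chain was visible. The log format, host names, process names, thresholds and every sample line are assumptions made for this example.

```python
"""Stage-aware detection over constructed endpoint telemetry.

Added example, not code from the original post or from Palo Alto Networks. The log
format (time|host|event|key=value ...), every line of SAMPLE_LOG and all thresholds are
assumptions made for this example. A finding is (timestamp, stage, label, host, detail).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T09:00:01|WS17|process|parent=WINWORD.EXE child=powershell.exe
2024-03-01T09:00:04|WS17|network|proc=powershell.exe dst=203.0.113.50:443
2024-03-01T09:01:04|WS17|network|proc=updater.exe dst=203.0.113.50:443
2024-03-01T09:02:04|WS17|network|proc=updater.exe dst=203.0.113.50:443
2024-03-01T09:03:04|WS17|network|proc=updater.exe dst=203.0.113.50:443
2024-03-01T09:20:00|WS17|logon|user=svc_backup target=FS01 type=3
2024-03-01T09:20:05|WS17|logon|user=svc_backup target=FS02 type=3
2024-03-01T09:20:09|WS17|logon|user=svc_backup target=BK01 type=3
2024-03-01T09:40:00|BK01|backup|action=delete_snapshots user=svc_backup
2024-03-01T09:41:00|FS01|file|action=rename ext=.locked
2024-03-01T09:41:01|FS01|file|action=rename ext=.locked
2024-03-01T09:41:02|FS01|file|action=rename ext=.locked
"""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def parse_log(text):
    # Returns (timestamp, host, event kind, fields) tuples, oldest first.
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, kind, rest = line.split("|", 3)
            fields = dict(kv.split("=", 1) for kv in rest.split())
            events.append((datetime.fromisoformat(ts), host, kind, fields))
    return sorted(events, key=lambda e: e[0])


def detect_initial_infection(events):
    # Stage 2: an Office application spawning a script host is the classic macro footprint.
    return [(ts, 2, "Initial Infection", host, f"{f['parent']} spawned {f['child']}")
            for ts, host, kind, f in events if kind == "process"
            and f.get("parent", "").lower() in OFFICE_APPS and f.get("child", "").lower() in SCRIPT_HOSTS]


def detect_beaconing(events, min_hits=3, tolerance=0.2):
    # Stage 3: one process contacting one destination at a near-constant interval.
    groups = defaultdict(list)
    for ts, host, kind, f in events:
        if kind == "network":
            groups[(host, f["proc"], f["dst"])].append(ts)
    out = []
    for (host, proc, dst), times in groups.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            out.append((times[0], 3, "Command & Control", host,
                        f"{proc} -> {dst} every ~{mean:.0f}s, {len(times)} times"))
    return out


def detect_lateral_movement(events, min_targets=3, window=timedelta(minutes=5)):
    # Stage 5: one host opening network (type 3) logons to several others in a short window.
    per_host = defaultdict(list)
    for ts, host, kind, f in events:
        if kind == "logon" and f.get("type") == "3":
            per_host[host].append((ts, f))
    out = []
    for host, logons in per_host.items():
        for i, (t0, f0) in enumerate(logons):
            targets = {f["target"] for ts, f in logons[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                out.append((t0, 5, "Reconnaissance / Lateral Movement", host,
                            f"{f0['user']} logged on to {sorted(targets)}"))
                break
    return out


def detect_execution(events, min_renames=3, window=timedelta(minutes=2)):
    # Stage 7: backups destroyed, then a burst of renames to a single new extension.
    out = [(ts, 7, "Execution (backup tampering)", host, f["action"])
           for ts, host, kind, f in events
           if kind == "backup" and f.get("action", "").startswith("delete")]
    renames = defaultdict(list)
    for ts, host, kind, f in events:
        if kind == "file" and f.get("action") == "rename":
            renames[(host, f["ext"])].append(ts)
    for (host, ext), times in renames.items():
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= min_renames:
                out.append((t0, 7, "Execution (encryption)", host,
                            f"{min_renames}+ files renamed to {ext}"))
                break
    return out


def run_all(text):
    # All findings in time order; the first entry is the earliest point of detection.
    events = parse_log(text)
    detectors = (detect_initial_infection, detect_beaconing, detect_lateral_movement, detect_execution)
    return sorted((finding for d in detectors for finding in d(events)), key=lambda x: x[0])


if __name__ == "__main__":
    for ts, stage, label, host, detail in run_all(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S}  stage {stage}  {label:<34} {host}: {detail}")
```

Run as a script it prints five findings, the first at stage 2 forty minutes before the rename burst. The thresholds (three connections within 20% of the mean interval, three logon targets in five minutes, three renames in two minutes) are deliberately low so that the sample triggers; in production they are tuned against a baseline of normal activity. The point of carrying the stage number on each finding is to prioritise the earliest one rather than wait for the encryption burst that every product will catch.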
Why Ransomware Attacks Continue to Prove Successful
There’s a reason scammers often target the elderly: elderly victims usually aren’t up to date on technology or investment trends and often live isolated from others. In similar fashion, ransomware organizations target businesses that use outdated cybersecurity strategies and tool sets. For instance, many organizations still rely on a fortified perimeter defense with no ability to segment their networks to contain attacks. Because of the vast attack surfaces of today’s hybrid networks, which span multiple branch locations, clouds, and remote work locations, there is no defined perimeter anymore. In addition, too many security tools work in isolated silos, creating security gaps that attackers know how to take advantage of.
Then there’s the matter of outdated tools and strategies. Many organizations continue to use legacy security tools that cannot decrypt SSL traffic to inspect incoming web traffic. They continue to ignore the Principle of Least Privilege, assigning local admin rights to standard users or allowing unrestricted access between systems.
Modernized Cybersecurity Recommendations
It’s time to put what we know about ransomware to good use by leveraging the right security tools and adopting modernized prevention strategies that are proven to restrict the blast radius of an attack and, in many cases, stop it in its tracks. Here are some of the recommended security measures you can take to address each attack stage.
- Use multifactor authentication to prevent cybercriminals from compromising accounts.
- Utilize allow-list protection on endpoints that prevents unauthorized software and malicious executables from being installed.
- Use file blocking policies to prevent users from clicking on malicious executables or unknown file types.
- Segment your network into defined zones that limit an attacker’s ability to see your entire network and stop lateral probing.
- Utilize advanced web filtering solutions that are capable of decrypting SSL traffic to analyze web payloads.
- Deploy Extended Detection and Response (XDR) solutions that go beyond traditional endpoint protection by providing unified visibility, advanced analytics, threat intelligence, and automation.
- Use AI-assisted technologies such as AURL, DNS, ATP and AWF to help protect against zero-day attacks.
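The least-privilege and segmentation points made above (local admin rights handed to standard users, unrestricted access between systems, and zoning the network so an attacker cannot see or probe all of it) can be checked mechanically against an inventory. The following Python script is an added example, not code from the original post or from Palo Alto Networks: it audits a constructed inventory of hosts and zone-to-zone firewall rules, once in a weak configuration and once in a hardened one, and reports each violation. The inventory layout, host names, group and account names, zones and port numbers are all assumptions made for this example.

```python
"""Least-privilege and segmentation audit over a constructed inventory.

Added example, not code from the original post or from Palo Alto Networks. The
inventory shape (hosts with a zone and their local Administrators members, plus
zone-to-zone firewall rules) and every name in it are assumptions for this example.
"""

APPROVED_ADMIN_GROUPS = {"corp\\it-admins"}  # the only principals allowed local admin by default
PROTECTED_ZONES = {"backup"}                 # zones workstations must never reach directly

# Weak posture: a standard user is a local admin, one shared service account is admin on
# several servers, and every zone can reach every other zone on any port.
WEAK = {
    "hosts": {
        "WS17": {"zone": "users",   "local_admins": ["corp\\it-admins", "corp\\jdoe"]},
        "FS01": {"zone": "servers", "local_admins": ["corp\\it-admins", "corp\\svc_backup"]},
        "BK01": {"zone": "backup",  "local_admins": ["corp\\it-admins", "corp\\svc_backup"]},
    },
    # (source zone, destination zone, allowed ports); "*" means any port
    "rules": [("users", "servers", "*"), ("users", "backup", "*"), ("servers", "backup", "*")],
}

# Hardened posture: admin rights only for the approved group plus one per-host service
# account, and only the ports each zone pair actually needs.
HARDENED = {
    "hosts": {
        "WS17": {"zone": "users",   "local_admins": ["corp\\it-admins"]},
        "FS01": {"zone": "servers", "local_admins": ["corp\\it-admins", "corp\\svc_backup_fs01"]},
        "BK01": {"zone": "backup",  "local_admins": ["corp\\it-admins", "corp\\svc_backup_bk01"]},
    },
    "rules": [("users", "servers", {445}), ("servers", "backup", {10000})],
}


def audit(inventory):
    """Return a list of (category, detail) findings; an empty list means the checks pass."""
    findings = []
    admin_hosts = {}  # non-approved principal -> hosts where it is a local admin
    for name, host in inventory["hosts"].items():
        for principal in host["local_admins"]:
            if principal in APPROVED_ADMIN_GROUPS:
                continue
            admin_hosts.setdefault(principal, []).append(name)
            if host["zone"] == "users":
                findings.append(("standard-user-admin",
                                 f"{principal} is a local admin on workstation {name}"))
    # One account that is admin on many systems turns a single credential theft into
    # enterprise-wide reach, which is exactly how the shared backup account was used above.
    for principal, hosts in admin_hosts.items():
        if len(hosts) > 1:
            findings.append(("shared-admin-account",
                             f"{principal} is a local admin on {sorted(hosts)}"))
    for src, dst, ports in inventory["rules"]:
        if ports == "*":
            findings.append(("unrestricted-zone-access", f"{src} -> {dst} allows any port"))
        if src == "users" and dst in PROTECTED_ZONES:
            findings.append(("workstation-reaches-protected-zone", f"{src} -> {dst}"))
    return findings


def summarize(inventory):
    """Count findings per category, which is what a posture dashboard would track over time."""
    counts = {}
    for category, _ in audit(inventory):
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, summarize(inv) or "no findings")
        for category, detail in audit(inv):
            print(f"  [{category}] {detail}")
```

The weak inventory produces six findings across four categories and the hardened one produces none. In practice the `hosts` and `rules` structures would be populated from directory group membership and firewall policy exports rather than typed in, and the same checks run on a schedule so that drift back toward the weak posture is caught before an attacker finds it.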
By understanding the layers of the ransomware attack lifecycle, you understand in which phases the available security controls can prove most effective. Hackers can successfully exploit their victims only after taking the time to learn about those victims and the inherent limitations of their security posture. It’s time that IT and security teams understand the makeup of the attacks levied against them and learn how to disrupt them.