Ransomware is an ingenious method used by criminals to extract money from their victims. The basic scenario is:
- Potential victim clicks on--or is redirected to--a malicious website
- The malicious website identifies and exploits vulnerabilities in the victim’s computer, installing ransomware software
- The ransomware “phones home” to the criminals’ control servers to receive an encryption key
- The ransomware encrypts any file it can access (even network and portable drives) rendering them inaccessible to the victim
- After the files are encrypted, the ransomware provides instructions on how to pay a ransom for the decryption key
- The victim pays the ransom, receives the key and decrypts their files
This is an ingenious attack method because it is relatively easy to find victims, and victims are likely to pay to recover their files. (They are even encouraged to do so by the FBI!) Media coverage with examples of these attacks appears almost daily, with victims ranging from hospitals to banks. It has become a well-established criminal industry, with ransomware-as-a-service and turn-key software packages available on the internet.
What You Can Do to Avoid Becoming a Victim
A number of security agencies and private security firms have issued recommendations with security measures to avoid becoming victim this type of attack. The recommendations are by and large unrealistic or offer tedious processes for the recovery of the encrypted files..
A few examples:
Stop clicking on unknown links. OK – great idea, but not realistic. Studies have shown that humans will click on links, even if forewarned that they could lead to compromise. Even if they don’t click on links, their software (e.g. email client) may open it for them. One hundred percent of ThreatSTOP’s initial security evaluations for potential corporate clients have uncovered malware on their networks. The malware is not always ransomware, but it indicates that despite investments in expensive security infrastructure, malware will bypass firewalls, web filters and other security devices to gain access to your network.
Don’t install software. Much like not clicking on links, this seems obvious to folks familiar with IT security. The same logic applies: it is nearly impossible to prevent end users from downloading unsafe software.
Backup your files. This is always a good idea (I’m sure you are all backing up your files, right?). However, backing up files is more complex in a corporate environment, particularly with large data sets. And an interruption of business operations is costly (take the recent hospital example). In many cases, the FBI agrees it makes more sense to pay the ransom and return to normal operations as soon as possible. Oh, and hope that you’re dealing with “honest” criminals.
How You Can (actually) Avoid Becoming a Victim
As you can see, following these recommendations will not safeguard your organization – so, what works? The standard approach of deploying IDS/IPS systems are a great start, but criminals are continuously inventing ways to obfuscate their malware and will ultimately bypass these systems. Completion of a successful malware attack takes milliseconds, so any solution must be automated and require no human intervention.
While there is no 100% solution, the first course of action is to take the end user out of the equation. This is possible by using threat intelligence and targeting the underlying Internet technologies that even the criminals have to rely on to successfully infect their victims.
Make the infected websites unavailable. There are a number of threat intelligence services that identify (in near real time) websites that are currently delivering malware. These threat lists can be easily integrated into both DNS servers and firewalls. When an end user attempts to visit an infected website, their computer does a DNS lookup to determine how to access the site. If the DNS server is protected with a threat list, it can refuse to complete the request, preventing the end user from accessing the infected site. Alternatively, a firewall can also use these lists to block traffic to and from known infected sites. The strength of this solution is (assuming you have selected effective threat lists*) that the protection happens in real time and the threat lists can be updated continuously to protect against emerging threats.
Make the control servers unavailable. Even if an end user clicks on a ransomware link – and the malware infects their computer – the malware will not encrypt any of the end user’s files until it “phones home” to receive an encryption key from the criminals’ control servers. The malware will essentially have to do the same thing that an end user does to access a website: do a DNS lookup to find the IP address of the control server, then communicate with the control server to receive its encryption key. The same DNS and firewall technology can be applied – using threat lists of known criminal control servers to block the conversation, prevent the end user’s files from being encrypted, and reporting the attempt to the IT/security staff. The strengths of this solution are similar to the one listed above for preventing initial access to the infected websites – real time protection without the requirement of human intervention. Good threat intelligence is crucial – professional security research teams can often identify these control servers before they become active. Couple that with a continuous distribution method (e.g. RPZ) to get the highest level of protection from ransomware.
ThreatSTOP blocks ransomware attacks by preventing threat actors from bypassing routers, firewalls and DNS servers with automatically provisioned best-in-class threat intelligence. Our service enables users to set custom policies, then automatically enforces those policies to block both inbound attacks and data theft and corruption. This is accomplished using existing equipment – no new hardware to configure, no training, no malware analysis required. The service includes up-to-the-minute reporting to identify affected machines for quick remediation.
* While these threat lists vary in quality, a properly curated threat list can provide continuous updated threat information with a very high degree of effectiveness.
Contact firstname.lastname@example.org to begin your free trial today.
Submitted by Steve Wallace
Steve Wallace is the Vice President, Operations and Customer Experience for ThreatSTOP. He is an entrepreneurial technologist with 30 years of hands-on experience in data security, network design, technical operations and cloud computing.
Prior to joining ThreatSTOP, Wallace was the CTO of AIS Data Centers. Prior to AIS Data Centers, he held several senior technology leadership roles including CTO, ComplexDrive Data Centers, CTO, cari.net, and founder and VP of Engineering, American Digital Network. Wallace served in the U.S. Navy and holds a BSc in Computer Engineering from CSU Long Beach. Wallace is currently an Advisory Board Member for CyberHive - CyberTECH, and the Security SIG Co-Chair for CommNexus.