A government agency found itself infected with ransomware and had to pay the ransom to restore service. Another local agency has opted not to pay the ransom and to restore operations on its own instead. Ransomware targeted at organizations is still a threat, and even with backups you face a highly disruptive and public event to get back online, one that comes with serious costs and potentially lost revenue.
- For ransomware to work, several different things have to go right for the attacker: the malware has to get past spam filters or web proxies to reach potential victims, the victim has to click a link or take some other action that installs the malware, and the malware has to reach its command-and-control service to obtain encryption keys before it can begin. Each step has to work or the ransomware fails.
- At each stage of the attack, DNS requests or IP addresses are involved, which gives firewalls and DNS services an opportunity to block any single stage. Many of these indicators are well known through open-source intelligence services such as the Ransomware Tracker.
- Searching for these indicators in a SIEM does not help: by the time an indicator reaches the SIEM, the attack has already succeeded. Robust automated blocking of known ransomware infrastructure is essential so that organizations are never faced with choosing between paying the ransom and dealing with the disruption of a large recovery effort.
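To make the blocking argument concrete, here is an added example (not ThreatSTOP's code) of the policy logic a DNS firewall applies: it loads a threat feed of known ransomware domains and IP ranges, blocks queries for a listed domain or any subdomain of it (matching on label boundaries, not substrings), and also blocks answers that resolve into a listed IP range, so a fresh domain pointing at known infrastructure is still caught. The feed format, indicator values and malware names below are constructed for the example and are not the real Ransomware Tracker format.

```python
import ipaddress

# Constructed sample feed in a made-up "kind,indicator,malware" layout;
# the real Ransomware Tracker export uses a different schema.
SAMPLE_FEED = """\
# kind,indicator,malware
domain,bad-c2.example,ExampleLocker
domain,payment.example.net,ExampleCrypt
ip,203.0.113.10,ExampleLocker
ip,198.51.100.0/24,ExampleCrypt
"""


def parse_feed(text):
    """Split a feed into a domain->malware map and a list of (network, malware)."""
    domains, networks = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, indicator, malware = [p.strip() for p in line.split(",")]
        if kind == "domain":
            domains[indicator.lower().rstrip(".")] = malware
        elif kind == "ip":
            # strict=False lets a bare host address become a /32 or /128
            networks.append((ipaddress.ip_network(indicator, strict=False), malware))
    return domains, networks


def check_qname(qname, domains):
    """Block an exact match or any subdomain of a listed domain (RPZ-style wildcard)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # walk up: a.b.c -> b.c -> c
        if candidate in domains:
            return ("BLOCK", candidate, domains[candidate])
    return ("ALLOW", None, None)


def check_answer(addresses, networks):
    """Block a response whose A/AAAA records fall inside a listed range."""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net, malware in networks:
            if ip in net:
                return ("BLOCK", str(net), malware)
    return ("ALLOW", None, None)


def policy(qname, answers, feed=SAMPLE_FEED):
    """Verdict for one query: name check first, then the resolved addresses."""
    domains, networks = parse_feed(feed)
    verdict = check_qname(qname, domains)
    return verdict if verdict[0] == "BLOCK" else check_answer(answers, networks)
```

Blocking at the name stage stops the victim before any connection is made; the answer-stage check is the fallback for infrastructure reuse the domain list has not caught up with yet.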
DNS is involved at every level of a ransomware attack. Not sure if you're protected against attacks like these? Try out ThreatSTOP's DNS Firewall for 14 days, free. No commitment. You'll be up and running in no time.