What is ransomware?
Ransomware is malware that encrypts an organization’s high-value data, such as files, documents and images, and then demands a ransom from the company to restore access to that data. To succeed, ransomware needs to gain access to a target system, encrypt the files there, and extract a ransom from the company.
A recent survey by the cybersecurity company Sophos, The State of Ransomware, reveals that 51% of organizations were hit by ransomware in the last year, and hackers succeeded in encrypting the data in 73% of those attacks. However, only 26% of ransomware victims whose data was encrypted got their data back by paying the ransom.
How does ransomware spread?
A popular method to introduce ransomware to a new environment is through the use of phishing emails. A malicious email may contain a link to a website that hosts a malware download or an attachment with a built-in downloader. If the email recipient follows the link or opens the attachment, the ransomware is downloaded and executed on their computer immediately.
Once an endpoint is infected, the attack will attempt to spread to as many machines as possible throughout the network by executing unauthorized lateral movement to maximize the blast radius (encrypting as many disks as possible).
Another popular ransomware infection vector takes advantage of Remote Desktop Protocols (RDP). With RDP, a hacker who has gained access to login credentials can use them to authenticate and remotely access endpoints within an enterprise network. With this access, bad actors can directly download and execute the malware on machines under their control and attempt to move laterally through the environment, capturing and encrypting data on additional assets.
The encryption of a user’s files is the unique aspect of ransomware. By encrypting highly valuable data, the ransomware attacker can demand a ransom in exchange for the decryption keys to release the files back to the company. However, ransomware hackers don’t always release the data back to the organization, even if they pay the ransom.
Why do legacy firewalls fail when attempting protection against ransomware?
Legacy firewalls control communications between VLANs and zones. However, legacy firewalls don’t allow you to block traffic inside a VLAN, so this approach is ineffective when you want to prevent propagation within a segment. This is an architectural limitation of the legacy firewall model: the firewall sits at the boundary between segments, not between hosts within one. Once an attacker has compromised a machine on a single VLAN, they will eventually compromise another machine on the same VLAN and use it to leapfrog to other assets in the data center, including backup servers.
Detecting and blocking ransomware threats - Guardicore’s approach
As a defender, you want to limit access between machines as much as possible to prevent lateral movement, specifically over the protocols and services ransomware campaigns often exploit. There is no reason for employees’ laptops to communicate with one another and no reason for domain members to connect to each other over SMB.
Guardicore Centra allows the defender to limit traffic between any two machines. Because the platform uses a software-based segmentation approach, you can create policies that block communication between laptops or limit SMB traffic between domain members and allow them only to specific servers like the domain controller.
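The two policies described above (no laptop-to-laptop traffic, SMB from domain members only to the domain controller) as an added label-based policy engine. This is example code written for this page, not Guardicore Centra’s own implementation; the labels, rule order, default action and asset inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SMB_PORT = 445
DEFAULT_ACTION = "allow"   # what happens when no rule matches (visibility-first rollout)

@dataclass(frozen=True)
class Asset:
    name: str
    labels: frozenset      # e.g. {"role:laptop", "domain:member"}

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block"
    src_label: str                     # label the source asset must carry
    dst_label: str                     # label the destination asset must carry
    ports: Optional[frozenset] = None  # None matches any port

# Constructed policy mirroring the text, evaluated top-down, first match wins:
# 1. domain members may use SMB to the domain controller,
# 2. any other SMB between domain members is blocked,
# 3. laptops never talk to each other, on any port.
POLICY = [
    Rule("allow", "domain:member", "role:dc", frozenset({SMB_PORT})),
    Rule("block", "domain:member", "domain:member", frozenset({SMB_PORT})),
    Rule("block", "role:laptop", "role:laptop"),
]

def evaluate(src: Asset, dst: Asset, port: int, policy=POLICY) -> str:
    """Return the action ("allow"/"block") for a single src -> dst:port flow."""
    for rule in policy:
        if (rule.src_label in src.labels and rule.dst_label in dst.labels
                and (rule.ports is None or port in rule.ports)):
            return rule.action
    return DEFAULT_ACTION

def blocked_flows(flows, policy=POLICY):
    """Given observed (src, dst, port) flows, return those the policy would cut.
    Running this over real traffic before enforcing shows which existing flows
    (such as laptop-to-laptop SMB) have no business existing."""
    return [f for f in flows if evaluate(*f, policy=policy) == "block"]

# Constructed sample inventory
LAPTOP_A = Asset("laptop-a", frozenset({"role:laptop", "domain:member"}))
LAPTOP_B = Asset("laptop-b", frozenset({"role:laptop", "domain:member"}))
FILESRV = Asset("fileserver", frozenset({"role:fileserver", "domain:member"}))
DC = Asset("dc01", frozenset({"role:dc", "domain:member"}))

if __name__ == "__main__":
    observed = [(LAPTOP_A, DC, SMB_PORT), (LAPTOP_A, LAPTOP_B, SMB_PORT),
                (LAPTOP_A, LAPTOP_B, 80), (LAPTOP_A, FILESRV, SMB_PORT)]
    for src, dst, port in blocked_flows(observed):
        print(f"would block {src.name} -> {dst.name}:{port}")
```

A file server that should legitimately serve SMB would need its own explicit allow rule placed before rule 2, which is the point of the approach: every permitted path is named, everything else between domain members is cut.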
Additionally, Guardicore provides visibility, down to the process level, of communications and dependencies between your assets. This enables you to assess risk ahead of time and develop proactive strategies for protecting critical assets and high-risk components such as backups.
The platform also comes with robust threat detection capabilities, so you can look for communication with known malicious domains or the presence of known malicious processes in your environment that may indicate a malware breach.
Ransomware - FAQ
What should I do if attacked by ransomware?
Because ransomware relies on lateral movement to execute a successful attack, it’s where organizations should focus their effort. If you determine that an active ransomware attack is in progress, use tools that provide visibility to understand the breach’s scope. Based on what you learn, you can then isolate affected parts of the network from the rest of the organization and add more security layers to critical applications and backups. Only once you have taken mitigation steps and restored services should you gradually re-enable communication flows.
How does crypto ransomware encryption work?
A ransomware attack begins with an initial breach, often enabled by a phishing email or vulnerability in the network perimeter. The malware will start to move through your network and attempt to maximize damage from its landing point. Typically, bad actors seek to seize control of a domain controller, compromise credentials and locate and encrypt any backups in place to prevent operators from restoring infected and frozen services.
How do you find out what ransomware you have?
There are many different variants of ransomware. However, looking at the specific IOCs (indicators of compromise) based on suspicious domain names, IP addresses and file hashes associated with known malicious activity can help you learn more about the attack’s origin and how to respond.
What are the most common types of ransomware?
Some campaigns are highly targeted advanced persistent threats (APTs) run by a bad actor, while others are opportunistic, typically executed by scripts. However, there are two main categories. Attacks that encrypt files and hold them for ransom are known as crypto-ransomware, and ransomware that prevents users from accessing a device is known as locker ransomware.
Additional resources for detecting and blocking ransomware: