Author: Ammar Enaya, regional director – METNA, Vectra
When we think of ransomware, WannaCry is probably the first example that jumps to mind, for obvious reasons—to date, it is one of the most devastating ransomware attacks. WannaCry spread quickly across the globe using opportunistic methods that targeted organizations vulnerable to the EternalBlue exploit.
However, in 2019, ransomware evolved from opportunistic into targeted attacks that victimize organizations likely to pay a larger ransom to regain access to their files. This made networks—particularly those of cloud service providers—the number one attack vector.
Network file encryption
Because the goal in a ransomware attack is to propagate as widely and as quickly as possible, the attacker wants file encryption to reach beyond the infected host's local files. The most effective weapon in carrying out a ransomware attack is therefore the network itself, which enables the malicious encryption of shared files—known as file shares—on network servers.
Ransomware scans the network for shared files on servers and computers to which it has access privileges, and then spreads from one computer to many others. Where the infected computer has access to documents in network shared volumes, with their high-capacity data storage, that single host can lock access to documents across several departments of the company.
It is standard practice to employ volume-sharing protocols such as Server Message Block (SMB) with networked shares to make documents easily accessible to users, in both cloud and private data centers. Documents are stored in shared volumes to ensure good backup procedures and to enable productive content sharing for teamwork, especially with a mobile workforce. However, this also makes files more exposed, because the shared volumes are reachable from any system in the organization, including an infected one.
In a volume-sharing system, a single infected client host can encrypt an entire networked volume, with global impact on the organization's business and systems. The files must then be recovered from the most recent backup. Regular and frequent backups are a common policy and the main mechanism for recovering to a known-good state after a ransomware attack, and they are easier to implement when centralized volumes are shared over a network. After a ransomware infection, the amount of work lost corresponds to the time between the previous backup and detection of the intrusion, because every document modified since that backup exists only in the encrypted volumes.
Detecting & responding to ransomware
When the exploited vulnerability is unknown or there has not been enough time to patch, organizations need a method for rapid detection and response.
Look for early indicators of a ransomware breach. Because modern ransomware attacks are targeted and modular, attacker dwell times can be lengthy before shared network files are encrypted.
From the time of the initial infection to the deployment of the ransomware, attackers perform reconnaissance inside a compromised network to discover which systems are critical before encrypting files. So, one way to improve detection is to focus on monitoring internal traffic for immutable attacker behaviors like reconnaissance, lateral movement and file encryption, rather than attempting to detect specific ransomware variants in network flows or executables.
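The behavior-based approach described above, as an added example that is not code from the article or from Vectra: a small detector that runs over internal SMB activity records and alerts on two of the behaviors named in the text, reconnaissance (one source probing many hosts on port 445 within a short window) and mass file encryption on shares (one source rewriting or renaming many files across several shares within a short window). It never looks at which binary is running, only at what the host does on the network. The record format, thresholds, host names and UNC paths are all constructed for the demonstration.

```python
"""Behavioral ransomware indicators over internal SMB activity (added example).

Records, thresholds and hostnames below are constructed; in practice the
events would come from flow logs, SMB server auditing or a network sensor.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List


class Event:
    """One internal network observation (constructed schema)."""
    def __init__(self, ts: datetime, src: str, dst: str, port: int, action: str, path: str):
        self.ts, self.src, self.dst, self.port = ts, src, dst, port
        self.action = action  # "connect" (TCP attempt) or SMB op: "read", "write", "rename"
        self.path = path      # UNC path for SMB ops, empty for plain connects


SMB_PORT = 445
WINDOW = timedelta(seconds=60)
SCAN_MIN_HOSTS = 10        # distinct SMB targets from one source inside WINDOW
MASS_WRITE_MIN_FILES = 25  # distinct files written/renamed inside WINDOW ...
MASS_WRITE_MIN_SHARES = 2  # ... spread over at least this many shares


def share_of(path: str) -> str:
    """Reduce \\\\server\\share\\dir\\file to \\\\server\\share."""
    parts = path.split("\\")
    return "\\".join(parts[:4])


def _windows(evs: List[Event]) -> Iterator[List[Event]]:
    """Yield, for each event in time order, the trailing slice that fits inside WINDOW."""
    start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > WINDOW:
            start += 1
        yield evs[start:end + 1]


def _group_by_source(events: Iterable[Event], wanted) -> Dict[str, List[Event]]:
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.port == SMB_PORT and wanted(e):
            by_src[e.src].append(e)
    return by_src


def detect_smb_scan(events: Iterable[Event]) -> List[dict]:
    """Reconnaissance: one source probing many distinct hosts on 445 within WINDOW."""
    alerts = []
    for src, evs in _group_by_source(events, lambda e: e.action == "connect").items():
        for win in _windows(evs):
            targets = {e.dst for e in win}
            if len(targets) >= SCAN_MIN_HOSTS:
                alerts.append({"kind": "smb_scan", "src": src, "count": len(targets), "at": win[-1].ts})
                break  # one alert per source is enough for triage
    return alerts


def detect_mass_share_write(events: Iterable[Event]) -> List[dict]:
    """Encryption behavior: one source rewriting many files across several shares within WINDOW."""
    alerts = []
    for src, evs in _group_by_source(events, lambda e: e.action in ("write", "rename")).items():
        for win in _windows(evs):
            files = {e.path for e in win}
            shares = {share_of(e.path) for e in win}
            if len(files) >= MASS_WRITE_MIN_FILES and len(shares) >= MASS_WRITE_MIN_SHARES:
                alerts.append({"kind": "mass_share_write", "src": src, "count": len(files), "at": win[-1].ts})
                break
    return alerts


def analyze(events: Iterable[Event]) -> List[dict]:
    events = list(events)
    return detect_smb_scan(events) + detect_mass_share_write(events)


# --- constructed sample activity -------------------------------------------
T0 = datetime(2019, 11, 4, 9, 0, 0)
SHARES = [r"\\fs01\finance", r"\\fs01\hr", r"\\fs02\projects"]

# ws-alice saves a few documents to one share over ten minutes: normal work.
SAMPLE_EVENTS = [Event(T0 + timedelta(minutes=2 * i), "ws-alice", "fs01", SMB_PORT, "write",
                       rf"\\fs01\finance\q3\budget_{i}.xlsx") for i in range(5)]
# ws-bob tries 15 different hosts on 445 in 30 seconds: share discovery.
SAMPLE_EVENTS += [Event(T0 + timedelta(seconds=2 * i), "ws-bob", f"10.0.1.{10 + i}", SMB_PORT, "connect", "")
                  for i in range(15)]
# ws-bob then renames 30 files across three shares in about 20 seconds.
SAMPLE_EVENTS += [Event(T0 + timedelta(minutes=5, milliseconds=700 * i), "ws-bob",
                        SHARES[i % 3].split("\\")[2], SMB_PORT, "rename",
                        rf"{SHARES[i % 3]}\doc_{i}.docx.locked") for i in range(30)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately indifferent to file names or extensions: renaming to `.locked` is only part of the constructed sample, and the detector would fire just the same on plain overwrites. Thresholds need tuning against the environment's own baseline (backup agents and deployment tools also touch many files), which is why each alert carries the count and window end for an analyst to judge.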
For response, spotting and isolating the infection early in the attack lifecycle stops the loss of data. Rapid host isolation should be considered good practice once an infected device has been identified. Isolation can take the form of quarantining hosts, removing offending systems from the network, and killing the processes causing propagation. Given the speed and severity of a ransomware attack, isolation may require automation and orchestration tools with native integration into detection and enforcement points.
It is also vital to observe privileged access to know which accounts have access to critical systems. Ransomware can only run with the privileges of the user or the application that launches it. Comprehensive knowledge about the systems and users that access specific services will enable security operations teams to monitor misuse of privileged access and respond when that access is compromised—well before network file encryption occurs.
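The privileged-access monitoring described above, as an added example that is not code from the article or from Vectra: a baseline of which account reaches which service from which host is learned from a history of authentication records, and new accesses are then checked against it. Two findings are raised, an account touching a critical service it has never used before, and a known account using a known service from a host it has never used before (the pattern of a stolen or reused credential). The record schema, the list of critical services and all account and host names are constructed for the demonstration.

```python
"""Baseline-and-compare check for privileged access to critical services (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Access(NamedTuple):
    account: str   # who authenticated
    src_host: str  # where the session came from
    service: str   # "host:protocol" that was reached


# Constructed: in a real deployment this comes from the asset inventory.
CRITICAL = {"fs01:smb", "fs02:smb", "dc01:ldap", "backup01:ssh"}

Baseline = Dict[str, Set[Tuple[str, str]]]


def build_baseline(history: List[Access]) -> Baseline:
    """Per account, the (service, src_host) pairs observed during the learning period."""
    base: Baseline = defaultdict(set)
    for a in history:
        base[a.account].add((a.service, a.src_host))
    return base


def check_access(base: Baseline, recent: List[Access]) -> List[dict]:
    """Flag accesses that break the learned pattern; everything else is silent."""
    findings = []
    for a in recent:
        seen = base.get(a.account, set())
        known_services = {service for service, _ in seen}
        if a.service in CRITICAL and a.service not in known_services:
            findings.append({"rule": "new_critical_service", **a._asdict()})
        elif a.service in known_services and (a.service, a.src_host) not in seen:
            findings.append({"rule": "known_service_new_host", **a._asdict()})
    return findings


# --- constructed records ----------------------------------------------------
HISTORY = [
    Access("svc-backup", "backup01", "fs01:smb"),
    Access("svc-backup", "backup01", "fs02:smb"),
    Access("alice", "ws-alice", "fs01:smb"),
    Access("bob", "ws-bob", "fs02:smb"),
    Access("bob", "ws-bob", "dc01:ldap"),
]
RECENT = [
    Access("alice", "ws-alice", "fs01:smb"),      # matches baseline: no finding
    Access("svc-backup", "ws-bob", "fs01:smb"),   # backup account used from a workstation
    Access("bob", "ws-bob", "backup01:ssh"),      # bob has never touched the backup server
    Access("carol", "ws-carol", "print01:ipp"),   # unknown account, non-critical service
]

if __name__ == "__main__":
    for finding in check_access(build_baseline(HISTORY), RECENT):
        print(finding)
```

The learning period has to be known clean, otherwise an attacker already in the network is baked into the baseline; in practice the baseline is also reviewed against expected role assignments rather than trusted blindly. The second finding, a service account appearing from a user workstation, is the kind of misuse the text refers to, and it is visible long before any file on the share is encrypted.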
The case for AI
Organizations hit by a ransomware outbreak find themselves in an all-hands-on-deck emergency that requires comprehensive contextual understanding to effectively halt the attack’s further progress and then restore systems immediately while business functions are held hostage. Even if an organization is willing to pay the ransom, there is no guarantee that the encryption key will be provided by the attacker. Without the encryption key, files will have to be restored from a backup, and any changes since the last backup will be lost. As such, when ransomware encrypts file shares, attacks become very costly due to resulting scale, operational downtime and data loss.
To reduce the impact of future attacks, we need to move to a model of detecting behavior rather than detecting the specific tool or malware used. Such behavior detection is much more effective, but it also requires in-depth analysis of network traffic. With advances in artificial intelligence (AI) augmenting security teams, we’re already seeing the industry shift to identifying attacker behavior in real time. AI can detect subtle indicators of ransomware behaviors at a speed and scale humans and traditional signature-based tools simply cannot achieve. This enables organizations to prevent widespread damage. When organizations recognize these malicious behaviors early in the attack lifecycle, they can limit the number of files encrypted by ransomware, stop the attack from propagating, and prevent a disastrous business outage.
When you are fighting a ransomware attack, time and contextual understanding are your most precious resources.