3 Ways Businesses Can Block Ransomware

by CXOtoday News Desk    May 22, 2017

Ransomware has become the hacker’s favorite tool to make money in the cybercrime economy. The latest example is the global ransomware attack called WannaCry, which has affected more than 200,000 victims in 150 countries since May 12. All this points to the clear fact that organizations need to protect themselves from future breaches by implementing preventive measures now.


The latest Verizon Data Breach Investigations Report (DBIR) states that it is the most common type of crimeware, as holding files for ransom is fast, low risk, and easily monetizable, especially with Bitcoin to collect anonymous payment. Attacks targeting businesses have grown by 300 percent since January 2016, and an attack happens every 40 seconds.

“This is hardly the largest or most costly attack ever perpetrated,” said Phil Trainor, Ixia’s Asia-Pacific head of security. “Since the ransom is being paid in bitcoins, anyone can see the transaction record to the known bitcoin wallets of the perpetrators. Thus, so far the total extracted sum is approximately $30,000.00 USD. Granted, this does not illustrate the cost of the disruption; however, other attacks have resulted in damage in the billions of dollars, such as the 2000 DDoS on Amazon, eBay, CNN, Yahoo, and many other sites. Also think of the billion Yahoo accounts stolen. One of the most notorious hacks was of the Democratic National Party last year, where the implications may have cost Hillary Clinton the US Presidency.”

“That being said, we are still in the early stages of seeing the fallout of this event. In a month’s time, the damage very well could eclipse the aforementioned events,” he informed.

“Cybercriminals can easily mutate and adapt the ransomware code just enough so that it isn’t detected by the signature banks of antivirus software,” said Steve McGregory, Senior Director of Application Threat Intelligence at Ixia. “These ransomware variants are known as ‘zero–day mutations’. Once identified, ransomware signatures can be updated and rolled out so that antivirus products will block the new variant, although this could take days. During this time, organizations are still vulnerable, and cybercriminals often continue to exploit this to their advantage.”

McGregory also stated, “For example, with the WannaCry ransomware attack, once a machine in a network is infected, the ransomware spreads by searching for adjacent Microsoft systems that are vulnerable to the Server Message Block (SMB) MS17-010. This vulnerability was only fixed in March of this year, and many computers remain unpatched, or in the case of the UK National Health Service, it’s reported that 90 percent were still running Windows XP, making the systems easier to exploit, and the disruptions more devastating.”

According to Ixia, there are three core principles that organizations need to be aware of, if they are to develop an appropriate resistance against ransomware:

1. Discover the origin

The ransomware infection chain invariably starts with a targeted phishing email, with an attached document. The document will contain a macro, small enough to appear innocuous even to sandboxing technologies. When the document is opened, the macro activates and connects to the attacker’s remote server on the internet, and starts downloading the ransomware payload onto the machine. The macro also rewrites the payload as it downloads, so the content appears harmless until it actually enters the host machine. 

2. Understand its behavior

Focusing ransomware protection on the content being sent to the organization is a losing battle. Email-based macros are unlikely to be picked up, even by advanced virtualized sandboxing, because they do not exhibit malicious-looking behavior when examined. The payload will not appear malicious until it is actually on the machine and starts encrypting, so organizations should look at the vital clues of where the infection is coming from, rather than just at what it is.

3. Block the infection

The payloads in the final stage of ransomware infection are delivered from known, malicious IP addresses on the internet. As IP addresses are relatively scarce, the same ‘bad’ ones tend to be continually re-used. Even brand-new malware variants can be linked to a small number of compromised IP addresses. 

This means that if a machine in an organization’s network attempts to download content from a known malicious IP address, it is usually in the initial stages of a ransomware attack, and there is no need to examine the macro that is attempting the download, or the content being downloaded.

The simplest, most cost-effective way to avoid attacks is to automatically block all corporate connections to known malicious IP addresses using a continuously updated threat intelligence feed. This nullifies new attacks as well as existing, dormant infections that try to call back to those addresses.
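The detection half of the third principle, as an added example that is not Ixia’s code or part of the original article: it parses a threat-intelligence feed of known malicious IPs and CIDR blocks, then runs outbound-proxy log lines against it to flag hosts that are reaching those addresses. The feed entries and log lines are constructed placeholder values, the log format is assumed, and the enforcement step (an egress firewall deny rule) is left to the reader’s own perimeter tooling.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed threat-intelligence feed (placeholder indicators, not real ones).
# One indicator per line: a single IP or a CIDR block; '#' starts a comment.
THREAT_FEED = """
# sample feed, constructed for this example
198.51.100.23
203.0.113.0/24
192.0.2.77
"""

# Constructed outbound-proxy log lines, assumed format:
# <timestamp> <source host> <destination IP> <method> <URL>
PROXY_LOG = """
2017-05-15T09:12:01 ws-042 198.51.100.23 GET http://198.51.100.23/update.bin
2017-05-15T09:12:05 ws-042 93.184.216.34 GET http://example.com/index.html
2017-05-15T09:13:44 ws-117 203.0.113.9 GET http://203.0.113.9/inv.php
2017-05-15T09:14:02 ws-117 93.184.216.34 GET http://example.com/logo.png
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def load_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Parse feed lines into networks; a bare IP becomes a /32 (or /128) network."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_known_bad(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the destination falls inside any feed entry (CIDR-aware match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def flag_connections(log_text: str, nets) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source_host, dest_ip) for every connection to a feed entry."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines
        ts, host, dst, _method, _url = match.groups()
        if is_known_bad(dst, nets):
            hits.append((ts, host, dst))
    return hits
```

Each hit identifies the internal host to isolate and the destination to add to the egress deny list, without needing to inspect the macro or the payload it was fetching.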

McGregory concluded, “Organizations cannot turn a blind eye to ransomware anymore. If the organization has not backed up critical data, which exclusively resides on the systems affected by an attack, the costs could be considerable, both monetarily and to their reputation. Loss of customer data, financial records, and any other irreplaceable information could render an organization unable to transact business and potentially leave permanent gaps in records.”