Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver
Ransomware tailored to enterprise attack campaigns has emerged in the wild. This is a natural evolution of consumer-grade ransomware, driven by the larger ransoms that enterprises can pay, combined with the sheer scale of the enterprise attack surface (internet-facing endpoints and unpatched software). To the adversary, your enterprise is an attractive target with a big fat wallet just asking to be emptied.
Your Company is an Attractive Target
Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, or your trusting users may already be opening "spear phishing" e-mails crafted just for them, apparently authored by people they know.
The weaponized invoices go to your accounting department, the weaponized legal notices go to your legal department, the weaponized resumes go to your human resources department, and the weaponized trade publication articles go to your public relations firm. That should cover it, for starters. Add the watering-hole drive-bys planted on industry sites your employees frequent, the social media attacks targeted at your key executives and their family members, the infected USB sticks scattered around your facilities, and the compromises of your suppliers, customers, and business partners.
Enterprise compromise isn't an "if" but a "when": the when is constant, the who is legion.
The Arrival Of Targeted Ransomware
Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe this in an excerpt from Intel Security Advanced Threat Research, February 2016:
"Throughout the past couple of weeks, we have received details about a new project of targeted ransomware attacks. Instead of the regular modus operandi (phishing attacks or drive-by downloads that cause automated execution of ransomware), the opponents acquired persistent access to the victim's network through susceptibility exploitation and spread their access to any connected systems that they could. On each system, a number of tools were used to find, encrypt, and erase the original files along with any backups."
Careful reading of this quote immediately reveals actions to be taken. Initial penetration was by "vulnerability exploitation," as is often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers "spread their access to any connected system," robust network segmentation and access controls are equally essential. Think of them as the watertight compartments of a warship, which keep it from sinking when the hull is breached. Of special note, the attackers "delete the original files along with any backups," so a compromised system must have no delete access to its backup files; systems should only be able to append to their backups.
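One way to check the "append only, never delete" rule on a backup store, as an added example that is not part of the original post: a small audit over an IAM-style bucket policy. The action names follow AWS S3 conventions as an illustration; the policies themselves are constructed for this example, and wildcard grants (the usual way delete rights leak in) are expanded before matching.

```python
import fnmatch
import json

# Actions that let a compromised client delete or rewrite backup history.
# S3-style names are used as an illustration; map them to whatever store you use.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutLifecycleConfiguration",   # could age out backups early
    "s3:PutBucketVersioning",         # could suspend versioning
    "s3:PutObjectRetention",          # could shorten retention / object lock
}

def audit_backup_policy(policy: dict) -> list:
    """Return (statement_id, action) pairs where an Allow statement grants the
    backup writer a destructive action, including grants made via wildcards."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            for destructive in sorted(DESTRUCTIVE_ACTIONS):
                # fnmatchcase expands "s3:Delete*" / "s3:*" style grants.
                if fnmatch.fnmatchcase(destructive, pattern):
                    findings.append((stmt.get("Sid", "<no sid>"), destructive))
    return findings

# Constructed policy that looks write-only but leaks delete rights via a wildcard.
BAD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppendBackups", "Effect": "Allow",
   "Action": ["s3:PutObject", "s3:ListBucket"], "Resource": "*"},
  {"Sid": "Housekeeping", "Effect": "Allow",
   "Action": "s3:Delete*", "Resource": "*"}
]}""")

# Constructed append-only writer policy: deletion and retention changes belong
# to a separate, non-endpoint role (assumed here, not shown).
GOOD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppendBackups", "Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"], "Resource": "*"}
]}""")

if __name__ == "__main__":
    print(audit_backup_policy(BAD_POLICY))   # Housekeeping grants three delete actions
    print(audit_backup_policy(GOOD_POLICY))  # []
```

Note that a plain PutObject grant still allows overwriting an existing backup; the check assumes the bucket keeps prior versions (versioning with a retention lock), which is why those two settings are on the destructive list.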
Your Backups Are Current, Aren't They?
Naturally, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not an effective option, since any files produced by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files emitted by malware as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, infections may have been planted for later re-entry, or the malware's file manipulation may simply have had bugs or omissions. There is no basis for placing any confidence in such data, and accepting it as valid could further compromise all future downstream data that depends on or is derived from it. Treat ransomware-restored data as garbage. Either have a robust backup strategy, regularly tested and verified, or prepare to suffer your losses.
What is Your Preparation for a Breach?
Even with sound backups, the confidentiality of affected data must be presumed breached, since it was read by malware. Even with detailed network logs, it would be impractical to prove that no data was exfiltrated. In a targeted attack the attackers typically take inventory of the data, examining at least samples of it to assess its potential value; otherwise they could be leaving money on the table. A ransom demand may simply be the final monetization stage of an enterprise breach, after all other value has been mined from the intrusion, since the demand itself exposes the compromise.
Have a Thorough Eradication Strategy
One should assume that skilled adversaries have staged multiple, cunningly concealed avenues of re-entry at different, staggered points in time (well after your crisis team has stood down and the expensive consultants have flown off to their next engagement). Any residual evidence left behind was carefully staged to mislead investigators and deflect blame. Costly re-imaging of systems must be extremely thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.
Likewise, don't assume system firmware has not been compromised. If you can update the firmware, so can attackers. It is not hard for hacking groups to explore firmware attack options when their enterprise targets standardize system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime allows firmware hacks to be developed and sold on the dark web to a broader criminal market.
Help Is Available With Good EDR Tools
After all of this negativity, there is an answer. When it comes to targeted ransomware attacks, taking proactive action is far less painful than reactive clean-up. A good Endpoint Detection and Response (EDR) tool can help on both ends. EDR tools are useful for identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best eliminated from the environment (Adobe Flash, for example). EDR tools are also proficient at tracking all significant endpoint events, so that investigators can determine "patient zero" and track the pivot activity of targeted, enterprise-spreading ransomware. Attackers rely on endpoint opacity to conceal their actions from security staff, but EDR provides open visibility of notable endpoint events that may signal an attack in progress. EDR is not limited to the old antivirus convict-or-acquit model, which lets freshly remixed attack code evade antivirus detection.
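The "patient zero" and pivot-tracking idea above, as an added example that is not part of the original post and not any EDR product's own logic: given a timeline of endpoint events, find the first host showing the encryption indicator that was not reached from an already-hit host, and attribute each later host to the earliest remote logon from a host that was already hit. The events are constructed for this example, and the single-source heuristic is a starting point for an investigator, not proof.

```python
from collections import namedtuple

# Constructed EDR-style endpoint events (not from any real product's telemetry).
# kind: "encrypt" = first file-encryption indicator observed on host,
#       "logon"   = remote logon to host from src (lateral movement candidate).
Event = namedtuple("Event", "ts host kind src")

EVENTS = [
    Event(100, "FIN-WS-07", "encrypt", None),
    Event(140, "FILE-SRV-01", "logon", "FIN-WS-07"),
    Event(150, "FILE-SRV-01", "encrypt", None),
    Event(155, "HR-WS-12", "logon", "ADMIN-JUMP"),     # benign admin logon
    Event(170, "HR-WS-12", "logon", "FILE-SRV-01"),
    Event(180, "HR-WS-12", "encrypt", None),
    Event(190, "LEGAL-WS-03", "logon", "FIN-WS-07"),
    Event(200, "LEGAL-WS-03", "encrypt", None),
]

def trace_spread(events):
    """Return (patient_zero, pivots): pivots maps each hit host to the already-hit
    host it was most likely reached from (None when no such source exists)."""
    # Earliest encryption indicator per host.
    first_hit = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "encrypt" and e.host not in first_hit:
            first_hit[e.host] = e.ts
    pivots = {}
    for host, t_hit in sorted(first_hit.items(), key=lambda kv: kv[1]):
        # A source qualifies only if it was already hit when it logged on here,
        # and the logon precedes this host's own first indicator.
        candidates = [e for e in events
                      if e.kind == "logon" and e.host == host and e.ts < t_hit
                      and e.src in first_hit and first_hit[e.src] < e.ts]
        pivots[host] = min(candidates, key=lambda e: e.ts).src if candidates else None
    roots = [h for h, src in pivots.items() if src is None]
    patient_zero = min(roots, key=lambda h: first_hit[h]) if roots else None
    return patient_zero, pivots

if __name__ == "__main__":
    pz, chain = trace_spread(EVENTS)
    print("patient zero:", pz)
    for host, src in chain.items():
        print(f"{src or '<initial entry>'} -> {host}")
```

More than one root host means either multiple initial entry points or a pivot channel the logon telemetry does not capture, both of which deserve investigation rather than a forced single answer.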
Good EDR tools are always vigilant, always reporting, always tracking, and available when you need them: now or retrospectively. You would not turn a blind eye to enterprise network activity, so don't ignore enterprise endpoint activity.