Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver
Ransomware customized for enterprise attack campaigns has emerged in the wild. This is an apparent evolution of consumer-grade ransomware, driven by the larger ransoms that businesses are able to pay, combined with the sheer size of the enterprise attack surface (internet-facing endpoints and unpatched software). To the attacker, your business is an appealing target with a big fat wallet just asking to be knocked over.
Your Organization is an Attractive Target
Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, or your trusting users may already be opening “spear phishing” emails crafted just for them and apparently authored by people they know.
Weaponized invoices go to your accounting department, weaponized legal notices to your legal department, weaponized resumes to your human resources department, and weaponized trade-publication articles to your public relations firm. That should cover it, to begin with. Add the watering-hole drive-bys planted on industry sites your staff visit, the social media attacks aimed at your key executives and their families, the infected USB sticks scattered around your facilities, and the compromises of your suppliers, customers, and business partners.
Enterprise compromise isn’t an “if” but a “when”: the when is continuous, the who is legion.
Targeted Ransomware Is Here
Malware analysts are now reporting on enterprise-targeted ransomware, a natural step in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe it in an excerpt from Intel Security Advanced Threat Research, February 2016:
“Throughout the past few weeks, we have actually gotten information about a new project of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automated execution of ransomware), the hackers gained consistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were utilized to find, encrypt, and erase the original files as well as any backups.”
A careful reading of this quote immediately reveals the steps to take. Initial penetration was by “vulnerability exploitation,” as is often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers “spread their access to any connected systems,” robust network segmentation and access controls are equally required. Think of them as the watertight compartments of a warship, which keep it afloat when the hull is breached. Of special note, the attackers “erase the original files as well as any backups,” so a compromised system must have no delete access to its backup files: systems should only be able to append to their backups.
Your Backups Are Not Up to Date, Are They?
Of course, there must be current backups of any files that must survive an enterprise intrusion. Paying the ransom is not a reliable option, because any files produced by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators may reject files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, malware may have been planted for later re-entry, or the malware’s file manipulations may simply have contained errors or omissions. There is no way to place confidence in such data, and accepting it as legitimate could further compromise all downstream data that depends on or derives from it. Treat ransomware-returned data as trash. Either have a robust backup strategy, routinely tested and verified, or prepare to absorb your losses.
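The two controls called out above, append-only backups that a compromised host cannot delete or overwrite, and routine verification of what was stored, can be modelled in a few dozen lines. The following is an added example written for this post, not code from the author, from Ziften, or from any backup product: the content-addressed object directory, the append-only manifest, and the class and method names are all assumptions made for the illustration. The store deliberately has no delete method, every object is created write-once, and `verify()` re-hashes the stored objects against the manifest so a silently corrupted or missing backup is caught before you need it.

```python
"""Append-only backup store with integrity verification (added example).

Models the control described above: a client host may add new versions of a
file to its backup store but can never overwrite or delete an existing
version, and the store can be audited against the hashes recorded at backup
time. The layout (a content-addressed object directory plus an append-only
manifest), the class and the method names are assumptions for this
illustration, not any backup product's API.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


class AppendOnlyBackupStore:
    """Write-once object store; note there is deliberately no delete method."""

    def __init__(self, root):
        self.root = Path(root)
        self.objects = self.root / "objects"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.jsonl"
        self.manifest.touch()

    def put(self, host, path, data):
        """Record a new version of `path` from `host`; returns its SHA-256."""
        digest = hashlib.sha256(data).hexdigest()
        obj = self.objects / digest
        if not obj.exists():
            # O_EXCL makes creation atomic and refuses to reopen an existing
            # object, so a client can never rewrite what was stored earlier.
            fd = os.open(obj, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
            with os.fdopen(fd, "wb") as f:
                f.write(data)
        entry = {
            "host": host,
            "path": path,
            "version": len(self.versions(host, path)) + 1,
            "sha256": digest,
            "size": len(data),
        }
        with open(self.manifest, "a", encoding="utf-8") as m:  # append only
            m.write(json.dumps(entry) + "\n")
        return digest

    def versions(self, host, path):
        """All recorded versions of a file, oldest first."""
        return [e for e in self._entries()
                if e["host"] == host and e["path"] == path]

    def restore(self, host, path, version=None):
        """Return the bytes of a given version (default: the latest)."""
        vs = self.versions(host, path)
        if not vs:
            raise KeyError(f"no backups for {host}:{path}")
        entry = vs[-1] if version is None else vs[version - 1]
        return (self.objects / entry["sha256"]).read_bytes()

    def verify(self):
        """Re-hash every stored object; returns [(entry, problem), ...]."""
        problems = []
        for e in self._entries():
            obj = self.objects / e["sha256"]
            if not obj.exists():
                problems.append((e, "missing"))
            elif hashlib.sha256(obj.read_bytes()).hexdigest() != e["sha256"]:
                problems.append((e, "corrupt"))
        return problems

    def _entries(self):
        with open(self.manifest, encoding="utf-8") as m:
            return [json.loads(line) for line in m if line.strip()]


if __name__ == "__main__":
    # Constructed scenario: a ledger is backed up, then the same host pushes
    # an encrypted copy after ransomware runs. The original stays restorable.
    store = AppendOnlyBackupStore(tempfile.mkdtemp())
    store.put("fin-01", "/srv/ledger.csv", b"txn,amount\n1,100\n")
    store.put("fin-01", "/srv/ledger.csv", b"ENCRYPTED-BLOB")
    print(store.restore("fin-01", "/srv/ledger.csv", version=1))
    print("integrity problems:", store.verify())
```

In a real deployment the write-once property has to be enforced on the backup server side (or by the storage service), not by client code the attacker controls; the point of the model is that the client protocol simply has no verb for delete or overwrite, and that the manifest hashes give you an independent check that the copies you are counting on still exist intact.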
What is Your Preparation for a Breach?
Even with sound backups, the confidentiality of affected data should be assumed breached, since the malware read it. Even with detailed network logs, it would be impracticable to prove that no data was exfiltrated. In a targeted attack the attackers typically take an inventory of the data, examining at least samples of it to assess its potential value; otherwise they could be leaving money on the table. The ransom demand may simply be the final monetization stage of an enterprise breach, after all other value has been mined from the intrusion, because the demand itself exposes the compromise.
Have a Thorough Remediation Strategy
Assume that skilled attackers have installed multiple, cunningly concealed avenues of re-entry, timed to activate at staggered points well after your crisis team has stood down and the expensive consultants have flown off to their next engagement. Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Re-imaging of systems must be exceptionally thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.
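Because the MBR sits outside any file system, file-level scans and file-level restores miss it, so a remediation program wants a sector-level check. The following is an added example for this post, not code from the author or from Ziften, and the baseline format, function names and the sample MBR bytes are all constructed for the illustration. It reads the first 512 bytes of a disk or image, confirms the 0x55AA boot signature, parses the four partition entries, and compares the boot-code region with a hash recorded from a known-clean build, reporting anything that differs.

```python
"""MBR integrity check against a golden baseline (added example).

Reads the first 512 bytes of a disk or disk image, checks the 0x55AA boot
signature, parses the four 16-byte partition entries, and compares the
boot-code region (bytes 0..445) against a hash recorded from a known-clean
build. The baseline format, function names and the sample MBR bytes are
constructed for this illustration; they are not taken from any product.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # boot code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Constructed stand-in for legitimate boot code (not a real boot loader).
SAMPLE_BOOT_CODE = (b"\xfa\x31\xc0\x8e\xd8" + b"\x90" * 8).ljust(BOOT_CODE_LEN, b"\x00")


def build_sample_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, sectors) tuples."""
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        # status, CHS start (unused here), type, CHS end (unused), LBA start, sector count
        table += struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
    table = table.ljust(64, b"\x00")
    return boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Split an MBR into its boot-code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def baseline_from_mbr(mbr):
    """Record what a clean MBR looks like (run this on a freshly imaged machine)."""
    parsed = parse_mbr(mbr)
    return {"boot_code_sha256": parsed["boot_code_sha256"],
            "partitions": parsed["partitions"]}


def check_mbr(mbr, baseline):
    """Compare an MBR with its baseline; returns a list of human-readable findings."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing or overwritten")
    if parsed["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code hash differs from baseline (possible bootkit)")
    for i, (cur, ref) in enumerate(zip(parsed["partitions"], baseline["partitions"])):
        if cur != ref:
            findings.append(f"partition entry {i} changed: {ref} -> {cur}")
    return findings


def read_mbr(device_path):
    """Read the first sector of a block device or raw disk image (needs read access)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr(SAMPLE_BOOT_CODE, [(0x80, 0x83, 2048, 204800)])
    baseline = baseline_from_mbr(clean)
    print("clean:", check_mbr(clean, baseline))
    tampered = bytearray(clean)
    tampered[0:4] = b"\xeb\x58\x90\x00"   # constructed boot-code modification
    print("tampered:", check_mbr(bytes(tampered), baseline))
```

In practice you would take the baseline from the image your build process writes, store it somewhere the endpoint cannot modify, and run `check_mbr(read_mbr("/dev/sda"), baseline)` (or the equivalent physical-drive path on Windows) from a trusted boot environment, since a bootkit that is already running can lie to a check performed from the compromised OS.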
Likewise, don’t assume system firmware has not been compromised. If you can update the firmware, so can the attackers. It is not hard for attack groups to explore firmware options when their enterprise targets standardize on hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime allows firmware hacks to be developed and sold on the dark net to a wider criminal market.
Help Is Available With Good EDR Tools
After all of this bad news, there is an answer. When it comes to targeted ransomware attacks, proactive action is far less painful than reactive clean-up, and a good Endpoint Detection and Response (EDR) tool helps on both ends. EDR tools are good at identifying exposed vulnerabilities and the applications actually in use. Some applications have such a notorious history of exposed vulnerabilities that they are best removed from the environment (Adobe Flash, for example). EDR tools are also good at recording all significant endpoint events, so that investigators can identify a “patient zero” and trace the pivot activity of ransomware spreading across the enterprise. Attackers rely on endpoint opacity to hide their actions from security staff; EDR provides visibility into the notable endpoint events that could signal an attack in progress. EDR is not limited to the old anti-virus convict-or-acquit model, which lets freshly remixed attack code evade AV detection.
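Here is what the “patient zero and pivot” reconstruction looks like over recorded endpoint events. This is an added example written for this post, not code from the author, from Ziften, or from any EDR product: the event format, the field names and the sample event stream are all constructed for the illustration. A host-to-host connection becomes a pivot edge when high-severity activity appears on the destination within a short window afterwards; the host that alerted first and was never pivoted into is patient zero, and a breadth-first walk over the edges gives the chain to any later victim.

```python
"""Tracing ransomware pivots back to patient zero from EDR events (added example).

Parses a small stream of endpoint events, links each host-to-host connection
to the high-severity activity that followed on the destination within a short
window, and walks the resulting pivot graph back to the host where the chain
began. The event format, field names and the sample events are constructed
for this illustration; they are not any EDR product's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed alert stream: one workstation opens a weaponized attachment,
# then connects over SMB to two further hosts on which a service binary
# starts, the last of which begins renaming files. The printer connection has
# no follow-on alert and so never becomes a pivot edge.
SAMPLE_EVENTS = """\
2016-02-10T09:01:12Z host=WS-17 type=process parent=outlook.exe image=invoice.pdf.exe sev=high
2016-02-10T09:02:30Z host=WS-17 type=netconn dst=WS-22 port=445 sev=info
2016-02-10T09:02:45Z host=WS-17 type=netconn dst=PRN-03 port=9100 sev=info
2016-02-10T09:03:05Z host=WS-22 type=process parent=services.exe image=psexesvc.exe sev=high
2016-02-10T09:04:40Z host=WS-22 type=netconn dst=FS-01 port=445 sev=info
2016-02-10T09:05:10Z host=FS-01 type=process parent=services.exe image=psexesvc.exe sev=high
2016-02-10T09:06:00Z host=FS-01 type=file action=rename count=1800 ext=.locked sev=high
""".splitlines()


def parse_event(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_events(lines):
    """Parse and time-order a list of event lines, skipping blanks."""
    return sorted((parse_event(line) for line in lines if line.strip()),
                  key=lambda e: e["ts"])


def build_pivot_graph(events, window=timedelta(minutes=5)):
    """Edge src->dst when a connection is followed by a high-severity event on dst."""
    high = [e for e in events if e.get("sev") == "high"]
    edges = []
    for e in events:
        if e.get("type") != "netconn":
            continue
        src, dst, t = e["host"], e["dst"], e["ts"]
        followed = any(h["host"] == dst and t < h["ts"] <= t + window for h in high)
        if followed and (src, dst) not in edges:
            edges.append((src, dst))
    return edges


def find_patient_zero(events, edges):
    """Earliest alerting host that nobody pivoted into."""
    first_alert = {}
    for e in events:
        if e.get("sev") == "high":
            first_alert.setdefault(e["host"], e["ts"])
    pivoted_into = {dst for _, dst in edges}
    candidates = [h for h in first_alert if h not in pivoted_into]
    return min(candidates, key=first_alert.get) if candidates else None


def trace_chain(edges, start, target):
    """Shortest pivot path from start to target, or None if unreachable."""
    adjacent = defaultdict(list)
    for src, dst in edges:
        adjacent[src].append(dst)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in adjacent[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    edges = build_pivot_graph(events)
    zero = find_patient_zero(events, edges)
    print("pivots:", edges)
    print("patient zero:", zero)
    print("chain to FS-01:", trace_chain(edges, zero, "FS-01"))
```

The reconstruction only works because the connection and process events were recorded continuously and kept; an endpoint that was not reporting at 09:02 cannot be placed in the chain afterwards, which is the practical content of “always recording” below.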
Good EDR tools are always watching, always recording, always tracking, and available when you need them: now or retroactively. You would not turn a blind eye to enterprise network activity, so do not turn a blind eye to enterprise endpoint activity.