Ransomware Protection 2021


What is Ransomware?

Ransomware is a subset of malware which in most cases uses sophisticated evasion techniques to avoid detection and gain a foothold in the target device or network. Its goals range from encrypting the victim’s data and demanding a large payment for its safe return, to stealing sensitive data and insisting on a ransom in order for the information to remain unpublished.

Often downloaded from a malicious link or website, ransomware is designed to spread rapidly, work discreetly in the background and avoid detection for as long as possible. During this time, files are copied and exfiltrated to the threat actor. The data is then encrypted and the threat actors demand a ransom to release the mathematical key that will decrypt it. They also threaten to publish the copied files if payment is not made. Unfortunately, paying the ransom does not guarantee a safe release of the encrypted files, prevent proprietary data from being released publicly, or stop future attacks.

The Expansion of Ransomware

Ransomware is a booming business for threat actors. In 2020 alone an estimated $350 million was made in ransom payments. The damages incurred by victims of ransomware attacks include not only data damage and loss, but also business downtime and stained reputations. “Global ransomware damage costs will reach $20 billion by 2021 – which is 57X more than it was in 2015.” Alongside an increase in attacks, in particular on the healthcare, government, and education industries, the US government implemented new policy and laws. Ransomware is now recognized as a threat to national security, and victims falling foul of cybercrime are warned against paying attackers.

Why Are Attacks Getting Easier?

The attacks which are most difficult to prevent make use of evasive techniques. While in the past these evasive attacks were strictly related to nation-state attacks, today malware strains can be easily purchased on the dark web by anyone. A threat actor with even limited knowledge can launch a sophisticated ransomware attack, if they have malicious intent.

One of the results of the global shift to remote working is an increase in unmanaged devices. These are especially vulnerable if they lack sufficient security solutions to adequately protect the remote connection and are used by a workforce that has yet to recognize the dangers of malicious links and websites. There are multiple dangers with remote working, namely potentially infected systems connecting remotely. On-premises endpoints are increasingly under threat as well, as insufficient ransomware protection has led to more targeted attacks from even stealthier malware, capable of bypassing the perimeter security to reach the endpoint. Conti was able to hit more than 120 networks in its first two months because of its speed of encryption and advanced evasive capabilities.

Ransomware as a Service (RaaS)
RaaS is readily available for sale on the dark web as an executable kit. It is supplied with regular updates and simple-to-navigate interfaces, similar to any other IT product purchased online. The RaaS provider helps to set up and execute the attack, and even enables a communication channel with the victim, a true one-stop shop for malware. FickerStealer, for example, sold on hacking websites, is easily deployed to steal sensitive information and passwords, which are then sent back to the malware owner.

Targeted Attacks
These are undertaken with an explicit motivation driving the attack, such as monetary gain, political aims or data theft from a specific company or institution. These attacks are most often executed as a campaign to infiltrate the target over time, and not as isolated events. Sectors targeted include government agencies, political associations and specific businesses, such as banks. For example, in an attack targeting the SWIFT application of a bank, the attacker will write a specific piece of malware code to run through the network and only search for SWIFT applications. Once found, the money will be redirected to the attacker instead.

Reusable Code
Code that is reused in more than one attack can still evade detection from most ransomware protection solutions, which only safeguard against known malware strains. Using a copy-and-paste strategy of starting with the same lines of code, then tweaking the code just a little or adding additional lines of code, the ‘version 2.0’ malware can bypass security tools reliant on identifying the DNA of the malware, by being just different enough to fool virus checkers.
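The gap described above can be seen from the defender's side in a short sketch. This is an added example, not code from Minerva or from the original article: it compares an exact SHA-256 signature with a byte-shingle similarity score, using constructed pseudo-random blobs as stand-ins for binaries; the family name, threshold and helper names are assumptions.

```python
import hashlib

def shingles(data: bytes, n: int = 4) -> set:
    """Overlapping n-byte windows; small local edits change only a few of them."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0

def classify(sample: bytes, known: dict, threshold: float = 0.8) -> tuple:
    """Return (verdict, family, score): exact hash hit, near-duplicate, or unknown."""
    digest = hashlib.sha256(sample).hexdigest()
    for family, ref in known.items():
        if hashlib.sha256(ref).hexdigest() == digest:
            return ("exact", family, 1.0)
    sample_set = shingles(sample)
    best_family, best = None, 0.0
    for family, ref in known.items():
        score = jaccard(sample_set, shingles(ref))
        if score > best:
            best_family, best = family, score
    if best >= threshold:  # threshold is an assumed tuning value
        return ("variant", best_family, round(best, 3))
    return ("unknown", None, round(best, 3))

def _blob(seed: str, blocks: int = 64) -> bytes:
    """Constructed stand-in for a binary: deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest()
                    for i in range(blocks))

# Constructed sample data (hypothetical family name, no real malware involved).
KNOWN = {"family-a": _blob("a")}
ORIGINAL = KNOWN["family-a"]
_edited = bytearray(ORIGINAL)
_edited[100] ^= 0xFF                       # "tweak the code just a little"
_edited[900] ^= 0xFF
TWEAKED = bytes(_edited) + _blob("pad", 1)  # "add additional lines of code"
UNRELATED = _blob("b")

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("tweaked", TWEAKED),
                       ("unrelated", UNRELATED)):
        print(name, classify(blob, KNOWN))
```

The tweaked sample no longer matches the stored hash, yet it shares almost all of its shingles with the known sample, which is why similarity or behaviour-based checks catch variants that an exact signature misses.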

SMBs on the Hit List
Small and medium-sized businesses (SMBs) are particularly vulnerable to ransomware. With limited budgets assigned to ransomware protection and remote user protection to secure their assets, they are often viewed as an easy target. All sensitive data and private details are an attractive target for threat actors. In 2019, as many as two out of five SMBs fell victim to a ransomware attack.

Anatomy of a Ransomware Attack 

1. Planning – Ransomware can be purchased on the dark web as Ransomware as a Service (RaaS). Not only that, but anyone with a minimal level of skills can develop it, using legitimate tools to create it. A subscription model that provides an attacker with a ready-made ransomware kit, RaaS is leased with bitcoin and does not require developer-level technical skill. Anyone with basic technical skills is able to launch highly sophisticated attacks.

2. Setting up a beachhead – After establishing a beachhead, for example using the endpoint as a point of entry to the network, the malware can spread through the network laterally. Malware aims to compromise data through exfiltration and encryption, while remaining undetected.

3. Bypassing perimeter security – Evasive techniques are the key to ransomware success. Techniques employed include tweaking malware so antivirus and EDR tools cannot identify the new malicious pattern, avoiding slowing the endpoint and residing in the endpoint memory. The detect and destroy approach doesn’t work, especially with evasive malware. Only familiar malware can be flagged by most ransomware protection or remote user protection options, leaving systems vulnerable to all new malware.

4. Exfiltrating data – Sensitive data, such as login credentials, PIN numbers or intellectual property are stolen, often as part of a targeted attack. Data is first copied from the system, then later used to extort the victim.

5. Encrypting data and demanding a ransom – After the data is copied and sent to the threat actors, the local data is encrypted on the system, causing significant business disruption. The ransom will then be demanded while the attacker holds the decryption key. The copied data is used to threaten release or sale to competitors if the ransom is not paid.

Inside the Mind of a Threat Actor

Targeting the end-user – Employs psychological manipulation (AKA social engineering) techniques to breach a user’s device.

Phishing attacks appear in the form of fake emails, which may seem to legitimately come from the bank, a charity or any other business. They ask for sensitive information such as bank details to be entered or verified and often contain a link to fake websites in an attempt to steal personal details, to trick you into sending money or to install malware.

Fake installers downloaded from torrent sites can wreak havoc on corporate systems. It may be common knowledge that pirated software, applications and even movies could contain malware, but this doesn’t seem to affect their download popularity amongst millions of seeders worldwide. For example, take the case of a rigged Windows installer with the ability to bypass Windows Defender. On execution, the binary was set to release a smorgasbord of malware including adware, a crypto-miner and Xtreme RAT, enabling monetization of the device. Legitimate software from known sources is always safest.

Hiding in common document types such as PDF, Word or Excel files, malware like IcedID and BazarLoader is released when a user clicks on malicious attachments. BazarLoader installs and remains dormant for a short time before downloading a backdoor to enable malicious actions such as delivering other malware. IcedID simply uses the Windows download API to drop and execute the payload.

Targeting the data – Cloud or no Cloud, all data is at risk. Many businesses prefer to keep all sensitive data on the cloud and no files on the local endpoint in an attempt to stay safe. While that could be successful in theory, in reality, most people have at least some sensitive data downloaded locally. Information that is routinely downloaded, edited locally and then re-uploaded to the cloud increases the exposure risk. Even creating a shared folder locally syncs information from the cloud on to the endpoint. If malware runs on the endpoint, it can encrypt local information and can also encrypt the information on the cloud.

Threat actors’ two biggest needs – Time and evasiveness. Exporting data takes time, but evasive malware is able to remain concealed until it wants to be found. The user may notice their system has slowed down, but without a security threat alert, they most often remain unaware. Perhaps the user will try to reboot the system, or try to improve the network connectivity, but meanwhile the data encryption and file copying quietly continue. Only after a ransom request is made does the user become aware they’ve been attacked.

Minerva Labs: Preventing Ransomware Attacks

Pre-execution threat prevention, stopping breaches even by unknown strains of malware, is what Minerva does best. The key to successful ransomware protection is really breach protection.

Simulates Hostile Environments

By simulating a hostile environment, Minerva is able to mimic the presence of security tools that evasive malware is designed to bypass, including antivirus, sandbox products, emulators and forensic toolkits. Minerva prevented a SolarWinds memory injection attack, which resulted from the attack on their system. The malicious backdoor was unable to work and the malware refrained from execution, as the presence of blacklisted security processes was simulated in the operating system.

Evasive malware usually uses decision-based logic, which allows it to be environmentally aware, checking for example if a Cyrillic keyboard is being used. Minerva’s ransomware protection is able to deceive the malware and thwart the attack by breaking the decision-based logic of the malware. An analysis of Egregor revealed that before the malicious procedure commences, Windows API functions are called to determine the locale, ensuring the attack is aborted in Russia and CIS countries.

Prevents Living Off the Land Attacks

Threat actors use trusted system tool applications in the operating system to compromise the endpoint by hiding in plain sight. Minerva interferes with attempts to misuse tools built into the system to cause damage, without using classic forms of malware. We prevent threats from “trampolining” off such tools to infect the endpoint or cause damage. Minerva’s living off the land protection is able to thwart these attacks by hiding the key operating system features, such as with the Rig Exploit Kit.

Prevents Fileless Attacks

Fileless attacks are stealthy, hiding within legitimate processes and applications. Malicious software might hide itself in a legitimate process and inject a piece of code directly into the memory without passing through the disk to avoid detection by anti-malware and endpoint solutions. Minerva blocks these attempts by avoiding executing code from the file system. This capability interferes with injection attempts, causing such malware to exit or crash.

Prevents Browser Isolation Techniques

Minerva’s browser isolation capabilities work on three vectors. Firstly, when navigating a website and a download occurs in the background, Minerva’s ransomware protection prevents any child process that is not signed by the browser manufacturer from running. Secondly, memory injection prevention allows only legitimate access through the browser into the memory, as described above. Thirdly, this prevents a malicious piece of code within the downloaded document from running, whether it arrives from email, cloud, SharePoint, etc.
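The first vector, rejecting browser child processes not signed by the browser manufacturer, can be approximated as a detection rule over process-creation telemetry. This is an added example, not Minerva's implementation: the event field names and sample events are constructed, and the signer names in the table are assumptions to confirm against the browsers actually deployed.

```python
import ntpath

# Assumed publisher names on each browser's code-signing certificate.
BROWSER_SIGNERS = {
    "chrome.exe": "Google LLC",
    "msedge.exe": "Microsoft Corporation",
    "firefox.exe": "Mozilla Corporation",
}

def check_event(event: dict):
    """Return a finding if a browser spawned a child not signed by its vendor."""
    parent = ntpath.basename(event["parent_image"]).lower()
    expected = BROWSER_SIGNERS.get(parent)
    if expected is None:
        return None                      # parent is not a monitored browser
    if event.get("signature_valid") and event.get("signer") == expected:
        return None                      # vendor-signed helper or renderer
    if not event.get("signature_valid"):
        reason = "unsigned or invalid signature"
    else:
        reason = f"signed by {event.get('signer')!r}, expected {expected!r}"
    return {"parent": parent, "child": event["image"], "reason": reason}

def flag_browser_children(events: list) -> list:
    return [finding for finding in map(check_event, events) if finding]

# Constructed process-creation events (hypothetical schema and paths).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EVENTS = [
    {"parent_image": CHROME, "image": CHROME,
     "signer": "Google LLC", "signature_valid": True},
    {"parent_image": CHROME, "image": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "signer": None, "signature_valid": False},
    {"parent_image": EDGE, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "signer": "Example Software Ltd", "signature_valid": True},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "signer": "Microsoft Corporation", "signature_valid": True},
]

if __name__ == "__main__":
    for finding in flag_browser_children(EVENTS):
        print(finding)
```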

Backups for File Recovery

Better backups (that you’ll probably never need) are in place to further protect sensitive data. Minerva’s ransomware protection solution backs up every file and document that has been changed, before any changes are made to the files, to enable easy recovery of documents, images and sensitive organization information. If an API call for encryption is made, even if a file is deleted or saved with a password before, Minerva’s ransomware protection will catch it and save it in a secure local database on the endpoint. Recovery is a simple click away.