Ransomware Detection 101: Six Best Practices To Prevent Propagation And Minimize Damage

2237 0

Research shows that, on average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. Ransomware is a type of malware designed to either block access to a victim’s data, or threaten victims with publishing or deleting data, unless a ransom is paid.

While the threat vector has been around for years, it’s now becoming an epidemic because of its lower execution costs, high returns and minimal risk of discovery (compared to other forms of malware). Not to mention, thanks to Ransomware as a Service (RaaS) toolkits available on the dark web, it’s now easier than ever for virtually anyone – even individuals with minimal security knowledge – to extort money from companies and individuals.

Ransomware can have a huge impact on business operations within a very short period. For example, within one day, the WannaCry malware forced the National Health Service (NHS) in the U.K. to cancel thousands of operations and medical appointments due to ransom threats. Within hours, WannaCry infected more than 200,000 computers in over 150 countries. Other high-profile examples of detrimental ransomware campaigns that you’ve likely heard about include Petya, Locky, TeslaCrypt, CryptoLocker, CryptoWall and CryptoDefense.

Ransomware attackers don’t seem to have a preference on who they target; they’ll hit organizations of any size, of all types and across industries. According to a June 2016 survey from Osterman Research, nearly one in two participants indicated that their organization suffered at least one ransomware attack in the previous 12 months. And, ransomware criminals collected $209 million in the first three months of 2016 alone.

So, whether you’re a one-person shop or working for a Fortune 500 company, knowing how to detect ransomware as quickly as possible to isolate the infected systems and prevent the malware from spreading can minimize its impact. Here are six best practices to help you in this endeavor.

  1. Perform Asset Discovery and Vulnerability Scans – Because the goal of a ransomware attack is to steal your most valuable assets – data and applications – having an updated and reliable asset inventory is critical. This means knowing what’s on your network, and in your public and private clouds, at all times. Additionally, periodic vulnerability assessments are also important, so susceptible assets can be patched or reconfigured to address new vulnerabilities and exploits.
  1. Implement Intrusion Detection – While ransomware can be difficult to detect before it’s too late, it’s not impossible. If you know what to look for, and you have the right intrusion detection systems (IDS) in place (e.g., cloud-based IDS, network-based IDS and host-based IDS), you can act quickly to contain the damage and quarantine the infected systems. Examples of ransomware signature behaviors include: communicating with an IP or domain with a bad reputation (e.g., Command-and-Control or C2 Server); forcing group policy updates to fail; sending data via a covert channel; updating an audit policy; disabling firewall or antivirus software; or running unauthorized or unexpected network scans.
  1. Enable File Integrity Monitoring – Ransomware, like most malware, will kick off system processes and access system files that aren’t necessarily part of normal system operations. With File Integrity Monitoring (FIM) technology, you’ll be alerted any time a critical system file is accessed, modified or changed in any way. Once the encryption process begins, you may not be able to save that particular system; but, once alerted, you can prevent further spread of the ransomware attack by isolating the compromised system.
  1. Implement Security Automation and Orchestration – Rapid response is a critical success factor in any type of emergency, and a ransomware outbreak is no exception. The faster you can detect and respond to a potential ransomware attack, the more likely you can contain the damage. Unfortunately, cyber security defenses are often a patchwork of controls and consoles, making it difficult to respond quickly and in a coordinated way when attacks happen. But, recent innovations in security automation and orchestration have enhanced incident response by allowing disparate security tools to work together more effectively – all from a single management platform.
  1. Conduct Log Monitoring and Analysis (via SIEM) – The sheer volume and endless variety of event log data (e.g., system logs, application logs and access and activity logs) makes it essential to have an automated event correlation solution (e.g., SIEM) in place to parse through massive volumes of information and alert you when ransomware attacks happen.
  1. Integrate Security Monitoring with Updated Threat Intelligence – Ransomware attackers have an entire ecosystem at their disposal, and they’re constantly evolving their methods. Security researchers have studied their tradecraft and infrastructure in-depth, and continue to monitor their attributes, activities and innovations. These insights translate into fine-tuned security controls (e.g., event correlation rules) to detect the latest ransomware attacks and a better understanding of how an attacker’s tools, techniques and procedures work for an enhanced response. Additionally, leveraging continuous threat intelligence updates can help you stay ahead of emerging threats.

Today’s reality is that no matter how thick or high the wall, cybercriminals are finding ways in. And this prompts the question: Do you and your company have the tools and strategies in place to detect and respond to vulnerabilities and attacks quickly? Being able to immediately identify and act on threats is the most effective way to minimize risk. And, in today’s cybersecurity landscape, this is the best outcome we can hope for.

About Javvad Malik
Javvad MalikJavvad Malik, Security Advocate at AlienVault

In this article