When two large-scale ransomware campaigns – WannaCry and NotPetya – caused widespread disruption in 2017, the headlines suggested they heralded a new era of large-scale attacks.
WannaCry spread across 150 countries and severely affected the NHS in the UK and many other large organisations in the US, including hospitals, vehicle manufacturers, petrol stations, railways and shipping companies. Its impact was more disruptive than financial, since reports suggest that the perpetrators gained a mere $140,000.
Shortly afterwards, NotPetya wreaked cyber havoc in more than 60 countries, hitting Ukrainian infrastructure very hard. More advanced than WannaCry, it encrypted victims’ devices and displayed a screen demanding a ransom.
More recent campaigns, however, such as SamSam, which targeted the City of Atlanta, Georgia in March this year, have been much more specific about their targets.
The reality is that ransomware is constantly evolving, and any organisation must employ a combination of innovation and best-practice processes if it is to adequately mitigate the risks. This should all be based on an understanding of the nature of ransomware and how it is delivered.
The evolution of ransomware
Ransomware has been around since the late 1980s but it was not until the mid-2000s that it started to be a significant problem.
More recently we have seen CryptoWall, Teslacrypt, Cerber, CTB-Locker, Cryakl, Scatter, and Locky. SamSam first emerged in 2016 but has obviously been repurposed.
Now the increased availability of Ransomware-as-a-Service on the dark web is putting threats in the hands of criminals with little technical expertise, while also improving encryption and anti-virus evasion, ransom payment options, and applicability beyond the Windows operating system.
The common characteristics of ransomware
Despite the differences, there are characteristics of ransomware that give us a foundation for security policy. It can quickly spread in either a targeted or opportunistic fashion and as with other malware, it can avoid detection by anti-virus solutions. Even when it is picked up, the ability to eliminate the threat may be incomplete. We also know that the barrier to its use is now quite low and that although extortion is the purpose of most ransomware, a threat actor can just as easily use it destructively, with no intention of releasing encrypted files.
All the expert evidence indicates that ransomware will continue to evolve, with threat actors using ransomware to focus on specific victims. And while the common ransomware families appear to be dying, the ransomware that remains is being presented to victims through larger malware variants.
Email attachments are the vectors for precision attacks
We now find that potential victims are specifically targeted with tailored delivery mechanisms, such as spear phishing emails with attached malicious files. At the same time, increasing varieties of a particular piece of ransomware have the potential to avoid detection and prevention by signature and heuristic-based intrusion prevention, next-generation firewall and anti-virus solutions.
From a risk-management perspective, an organisation needs to understand where it falls in relation to the more nuanced trajectory of today’s ransomware.
Building an effective risk-mitigation strategy
There is no cause for doom and gloom, however. Risks can be significantly mitigated to an acceptable level by well-planned strategies and a combination of people, processes and innovative technologies along with implementation of back-up and recovery solutions.
Some ransomware and initial infection vectors exploit known, published vulnerabilities. This means of entry can be restricted by a vulnerability management programme covering detection, patch management and other mitigations. Similarly, configuration management, proper network segmentation, and identity, credential and access management can prevent or otherwise limit ransomware’s ability to spread laterally within an organisation.
Finally, the ransomware threat vector can be mitigated. Common approaches include the use of intrusion prevention systems, next-generation firewalls, antivirus and sandboxing solutions.
Countering email-borne threats through innovative technology
These are all good, but only a start. Focusing on the common threat vector of ransomware delivered via a spear phishing email, organisations should consider how to improve their defensive postures.
Generally, email attachments are scanned by traditional, signature-based anti-virus solutions at the email gateway and, upon execution, at enterprise endpoints. Heuristic-based anti-virus solutions and sandboxing capabilities have also been added.
Success is largely based on attributes of previous attacks including a combination of malicious files and modes of behaviour.
Despite this, email-based malware continues to compromise individuals and organisations. Increasingly, it is used as a pivot-point for so-called “file-less” malware. As recently observed, the number of ransomware variants also appears to be increasing, thereby reducing the chance of successful detection and prevention.
Considering the success of phishing emails loaded with ransomware attachments, it is apparent that while detection is necessary for effective cyber security, it is not sufficient. Even though advanced behaviour-based detection tools are being purchased, it would appear they are often not used due to lack of training and time.
While the cyber security community has been trying to identify and stop malicious file attachments before they infect an endpoint or network, the truth is that automated, assembly-line ransomware, coupled with sandbox-aware or at least sandbox-evading attributes, will continue to defy detection.
Use innovation to admit only the “known good” in emailed files
The goal of preventing malicious files from infecting an enterprise remains sound, but it requires the solution to a simpler problem. Instead of detecting and preventing “known-bad” files, enterprise email security must incorporate technology to look for, generate and pass “known-good” files.
Generating and passing “known-good” files can be achieved using deep-file inspection, remediation and sanitisation technology. In near real-time, it will compare a file to that file type’s standard or specification (such as Microsoft Office specifications, ISO 10918 for JPEG, ISO 32000 for a PDF file), regenerate the file in accordance with that specification, and pass the file forward.
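As an added illustration of that regenerate-to-specification step (example code written for this page, not any vendor's product), the following Python toy applies it to a JPEG (ISO 10918) file: it walks the marker segments, rejects files whose segment lengths or frame header contradict the specification, keeps only the segments a baseline decoder needs, and rebuilds the file from them. The sample bytes are constructed for the demonstration and are not a viewable image.

```python
import struct
SOI, EOI, SOS, SOF0 = 0xD8, 0xD9, 0xDA, 0xC0
RST = set(range(0xD0, 0xD8))                   # restart markers, legal only inside scan data
# Segments a baseline JFIF decoder needs (ISO 10918-1 Annex B): APP0, DQT, DHT, DRI, SOF0, SOS.
ALLOWED = {0xE0, 0xDB, 0xC4, 0xDD, SOF0, SOS}  # COM, APP1..APP15 and unknown markers are dropped

class BadJpeg(ValueError):
    """The file deviates from the structure the specification requires."""

def seg(marker: int, payload: bytes) -> bytes:  # 0xFF, marker, 2-byte length (counts itself), payload
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def parse_segments(data: bytes):
    """Yield (marker, header_payload, scan_data); scan_data is empty except after SOS."""
    if data[:2] != bytes([0xFF, SOI]):
        raise BadJpeg("missing SOI")
    pos = 2
    while pos + 1 < len(data) and data[pos] == 0xFF:
        marker, pos = data[pos + 1], pos + 2
        if marker == EOI:
            return
        if marker in RST or marker == SOI or pos + 2 > len(data):
            raise BadJpeg(f"unexpected or truncated marker 0x{marker:02X}")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2 or pos + length > len(data):
            raise BadJpeg(f"segment 0x{marker:02X} length out of bounds")
        payload, pos = data[pos + 2:pos + length], pos + length
        # Spec check: SOF0 carries 6 fixed bytes plus 3 per component (component count is payload[5]).
        if marker == SOF0 and (len(payload) < 6 or len(payload) != 6 + 3 * payload[5]):
            raise BadJpeg("SOF0 component table does not match its length field")
        scan, start = b"", pos
        if marker == SOS:  # entropy-coded data runs until a marker other than stuffed 0xFF00 or RSTn
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] and data[pos + 1] not in RST):
                pos += 1
            scan = data[start:pos]  # if no marker followed, the outer loop reports the missing EOI
        yield marker, payload, scan
    raise BadJpeg("missing EOI, or a stray byte where a marker was expected")

def regenerate(data: bytes) -> bytes:  # known-good rebuild: allowed, structurally valid segments only
    out = bytearray([0xFF, SOI])
    for marker, payload, scan in parse_segments(data):
        if marker in ALLOWED:
            out += seg(marker, payload) + scan
    return bytes(out) + bytes([0xFF, EOI])

# Constructed sample (structurally valid, not a viewable image) with a COM and an APP1 segment riding along.
SAMPLE = (bytes([0xFF, SOI]) + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00") + seg(0xFE, b"stray comment")
          + seg(0xE1, b"Exif\x00\x00" + bytes(8)) + seg(0xDB, bytes(65)) + seg(SOF0, bytes([8, 0, 8, 0, 8, 1, 1, 0x11, 0]))
          + seg(SOS, bytes([1, 1, 0, 0, 63, 0])) + b"\xaa\xff\x00\x55" + bytes([0xFF, EOI]))
```

Running `regenerate(SAMPLE)` returns the file with the COM and APP1 segments gone and the remaining segments re-emitted from parsed fields; a truncated segment, a frame header whose component count contradicts its length, or a missing EOI raises `BadJpeg` instead of being passed forward.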
The events of 2017 demonstrated that while ransomware is a tool for financial gain, nation states are also ready to adapt and employ it for their own specific aims. How ransomware will develop next is unclear, yet whatever the nature of the threat it poses, organisations should know that a common set of established and emergent risk-management practices is available. The threats behind major ransomware attacks will not cease evolving, but we know that smart prevention, response and recovery investments are available to address them.