The pandemic has been great for business — if you’re in the ransomware business. Ransomware criminals tripled their income in 2020, collecting at least $350 million in ransom payments according to a new report from firm Chainalysis. The company notes that the actual figure is likely much higher because many victims choose not to report attacks.
Ransomware has become a growth industry for cyber criminals because many organizations are poorly equipped to address the threat. Conventional anti-malware solutions alone are not effective because there are countless strains of ransomware with a variety of unique characteristics that complicate detection and analysis. Further, modern exploit kits are modular allowing an attacker to pivot attack strategies to obfuscate their behavior.
To strengthen defenses, analysts say organizations must learn to identify the sequence of an attack — the so-called “cyber kill chain.” Armed with that understanding, organizations can deploy a variety of mitigation efforts at any stage in order to stop an attacker from advancing through the chain and thwart an attack.
Originally used as a model for describing the stages of a military attack, the kill chain concept has been adapted for use as a cybersecurity threat assessment and prevention tool. Lockheed Martin developed the original cyber kill chain in 2011, but a number of organizations have developed modified versions over the years.
Here’s an example of a ransomware kill chain, along with a few suggested defensive techniques for each stage of the attack:
Discovery & Delivery
In the initial stage, attackers are looking for targets. Most cast a wide net. Sending mass numbers of email phishing lures to see who bites was a tactic often used. However, attackers now seem to be using a more targeted approach, using social engineering techniques and scanning social media profiles to learn more about potential targets. After an initial infection, malware may spend days or weeks assessing the network topology to identify essential assets, backup sources and other valuable targets.
- Defensive actions: Effective email security is critical and can keep the majority of phishing emails out of users’ inboxes, stopping the threat at this stage. Modern day email protections must include robust spam detection, examine the veracity of embedded URLs, examine the hygiene of attachments, and other advanced threat detection & protection engines. Ongoing employee education is also necessary to help users identify and avoid phishing threats.
Exploitation & Infection
Once the infected payload has been successfully delivered, an executable program is often installed on the target system. The ransomware program will then connect to the attacker’s command and control (C2) server, giving the attacker control of the infected computer. Most ransomware variants also retrieve an encryption key from the C2 server during this stage.
- Defensive actions: You can use policy management features in Active Directory to track any account changes. Security information and event management (SIEM) solutions can help detect C2 traffic by examining log files from DNS servers, firewalls, intrusion detection systems and other security devices. You can use firewall rules to block C2 traffic. Additionally, newer cloud-based security services such as Cisco Umbrella can block C2 traffic at the DNS layer.
Scanning & Encryption
At this stage, attackers will often change user account privileges so the ransomware can move laterally through the network and infect more machines. After that, they will upload the encryption key and the malware will begin encrypting files, including backups on file shares. A ransom note containing instructions for payment to unlock the files is created in every folder containing encrypted files.
- Defensive actions: Multifactor authentication makes it harder for attackers to gain control of additional accounts. Once encryption is underway, however, the ability to respond & restore your data becomes much more complex. Your best defense at that point is to have a good backup of all data, files, applications and other resources that is isolated from other systems. It is also critical to have End User Behavior Analytics capabilities available. Ransomware attacks can be used to distract organizations as threat actors use the customers network as a jump point to gain access to other connected customers & their systems. Watching for anomalous traffic and behavior patterns can help identify such an attack.
Ransomware is a highly lucrative endeavor for nefarious cyber syndicates around the world, which increases the likelihood of more frequent and sophisticated attacks. However, applying defensive measures at the various stages of the ransomware kill chain can mitigate your risk. Contact us to learn more about specific defensive techniques for each phase of an attack.