Countering the evolving threat of ransomware
Article by Zscaler regional vice president and A/NZ country manager Steve Singer.
Since first gaining mainstream attention more than ten years ago, ransomware has grown to become one of the most severe cybersecurity threats facing organisations around the world.
Awareness of ransomware as a threat rose further in 2017 when examples such as WannaCry and NotPetya were released. Since then, cyber-criminals have evolved their approach considerably. We now regularly see stolen copies of the data and threats to release or sell it if the ransom payment is not made.
During the past few years, the sophistication of the malware code being used has been rising. According to research completed by Zscaler ThreatLabZ, there was a 500% increase in incidents of ransomware using encrypted SSL channels in 2020, compared with the previous year. During the same period, there was a 30% increase in malware delivered via trusted cloud services such as Google Drive, AWS, or Dropbox.
During 2020, IT security teams also noticed an increase in the use of COVID-19 related spam attacks to spread malicious ransomware code. This is evidence that cyber-criminals will continue to change their methods to maximise the chance of success.
Constant evolution and double extortion
The types of malware being used in attacks are also continually evolving. Recently, a ransomware code dubbed REvil was first detected in the wild. This code started using the technique of double extortion (encryption and data theft) and was found to gain access to networks using known security vulnerabilities and phishing campaigns.
The sophistication of REvil means it can disable many security tools and bypass user account controls. It can also configure itself to undertake privilege escalation and automatically exfiltrate data.
Another example of ransomware code, dubbed RagnarLocker, also appeared within the past year. Recently, the code began deploying within virtual machines to evade detection and, like REvil, spreads by using known security vulnerabilities and phishing campaigns.
RagnarLocker executes by using scripting and can embed itself in a system’s registry to achieve persistence. Its aim is to encrypt data and inhibit the recovery of infected systems.
A third example of ransomware code, named Maze, also deploys virtual machines to avoid detection. IT security teams found 70 different payloads carried by Maze, which also began using double extortion techniques.
Maze often appears as a spear-phishing email attachment and can bypass user account control measures. Like its ransomware counterparts, this code automatically exfiltrates data and is designed to make system recovery difficult after an attack.
Protecting against attack
Protecting against a ransomware attack is critical and requires an understanding of three potential delivery methods that cyber-criminals will use. The first is social engineering, and works when a user is tricked into opening an infected email or file, thinking it has come from a trusted source. Opening the file triggers the malware, which infects the user’s device and then spreads to the wider network.
The second method involves taking advantage of devices on a network that have already been infected with different code. This early code gathers details such as system configuration and defences, which cyber-criminals use to improve the success of their ransomware attack.
A third method uses techniques such as remote desktop protocol (RDP) and browser exploits to gain access to a network and deploy the ransomware code. This method can be tougher to prevent as it can get around many of the security measures that may be in place within a network.
Zero trust is the best defence
In light of the increasing use of data exfiltration and encryption, IT security teams should treat ransomware attacks as data breach incidents. A strategy of zero trust will provide the best possible level of protection.
Under a strategy of zero trust, users can only access the applications and data resources for which they have been authorised. All other attempts to access these resources are prevented and reported to the IT security team.
Should ransomware code manage to gain access to an IT infrastructure, it will be prevented from undertaking lateral movement and thereby be unable to seek out the data it is trying to steal and encrypt.
A single infected device machine should not give an attacker the ability to bring down an entire IT infrastructure. By following a zero trust strategy, a business can better protect itself from threats in the future.