At the end of October 2020, the Cybersecurity & Infrastructure Security Agency (CISA) posted an alert stating they had received credible evidence that the organization behind TrickBot was preparing an imminent attack on US healthcare providers and hospitals. This cybercriminal organization also commanded headlines in 2018 for their targeted and high-profile ransomware attacks. Using Ryuk ransomware, it is estimated that around $61m in Bitcoin has been paid to the cybercriminal syndicate to date for the retrieval of encrypted files.
The global COVID-19 pandemic has strained healthcare organizations across the globe. As they struggle to manage coronavirus cases while also delivering their core services, they’ve been stretched thin and cybercriminals were quick to pounce. While most of us see COVID-19 as a threat to our safety and security, and a time for our to unite together to defeat a common enemy (the virus), threat actors see it as a prime opportunity to exploit weaknesses and achieve profits..
Much like FEMA did in late 2019, the FBI and the Department of Homeland Security are calling on the healthcare industry to prepare themselves for an outbreak – however, this outbreak is one targeting their digital infrastructure. There are similar strategies that can be employed to prevent or mitigate both kinds of outbreaks.
The reactive response
The many combined minds across the world’s leading medical/biopharma research laboratories are actively seeking a vaccination. Over several months, medical researchers have narrowed down trials of some 154 potential vaccines to 11 candidates. They could be just months away from being able to roll out a vaccine. Typically, this process can take upwards of 10 years, so the very fact that we could have a vaccine well within 2 years of the initial outbreak is nothing short of phenomenal. But questions are still being asked about the effectiveness in immunizing everyone, as well as whether COVID-19 will evolve or mutate in ways that evade attempts to control it.
While everyone agrees that a vaccine is needed, not everyone agrees it will be effective, and certainly no one thinks that we can wait. So, more proactive methods have been adopted in the meantime.
The proactive response
Mandatory face masks, pocket hand sanitizers, social distancing, strategic and tactical lockdowns. These are all things that, just 12 months ago, we couldn’t imagine being part of day-to-day life. But here we are. These are measures taken to prevent, or at least limit, the spread of the virus. For many of us, whether we like them or not, it is these measures that have kept us safe. We all have our own personal attack surface for a viral infection, and we have reduced that attack surface by keeping our faces covered, our hands clean, and distancing ourselves from others.
While the reactive approach is regarded as the endgame, it is the proactive approach which has helped stem the tide of the coronavirus. This was only possible because it doesn’t rely on a deep understanding of COVID-19, only an understanding of how viruses spread.
How attackers gain a foothold
Cyber-attackers tend to leverage a complex multiple step process to gain an initial foothold within a target environment. They may use a combination of droppers, trojans and encryptors amongst other tools and techniques. Trojans like TrickBot are constantly evolving to evade reactive tools such as antivirus (AV) and endpoint detection and response (EDR), and it is this rapid evolution that makes the task of detecting and stopping the attack equally complex – much like finding the vaccine to a virus.
But when you break down the characteristics of the actual attack, you start to uncover that there are some basic commonalities that are fundamental to success. In 2019, reportedly 70% of attacks started at the endpoint. And this means many, if not most, ransomware attacks start there. A user may innocently open an email attachment or be duped into visiting a website. With perimeter security controls being stronger than ever, it makes no sense to forcibly breach a network – it is much easier for an hacker to be invited in by a user. Users have email, users have web access, and through social media, users are easy to discover and contact.
These same users are running applications with built-in functionality to run macro—and these are business tools almost universally running on those desktops. Microsoft Word, Excel, Adobe Reader, web browsers, will all run embedded code with the consent of the user. It’s only a matter of time before someone makes the innocent mistake of following the instruction to enable the macro.
If your users are logged in with a full administrator account, this gives an attacker free access to a level of privilege required to, not only take control of the endpoint and secure their access to your network, but to also begin their surveillance and to harvest other credentials that give them lateral movement.
And this is how such high-profile attackers succeed again and again. These three basic pre-requisites – user access to email and the web, user ability to open infected documents, and users logged in as local administrators – form the modus operandi of many ransomware attacks. It takes just one of your users to make the wrong decision for a breach to occur.
Stopping ransomware attacks with proactive defense
But there is a strategy that can be employed which will stop the majority of attacks at the source. By leveraging a privilege management product like BeyondTrust Endpoint Privilege Management (EPM), even advanced and targeted attacks can be prevented.
The BeyondTrust solution provides a preventative approach to endpoint security that stops ransomware and fileless malware attacks at the source by protecting those vulnerable applications that make these attacks possible. By applying privilege enforcement rules to web browsers, Office applications, and Adobe document readers, BeyondTrust blocks the primary entry point for attackers.
BeyondTrust Endpoint Privilege Management includes a powerful feature called Trusted Application Protection (TAP). This feature:
- Provides out-of-the-box defense against malware and ransomware attacks
- Applies proactive protection for the most vulnerable and most actively exploited attack vector - end users
- Has zero dependency on detection - protects against unknown and zero-day threats
- Blocks malicious code at the source – email attachments, phishing links, compromised websites
- Stops infected documents from leveraging script engines and exploitable utilities
- Prevents untrusted DLL loads
- Ensures only trusted and legitimate processes can execute
TrickBot and other cybercriminal organizations leverage cutting-edge software to circumvent the capabilities of Endpoint Security Suites and EDR monitors. The key to successfully defending your organization is to eliminate the one basic, but critical, step that attackers rely on – documents embedded with macros, distributed to your users through targeted spam.
To prevent ransomware attacks, like RYUK, organizations need to consider a preventative approach to endpoint security. To learn more, please download the quick guide: 5 Critical Steps to Endpoint Security.
Kris Zentek, Senior Product Manager
Kris Zentek is a Senior Product Manager at BeyondTrust, focusing on Endpoint Privilege Management solutions. Based in the UK, he has over 20 years of experience working in the cybersecurity industry.