Ransomware is an interesting twist on a business model – your customers (victims) contact you (the criminal) offering money (usually Bitcoin) for something that you create (decryption key) that only the customer can use (they hope). However, hope is not a strategy, and represents a last-ditch effort to recover when everything else goes wrong. Let's see what we can do to change the odds in favor of the good guys.
The 2017 Ransomware Damage Report from Cybersecurity Ventures[1] predicts over $5 billion in ransomware losses in 2017, up from $325 million in 2015. The ability of attackers to monetize attacks, combined with a lack of legal consequences and the perceived ease of implementation, suggests ransomware will continue. When everyone stops paying the ransom, then ransomware becomes mere vandalism. "Well, just don't pay it," sounds nice, but doesn't reflect the reality that many organizations do not have the ability to recover lost information or operational capability on their own. Until something breaks this vicious cycle, expect the scourge of ransomware to persist and even expand.
Learn more in my on-demand webinar "Why Federal Systems are Immune from Ransomware (and other grim fairy tales)". Register now
History of Ransomware
So, whose idea was this ransomware thing, anyway? The concept ties back to a 1996(!) paper titled, "Cryptovirology: Extortion-Based Security Threats and Measures."[2] In it, the authors present, "a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information". Thanks, guys. Well, we can't say we weren't warned – it's been 20 years and now these attacks are in full swing.
Traditional security solutions are often focused on the C and the I of the Confidentiality-Integrity-Availability (C-I-A) triad. When it comes to Availability, we typically look toward backup solutions and recovery strategies. But most backup solutions are built to protect against misfortune, not malice. As a result, ransomware hits a seam in our defenses and is costing us dearly.
To recap, ransomware is direct monetization of an availability attack. Client-side ransomware requires no lateral movement, no command-and-control, and no egress of compromised information. There is no need to fence stolen goods or find a buyer, as the market is built into this business model. Victims will pay handsomely for the right 256 bits that represent the decryption key. The average ransom was up 266% in the past year to over $1000, and Symantec's 2017 Internet Security Threat Report stated, "Malicious emails were the weapon of choice".[3] One in 131 e-mails contained malware. Some of those are going to get through spam filters.
Ransomware Distribution
Client-side ransomware distribution methodology is straightforward: carpet bombing weaponized attachments in phishing email campaigns. Overload systems with variants of known and unknown attack mechanisms, and something will get in. All it takes is a single user to click on dancing bears, open an Excel spreadsheet titled, "Executive Salaries.xls," or click through on a link that misdirects the user to an infected website, and the fun begins.
Ransomware’s Weakness – Privilege
However, ransomware is not magic – it can only run with the privileges of the user or the application that launches it. Therein lies its weakness, and our chance to leverage tools to contain it before it starts. 94% of critical vulnerabilities reported by Microsoft in 2016 can be mitigated by removing administrative rights from users.[4] Operating systems are designed to be easy to use; otherwise they wouldn't sell well. Unfortunately, part of that ease of use includes the ability to run nearly any program by default, and it is only with third-party privilege management tools (or tedious file-by-file permission setting) that we can put that genie back into the bottle.
Server-side – A Bigger Threat
Although the press seems to have focused on client-side ransomware, the real danger may be server-side ransomware. Server-side ransomware requires more attacker effort – compromise an internal endpoint, pivot internally, enumerate servers, assess backup infrastructure, create keys for each server, install ransomware, import keys to a script, and then launch the attack. For maximum impact, the attacker must run low-and-slow to establish the maximum "blast radius" within the target enterprise. This requires time and skill, and offers the defense an opportunity to interrupt the attack at any point before the final lockup.
An infected endpoint that has mapped network drives can result in server-wide damage in a short period of time. Simply disconnecting drives isn't a viable defense, as modern ransomware reconnects these as a "service". If your company is still using drive shares and mapped drives, you probably are at much greater risk of server-side ransomware.
Internal segmentation is critical – a single infected desktop shouldn't take out the entire corporate network. Proper segmentation is akin to water-tight compartments on a ship – flooding one should not result in the loss of the entire vessel. Similarly, a properly segmented network will act to contain the spread of any infection that gets loose, or at least buy defenders time to notice, isolate, stop, and remediate the malware.
The Best Defense Against Ransomware
The best defense against server-side ransomware is properly established and managed access control. Ransomware cannot "cheat" and bypass system privileges. In many cases, it doesn't have to – enterprises leave far too many rights turned on either as a matter of culture ("Don't you trust me?"), laziness (takes too much work), or ignorance of toolsets that can manage access control at scale.
Role-based access control (RBAC) is a great concept – identify for each job description the minimum rights needed to accomplish the job. But this requires careful enumeration of both job descriptions and users, and staying on top of these assignments. Even if one does this, traditional RBAC fails in one very important function – monitoring the activities of users once rights have been granted.
Even if we extend traditional RBAC thinking to devices such as multi-function printers, that strategy will miss what happens AFTER the device is validated and connected. Anything from MAC spoofing to full compromise of the device can result in your "printer" attempting to enumerate drives and servers, sniff traffic, and exfiltrate data. Or, since almost everyone can connect to the printer, it can serve as a ransomware server within your enterprise. Oops.
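The two gaps described above, rights granted beyond the role minimum (including the administrative rights the earlier section warns about) and activity that happens after a user or device has been validated, can both be checked mechanically. The following Python is an added example, not code from the original post or from any product it references; the role names, right strings, the `PRINTER-3F$` device account and the event fields are constructed placeholders for what a real directory export and file-server audit feed would provide.

```python
"""Reconcile granted rights against role minimums, then watch what
principals actually do after they are connected.

All data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Minimum rights per job description (constructed example).
ROLE_MINIMUM = {
    "finance-analyst": {"share:finance:read", "share:finance:write", "app:erp"},
    "helpdesk": {"share:it-tools:read", "app:ticketing"},
    "printer": {"svc:print-spooler", "svc:dns"},
}

# What the directory has actually granted (constructed example).
GRANTED = {
    "alice": {"role": "finance-analyst",
              "rights": {"share:finance:read", "share:finance:write", "app:erp"}},
    "bob": {"role": "helpdesk",
            "rights": {"share:it-tools:read", "app:ticketing",
                       "share:finance:write", "local-admin:*"}},
    "PRINTER-3F$": {"role": "printer",
                    "rights": {"svc:print-spooler", "svc:dns", "share:finance:read"}},
}


def find_overprivileged(granted, role_minimum):
    """Return {principal: rights beyond the role minimum}; clean principals are omitted."""
    excess = {}
    for principal, entry in granted.items():
        extra = entry["rights"] - role_minimum[entry["role"]]
        if extra:
            excess[principal] = extra
    return excess


@dataclass(frozen=True)
class AccessEvent:
    ts: int           # seconds since epoch (constructed)
    principal: str
    resource: str     # the right string the successful action required


# Constructed audit events: a printer account wandering well outside its role.
EVENTS = [
    AccessEvent(1000, "alice", "share:finance:write"),
    AccessEvent(1005, "bob", "share:finance:write"),          # granted, but outside role
    AccessEvent(1010, "PRINTER-3F$", "svc:print-spooler"),
    AccessEvent(1012, "PRINTER-3F$", "share:finance:read"),   # outside role
    AccessEvent(1014, "PRINTER-3F$", "share:hr:read"),        # outside role
    AccessEvent(1016, "PRINTER-3F$", "share:eng:read"),       # outside role
    AccessEvent(1018, "PRINTER-3F$", "app:erp"),              # outside role
    AccessEvent(1020, "svc_unknown", "share:hr:read"),        # not in the directory at all
]


def find_post_grant_anomalies(events, granted, role_minimum, *, max_distinct=3, window=60):
    """Flag what RBAC alone never sees, as (principal, kind, detail) tuples:
    - "unknown-principal": activity from an account the directory does not know;
    - "outside-role": successful use of a right outside the principal's role minimum;
    - "enumeration": one principal touching more than `max_distinct` distinct
      resources within `window` seconds (reported once per principal)."""
    findings = []
    by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        entry = granted.get(ev.principal)
        if entry is None:
            findings.append((ev.principal, "unknown-principal", ev.resource))
            continue
        if ev.resource not in role_minimum[entry["role"]]:
            findings.append((ev.principal, "outside-role", ev.resource))
        by_principal[ev.principal].append(ev)
    for principal, evs in by_principal.items():
        start = 0                                  # sliding window over time-ordered events
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.resource for e in evs[start:end + 1]}
            if len(distinct) > max_distinct:
                findings.append((principal, "enumeration", len(distinct)))
                break
    return findings


if __name__ == "__main__":
    for principal, extra in find_overprivileged(GRANTED, ROLE_MINIMUM).items():
        print(f"over-privileged: {principal} -> {sorted(extra)}")
    for finding in find_post_grant_anomalies(EVENTS, GRANTED, ROLE_MINIMUM):
        print("post-grant:", finding)
```

The first function is the periodic rights audit; the second is the part RBAC does not give you, a continuous comparison of observed behaviour against the role definition, so a device account that starts reading shares it was never meant to see shows up even though every one of those accesses succeeded.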
We tend to think of endpoints as user interfaces (PCs, laptops, etc.), but with smart phones, tablets, and common software codebases on servers (think Windows Server), nearly every device in our enterprise has endpoint characteristics. "Anything that can be a target of an attack or merely a conduit to a device that can be attacked must be included and coordinated in defenses."[5] So what can we do?
Ransomware uses predictable infection vectors such as browser links and exploit kits, e-mail attachments and links, network worms, IM/SMS apps, and P2P or torrent file-sharing applications. A single defensive approach covers this entire range of vectors: limit the privilege of the user running the application, monitor for unusual activity and interdict it when it occurs, and maintain central reporting on the state of the enterprise. With these in place, ransomware attempts can be identified quickly, infected devices isolated before they damage others, and, ideally, the infection prevented in the first place because the code cannot run with the privilege it requires.
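As an added illustration of the "monitor, interdict, and report centrally" defense, and of why damage through mapped drives is fast enough to need rate-based detection, the following Python watches a stream of file-server audit events for three ransomware signals: too many distinct files modified by one user from one host in a short window, a burst of files renamed to an extension that user has never produced before, and any touch of a planted canary file. This is example code, not part of the original post or of any product it mentions; the audit-line format, thresholds, share paths, the `_do_not_touch.docx` canary name and the `WS-22` host are all constructed.

```python
"""Rate-based detection of ransomware-style mass modification on a file share.

Added example with a constructed audit-line format (not any product's export):
    <epoch_seconds>,<user>,<host>,<op>,<unc_path>
op is WRITE, RENAME or DELETE; for RENAME the path is the new name.
"""
from collections import defaultdict, deque
import ntpath

WINDOW_SECONDS = 30         # sliding window per (user, host)
MAX_DISTINCT_FILES = 20     # distinct files touched in one window before alerting
NOVEL_EXT_THRESHOLD = 5     # files with a never-before-seen extension in one window
CANARY_NAME = "_do_not_touch.docx"   # canary planted in every share root (constructed)


def build_sample_log():
    """Constructed audit lines: normal activity, then a rename burst from one host."""
    lines = [
        r"1000,alice,WS-17,WRITE,\\FS01\finance\budget.xlsx",
        r"1040,alice,WS-17,WRITE,\\FS01\finance\forecast.xlsx",
        r"1100,alice,WS-17,WRITE,\\FS01\finance\notes.docx",
        r"1900,bob,WS-22,WRITE,\\FS01\eng\spec.docx",
    ]
    # bob's workstation renames 24 files to a new extension within 12 seconds
    for i in range(24):
        lines.append(rf"{2000 + i // 2},bob,WS-22,RENAME,\\FS01\eng\doc{i:02d}.docx.locked")
    lines.append(r"2012,bob,WS-22,WRITE,\\FS01\eng\_do_not_touch.docx")
    return lines


def parse(lines):
    for line in lines:
        ts, user, host, op, path = line.split(",", 4)
        yield int(ts), user, host, op, path


def detect(lines):
    """Return a list of alert dicts, at most one per (signal, user, host)."""
    recent = defaultdict(deque)      # (user, host) -> deque of (ts, path, ext) in the window
    seen_ext = defaultdict(set)      # user -> extensions that have aged out of the window
    alerts = {}

    def raise_alert(signal, ts, user, host, detail):
        alerts.setdefault((signal, user, host),
                          {"signal": signal, "ts": ts, "user": user, "host": host, "detail": detail})

    for ts, user, host, op, path in parse(lines):
        if op not in ("WRITE", "RENAME", "DELETE"):
            continue
        if ntpath.basename(path).lower() == CANARY_NAME:
            raise_alert("canary-touched", ts, user, host, path)
        ext = ntpath.splitext(path)[1].lower()
        window = recent[(user, host)]
        window.append((ts, path, ext))
        while ts - window[0][0] > WINDOW_SECONDS:
            _, _, old_ext = window.popleft()
            seen_ext[user].add(old_ext)          # aged-out activity becomes the user's baseline
        distinct = {p for _, p, _ in window}
        if len(distinct) > MAX_DISTINCT_FILES:
            raise_alert("mass-modification", ts, user, host,
                        f"{len(distinct)} distinct files in {WINDOW_SECONDS}s")
        novel = {e for _, _, e in window if e and e not in seen_ext[user]}
        novel_files = sum(1 for _, _, e in window if e in novel)
        if novel and novel_files >= NOVEL_EXT_THRESHOLD:
            raise_alert("novel-extension-burst", ts, user, host,
                        f"{novel_files} files with new extension(s) {sorted(novel)}")
    return list(alerts.values())


def hosts_to_isolate(alerts, min_signals=2):
    """Central-reporting step: hosts with at least `min_signals` independent signals."""
    signals = defaultdict(set)
    for a in alerts:
        signals[a["host"]].add(a["signal"])
    return {host for host, s in signals.items() if len(s) >= min_signals}


if __name__ == "__main__":
    found = detect(build_sample_log())
    for a in sorted(found, key=lambda a: a["ts"]):
        print(f'{a["ts"]} {a["signal"]:<22} {a["user"]}@{a["host"]} {a["detail"]}')
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The thresholds here are deliberately conservative placeholders; in practice they are tuned against the real baseline of each share, and the isolation decision keys on two independent signals from the same host rather than on any single one, which keeps a bulk legitimate save from being treated as an outbreak.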
Gullible users, incorrect endpoint configurations, incorrect network configurations, incorrect access control – a lot of things have to go wrong for ransomware to go right. Backups are fine if you want to recreate the past, but the most effective countermeasure you can deploy is to reduce your attack surface by proactively managing privileges to your endpoints, servers, and systems, and monitoring carefully for attempts to do evil. When ransomware ceases to be a viable attack vector, it will go away. Help drive it away sooner by stopping it before it can start.
[1] Steve Morgan, "Global ransomware damage costs predicted to exceed $5 billion in 2017, up from $325 million in 2015," Cybersecurity Ventures, https://cybersecurityventures....
[2] Adam Young and Moti Yung, "Cryptovirology: Extortion-Based Security Threats and Measures," Proceedings of the 1996 IEEE Symposium on Security and Privacy, May 6-8, 1996, http://citeseerx.ist.psu.edu/v...
[3] Symantec Corporation, "Internet Security Threat Report," Volume 22, https://www.symantec.com/secur...
[4] BeyondTrust Corporation, "PowerBroker for Windows: Privilege and Session Management for Microsoft Windows," 2017
[5] G. Mark Hardy, "Behind the Curve? A Maturity Model for Endpoint Security," https://www.sans.org/reading-r...
G. Mark Hardy, CISSP, CISA – President, National Security Corporation
G. Mark Hardy has been providing information security expertise to government, military, and commercial clients for over 25 years. A long-standing industry veteran, he is a perennial speaker at major industry trade shows. As president of National Security Corporation, he directs the efforts of the information security consulting firm he founded in 1988.