Ransomware: Here Today, Here Tomorrow

21st May 2020

With all our energy of the past several weeks focused on adapting to the global crisis, security may have taken a back seat. But cyber criminals haven’t forgotten. Networks have been turned inside out, and they have been very actively targeting remote workers that used to be protected by the network perimeter with fake COVID-related material and other social networking attacks. And they have been probing these new network environments for vulnerabilities in the hopes that may have been pulled together too quickly to have implemented adequate security protections and controls. 

FortiGuard Labs has been actively monitoring the threat landscape during this time, and they have seen a significant increase in threats targeting individuals through phishing and infected websites. Email attachments contain infected and malicious content, which explains why they recorded a 131% increase in viruses during March of this year. It also explains why they have seen a reduction in traditional attacks as cyber criminals shift focus. Incidents of ransomware are likely to rise as cyber criminals look to use compromised end user devices as a conduit back into a core network that may not be being watched as carefully as it once was.

So last week Fortinet pulled together three members of the FortiGuard Labs Team – Derek Manky, Aamir Lakhani, and Douglas Santos for a “digital” Q&A interview on ransomware. Their goal was to better understand the level of threat it poses and what organisations should do about it now, while their networks are still in a state of flux.

What Does the Ransomware Landscape Look Like Today? Is it Still a Leading Threat?

Derek

Among the types of attacks that keep security professionals up at night – it is ransomware for sure, and the threat shows no signs of slowing down. And when it comes to defending against ransomware, security tools are only as good as the team that manages them. Everything from configuration errors to solution sprawl can weaken the power of enterprise cybersecurity defences to detect and prevent cyber attacks. However, especially when it comes to ransomware, the biggest problem is the human factor. 

Douglas

I agree. But there are still are other things to consider, such as the lack of pervasive visibility and control experienced by most of the companies that have fallen victims to these attacks. With the number of new zero-day vulnerabilities out there, and the number of water-hole attacks using these zero-day exploits, the next big hack could be a Website visit away. Even with the latest security controls in place, if you have a zero-day breach you are going to have to rely on all three pillars of a robust cybersecurity program – people, processes, and technology – to identify the threat as soon as it breaks out. Anti-exploit and EDR (endpoint detection and response) solutions are excellent tools for discovering malware on an endpoint device before it migrates to the network and then shares that information downstream. ISFW (internal segmentation firewall) can then apply dynamic segmentation to quarantine the host. And SOAR (security orchestration, automation, and response) can quickly create remediation’s around that newly gathered intelligence. This strategy doesn’t just work for ransomware, but can be used to stop most advanced attacks.

Aamir

The reality is, ransomware is not complex and sophisticated malware. However, this actually makes it much more dangerous because the threshold of knowledge that attackers must possess is low, which means that ransomware tool-kits can be downloaded from the Internet and modified with minimum programming knowledge. It’s true that most of this ransomware probably won’t work on large organisations because security devices will catch and block it. But given the new environment, everyone is working in today – with novice remote workers, overworked IT teams, and new and largely untested security policies – this is when organisations are suddenly very likely to get attacked. Volume-wise, there are other threats that may be more prevalent. But ransomware is a leading threat based on impact it has within an organisation, as one ransomware attack can completely shut down a business.

Why Do Cyber Hygiene and the “Human Factor” Continue to be Primary Concerns for Ransomware?

Aamir

The sad truth is, most attacks can be avoided. Organisations have a hard time patching devices. Of course, this is not always their fault. Patches need to be tested, and that can take time in large and complex environments. Often, users have administrative rights on their system to ease the burden and costs of management and IT support staff, but that makes it difficult to automate patches and updates. And in large, mobile environments, getting users to apply patches can be difficult because of things like geographic disparity. However, if these problems were to be solved, most ransomware simply would not be effective. 

Derek

The problem is not awareness – it is rooted in human behaviour. Awareness and action are two very different things. In addition to broad brush attacks that target everyone, emails are also being cleverly written to target specific types of individuals at an organisation, either directly, or through a new technique where they insert phishing emails into an active email thread to increase the likelihood of it being clicked on. This type of attack is known as spearfishing, and if the target is a member of the C-suite, it is called “whale phishing.” But regardless of who is being targeted, everyone is susceptible to a carefully crafted email arriving when they are just distracted enough to not be paying attention. 

Douglas

And when we say human factor, we are not only pointing to naive people who click on links or open malicious documents. This also includes defenders and executives who don’t understand these threats or how to stop them. Threat technologies are advancing way faster than most of us are able to consume, understand, and apply. And the skills gap continues to widen as well. It’s a tough challenge.

How Do You See Ransomware Progressing During 2020?

Derek

What has been on the rise, and what I predicted to get worse in 2020, are the more targeted ransomware attacks that cost businesses more from an operational and regulatory perspective. Malware and ransomware attacks in general are a completely different game now because these attacks are being targeted and specifically crafted to certain internal systems. Another factor contributing to the growing attacks on businesses and enterprise organisations is the ready availability of Ransomware-as-a-Service (RaaS) offerings, which is something I predicted years ago would happen as an evolution of ransomware. And in 2020 we are already seeing another shift, with ransomware jumping to leverage the timely cyber criminal opportunity around COVID-19, which demonstrates that ransomware evolution is not just about targeted attacks. And this sort of multi-pronged attack front is much harder to defend against.

Douglas

Yes, but I also believe that we still may see another mass ransomware exploit, such as the one we experienced with WannaCry, simply because there are a lot more ‘wormable’ vulnerabilities out there, like BlueKeep and the newest one in SMBv3, which has been dubbed SMBGhost. It’s just a matter of time.

Aamir

I think we will see a significant rise in ransomware attacks. The COVID-19 pandemic has caused a shift in many projects, but it has also caused urgency in timelines. This includes cloud-based migration, remote access, and more reliance on web-based applications. There are many people in IT that are working under more stress and more pressure than before. Additionally, other industries, such as healthcare and some types of manufacturing and transportation, are under more pressure than before to keep their networks up and running. Attackers understand that these industries would rather pay a ransom rather than deal with any slowdown or shutdown in their operations.

If the device of a remote worker can be compromised, it can become a conduit back into the organisation’s core network, enabling the spread of malware to other remote workers. The resulting business disruption can be just as effective as a ransomware attack that targets internal network systems at taking a business offline. Since help desks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while devices are mailed in for re-imaging. Cyber criminals understand that times of rapid transition such as this can cause serious disruptions for organisations. In the rush to ensure business continuity, things like security protocols can get overlooked, and criminals are looking to take advantage of any inadvertent security gaps.

What Can Organisations Do?

Derek

We are at an especially vulnerable moment in our transition to a digital economy. Organisations need to take steps now to protect their networks and networked resources from the growing problem of sophisticated ransomware. While each network environment is different, here are 20 things any organisation can begin to implement today to reduce their risk from ransomware and other advanced threats.

1. Wherever possible, patch and update operating systems, devices, and software. Make this a priority for your remote workers ¬– especially those using personal devices to connect to the corporate network. 
2. For devices that can’t be patched, ensure that appropriate proximity controls and alerts are in place.
3. Make sure that all endpoint devices have advanced security installed, such as anti-exploit and EDR solutions. 
4. Also make sure that access controls, such as multi-factor authentication and even Network Access Control solutions are in place. 
5. Use NAC to inspect and block bring-your-own-devices that do not meet security policy.
6. Segment your network into security zones to prevent the spread of infection and tie access controls to dynamic segmentation.
7. Use inventory tools and IOC lists to prioritise which of your assets are at the most risk.
8. Update your network IPS signatures, as well as device antivirus and anti-malware tools.
9. Back-up systems and then store those backups offline – along with any devices and software you may need in the event of a network recovery. 
10. Make sure that ransomware recovery is part of your BCDR, Identify your recovery team, run drills, and pre-assign responsibilities so systems can be restored quickly in the event of a successful breach.
11. Update your email and web security gateways to check and filter out email attachments, websites, and files for malware. 
12. Make sure that CDR (content disarm and recovery) solutions are in place to deactivate malicious attachments.
13. Use a sandbox to discover, execute, and analyse new or unrecognised files, documents, or programs in a safe environment. 
14. Block advertisements and social media sites that have no business relevance. 
15. Use zero-trust network access that includes virus assessments so users can’t infect business-critical applications, data, or services.
16. Use application whitelisting to prevent unauthorised applications from being downloaded or run. 
17. Prevent unauthorised SaaS applications with a CASB solution.
18. Use forensic analysis tools to identify where an infection came from, how long it has been in your environment, ensure you have removed all of it from every device, and ensure it doesn’t come back.
19. Plan around the weakest link in your security system – the people who use your devices and applications. Training is essential but limited. Proper tools, such as secure email gateways, for example, can eliminate most if not all phishing emails and malicious attachments.
20. Leverage people, technology, and processes to quickly gather threat intelligence about active attacks on your networks and act on it, using automation where possible. This is crucial to stopping an advanced attack in its tracks.

Now Is Not the Time to Take Your Eye Off the Ball

Even though we are all running as fast as we can to keep our businesses up and running, we are also more exposed than ever to criminals who want to take advantage of this crisis. Ransomware and other advanced threats have not slowed down just because we are busy. In fact, based on Fortinet’s ongoing analysis of the threat landscape, the opposite is true.

Most organisations should have their remote worker strategy in place. Now is a perfect time to review the steps outlined above, conduct a thorough review of your security policies, and make necessary adjustments. Prioritise your challenges and work through them one at a time. Every step you take now to tighten down your policies and practices is a threat averted. And we could all use one less thing to worry about right now.