Best Practices for Protecting Networks Against Ransomware

According to the 2020 Verizon Data Breach Investigations Report, ransomware is the 3rd most frequent type of malware attack. A recent example came on October 4th, when Universal Health Services (UHS), a Fortune 500 hospital and healthcare service provider, reportedly shut down systems at healthcare facilities across the US after a cyber-attack hit its internal network.

A healthcare attack of any kind can be lethal, especially given the current state of the pandemic. This is yet another recent cyber-attack that ended with IT infrastructure being shut down because of ransomware. In this case, UHS is redirecting some patients to nearby hospitals.

However, many people are not aware that the activation of the ransomware is only the final stage of an attack. Before the payload executes, there are many phases, and many opportunities to stop the attack.

Well, what exactly is ransomware?

Ransomware is malicious software designed to block the use of a computer system's files until a ransom is paid. Most ransomware variants encrypt the files on the affected device, rendering them unavailable, and demand a ransom payment to restore access to them.

Ransomware code is often sophisticated, but it doesn't have to be: unlike other forms of conventional malware, it generally does not need to stay undetected for long to achieve its goal. This relative ease of implementation, combined with high profit potential, attracts both sophisticated cybercrime actors and novices to run ransomware campaigns.

“In 7% of the ransomware threads found in criminal forums and market places, ‘service’ was mentioned, suggesting that attackers don’t even need to be able to do the work themselves.” - 2020 Data Breach Investigations Report, Pg. 16.

Ransomware is so popular that there are services a cybercriminal can purchase that take care of the implementation on their behalf. With such a thriving market, ransomware and ransomware-as-a-service offerings are only expected to increase.

How does ransomware find its way into the network?

The most common way for an attacker to deliver malicious files is to exploit common human error, typically through phishing: the attacker sends an email that appears legitimate but encourages the recipient to click a link or download an attachment. The attachment often carries a payload that delivers the malicious software. Attackers also exploit exposed interfaces such as RDP and unpatched web applications. Ransomware is delivered through compromised or malicious websites as well, via drive-by-download attacks, and some ransomware campaigns have used social media messaging.

Ransomware is usually distributed with a “shotgun” approach, where attackers acquire email lists or compromised websites and blast out the ransomware to as many targets as possible.

[Image: Microsoft]

Protect against ransomware

There are several stages in the attack life cycle at which malware can be stopped. The first stage is preventing it from entering the network; the second stage (assuming the ransomware is not fully autonomous) is preventing it from communicating with its Command and Control (C2) server; the third stage is stopping it immediately after it starts to execute and before it moves laterally within the network.

The first stage – preventing malware from entering the network – is the most important one. Attackers will usually try phishing techniques, or take advantage of unsecured remote access such as misconfigured RDP connections and endpoints that do not comply with company policy. Such devices can let the ransomware piggyback on their connection into the organization's network.

The second stage – denying the malware communication with its C2 server – is usually implemented with a firewall and a network-based detection system that looks for known network signatures in outbound traffic.

The third stage – stopping the ransomware from activating and spreading through the network – is, at that point, much more complicated and resource-consuming.
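The second stage above is where network telemetry does the work: outbound connections from workstations are checked against known-bad destinations (signature matching) and against the behavioural pattern of a beacon, a host calling the same destination at near-constant intervals. The following Python script is an added example, not OPSWAT code or anything from the article; the firewall log format, the host names, the destinations (RFC 5737 documentation addresses and `example.com`/`example.net` names) and the blocklist entry are all constructed for illustration, and a real deployment would feed it a threat-intelligence indicator list and the organization's actual connection logs.

```python
"""Second-stage detection: flag outbound C2-like traffic in firewall/proxy logs.

Added example (not OPSWAT's or the article's code). The log format, hosts,
destinations and blocklist below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed log lines: "<ISO timestamp> <source host> <destination>:<port>".
SAMPLE_LOG = """\
2020-10-04T09:00:00 ws-014 203.0.113.7:443
2020-10-04T09:00:02 ws-021 198.51.100.22:80
2020-10-04T09:01:00 ws-014 203.0.113.7:443
2020-10-04T09:02:00 ws-014 203.0.113.7:443
2020-10-04T09:03:00 ws-014 203.0.113.7:443
2020-10-04T09:04:00 ws-014 203.0.113.7:443
2020-10-04T09:00:30 ws-021 www.example.com:443
2020-10-04T09:07:11 ws-021 www.example.com:443
2020-10-04T09:31:45 ws-021 www.example.com:443
2020-10-04T09:02:15 ws-033 bad.example.net:443
"""

# Placeholder indicator list; in practice this comes from a threat-intel feed.
BLOCKLIST = {"bad.example.net"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+)$")


def parse_log(text):
    """Parse log text into (timestamp, src, dst, port) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # a malformed line must not abort the whole scan
        ts, src, dst, port = match.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def blocklist_hits(events, blocklist=BLOCKLIST):
    """Signature check: any (source, destination) pair reaching a known indicator."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in blocklist})


def beaconing_pairs(events, min_connections=5, max_jitter=0.2):
    """Behavioural check: a source contacting one destination at regular intervals.

    The coefficient of variation (stdev / mean) of the inter-connection gaps
    measures regularity; a low value means a machine-timed beacon rather than
    a person browsing. Thresholds are illustrative and should be tuned.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst, port)].append(ts)

    flagged = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # burst of identical timestamps; not a periodic beacon
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            flagged.append({"src": src, "dst": dst, "port": port,
                            "interval_s": round(mean_gap, 1),
                            "jitter": round(jitter, 3)})
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("blocklist hits:", blocklist_hits(evts))
    print("beacon candidates:", beaconing_pairs(evts))
```

On the constructed sample, the signature check catches `ws-033` talking to the blocklisted name, and the behavioural check flags `ws-014`, which contacts `203.0.113.7:443` every 60 seconds with zero jitter, while `ws-021`'s irregular visits to `www.example.com` are left alone. Either finding is a trigger to block the destination at the firewall and isolate the host before the third stage (execution and lateral movement) begins.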

OPSWAT offers preventative solutions so you can defend yourself from being attacked. Our solutions help organizations prevent malware from getting into their networks: the email gateway security solution to stop phishing, the secure access solution to help with compliance validation, and file upload security that performs Deep CDR (Content Disarm and Reconstruction) using MetaDefender Core. These are just some of the many products OPSWAT offers to help keep critical infrastructure networks secure from ransomware. For more information, contact us today.

References

https://tcrn.ch/3jaFgmL

https://enterprise.verizon.com/resources/reports/dbir/

https://www.blackfog.com/the-state-of-ransomware-in-2020/

https://www.microsoft.com/en-us/download/details.aspx?id=101738
