Ransomware Underscores Need for Layered, Predictive Defenses

A congressional investigation into the ransomware attacks that targeted CNA Financial Corp., Colonial Pipeline Co., and JBS Foods USA found that in all three cases the attackers exploited “small failures” in the security postures of the companies.

“Ransomware attackers took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormously costly attacks,” according to a Nov. 16 memorandum from the House Committee on Oversight and Reform. “Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack.”

In the CNA attack, the attackers convinced a single employee to accept a fake web browser update from a website. The Colonial Pipeline attack began with a stolen password for an outdated user account. At JBS, ransomware attackers took advantage of an old administrator account that had not been deactivated and was protected by a weak password.

Robert Bigman, President of 2BSecure Inc. and the former Chief Information Security Officer at the Central Intelligence Agency, said the most capable ransomware gangs are funded by the Russian Mafia and supported (both knowingly and unknowingly) by talented hackers around the world.

“It’s just not enough anymore to simply be good at security,” Bigman said in an interview. “I’ve seen a major company that had good compliance-level security forced to pay a ransom because they didn’t know that a server in their DMZ was running archiving software that leveraged an outdated version of IIS. And the attackers were able to use a fairly common exploit to install a memory-resident remote access trojan (RAT),” he said. 

Three Layers of Predictive Ransomware Protection

PREVENT

The ransomware ecosystem is complex and constantly expanding. In the wild today, both novel and commoditized ransomware strains are in active use. 

Machine learning makes it possible to uncover the most novel strains of ransomware. Behavior-based protection goes beyond signatures to include blocking malicious behaviors across the enterprise that are specific to never-before-seen ransomware. 

When ransomware technologies are created they don’t go away over time; they stay around for years and years. That’s why your ransomware protection must address both old and new strains. 

To accomplish this, your platform must be capable of enriching static signatures with threat intelligence that contextualizes attacks without the need to research off-platform and provides clear details on what took place and how to respond and recover. And since many organizations receive their threat intelligence in the form of SHA-256 values, your anti-ransomware platform should support the collection, detection, and querying of malicious activity by SHA-256 hash values.

Behavioral document protection is also critical to preventing next-generation tactics like document-based attacks. Adversaries will often try to hide malware in documents leveraging malicious macros that create a foothold in the network once an unsuspecting user clicks on the document. 

In addition to preventing document-based attacks, your anti-ransomware platform must address script-based attacks. There must be a prevention layer for attacks leveraging PowerShell, .NET, living-off-the-land techniques, fileless, and in-memory attacks.

Cybereason integrates with the Anti-Malware Scan Interface (AMSI), which provides additional visibility into native scripts that attackers use for lateral movement (JScript and VBScript), as well as Office Macros, and Windows Management Instrumentation (WMI).

An anti-ransomware platform that lacks fileless protection presents a major security gap. We know that attackers can bypass AMSI, and older operating systems, like Windows 7, don’t require AMSI.

Bigman highlighted in the recent attack he observed that the attacker leveraged a memory-based attack. Solutions that are unable or ineffective at preventing script-based and other memory-based attacks such as those delivered via PowerShell, .NET, JScript, VBScript, or WMI will miss these critical—and seemingly small—holes in defenses. 

PREDICT

A best-in-class predictive ransomware platform will always assume that an attacker will find a way to avoid detection. That’s why it is critical to be able to predict the encryption phase of a ransomware attack. By leveraging artificially intelligent endpoint technology and kernel-to-cloud visibility, we’ve made it possible to identify encryption behavior and activity at the earliest possible moment and predict the trajectory of the attack more rapidly than most other platforms.

Through Global File Manipulation Detection, Cybereason can monitor files for behavioral changes that are indicative of encryption or other stages of ransomware. 

We also know that adversaries are constantly changing their tactics, techniques, and procedures in an effort to avoid detection. Global File Manipulation Detection leverages a technique known as fuzzy matching, meaning that it calculates a significant level of difference between file contents that enables malicious alterations to be identified. Monitoring files at the binary level enables this analysis to detect when the contents of the file are being randomized, indicating malicious activity.

All defenders are racing against time when it comes to defeating ransomware. So being able to detect encryption at the kernel level and reducing your mean-time-to-respond is essential. And to keep that prediction layer running at full speed requires the ability to push updates to sensors on Windows and Linux endpoints in real-time without the need to reboot.

RESTORE

Given the capabilities outlined above, the vast majority of ransomware that Cybereason customers might come into contact with will be stopped dead in its tracks long before it reaches the encryption stage. A rollback feature is still an important tool to have. But your anti-ransomware platform should not rely on a rollback feature as its primary defense strategy. Relying solely on data backups and rollbacks is a defeatist mindset and assumes adversaries are able to escalate their activities to the point of an enterprise-wide breach. 

Cybereason prevents ransomware before escalation and includes the ability to restore encrypted files to their previously unencrypted state as a final layer of defense against ransomware operations.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Dan Verton
About the Author

Dan Verton

Dan Verton is Director of Content Marketing at Cybereason. Dan has 30 years of experience as a former intelligence officer and journalist. He is the 2003 first-place recipient of the Jesse H. Neal National Business Journalism Award for Best News Reporting – the nation’s highest award for tech trade journalism and is the author of the groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill, 2003). He most recently served as an intelligence advisor and co-author of a nationwide TSA anti-terrorism awareness training program.

All Posts by Dan Verton