Unless you have been living under a rock for the past year you will have seen the rise of ransomware attacks worldwide. There are lots of great online resources that cover ransomware in great detail so we will not repeat that here. Instead, we are going to look at three questions that we are often asked when discussing ransomware.
- “What are the current delivery methods for Ransomware that you are seeing?”
- “How should we respond to an incident?”
- “What should I do to mitigate?”
This article will look at each question in turn.
Ransomware Delivery Methods
We have seen a split between the different delivery methods used by various ransomware gangs, and the methods used differ due to the technical skill set of the attackers and also when targeting end users or corporate systems directly.
Targeting end users
The main methods employed to get the ransomware on to the target system still fall within the following two categories:
- Email based attachments – often using fake invoices with embedded malicious macros.
- Malicious Websites – where exploit kits are used to deliver the malicious payload. This can be through accidentally visiting a site while browsing the Internet or via clicking on a link within a malicious email.
Targeting Corporate Systems
- Internet Exposed Remote Management – where remote management systems are compromised (often through weak passwords) and the ransomware is directly delivered on to corporate servers.
In terms of remote management compromise, the attacks appear to use the following approach:
- Identify remotely exposed RDP with weak credentials.
- Create further administrative level accounts on the server to maintain access.
- Maintain access for a period of time (in one case, we dealt with, access was maintained for at least four weeks).
- Drop ransomware.
It would appear that stages 1-3 is most likely a separate party to those dropping the ransomware. From what we have seen, it is likely that access to the compromised server is being sold once the entity responsible for the initial breach has gained everything they want from the server. My assumption is that the entity selling access, could easily be selling access to a number of malicious parties and if one happens to be focused on ransomware, then that is the impact on the end client.
When dropping the ransomware, more capable gangs are mapping a drive and running the malicious code remotely, while those at the lower end are most likely purchasing ransomware kits and often drop the executable directly on to the box.
Responding to a Ransomware Attack
A key action at an early stage of any incident is to stop the ransomware from continuing to encrypt files and causing further damage. As attacks can be focused towards end users as well as directly against corporate environments, steps should be taken to identify the type of attack. Identification of the type of attack is fundamental to understanding right approach for remediation to allow for the most effective infected asset identification and its removal from the network.
The following high-level approach is suitable for most ransomware attacks, while being agile enough to enable the incident analysts to address the ever changing nature of ransomware families.
- Identify patient zero and isolate from the network.
- Analysis of the ransomware family to identify clean up activity required and if files can be recovered directly.
- Identify route of compromise (email / web browsing / remote access).
- Block access to malicious sites / remote access solutions / remove infected emails to prevent further re-infection and or command and control.
- Identify the technology flaw exploited to gain initial compromise and remediate wider environment to protect from repeat infection.
- Identify key documents encrypted and conduct Internet search to confirm no external exfiltration of data.
Again there are many online guides and resources that outline how to mitigate ransomware1. However, this is in essence an arms race between the ransomware gangs and the current defences that can be deployed. As such, it is likely that new approaches that do not have current mitigation will be identified and exploited by the gangs. Therefore, incident planning and response should also play a significant part in your preparation.
Beyond maintaining effective backups that are protected from ransomware attacks and can be successfully restored in a timely manner, a number of further key mitigating activity can be deployed to reduce the likelihood of a successful attack:
- Reduce technology surface – remove any unnecessary software, technology stacks such as java, flash etc from the enterprise.
- Hardening of web browser – protect end users from opportunistic attack via malicious web sites by applying additional security controls within the browser.
- Patching – keep technology up to date, especially java, adobe, browsers and main operating systems.
- User awareness- work with your staff to raise awareness of phishing style emails, malicious documents and what actions to take if an infection occurs.