If you work in information security, the odds are high that you spend a significant amount of time battling ransomware. In a previous article I covered the fundamental issues and economics that are fueling the rise of this particular type of malware. For the TL;DR crowd, it boils down to profitability – ransomware doesn’t require a complex ecosystem to monetize stolen data, and practically any data is fair game.
And while early versions of ransomware targeted individuals, the approach is now rapidly evolving and has been successfully adapted to target enterprises. This has raised the stakes, prompting considerable changes to current best practices for protecting data from ransomware.
Ransomware meets the APT
The combination of ransomware and advanced persistent threats may sound like a 1950s monster movie for cybersecurity professionals, but it is unfortunately becoming a reality. Recent research from Microsoft into the Samas strain of ransomware (also known as MSIL) reveals a far more targeted and patient approach to extorting money from enterprises.
The Samas operation begins by using a common vulnerability scanner to find potential victims. However, things get more interesting once the initial victim is found. Attackers then leverage a tunneling tool called reGeorg. Using this tunnel, attackers run a variety of tools inside the network to extend the threat and lay the groundwork for a more strategic approach to ransomware.
With initial access established, attackers capture credentials from compromised machines to extend their reach further into the network. Then they spread the malware to other machines in the network using the venerable Sysinternals tool PsExec.
This is when things take an even more insidious turn. Next, attackers scan the network and compromised devices for backup files. If backup files are found, they are deleted before the attackers begin encrypting files.
Adapting your defenses
The evolution of ransomware from simple malware to more persistent attacks has a major impact on the way security teams have to think about mitigation. A solid data backup plan has traditionally been a linchpin in the fight against ransomware. If you can replace the encrypted data, then the would-be extortionists have no leverage.
But with Samas, attackers go the extra mile to seek out and destroy backups prior to encryption. Although it currently seems to be limited to searching for local backups, the strategy could extend to cloud-connected backup as well. The same user credentials that cybercriminals use in other attack phases can be repurposed to access remote cloud backups.
The good news is that these complex attacks give security teams ample opportunities to detect threats before damage is done. External tunnels like reGeorg enable all sorts of remote attacker mischief that can be detected if you know what to look for. Likewise, credential abuse and the internal spread of malware leave behavioral footprints that security teams can detect if internal traffic is monitored.
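As an added example (not from the original article or from Microsoft's research), the following Python script correlates two of the footprints described above on constructed Windows event log lines: a PsExec service install on a host (PsExec registers a service named PSEXESVC, recorded as System log event ID 7045) followed within a time window on the same host by a process that deletes backup files (Security log event ID 4688, process creation). The log line format, hostnames, paths and timestamps are all assumptions made for the example.

```python
"""Flag hosts where a PsExec service install is followed by backup-file deletion."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. Format: "timestamp host event-id detail".
# 7045 = "a service was installed"; 4688 = process creation with command line.
SAMPLE_LOG = """\
2016-03-20T02:10:05 FS01 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2016-03-20T02:11:40 FS01 4688 CommandLine=cmd.exe /c del /f /q D:\\Backups\\*.bak
2016-03-20T02:12:02 FS01 4688 CommandLine=cmd.exe /c del /f /q D:\\Backups\\*.bkf
2016-03-20T09:30:00 WS07 7045 ServiceName=GoogleUpdate ImagePath=C:\\Program Files\\Google\\Update.exe
2016-03-20T09:31:00 WS07 4688 CommandLine=notepad.exe C:\\Users\\bob\\notes.txt
2016-03-21T14:00:00 FS02 4688 CommandLine=cmd.exe /c del /f /q E:\\old\\*.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
# Extensions commonly used by backup products; extend to match your environment.
BACKUP_EXT_RE = re.compile(r"\.(bak|bkf|vhdx?|tib)\b", re.IGNORECASE)
DELETE_RE = re.compile(r"\b(del|erase|remove-item|rm)\b", re.IGNORECASE)


def parse(log_text):
    """Yield (timestamp, host, event_id, detail) for each well-formed line, in file order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], int(m[3]), m[4]


def find_backup_wipes(log_text, window_seconds=3600):
    """Return (host, timestamp, command line) for backup deletions that occur
    within `window_seconds` after a PSEXESVC install on the same host."""
    window = timedelta(seconds=window_seconds)
    installs = defaultdict(list)  # host -> timestamps of PsExec service installs
    hits = []
    for ts, host, event_id, detail in parse(log_text):
        if event_id == 7045 and "PSEXESVC" in detail.upper():
            installs[host].append(ts)
        elif event_id == 4688 and DELETE_RE.search(detail) and BACKUP_EXT_RE.search(detail):
            # A lone deletion is noisy (admins do it too); require the lateral-movement precursor.
            if any(timedelta(0) <= (ts - t) <= window for t in installs[host]):
                hits.append((host, ts.isoformat(), detail))
    return hits


if __name__ == "__main__":
    for host, when, cmd in find_backup_wipes(SAMPLE_LOG):
        print(f"ALERT {host} {when}: backup deletion after PsExec install: {cmd}")
```

Only FS01 is flagged: FS02 deletes backups without a preceding PsExec install, and WS07's service install is not PsExec.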
In this regard, ransomware in the enterprise is the new face on an attack trend we have seen before. Commodity threats often target as many victims as they can to make money in bulk. However, as threats mature and focus on the enterprise, it behooves attackers to be more patient and persistent in their search for high-value data within an organization.
Whether attackers want to steal data or encrypt it for ransom, the focus on key assets remains consistent. It comes as no surprise to see ransomware travel the same evolutionary path as other threats. The end result may be damage instead of theft, but the strategy is the same.
The upside is that our defensive strategies still apply in either case. Attackers will continue to get in the front door, but if we look for the progression of the attack, we can stop the threat before damage is done.