Ransomware is one of the biggest security threats facing companies today. Criminal ransomware gangs have steadily developed their attack tactics in recent years and continue to put the squeeze on companies. They threaten to disseminate stolen data publicly or sell it on the darknet. In order to defend against increasingly sophisticated attacks, it is important to understand how ransomware groups operate and how they use their insidious tactics. We cast light into the darkness and show you how to break a ransomware kill chain.
Rise and spread of ransomware
Ransomware, once (just) an annoying piece of malware that cyber criminals used to restrict access to files and data by encrypting them, is now turning into an attack method of epic proportions. While the threat of permanent data loss alone is frightening, cybercriminals and state-backed hackers are now so sophisticated that they’re using ransomware to penetrate and paralyse companies, state and local authorities, global infrastructures and healthcare organisations. Many of these groups also offer their services as Ransomware-as-a-Service (RaaS).
Ransomware and its devastating consequences
The consequences of a ransomware attack can be devastating: downtime brings business operations to a standstill, disrupts productivity and jeopardises your data. A leak or compromise of confidential company data not only damages your reputation, but can also have legal consequences. Not to mention the fact that cybercriminals can use this sensitive data against your organisation or carry out other insidious acts – including selling confidential data.
Understanding the cyber kill chain of ransomware
Ransomware attacks are complex. Breaking into your IT system can mark the start of a dangerous game of cat and mouse. To maximise the damage, the attackers distribute their malicious payload throughout the network and then start the encryption process. If the attackers can only encrypt a single computer, they don’t have enough leverage to demand a ransom. For the ransomware attack to be successful, the attacker needs to carry out various steps, such as identifying the network resources, moving laterally in the network etc. These steps are often referred to as the cyber kill chain of ransomware attacks.
Figure: Ransomware Kill Chain, source Akamai
The ray of hope: every single step taken by the ransomware gang opens up opportunities for your company to detect and defend against attacks. Let’s now take a look at how you can minimise and contain the damage caused by ransomware.
Deception strategy against exploration
A ransomware attack begins with an initial intrusion, often enabled by a phishing email, a vulnerability in the network environment or brute force attacks, creating gaps to distract defences from the attacker’s real intent.
When attackers infiltrate a network, they initially have no knowledge of the network structure and the various assets it contains. To close this knowledge gap, they’re forced to probe “in the dark” and “feel” their way manually.
Take advantage of this fact by using a deception service – for example based on the Akamai Guardicore Segmentation. This lures attackers into a honeypot server and monitors their activities separately. If an attacker penetrates the network and attempts to obtain the SSH login data of a Linux server using a brute force strategy, this anomaly is identified and the attacker is forwarded to a dynamically generated honeypot. In addition, the Akamai solution monitors all communication on your network and has integrated detectors that recognise scans and notify you, which prevents the spread of the malware before it even starts.
Stop lateral movement to protect against ransomware
Once an attacker has gained access to the network and learnt about its topology, they will use this to move laterally across the network and maximise infection and encryption points.
Typically, the attackers seek to take control of a domain controller and compromise the credentials before searching for and encrypting the backup. Their goal is to prevent the victim from recovering the data. Lateral movement is therefore crucial to the success of an attack. If the malware cannot spread beyond its landing point, it’s useless. Preventing lateral spread is therefore critical in defending against attack. You should therefore use security solutions that restrict such lateral movements and thus minimise the extent of the attack.
Detecting and preventing lateral movement within your network can be reduced to two main areas: first, reduction of the original attack vector; and second, limitation of propagation paths.
You can limit the number of servers exposed to the Internet, optimise patch management and thus reduce the attack surface. You should also practise ring-fencing to reduce the propagation paths between applications. Regular (offline) backups of your data help you to get back online after a successful defence against an attack without having to settle for extensive data loss.
You can find out how to efficiently block lateral network movement in our five-step infographic:
Blockade against extraction domains
In recent years, attackers have adapted their blackmail tactics and started to distribute their victims’ confidential files and use them as additional leverage. Attackers try to hide in the network noise while extracting data from the organisation. The good news is that they can often still be recognised and blocked in this phase.
Attackers usually use public tools to steal data from the network. Public hosting services such as MEGA, Dropbox and Google Drive are a very common option. The challenge in monitoring these domains is to ensure that they are being used legitimately within the network. For example, accessing the MEGA domain via a browser can definitely be considered legitimate. In contrast, access using the rclone utility, which is actively used by several attack groups for data extraction, would be classified as malicious. Minimise this risk by blocking access to such domains on all endpoints that do not require it. However, allow access via authorised applications such as browsers.
Find out how Akamai Guardicore Segmentation can help you minimise the impact of ransomware attacks on your business and protect your valuable assets in our detailed whitepaper.
Five-point ransomware defence strategy
Despite the best protective measures, security gaps are unavoidable. That’s why you need a defence strategy that minimises the effectiveness of an attack and prevents it from spreading within your network.
We’ve prepared a five-point summary for such a ransomware defence strategy:
| 1. Prepare: |
You need a solution that enables you to identify all the applications and systems running in your IT environment. This detailed insight enables you to quickly allocate critical systems, data and backups and recognise vulnerabilities and risks. If you have a complete picture of your network environment, you’ll be able to react quickly and activate rules in the event of a security breach. |
| 2. Prevent: |
Your security solution should allow you to create rules to block common ransomware distribution techniques. Software-defined segmentation allows you to create zero-trust microperimeters around critical applications, backups, file servers and databases. You can also create segmentation policies that restrict traffic between users, applications and devices, ultimately blocking attempts by lateral entrants. |
| 3. Detect: |
Implement a solution that informs you about all access attempts to segmented applications and backups. These blocked access attempts provide indications of sideways movements. You should also include reputation-based detection that warns of the presence of known malicious domains and processes. By quickly detecting attacks that have successfully breached the perimeter, you can minimise dwell time and intercept attackers before they can do any damage. |
| 4. Remediate: |
The automatic initiation of measures to contain threats and quarantine as soon as an attempted attack is detected is crucial. Apply isolation rules that allow the affected network areas to be shut down quickly, while segmentation policies block access to critical applications and system backups. |
| 5. Recover: |
Finally, you need visualisation features that support phased recovery strategies, where connectivity is gradually restored as different areas of the network are deemed “safe”. |
Table: The five-pointstrategy against ransomware attacks
Multi-layered defence against ransomware attacks
As you can see, attackers have to go through various attack phases to achieve their goal. Each of these phases gives you the opportunity to block and recognise the associated harmful activities. With our Cyber Defence Services and Akamai’s segmentation solutions, defenders can take defensive measures at every stage of a ransomware kill chain to detect unusual behaviour and stop attackers.
This is also a requirement of NIS2, which calls for the implementation of holistic and strict security controls to reduce risks and prevent cyber security damage to systems and data. The requirements also address protection against ransomware, phishing and unauthorised access.
Stop ransomware! We’d be happy to show you how you can optimally secure your network and prevent lateral movements with our Managed Detection & Response Services and Akamai Guardicore Segmentation.
Caption: with DALL-E generated image
