Marie Hattar
Chief Marketing Officer

Blocking the Rise of Ransomware

April 28, 2017 by Marie Hattar

In the cybercrime economy, ransomware has become the criminal’s favorite tool for making a fast buck. The latest Verizon Data Breach Investigations Report (DBIR) states that it is the most common type of crimeware, as “holding files for ransom is fast, low risk and easily monetizable — especially with Bitcoin to collect anonymous payment.” It’s no surprise that ransomware has become a global epidemic, with attacks on companies up 300% since January 2016 and a new attack occurring roughly every 40 seconds.

The methods of ransomware delivery have also evolved, as criminals look to increase infection rates and grow their illegal revenues. Early delivery methods, such as an infected executable attached directly to an email, could be detected and blocked relatively easily by signature-based antivirus products and security sandboxes. The current infection vectors are specifically designed to bypass these conventional defenses.

Criminals can easily mutate and adapt the core ransomware code just enough that it no longer matches the signature databases of antivirus software. These ransomware variants are known as ‘Zero Day Mutations’. Once security analysts have identified a new variant, signatures can be updated and rolled out so that antivirus products block it – but this can take hours, or days. During that window, organizations remain vulnerable to the new mutation, a fact which criminals continue to exploit to their advantage. You can find out more about ‘Zero Day Mutations’ in the Ixia Security Report.


As such, we need to evolve our defenses against ransomware so that they identify and block Zero Day Mutations. Rather than matching content against known signatures, we need to look at how ransomware actually behaves and where the email-borne attacks originate, so that any content exhibiting those behavioral traits can be detected before it has a chance to start encrypting files.

Targeting the chain of infection

The ransomware infection chain typically starts with a targeted phishing email carrying an attached document. The document contains a macro small enough to appear innocuous even to sandboxing technologies. When the document is opened and the recipient is lured into enabling macros, the macro activates and connects to the attacker’s remote server on the internet to download the ransomware payload onto the machine. The payload is delivered in an encoded or obfuscated form that the macro decodes only once it has arrived – so the content in transit appears harmless and becomes an executable only on the host machine.

Focusing ransomware protection on the content being sent to the organization is a losing battle. Email-borne macros are unlikely to be picked up even by advanced virtualized sandboxing, because a macro can be written to do nothing suspicious while it is being examined. Likewise, the downloaded payload doesn’t look malicious until it is actually on the machine and starts encrypting.

To block infections, we should look instead at the vital clue of where the infection is coming from, rather than only at what it is. The reason is simple: the payloads that start the final stage of a ransomware infection are delivered from known, malicious IP addresses on the internet. Because attacker-controlled infrastructure is a relatively scarce resource for cybercriminals, the same ‘bad’ IP addresses tend to be reused again and again. Even brand-new malware variants are linked to a relatively small number of compromised IP addresses.

This means that if a machine in your network attempts to download content from a known malicious IP address, you are very likely looking at the initial stage of a ransomware attack: there’s no need to recognize the macro that is attempting the download, or the content being downloaded, before acting. From there it is a relatively easy task to block, en masse, all outbound corporate connections to known malicious IP addresses at the network egress, at a single stroke slashing your chances of falling victim to a ransomware attack. Two practical caveats apply: threat intelligence feeds do contain false positives (shared hosting and CDN addresses in particular), so keep an allowlist and a review path rather than dropping blindly, and log every hit, because a blocked download attempt is also the earliest evidence that a host has opened a malicious document and needs attention.
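As an added illustration of the blocking approach described above (this is example code written for this page, not ThreatARMOR’s or Ixia’s own logic), the script below loads a constructed threat-intelligence feed of malicious IPs and CIDR ranges, scans constructed outbound-proxy log lines for connections to listed destinations, and renders egress block rules for them. The feed format, the proxy log format, the allowlist, and all addresses (RFC 5737 documentation ranges) are assumptions made for the example; the only real interfaces used are Python’s `ipaddress` module and standard `iptables` rule syntax.

```python
import ipaddress
import re

# Constructed threat-intelligence feed (CSV: indicator,category,first_seen).
# The indicators are RFC 5737 documentation addresses, not real ones.
THREAT_FEED = """\
# indicator,category,first_seen
203.0.113.7,ransomware-payload,2017-04-01
198.51.100.0/28,ransomware-payload,2017-03-20
203.0.113.200,c2,2017-04-10
"""

# Constructed allowlist: a feed-listed address the organisation knows to be
# shared infrastructure (e.g. a CDN edge). Connections to it are flagged for
# review instead of being dropped, to avoid a self-inflicted outage.
ALLOWLIST = ["198.51.100.1"]

# Constructed outbound-proxy log, hypothetical format:
# timestamp src_ip dst_ip dst_port method url user_agent
PROXY_LOG = """\
2017-04-27T09:12:01Z 10.1.4.22 93.184.216.34 443 CONNECT example.com:443 Mozilla/5.0
2017-04-27T09:12:03Z 10.1.4.22 203.0.113.7 80 GET http://203.0.113.7/load/a.bin Microsoft Office/15.0
2017-04-27T09:12:09Z 10.1.4.22 198.51.100.1 80 GET http://198.51.100.1/cdn/lib.js Mozilla/5.0
2017-04-27T09:13:40Z 10.1.4.37 198.51.100.9 8080 GET http://198.51.100.9/x.php Microsoft Office/16.0
2017-04-27T09:15:00Z 10.1.4.37 10.1.2.5 445 CONNECT fileserver:445 -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (.*)$")


def load_feed(text):
    """Parse the feed into (network, category) pairs. Single IPs become /32
    networks so one membership test handles both hosts and CIDR ranges."""
    feed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, category, _first_seen = line.split(",")
        feed.append((ipaddress.ip_network(indicator, strict=False), category))
    return feed


def lookup(ip, feed):
    """Return the feed category for ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, category in feed:
        if addr in net:
            return category
    return None


def scan_log(log_text, feed, allowlist):
    """Return one verdict per log line whose destination is on the feed.
    'block' means the connection should be dropped at the egress; 'review'
    means the destination is allowlisted and needs a human look."""
    allow = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, _method, url, ua = m.groups()
        category = lookup(dst, feed)
        if category is None:
            continue
        hits.append({
            "time": ts, "src": src, "dst": dst, "port": int(port),
            "url": url, "category": category,
            "verdict": "review" if ipaddress.ip_address(dst) in allow else "block",
            # An Office process fetching from a payload host is the macro
            # download stage described in the text and is worth escalating.
            "office_ua": ua.startswith("Microsoft Office"),
        })
    return hits


def egress_rules(feed, allowlist):
    """Render iptables egress DROP rules for the feed. A range that contains
    an allowlisted address is split around it with address_exclude() so the
    allowlisted host keeps working while the rest of the range is dropped."""
    allow = [ipaddress.ip_network(a) for a in allowlist]
    rules = []
    for net, category in feed:
        pieces = [net]
        for a in allow:
            nxt = []
            for p in pieces:
                if a.version == p.version and a.subnet_of(p):
                    nxt.extend(p.address_exclude(a))  # empty if a == p
                else:
                    nxt.append(p)
            pieces = nxt
        for p in sorted(pieces):
            rules.append(f"iptables -A OUTPUT -d {p.with_prefixlen} "
                         f"-m comment --comment {category} -j DROP")
    return rules


if __name__ == "__main__":
    feed = load_feed(THREAT_FEED)
    for hit in scan_log(PROXY_LOG, feed, ALLOWLIST):
        print(hit)
    print("\n".join(egress_rules(feed, ALLOWLIST)))
```

Run against the sample log, the scan flags the two Office-originated downloads from listed hosts as `block` and the CDN address as `review`; the rule generator emits six DROP rules, with the /28 range split into four sub-ranges so the allowlisted address is never blocked.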

ThreatARMOR breaks the ransomware infection chain by automatically blocking known bad IP addresses using a continuously updated threat intelligence feed. This lets it cut off both new attacks and existing infections that are still calling out to attacker infrastructure, making it the simplest, fastest, and most effective way to safeguard networks from Zero Day Mutations and ransomware attacks. Why not contact us for a demo?