Marie Hattar
Chief Marketing Officer

Don’t give ransomware a free ride

December 8, 2016 by Marie Hattar

San Francisco’s Muni Metro had to give thousands of passengers a free ride recently, when hackers successfully targeted the company’s computer systems with ransomware, and tried to extort $73,000 in ransom in return for unlocking them.  Muni Metro refused to pay up, and instead opened up the gates on its stations to give passengers free rides over the Thanksgiving holiday weekend, and set about dealing with the attackers with help from the Department of Homeland Security.

This is just another in the long series of high-profile ransomware attacks in recent months, and the ransomware onslaught shows no sign of slowing down:  in the first half of 2016, 80 new ransomware "families" were discovered, an increase of 172 percent over the same period in 2015.  As such, it’s no longer a question of if an organization will be hit, but when – and how many times it will be hit. 

This in turn raises the question:  how should you deal with a ransomware attack?  Although it’s tempting, paying the ransom is never a good idea.  Every profitable ransomware attack simply encourages the perpetrators to launch more.  They will put more resources into developing increasingly sophisticated ransomware, and into highly targeted social engineering campaigns with which to inject it.  Instead, the attack should be reported as quickly as possible to the relevant authorities, as information such as Bitcoin wallet addresses, transaction data, and any email correspondence with the criminals can be extremely useful in bringing cybercriminals to justice.

As such, I applaud Muni Metro’s response to the attack. Of course, the specifics of the attack made it easier for the company to entirely reject the possibility of paying the ransom to the criminals behind it.  No customer or financial data was directly at risk.  But the firm still lost money by offering thousands of free rides for a weekend.  What would your business stand to lose if it was unable to process customer payments for even a day or two?

This is why it is critical for businesses in all sectors to build ransomware-specific protections into their overall security posture.  And it’s here that organizations need to move beyond traditional solutions. 

Revisiting ransomware’s routines

Ransomware, like other forms of malware, was traditionally prevented from getting into organizations’ networks by signature-based antivirus products. These check the core files of an attachment against a bank of known ransomware – if the attachment matches a profile in the signature bank, then it will be blocked.

However, cybercriminals are able to mutate and adapt the core files of ransomware just enough to make it stop matching the antivirus signature bank and sail straight past the organization’s defenses.  And of course, they are encouraged to carry out such tweaks every time an unfortunate organization pays a ransom.  Such ransomware variants are called ‘Zero Day Mutations’. Once the security industry has identified them then it can update its ransomware signatures and antivirus products will block the new ransomware variant – but this could take hours, or days. During this time, organizations could find their files scrambled and networks frozen.

An alternative mitigation strategy takes a broader view of how ransomware actually works. In most cases, this follows a clear, repeated process. It begins with a carefully targeted phishing email containing an attachment – and the attachment contains a macro.  The macro is able to enter the corporate network as it is not detected by conventional security measures – but once the document is opened, it connects to the attacker’s remote command and control server.  Only then is the ransomware payload downloaded onto that machine – and what’s more, the macro actually rewrites the payload as it downloads.  This means that the ransomware content can only be detected by conventional tools when it actually enters the machine in question – by which time, the damage has already started. 

Nullifying attacks at source

However, the attack can be completely neutralized if the focus is shifted from what is connecting to the user’s machine, to where it comes from.  The payloads that start the final stage of ransomware infection come from IP addresses out on the internet.  But such IP addresses are relatively scarce, as far as cybercriminals are concerned. They must either find, and compromise an individual server or hijack a range of IP addresses.  Neither process is easy, so malicious IP addresses tend to be continually re-used, and generally, once an IP address has ‘gone bad’, it remains compromised.  Even brand-new malware variants are invariable connected to a relatively small number of known compromised IP addresses – tens of millions out of the several billion addresses available.

As such, a macro attempting to download content from one of these IP addresses onto a corporate network is almost certain to be carrying out a ransomware attack.  By detecting this download attempt, the potential infection can be filtered and blocked before it can take hold – with no need to examine the email, the macro, or the malicious content.

Ixia’s ThreatARMOR provides the fastest, most comprehensive method of blocking known malicious IP addresses, with its continuously updated threat intelligence feed – which makes it the fastest, and most effective way to protect your networks against ransomware attacks.  It ensures that your organization will not give ransomware a free ride.