Amritam Putatunda
Technical Product Manager
Blog

Fighting malware. What’s in your arsenal?

October 7, 2019 by Amritam Putatunda

Ransomware, or as we call it during the Halloween season, “Boo!”, is indeed a terrifying situation. Especially In the modern world where computer-stored data has become one of our most prized artifacts and any entity that is a threat to our data is no less frightening then scary monsters. It’s also not an unlikely threat like the zombie apocalypse, as every other day we find news reports of ransomware wreaking one havoc after another.

In this blog, I want to discuss some of the conventional and non-conventional ways you can fight the ransomware threat. 

Where do we start? Ensure the basics work.

The first and seemingly straightforward way to block ransomware is to have security products installed inline that look for all known types of ransomware. Most organizations already have some sort of security perimeter with advanced malware detection and blocking implemented. But what some don’t realize is that these need validations to ensure efficacy. 

Ixia’s BreakingPoint validates the security perimeter with a representative set of malware and a highly notorious set of ransomware samples, showcasing how effective your cybersecurity is in blocking ransomware among other attacks. With monthly and daily updates to BreakingPoint’s application and security traffic emulations that also include a selected number of ransomwares, you can extend validation to a daily, bi-weekly, or weekly basis to ensure your security tools are keeping updated with the latest signatures. If your security tools fail to block the majority of the known ransomware, it may be the time to look for new solutions within the security perimeter that have better signature matching capabilities. 

1

Daily Ransomware provided by BreakingPoint helps in vetting the security tool’s ability to block ransomware on a continuous basis.

Where do we go from there? Check other possible avenues to block ransomware.

Signatures to catch any malware that has been already seen in the wild is one way to block the ransomware. Unfortunately, no matter how many signatures you block, there will be some ransomware that will find its first zero-day victim. So, look to alternative ways to prevent ransomware that don’t rely on the signatures. 

This is where Ixia’s ThreatARMOR helps. Using IP-blocking for both incoming and outgoing traffic, it identifies any blacklisted IPs that are known to be associated with ransomware activities.

2

ThreatARMOR blocking IP addresses.

Looking at it from a different perspective-the unconventional approach

Everything that I described above deals with known bad. Be it signature, black listed IP address, a notorious command and control (C&C) server, a country that you never expect traffic from—all are known and you can rely on signatures and rules to detect them. But even with this protection, you can still suffer an attack because ransomware creators develop techniques like code obfuscation, polymorphism, and metamorphism-basically strategies to avoid getting caught through static analysis. This is where detecting bad activity through dynamic/behavioral analysis can be highly effective in blocking ransomwares. Let’s look at a few ransomware triggers that such a system can detect when inspecting network traffic:

  1. Users trying to access IP addresses of unique domain extensions (like .xyz), signifying possible C&C server activities
  2. Files getting downloaded that have a collection of words usually associated with ransom notes like “bitcoin”, “ransom”, “lock”, and “encrypted”
  3. Users trying to access network shares and doing a large number of reads and writes of approximately similar sizes 
  4. Files that are being transferred over the network with extensions know with ransomware, like “encrypt” and “.luck”
  5. Users trying to sweep the entire network and looking for open ports indicative of ransomware trying to infect other systems within your organization 
  6. Certain preferred exploits usually used by ransomware like CVE-2018-8453 and the RIG-E exploit kit

BreakingPoint superflows and actions provide all types of applications like DNS, HTTP, SMB, NFS, and RDP, along with port scans and exploits to provide the flexibility to create such behaviors and others common to ransomware. This can help in vetting your behavioral/machine learning based tools efficacy in detecting patterns and flows that are known to be associated with ransomware activities.

3

Reading and writing similar-sized files from a file share can indicate of ransomware activities.

In Conclusion…

There is no single strategy that can help us fight the ransomware epidemic, but we must include a combination of efficient static analysis, blocking commonly-known bad actors, and doing behavioral analysis. BreakingPoint and ThreatARMOR are among the many important tools that you need in your arsenal to effectively fight ransomware. 

AMPLIFY YOUR RANSOMWARE DEFENSE