Jeff Harris
Chief Marketing Officer

How to Avoid Being Held to Ransom by the Botnet Blizzard

July 5, 2016 by Jeff Harris

Botnets have traditionally been used by cybercriminals for launching DDoS attacks against organizations, and for mass spamming campaigns.  But in recent months, they’ve been used for delivering a payload which is more lucrative for the criminals, and potentially much more damaging for their victims.  Botnets have become the launch-pad for large-scale ransomware attacks, which aim to penetrate an organization’s defenses through social engineering, encrypt critical files and data, and demand a ransom for unscrambling them. 

Just last week, the notorious Necurs botnet suddenly reappeared after a period of being dormant, and began delivering massive volumes of email (estimated in the tens of millions) harboring an improved version of the potent ‘Locky’ ransomware.  Locky was used in the attack on the Hollywood Presbyterian Medical Center in California back in February, which secured a $17,000 ransom for the crooks.

Necurs is believed to be one of the largest botnets in existence, comprising over six million infected machines, and has been responsible for millions of dollars of losses related to ransomware attacks and ‘Dridex’ banking Trojan infections.  It is estimated that the malicious traffic generated by Necurs has been netting its controllers between $100,000 and $200,000 per day.

So how do organizations protect themselves against such large-scale ransomware campaigns?  Ransomware is particularly difficult to defend against, because it uses social engineering to dupe unwitting users into opening the file infected with the payload.  Latest ransomware variants even include evasive features which enable the malware to avoid being detected by anti-virus products, and even to bypass virtualized ‘sandboxes.’

However, a key line of defense is to use threat intelligence gateways such as Ixia’s ThreatARMOR.  We posted a couple of weeks back about how organizations can use these gateways to mitigate the impact of DDoS attacks on their networks and services, by pre-filtering network traffic to prevent packets from known malicious or infected sources from reaching their networks in the first place.  

This same principle applies to ransomware attacks launched by established botnets such as Necurs.  ThreatARMOR continually monitors for, and proactively identifies known bad IP addresses, powered by real-time, constantly-updated data feeds on addresses that are proven to be malicious.  When traffic from these known-bad addresses is received by the gateway, it is filtered automatically at up to 10 GB line speeds – so that malicious traffic never touches your networks, and your staff will not receive those social-engineering emails containing the ransomware exploit from those known bad IP addresses.  

Even if there are existing bot-infected machines within your organization that could be exploited to download ransomware, the threat intelligence gateway prevents the bots from connecting with known bad IP addresses that are botnet command and control centers on the Internet, which further reduces your risk exposure.  So IP address filtering can play a key role in stopping organizations’ critical resources being held to ransom.