Jeff Harris
Chief Marketing Officer

Protect Yourself From Ransomware

October 11, 2016 by Jeff Harris

Ransomware: defend, and don’t pay

Paying a fee to get out of a bad situation has always been a tempting option. If we get caught speeding, most of us would rather pay the ticket than go to court. If someone steals our phone or computer, we would gladly pay a reward to get it back. So the temptation to pay up in the case of ransomware is understandable. You should never pay up, but rather report the incident immediately to the FBI’s online Internet Crime Complaint Center. That’s the latest advice from the FBI, and it seems likely that other national law enforcement agencies will soon follow suit.

The FBI’s advice is based on two factors. First, a ransomware attack can deal truly enormous damage, not just to the target organization but also further down the line. Success breeds success, so every time a ransom is paid it encourages cybercriminals to keep trying the same technique in the future. Ransomware, as a result, proliferates. Second, even the tiniest fragments of information that ransomware victims may report, including Bitcoin wallet addresses, transaction data, malware hashes, or any email correspondence, can be enough to lead the FBI to the source. The more people who report, the more fragments the FBI has to aid its investigation.

This is sound advice. We would always advise ransomware victims to refuse any attempt to extort payment, and instead go down the investigation path. However, advice like this is easier to give than to follow when the contents of your machine or database have been irretrievably scrambled and your operations have ground to a halt. We get that. So while we all go about our lives patiently hoping the next victim will be someone else, is there anything we can do to prevent ransomware attacks from occurring in the first place? Why yes, it turns out there is.

Attack of the Mutations

A critical reason why ransomware is so successful – and keeps on proliferating – is the ability of ransomware to mutate and adapt its core files just enough to bypass traditional signature-based antivirus and other protections. Such variants are called ‘Zero Day Mutations’. They only work for as long as it takes the security industry to scramble to update its ransomware signatures – which might be days or even hours – but this, of course, is more than enough time to launch multiple successful attacks.

To protect against such Zero Day Mutations, we need to fundamentally rethink our approach to identifying and blocking ransomware. Rather than solely focusing on identifying ransomware on its way in, we need to think more generally about how ransomware behaves and where it comes from – so that any content exhibiting these general characteristics can be flagged up.

The first step is to look at the typical delivery process for ransomware – this generally follows multiple stages. To start it off, a genuine-looking phishing email with an attached document is sent to a target. The document contains a macro, small enough to appear innocuous even to sandboxing technologies, which is activated once the document is opened. It connects to the attacker’s remote server on the internet and only then downloads the ransomware payload onto the machine. The macro actually rewrites the payload as it downloads – so the content sent across the network is harmless until it actually enters the machine.

Focusing ransomware protection on the actual content being sent to the organization is a losing battle. Macros are unlikely to be picked up even by advanced virtualized sandboxing, because they are so small and simple, and don’t exhibit malicious-looking behavior when examined. The payload doesn’t appear malicious until it is actually on the machine and starts encrypting.

Blocking the malicious payload

But what if, rather than focusing on what is connecting to the user’s machine, we focus on where it comes from? The payloads that start the final stage of ransomware infection come from IP addresses out on the internet. But such IP addresses are relatively scarce, as far as cybercriminals are concerned. They must either find and compromise an individual server (which may be concurrently used in another criminal campaign), or hijack a range of IP addresses via internet routing manipulation. Neither process is easy, so malicious IP addresses tend to be continually re-used, and generally, once an IP address has ‘gone bad’, it will not become benign again in the future. Even brand-new malware variants are invariably connected to a relatively small number of known compromised IP addresses – tens of millions out of 4.3 billion IPv4 addresses.

In other words, if a macro in your network attempts to download content from one of these known malicious IP addresses, you are almost certainly in the throes of a ransomware attack. And you know this without examining the macro, or the content it is downloading.

From there, it is a relatively easy task to block, en masse, all corporate connections to known malicious IP addresses, slashing at a single stroke your chances of falling victim to a ransomware attack. Advanced screening techniques such as sandboxing still have a vital role to play in protecting organizations from cybercrime. But by combining the ‘what’ approach with the ‘where’ of malicious IP address blocking, you have a far more robust and agile means of preventing your organization from being held to ransom.
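The ‘where’ check described above, as an added example that is not Ixia’s code and not ThreatARMOR’s logic: a small Python script loads a threat-intelligence feed of bad IP addresses and prefixes, then runs outbound-connection log lines through it and reports every connection whose destination is on the list, without looking at the macro or the downloaded content at all. The feed entries, the log format (timestamp, source, destination, port, process) and the log lines are all constructed for this example, using documentation address ranges rather than real indicators.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed threat-intelligence feed (hypothetical entries built from the
# RFC 5737 documentation ranges; they are not real indicators). One entry per
# line: a single address or a CIDR prefix; '#' starts a comment.
FEED_TEXT = """
203.0.113.0/24    # stand-in for a hijacked prefix
198.51.100.27     # stand-in for a single compromised server
192.0.2.77
"""

# Constructed egress log lines: timestamp, source, destination, port, process.
LOG_LINES = [
    "2016-10-11T09:12:01Z 10.0.5.14 192.0.2.10 443 chrome.exe",
    "2016-10-11T09:12:07Z 10.0.5.14 203.0.113.45 80 WINWORD.EXE",
    "2016-10-11T09:13:30Z 10.0.7.2 198.51.100.27 8080 EXCEL.EXE",
    "2016-10-11T09:14:02Z 10.0.7.2 10.0.1.5 445 explorer.exe",
    "malformed line that the parser must skip",
]


class Blocklist:
    """Feed entries: exact hosts go in a set (O(1) lookup), prefixes in a list."""

    def __init__(self, feed_text: str) -> None:
        self.hosts = set()      # address objects for /32 and /128 entries
        self.prefixes = []      # network objects for wider prefixes
        for raw in feed_text.splitlines():
            entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
            if not entry:
                continue
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen == net.max_prefixlen:
                self.hosts.add(net.network_address)
            else:
                self.prefixes.append(net)

    def match(self, addr) -> Optional[str]:
        """Return the feed entry covering addr (str or address object), else None."""
        if isinstance(addr, str):
            addr = ipaddress.ip_address(addr)
        if addr in self.hosts:
            return str(addr)
        for net in self.prefixes:
            if addr in net:     # False when address and prefix are different IP versions
                return str(net)
        return None


class Hit(NamedTuple):
    timestamp: str
    src: str
    dst: str
    port: int
    process: str
    feed_entry: str


def parse_line(line: str):
    """Split one log line into its fields; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proc = parts
    try:
        return ts, src, ipaddress.ip_address(dst), int(port), proc
    except ValueError:
        return None


def find_hits(lines, blocklist: Blocklist) -> list:
    """Return every connection whose destination is covered by the feed."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, port, proc = parsed
        entry = blocklist.match(dst)
        if entry is not None:
            hits.append(Hit(ts, src, str(dst), port, proc, entry))
    return hits


if __name__ == "__main__":
    for h in find_hits(LOG_LINES, Blocklist(FEED_TEXT)):
        print(f"BLOCK {h.src} -> {h.dst}:{h.port} ({h.process}) matched {h.feed_entry}")
```

Run as-is, the script reports the two connections from the Office processes to listed destinations and passes the browser connection to 192.0.2.10, which sits in the same range as a listed host but is not itself listed. Two points of the design follow the post’s argument: exact entries are kept in a set so that a feed of tens of millions of addresses stays cheap to query on every connection, and nothing in the code expires an entry, because an address that has gone bad is treated as staying bad until the feed itself says otherwise.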

We would always recommend testing your network with the broadest spectrum of the latest attacks. You can do that with Ixia's BreakingPoint software. When you are in operation, though, you need a fast method of blocking known bad IP addresses using a continuously updated threat intelligence feed. For that, you should look at ThreatARMOR. It is the simplest, fastest, and most effective way to safeguard your network from Zero Day Mutations and ransomware attacks.