Amritam Putatunda
Technical Product Manager

Is Your Network or Security Tool Blocking Ransomware? It “Pays” to Validate Early.

May 2, 2016 by Amritam Putatunda

The simplest definition I can think of for ransomware is "a class of malware that allows an attacker to extort money from its victim." The popular method is restricting users' access to their own data, but it can spiral into other options, such as threatening to make their personal data public or any other leverage the attackers discover while going through that data. Anyway, this blog is not about the ransomware itself, but about what you can do to ensure your network or security device can detect and block the most common and recent ransomware programs and the campaigns that accompany them.

Keeping up with the recent spurt in ransomware attacks, Ixia's ATI team has released emulations of several new high-profile ransomware families, including Sam Sam, Petya, AceDeceiver, Locky, and KeRanger, in its recent malware releases. So this seems a good time to write a blog on how to create a quick ransomware test in BreakingPoint and validate the ransomware resiliency of your device or network.

As this will be a quick blog, I won't go into the details of the pre-configuration needed for BreakingPoint's Network Neighborhood and the like. You can quickly learn or recap them from the video tutorials. Before going on, please ensure you have installed all the available malware packs from Strike Center so that you have access to all the new ransomware strikes.

To search for the strikes and add them in BreakingPoint, open BPS Sessions -> Managers -> Strike Lists.

[Image: Ransomware 1]

Now follow steps 1, 2, and 3 to create a new strike list, give it a unique name you will remember, such as “Ransomware_All”, and click “Ok”. Refer to the image below for details.

[Image: Ransomware 2]

Pressing “Ok” takes you to a page where you can “add strikes” to the newly created “Ransomware_All” strike list. On that page you can type in keywords such as “ransom”, “ransomware”, or “petya”. As with any search, the shorter the keyword, the better the chance of matching a larger set of strikes. Generally you will get a match on the available ransomware and see the likes of Samsam, Petya, Locky, or any newer ransomware that has cropped up. Once the list appears, you can either select a small subset using the “+” button or use the “Add All” option to add all the available ransomware strikes. If you are interested, you can expand some of the entries to get more details about them and click the associated links to check their history.

[Image: Ransomware 3]

Once you have finished with the ransomware list, click “OK”. You now have a new strike list, “Ransomware_All”, at your disposal. Select a security test and use the newly created “Ransomware_All” strike list for it. To make the test more interesting, you can add some background traffic and apply SMTP evasions, which makes the test much more realistic and at the same time makes the device's job more challenging. Again, if you need more help running tests, check out the video tutorials. Once the test is running, the statistics show which ransomware strikes were allowed through (in the example below, I was just running a B2B test). You can also open the packet captures in BreakingPoint to get more detail on how each ransomware strike behaves.

[Image: Ransomware 4]
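As an added example, not part of the original post and not Ixia's tooling, here is a small Python script that turns an exported strike-result table into a per-family summary and a pass/fail resiliency check, so the validation can be repeated automatically after each ATI update rather than read off the statistics page by hand. The CSV layout and column names are assumptions, and the rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a strike-result export. The column names are an
# assumption for this example, not BreakingPoint's real export format.
SAMPLE_RESULTS = """\
Strike Name,Result
Ransomware Petya Dropper,Blocked
Ransomware Locky Downloader,Allowed
Ransomware SamSam Payload,Blocked
Ransomware KeRanger OSX Binary,Allowed
Ransomware AceDeceiver iOS Dropper,Blocked
"""

# Family keywords mirror the search terms used when building the strike list.
FAMILIES = ("petya", "locky", "samsam", "keranger", "acedeceiver")


def family_of(strike_name):
    """Map a strike name to a ransomware family by keyword, or 'other'."""
    lowered = strike_name.lower()
    for fam in FAMILIES:
        if fam in lowered:
            return fam
    return "other"


def summarize(csv_text):
    """Return per-family blocked/allowed counts and the names of allowed strikes."""
    summary = defaultdict(lambda: {"blocked": 0, "allowed": 0})
    allowed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        fam = family_of(row["Strike Name"])
        if row["Result"].strip().lower() == "blocked":
            summary[fam]["blocked"] += 1
        else:
            summary[fam]["allowed"] += 1
            allowed.append(row["Strike Name"])
    return dict(summary), allowed


def passes(csv_text):
    """Validation gate: the device passes only if every strike was blocked."""
    _, allowed = summarize(csv_text)
    return not allowed


if __name__ == "__main__":
    summary, allowed = summarize(SAMPLE_RESULTS)
    for fam, counts in sorted(summary.items()):
        print(f"{fam:12} blocked={counts['blocked']} allowed={counts['allowed']}")
    print("PASS" if passes(SAMPLE_RESULTS) else f"FAIL: allowed {allowed}")
```

Any strike that was allowed through is a regression to investigate on the device under test, and the list of allowed names is what you would take to the packet captures.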

The ransomware threat is not new, but its popularity means we will continue to see more of these threats in the near future. Keeping up the practice of validating ransomware resiliency with a quick BreakingPoint test will ensure that your network or tool is providing the needed protection against ransomware. Also, since security is always a moving target, make sure you are subscribed to BreakingPoint's ATI feed so that you can keep validating against the latest ransomware, or any other kind of attack, as it appears.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.