Ransomware goes into stealth mode – What you need to know and what you can do!

By Joseph Carson

Ransomware has become a major threat and high risk to many individuals and organizations worldwide. It is a very destructive variant of malware: when it impacts a system it makes critical systems and sensitive information inaccessible until a ransom is paid, typically in bitcoins within 72 hours, and if unpaid the key to unlocking the data is deleted, making it almost impossible to recover. Previous variants have also started deleting data within the 72 hours, making the urgency to unlock the systems even more time sensitive. The impact on organizations includes temporary loss of systems and access to sensitive information, downtime of operations, financial loss and reputation damage.

The most recent variants of Ransomware have gone into stealth mode, meaning they are fileless: they avoid detection by hiding the payload in memory or the kernel, so they evade traditional Anti-Malware software that scans the hard drive for malicious software. Some of the first techniques behind these sophisticated cyber-attacks surfaced a few years ago when Kaspersky discovered fileless malware that was targeting financial, government and telecommunications organizations. The fileless malware had been used to record administrator credentials and passwords that allowed the attackers to gain access to almost anywhere within the network and infrastructure, and was ultimately used to withdraw money from ATMs.

It is important to note that more than 3 billion user credentials and passwords were stolen in 2016, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second. And per the Verizon Data Breach Investigations Report, threat actors used stolen passwords 95% of the time in the most common types of attacks.

The destructive nature of Ransomware and the impact it has had to individuals and organizations globally has led the Department of Homeland Security, US-CERT, and the FBI to release alerts to help organizations take this threat more seriously before it is too late.

Ransomware has become so effective and efficient that many organizations have resorted to paying the ransom, sometimes at a cost of thousands of dollars. It was found that it was more cost effective to pay the ransom (with no guarantee, however) than to restore from a backup, which in some cases would cost more.

Organizations should consider multiple security controls to reduce the risk of Ransomware; these are also considered cyber security best practices and will reduce the risk of other malware threats as well.

What steps can be taken? What can you do?

Educate employees about their responsibility and the IT Policy. Statistics indicate that 1 in 5 employees will open and click on emails containing malware. Educating employees on how to identify targeted phishing emails containing malware is a major risk mitigation for all organizations, with some achieving more than a 50% reduction in cyber risk as a result of good training and security awareness programs, and it can be a very cost effective solution. This not only protects the employees on corporate systems, but also allows the employees to use that same knowledge to protect their own personal systems, information and families from the same threats.

Understanding how hackers operate will give you a cyber advantage. In advanced threats, the attacker will spend a large amount of time researching a list of potential targets, gathering information about the organization’s structure, clients etc. Social media activity of the people in the target company will be monitored to extract information about the systems and forums favored by the user, and any technology vulnerabilities assessed. Once a weakness is found, the next step the attacker will take is to breach the cyber security perimeter – the basic security most companies adopt – or send emails containing malicious software like Ransomware, and gain access, which, for most attackers, is easily done. Organizations should use similar analysis techniques to identify what threats like Ransomware will target, and use that knowledge to deploy security controls to mitigate the risks.

Backup critical and sensitive data online and offline. If Ransomware has impacted the organization, it is critical that a recovery plan is in place so that critical and sensitive data can be easily restored to get the organization operational again. Offline backups are important in case the Ransomware is able to spread across the network and make the online backup systems unavailable as well. A good backup plan can reduce the impact that Ransomware has on an organization; while it provides the ability to restore, it is not a preventive security control but a business continuity measure, and it can also be used in other disaster recovery situations.

Least Privilege and Application Whitelisting. Removing Administrator or super-user privileges from users reduces the chance that an employee unknowingly opening or clicking on Ransomware, or visiting a supplier or public website that is infected and distributing the malicious software, gives the malware the privileges it needs to make the system unavailable, stopping the malware in its tracks. This sometimes leaves employees unable to perform certain functions in their day to day tasks, and this is where application whitelisting together with least privilege enables the employee to continue their day to day work with little to no disruption while keeping them safe from malicious software. Application whitelisting, backed by reputation and threat intelligence, allows an organization to analyze software or an executable before granting it the privileges it needs to perform the required tasks: it checks whether the application comes from a trusted source or software library, what its reputation is, and whether the current system security controls increase the risk, and it can also inform a security analyst of the request so they can intervene if required. Using least privilege and application control together is one of the most effective ways an organization can reduce the risk from Ransomware and other variants of malicious software.

Password and privileged account management should be a major concern for every organization. Implementing effective security controls can be the difference between properly defending yourself against a simple perimeter breach or experiencing a cyber catastrophe.

Companies should provide suitable training for employees on best practices for password choices. Often, when a very complex password is required, many employees revert to writing them down due to difficulty in remembering them. Or, they might use the same password for corporate and personal social accounts. This leads to a possible external threat, which companies should continuously assess.

If your company is giving employees local administrator accounts or privileged access, then this type of ineffective password management seriously weakens the organization’s cyber security. It could mean the difference between a single system and user account being compromised or the compromise of the entire organization’s computer systems. Advanced Persistent Threats that use privileged accounts often result in major data loss, malicious activity and financial fraud, or in the worst case Ransomware.

Organizations should quickly ensure that they continuously audit and discover privileged accounts and applications that require privileged access, remove administrator rights where they are not required, and adopt two-factor authentication so that user accounts cannot easily be compromised.
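The least privilege and privileged account audit recommendations above are easiest to act on with a repeatable check. The following PowerShell script is an added example, not code from the article or from Thycotic: it lists the members of a Windows host's local Administrators group and flags any that are not on an approved list. It assumes PowerShell 5.1 or later with the built-in LocalAccounts module, and the entries in $Approved are placeholders to be replaced with your organization's own list.

```powershell
# Added example (not from the original article): audit the local Administrators
# group against an approved list, supporting the "audit and discover privileged
# accounts" and "remove administrator rights where not required" advice.
# Assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.

# Placeholder approved list: the built-in local Administrator account and one
# domain group that is meant to hold admin rights. Replace with your own values.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Workstation-Admins'
)

# Enumerate current members (local users, domain users and groups all appear here).
$Members = Get-LocalGroupMember -Group 'Administrators'

$Findings = foreach ($m in $Members) {
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass      # User or Group
        Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        Approved    = ($Approved -contains $m.Name)
    }
}

$Findings | Format-Table -AutoSize

# Anything not on the approved list is a candidate for removal after review.
$Unexpected = @($Findings | Where-Object { -not $_.Approved })
if ($Unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) of local Administrators on {1}" -f `
        $Unexpected.Count, $env:COMPUTERNAME)
    # After confirming a member is not required, remove it; -WhatIf shows the
    # action without performing it, so drop -WhatIf only once the list is reviewed.
    foreach ($u in $Unexpected) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $u.Name -WhatIf
    }
}
```

Run it from an elevated session on each host (or through your endpoint management tooling) and feed the unexpected members into the review process before removing them.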

Keeping systems patched and up to date. This is another security control that, while many organizations continue to patch systems, has proven not as effective as it should or could be. Most breaches or Ransomware incidents have used known vulnerabilities and exploits to expose weaknesses in systems in order to infect them with malicious software. Keeping system security updates current will significantly reduce the risk of malicious software exploiting those vulnerabilities.

Anti-Virus should be kept up to date and should scan all attachments and downloads prior to executing them. While Anti-Virus is no longer the only security control required, it is still a basic essential risk mitigation that should be deployed. It is not as effective as it once was, but it can still help detect much of the known malicious software that can impact an organization.

Source: Thycotic