Survival of the fittest is not always about strength but almost always about adaptability — a phrase particularly applicable when referring to ransomware. In 2017 alone, ransomware attacks infected hundreds of thousands of devices, significantly impacting countless industries and market segments.
If enterprises suffered any kind of infection during the first quarter of 2017, chances are it was ransomware. According to Malwarebytes researchers, in the first quarter of 2017 roughly 60 percent of malware payloads consisted of ransomware. Cisco researchers in its 2017 Annual Cybersecurity Report estimated that ransomware grew at a rate of 350 percent from the previous year.
This upward spike in attacks indicates a greater number of cybercriminals and malware authors who are setting their sights on bigger targets, and as such, are creating ransomware attacks with a better ability to adapt to surroundings than ever before. Each year, new ransomware threats employ better techniques to lure and infect victims, encrypt their files, and bypass security. In 2017, ransomware attacks combated enterprise defenses by employing heavy obfuscation, anti-analysis, persistence, and other stealth capabilities designed to move laterally within a network once the malware managed to infect a device.
However, rising ransomware infections can also be attributed to a new era of digital transformation that has effectively torn down traditional perimeters in the network and opened up new threat vectors. Enterprises reshaping their network architecture as part of a comprehensive overhaul are now required to support an explosion of data-intensive applications and services, including a myriad of resource-intensive software-as-a-service (SaaS) applications like Workday, Salesforce.com and Office 365. While this mass migration to the cloud has enabled organizations to become more streamlined, cost-effective, and efficient, it has also exposed them to additional threats.
Like a living organism, ransomware and other advanced threats constantly adapt to their surroundings in order to propagate and survive. Going forward, enterprises will need to adopt technology that can assess the threat’s capabilities and evolve with it, while strengthening their defenses to combat future attacks quickly and effectively.
The Evolving Threat of Ransomware
Perhaps one of ransomware’s biggest secrets to survival is its ability to assess its environment and mutate accordingly. This holds particularly true in its ability to propagate and infect users.
Notorious attacks such as WannaCry and Petya, for example, can discover and infect other computers without any user intervention. The Locky ransomware attack arrives via a phishing email with macro-embedded Microsoft Word attachments, and adds itself as a run key in the Windows Registry to achieve persistence. And the Cryptomix attack is so versatile that it can infect a user either via email or by redirecting the victim to a website hosting the Rig exploit kit.
The most common method of ransomware infection is a technique that leverages common and seemingly innocuous Microsoft Office files embedded with macros in the structure. Threats arrive as an email attachment and then entice users into opening the infected documents with socially-engineered messages and other tactics that appear to come from a familiar source. Once opened, the embedded macros initiate the infection process, which includes decoding and extracting additional scripts at runtime. The scripts, in turn, download more malicious code from the attacker-controlled machines. From there, they schedule tasks and set the stage for the infected devices to receive additional commands or malware from an attacker-controlled server.
Yet email is far from the only method relied upon for propagation. Ransomware can also infect machines via a “drive-by-download,” where the victim browses to a website that gets redirected to a server hosting exploit kits. Kits like Rig and Angler come packed with several exploits that leverage vulnerabilities in a wide array of software, commonly exploiting applications such as web browsers, media players, and document renderers.
Some of the most notorious ransomware attacks also employ lateral movement techniques, giving them the ability to self-replicate quickly and broadly. WannaCry, for example, employs the EternalBlue attack, while Petya leverages both EternalBlue and EternalRomance attacks for propagation. In the final stages of these attacks, the victim computer is left with instructions on how to make the payment while the malware moves laterally to infect more machines on the network.
While we have some understanding of propagation techniques used for major attacks, ransomware authors are constantly developing and improving their attacks with new stealth techniques designed to spread more rapidly and better evade security defenses. Looking ahead, it will be incumbent on enterprises to adapt their network to these threats or risk becoming their next victim.
A Network Ripe for Attack
Numerous organizations have already embarked on the digital transformation process and the transition to multi-cloud environments with the aim of improving efficiencies, cutting costs, and increasing their competitive edge. For countless others, it’s only a matter of time until they too transform. As part of that process, organizations are rapidly moving data and applications to a wide range of private clouds, SaaS-based applications, public cloud storage apps such as Dropbox, as well as large-scale consumer cloud applications such as Google Cloud, Amazon Web Services (AWS), and others.
By migrating copious amounts of data across the network, organizations are also inadvertently opening their environment to a host of new threats. By breaking down traditional network boundaries, a multi-cloud architecture exposes countless new threat vectors and exploitable vulnerabilities, making the corporate network more susceptible to direct attacks than ever before.
As a result, ransomware, advanced persistent threats, and other malware are more present and dangerous because they can enter the network through significantly more avenues — many of which are either inadequately secured or not secured at all.
The rapidly evolving threat environment, coupled with a more vulnerable enterprise network, signals a paradigm shift in how organizations will protect data residing on multi-cloud systems. In addition to rearchitecting their networks, organizations will also have to rethink their entire security infrastructure and posture.
Evolving Into a Secure Network
The good news is that enterprises can evolve their own network defenses to align with increasingly stealthy and sophisticated ransomware attacks as they simultaneously implement a multi-cloud environment. It starts by being able to assess the capabilities of ransomware and adapt network defenses accordingly.
To protect networks from some of the most severe ransomware attacks seen in 2017, organizations will, above all, need integrated, in-depth, and comprehensive protection with numerous layers of defense for varied protocols and file formats. This includes adopting secure software-defined wide area networking (SD-WAN) infrastructure as a major component of their arsenal to protect against these threats and to secure the WAN.
Among other things, organizations will require a network security solution armed with features that can inspect both files and traffic at various stages of infection. Because initial infection often starts with a drive-by download or a malicious email attachment, organizations will require a network security solution capable of extracting files transferred over a myriad of protocols such as HTTP and SMB, as well as SMTP attachments, even when those files are encoded.
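As an added, defender-side illustration of the macro-attachment infection path and of the "extract attachments even when encoded" inspection step described above (example code, not from the original article), the following Python script undoes an attachment's MIME transfer encoding and checks a zip-based Office file for an embedded VBA project and auto-execute macro names. The sample message is constructed inline; the auto-execute name list and the plain substring check on vbaProject.bin are simplifying assumptions.

```python
import email
import io
import zipfile
from email import encoders, policy
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

# Assumed list of VBA auto-execute entry points: a macro with one of these names runs on open.
AUTO_EXEC = (b"AutoOpen", b"Document_Open", b"AutoExec", b"Workbook_Open")

def inspect_office_file(data: bytes) -> dict:
    """Return VBA indicators for a zip-based (OOXML) Office file; non-zip input yields none."""
    result = {"has_vba": False, "auto_exec": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            vba = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
            if vba:
                result["has_vba"] = True
                blob = zf.read(vba[0])  # real streams are compressed; a substring match is only a first pass
                result["auto_exec"] = [k.decode() for k in AUTO_EXEC if k in blob]
    except zipfile.BadZipFile:
        pass  # not a zip container, or truncated: nothing to inspect
    return result

def scan_message(raw: bytes) -> list:
    """Decode each attachment's transfer encoding (base64/quoted-printable) and inspect it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        info = inspect_office_file(part.get_payload(decode=True))  # decode=True undoes base64
        info["filename"] = part.get_filename()
        findings.append(info)
    return findings

def build_sample_message(with_macro: bool) -> bytes:
    """Constructed sample, not a real lure: a .docm whose fake vbaProject.bin stream names AutoOpen."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA stream AutoOpen\x00")
    msg = MIMEMultipart()
    att = MIMEBase("application", "octet-stream")
    att.set_payload(buf.getvalue())
    encoders.encode_base64(att)  # the transfer encoding that scan_message has to undo
    att.add_header("Content-Disposition", "attachment", filename="invoice.docm")
    msg.attach(att)
    return msg.as_bytes()
```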
In the case of payloads delivered by exploit kits, organizations need an intrusion prevention system (IPS) engine that is updated regularly to detect and block the different exploits that they leverage as well as identify techniques enabling attackers to move laterally within a network.
To stay one step ahead of ransomware, a network security solution should be equipped with capabilities that prevent an end host from communicating with IP addresses or URLs known to be associated with ransomware. It is this command-and-control communication that enables attackers to take control of infected machines and use them as a staging area to download additional malicious code. Finally, organizations need to include DNS security functionality that prevents queries for malicious domains from resolving, thus blocking any contact with those domains.
As with the threat landscape in general, ransomware is becoming more treacherous and more adaptive. New iterations of attacks like WannaCry, Petya, Locky and others are becoming increasingly stealthy with each new variant, honing and refining techniques that obfuscate their presence, erase their tracks, encrypt files and spread laterally.
That said, the evolving network landscape has become more open, streamlined, and efficient, while the influx of multi-cloud infrastructure has in many ways also set the stage for advanced iterations of these attacks. Consequently, integrated and multi-layered security will have to be top of mind for enterprises looking to protect their networks and stay ahead of future attacks.
Locking down infrastructure amid this digital transformation will not be the answer. Instead, it will be incumbent upon organizations to strengthen SaaS applications and cloud architecture and evolve their network’s software-defined security capabilities within their own evolving multi-cloud framework. Only then will they have a shot at effectively combating new waves of ransomware and other malicious attacks that will almost certainly come their way.