Chuck Leaver – Beware Of Ransomware Targeting Your Organization

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Ransomware customized for enterprise attack campaigns has emerged in the wild. It is an apparent evolution of consumer-grade ransomware, fueled by the larger ransoms that businesses are able to pay, coupled with the sheer scale of the enterprise attack surface (internet-facing endpoints and unpatched software applications). To the attacker, your business is a tempting target with a big fat wallet just begging to be knocked over.

Your Organization is an Enticing Target

Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, or your credulous users may already be opening “spear phishing” emails crafted just for them, apparently authored by people they know.

The weaponized invoices are sent to your accounting department, the weaponized legal notices to your legal department, the weaponized resumes to your human resources department, and the weaponized trade publication articles to your public relations firm. That ought to cover it, for starters. Add the watering-hole drive-bys planted on industry sites your staff frequently visit, the social network attacks targeted at your key executives and their family members, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an “if” but a “when”: the when is continuous, the who is legion.

The Arrival Of Targeted Ransomware

Malware analysts are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe this in an Intel Security Advanced Threat Research report from February 2016:

“Throughout the past few weeks, we have actually gotten info about a brand-new campaign of targeted ransomware attacks. Instead of the regular modus operandi (phishing attacks or drive-by downloads that result in automatic execution of ransomware), the opponents obtained consistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, numerous tools were used to find, secure, and erase the original files as well as any backups.”

Careful reading of this citation immediately reveals steps to be taken. Initial penetration was by “vulnerability exploitation,” as is often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Because the attackers “spread their access to any connected system,” robust network segmentation and access controls are likewise requisite. Think of them as the watertight compartments of a warship that keep it from sinking when the hull is breached. Of particular note, the attackers “erase the original files as well as any backups,” so there must be no delete access from a compromised system to its backup files: systems must only be able to append to their backups.

Your Backups Are Current, Aren’t They?

Obviously, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not a viable option, because any files produced by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been entirely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, infections may have been planted for later re-entry, or the malware’s file manipulations may simply have had bugs or omissions. There would be no way to place any confidence in this data, and accepting it as legitimate could further compromise all future downstream data dependent upon or derived from it. Treat ransomware-returned data as trash. Either have a robust backup strategy, regularly tested and verified, or prepare to suffer your losses.
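The two backup controls called for above (no delete access from a protected host to its backups, and backups that are current and verified) can be modeled in a few dozen lines. The following is an added example written for this post; it is not Ziften code and not the Intel Security tooling. It constructs a small in-memory backup store whose client-facing interface can only append versions, checks every version against the digest recorded at write time, flags paths whose newest backup is older than a stated tolerance in days, and reserves deletion for a server-side retention job holding a token the hosts never see. The scenario function, file path, file contents and the XOR stand-in for encryption are all constructed for the demo.

```python
"""Append-only, integrity-checked backup store (constructed demo, not Ziften code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class BackupVersion:
    path: str
    version: int          # 1-based, strictly increasing per path
    written_at: float     # epoch seconds
    sha256: str           # digest recorded at write time
    data: bytes = field(repr=False)


class AppendOnlyBackupStore:
    """Backup target that protected hosts can only append to.

    Hosts get put()/restore()/verify(); delete() always refuses. The only way to
    remove a version is prune(), which models a retention job on the backup server
    holding a token the hosts never possess.
    """

    def __init__(self, retention_token: str) -> None:
        self._versions: dict[str, list[BackupVersion]] = {}
        self._retention_token = retention_token

    def put(self, path: str, data: bytes, now: float) -> BackupVersion:
        """Append a new version; earlier versions are never overwritten."""
        history = self._versions.setdefault(path, [])
        version = BackupVersion(path, len(history) + 1, now,
                                hashlib.sha256(data).hexdigest(), data)
        history.append(version)
        return version

    def delete(self, path: str, version: int | None = None) -> None:
        """Refused by design: a compromised host must not be able to destroy backups."""
        raise PermissionError("backup clients have no delete access")

    def version_count(self, path: str) -> int:
        return len(self._versions.get(path, []))

    def restore(self, path: str, version: int | None = None) -> bytes:
        """Return the requested (default: newest) version after re-checking its digest."""
        history = self._versions.get(path)
        if not history:
            raise KeyError(path)
        chosen = history[-1] if version is None else history[version - 1]
        if hashlib.sha256(chosen.data).hexdigest() != chosen.sha256:
            raise ValueError(f"integrity failure: {path} v{chosen.version}")
        return chosen.data

    def verify(self) -> list[str]:
        """Recompute every digest; returns labels of corrupted versions (empty means clean)."""
        return [f"{path} v{v.version}"
                for path, history in self._versions.items()
                for v in history
                if hashlib.sha256(v.data).hexdigest() != v.sha256]

    def stale_paths(self, now: float, max_age_days: int) -> list[str]:
        """Paths whose newest version is older than the tolerance, i.e. not current."""
        return [path for path, history in self._versions.items()
                if now - history[-1].written_at > max_age_days * SECONDS_PER_DAY]

    def prune(self, path: str, keep_last: int, retention_token: str) -> int:
        """Server-side retention only: drop all but the newest keep_last versions."""
        if retention_token != self._retention_token:
            raise PermissionError("retention requires the server-side token")
        history = self._versions.get(path, [])
        removed = max(0, len(history) - keep_last)
        self._versions[path] = history[removed:]
        return removed


def simulate_compromised_host(store: AppendOnlyBackupStore, now: float) -> dict:
    """Constructed scenario: a host is backed up, ransomware then encrypts its files,
    and the attacker tries to destroy the backups using the host's own credentials."""
    path = "finance/ledger.csv"                       # constructed sample file
    clean = b"date,amount\n2016-06-01,1250.00\n"
    store.put(path, clean, now - 2 * SECONDS_PER_DAY)
    # The backup agent faithfully uploads the encrypted file as a new version ...
    encrypted = bytes(b ^ 0x5A for b in clean)       # XOR stands in for real encryption
    store.put(path, encrypted, now - SECONDS_PER_DAY)
    # ... but the delete attempt is refused, so the clean version 1 survives.
    try:
        store.delete(path)
        delete_blocked = False
    except PermissionError:
        delete_blocked = True
    return {
        "delete_blocked": delete_blocked,
        "versions": store.version_count(path),
        "clean_restorable": store.restore(path, version=1) == clean,
        "newest_is_encrypted": store.restore(path) != clean,
        "integrity_failures": store.verify(),
        "stale": store.stale_paths(now, max_age_days=7),
    }


if __name__ == "__main__":
    print(simulate_compromised_host(AppendOnlyBackupStore("server-only"), now=1_465_000_000.0))
```

The point the scenario makes is that the backup agent will happily upload the encrypted file as the newest version, so "having backups" is not enough: what saves you is that the pre-encryption version cannot be removed by anything running on the compromised host, and that the store's own digests let you prove it is intact before you restore it.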

What Is Your Preparation for a Breach?

Even with sound backups, the confidentiality of affected data must be presumed breached, because it was read by malware. Even with detailed network logs, it would be impracticable to prove that no data had been exfiltrated. In a targeted attack the attackers usually take a data inventory, examining at least samples of the data to assess its potential value; otherwise they would be leaving money on the table. Data ransom demands may simply be the final monetization stage of an enterprise breach, after all other value has been mined from the intrusion, since the ransom demand reveals the compromise.

Have a Thorough Remediation Strategy

One should presume that skilled attackers have arranged multiple, cunningly concealed avenues of re-entry at staggered points in time (well after your crisis team has stood down and the expensive consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Costly re-imaging of systems must be extremely thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Also, do not assume that system firmware has not been compromised. If you can update the firmware, so can attackers. It isn’t hard for hacking groups to explore firmware attack options when their enterprise targets standardize on system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cybercrime enables the development and sale of firmware hacks on the dark web to a broader criminal market.

Help Is Available With Good EDR Tools

After all of this negativity, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps is far less painful than reactive clean-up. A good Endpoint Detection and Response (EDR) tool can help on both ends. EDR tools are useful for identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best eliminated from the environment (Adobe Flash, for example). EDR tools are likewise good at tracking all significant endpoint events, so that investigators can identify a “patient zero” and track the pivot activity of targeted, enterprise-spreading ransomware. Attackers rely on endpoint opacity to hide their actions from security staff, but EDR exists to provide open visibility of notable endpoint events that could signal an attack in progress. EDR isn’t limited to the old anti-virus convict-or-acquit model, which lets newly remixed attack code evade AV detection.
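To make the “patient zero” and pivot-tracking idea concrete, here is an added example of the kind of query an investigator runs over EDR event data. It is written for this post and is not Ziften’s product code or its data format. The telemetry is constructed: a handful of file-rename and network-connection events from four hosts, with host names, the “.locked” extension, the three-rename burst threshold and the pivot ports (445 and 3389) all chosen for the demo. The logic marks a host as affected once its ransom-extension renames cross the threshold, names the earliest such host as patient zero, and for every other affected host picks the already-affected host that connected to it most recently on a pivot port, between the source’s own onset and the victim’s.

```python
"""Patient-zero and pivot reconstruction from endpoint telemetry (constructed demo)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds (constructed)
    host: str      # reporting endpoint
    kind: str      # "file_rename" or "netconn"
    detail: dict   # file_rename: {"new_name"}; netconn: {"src", "dst", "port"}


# Assumed indicators: a ransom extension and the number of renames that counts as an
# encryption burst rather than a single odd file. Real deployments tune both.
RANSOM_EXTENSIONS = (".locked",)
RENAME_BURST_THRESHOLD = 3
PIVOT_PORTS = {445, 3389}   # lateral-movement channels considered in this demo

# Constructed telemetry: one workstation is hit first, then a file server, then a
# second workstation. The lone rename on WS-LEGAL-02 is noise below the threshold.
EVENTS = [
    Event(120, "WS-ACCT-03", "netconn", {"src": "WS-ACCT-03", "dst": "FS-01", "port": 445}),
    Event(150, "WS-LEGAL-02", "file_rename", {"new_name": "memo.docx.locked"}),
    Event(200, "WS-HR-07", "file_rename", {"new_name": "resume1.pdf.locked"}),
    Event(201, "WS-HR-07", "file_rename", {"new_name": "resume2.pdf.locked"}),
    Event(202, "WS-HR-07", "file_rename", {"new_name": "offer.docx.locked"}),
    Event(260, "WS-HR-07", "netconn", {"src": "WS-HR-07", "dst": "FS-01", "port": 445}),
    Event(300, "FS-01", "file_rename", {"new_name": "q1.xlsx.locked"}),
    Event(301, "FS-01", "file_rename", {"new_name": "q2.xlsx.locked"}),
    Event(302, "FS-01", "file_rename", {"new_name": "q3.xlsx.locked"}),
    Event(330, "FS-01", "netconn", {"src": "FS-01", "dst": "WS-ACCT-03", "port": 3389}),
    Event(350, "WS-HR-07", "netconn", {"src": "WS-HR-07", "dst": "WS-ACCT-03", "port": 445}),
    Event(400, "WS-ACCT-03", "file_rename", {"new_name": "ap.csv.locked"}),
    Event(401, "WS-ACCT-03", "file_rename", {"new_name": "ar.csv.locked"}),
    Event(402, "WS-ACCT-03", "file_rename", {"new_name": "gl.csv.locked"}),
]


def encryption_onset(events: list[Event]) -> dict[str, int]:
    """Per host, the timestamp at which its rename burst crossed the threshold."""
    counts: dict[str, int] = {}
    onset: dict[str, int] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "file_rename" and e.detail["new_name"].endswith(RANSOM_EXTENSIONS):
            counts[e.host] = counts.get(e.host, 0) + 1
            if counts[e.host] == RENAME_BURST_THRESHOLD:
                onset[e.host] = e.ts
    return onset


def patient_zero(events: list[Event]) -> str | None:
    """The affected host whose encryption started first."""
    onset = encryption_onset(events)
    return min(onset, key=onset.get) if onset else None


def pivot_chain(events: list[Event]) -> dict[str, str | None]:
    """For each affected host, the already-affected host it most plausibly received the
    infection from: the latest inbound connection on a pivot port that occurred after
    the source's own onset and before the victim's. None marks the entry point."""
    onset = encryption_onset(events)
    chain: dict[str, str | None] = {}
    for victim in sorted(onset, key=onset.get):
        candidates = [
            e for e in events
            if e.kind == "netconn"
            and e.detail["dst"] == victim
            and e.detail["port"] in PIVOT_PORTS
            and e.detail["src"] in onset
            and onset[e.detail["src"]] <= e.ts < onset[victim]
        ]
        chain[victim] = max(candidates, key=lambda e: e.ts).detail["src"] if candidates else None
    return chain


def summarize(events: list[Event]) -> dict:
    """Investigator-facing summary: entry point, spread order, and who infected whom."""
    onset = encryption_onset(events)
    return {
        "patient_zero": patient_zero(events),
        "affected_in_order": sorted(onset, key=onset.get),
        "pivot_chain": pivot_chain(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

Two details matter in practice. The onset-ordering constraint is what keeps the benign pre-infection connection from WS-ACCT-03 to FS-01 out of the chain, and it is also why this reconstruction is only as good as the endpoint clock synchronization and the completeness of the connection telemetry: with opaque endpoints there is nothing to sort.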

Good EDR tools are always alert, always reporting, always tracking, available when you need them: now or retroactively. You would not turn a blind eye to enterprise network activity, so do not ignore enterprise endpoint activity.