Over the past few years, ransomware attacks have grown in ferocity and frequency across the globe, wreaking havoc on enterprises and costing them billions of dollars. The emergence of the WannaCry and NotPetya attacks in 2017 transformed ransomware from nuisance to security nightmare, as these attacks were the first to couple an encryption payload with automated propagation.
This propagation breakthrough lets threat actors bypass the delivery and execution security measures, leverage compromised credentials, and then rapidly encrypt the data of one endpoint machine after another until an organization is brought to its knees. Most, if not all, enterprises cannot proactively prevent the automated propagation of a ransomware payload.
The Structure of a Ransomware Attack
Every ransomware attack has three stages: delivery, execution, and propagation.
Delivery
At this crucial first stage, the ransomware payload is inserted into a target machine. Attackers have a wide range of delivery methods and security vulnerabilities to choose from: notably spam/phishing emails, poor user practices/gullibility, lack of cybersecurity training, weak passwords, and open remote desktop protocol (RDP) access.
This graphic, from Statista, reveals the spectrum of delivery vectors and vulnerabilities.
To protect against ransomware delivery, most enterprises use an email security gateway or a sophisticated endpoint protection platform (EPP). A gateway manages and filters all inbound and outbound email traffic, detecting and removing risky content. An EPP provides comprehensive protection from ransomware, as it often uses multifactor authentication (MFA) on RDP connections to stop attackers from connecting with compromised credentials.
Execution
At this stage, the payload starts running on a workstation or server, quickly encrypting all data files.
While there are many variants of ransomware, WannaCry remains the most active, threatening, and costly. Kaspersky Labs has noted that "WannaCry is the largest ransomware infection in history, with damage totaling at least $4 billion across 150 countries. In 2019, 21.85% of users that encountered crypto-ransomware encountered WannaCry."
For protection, enterprises typically use an EPP in the hopes that it will terminate the execution of any process it detects as ransomware.
Propagation
This is the endgame stage, where the ransomware gets copied to as many machines as possible in the shortest time, generally via malicious authentication with compromised credentials. A favorite attack surface is shared folders, because every enterprise user has access to at least some of them.
Detection and Protection Challenges
Once ransomware reaches the propagation stage, extensive damage is the likely result. This stage is a blind spot for enterprises, however, because no security solution can prevent automated ransomware propagation in real time. If a ransomware variant succeeds in bypassing the delivery and execution security measures, and some variants always do, it will propagate.
The first big challenge is detecting what the ransomware is doing: using compromised credentials to perform a standard authentication with another machine. While this activity is malicious, it looks identical to any legitimate authentication in the environment. The identity provider will approve the connection because it cannot distinguish between legitimate authentications and malicious ones.
The second big challenge follows from the first: finding a way to block those malicious authentications in real time.
Keys to Defeating Ransomware
The only way to stop ransomware is to build or buy capabilities that prevent the use of compromised credentials. Ideally, this is done in real time and integrates natively with all identity providers, so that continuous monitoring, risk analysis, and policy enforcement apply to every access attempt to on-premises and cloud resources.
Here are some guidelines for implementing defensive measures that prevent ransomware from moving laterally within your environment:
- Continuous Monitoring
This functionality should review and analyze all user account authentication and access attempts, creating precise behavior profiles of the normal activities of users and their machines. The goal: to identify abnormal behavior and block ransomware authentication attempts.
- Risk Analysis
A risk engine is essential to preventing automated propagation, which launches numerous login attempts in quick succession from a single machine and user account. A risk engine should automatically flag such anomalous behavior and increase the risk score of both the user account and the machine.
- Dynamic Access Policy Enforcement
This capability would enable security personnel to change an access policy based on real-time risk scores, stepping up authentication with MFA or even blocking access. In the event of automated ransomware propagation, the policy would require MFA wherever a user account's risk score is high. The policy would apply to all access interfaces. By enforcing a policy based on real-time risk scoring, propagation can be prevented, limiting the attack to a single endpoint.
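The following is an added illustration, not code from the original article, of the three guidelines working together: a toy risk engine profiles authentications per user account and source machine, raises both risk scores when one pair fans out to many target hosts within a short window, and applies a dynamic policy of allow, step-up MFA, or block. The thresholds, hostnames, user names and event timings are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for the demonstration, not any product's settings.
WINDOW = timedelta(minutes=2)     # look-back window for burst detection
BURST_TARGETS = 5                 # distinct target hosts reached within WINDOW
SCORE_MFA, SCORE_BLOCK = 50, 80   # policy steps on a 0-100 risk scale


class RiskEngine:
    def __init__(self):
        self.history = defaultdict(deque)   # (user, source) -> (ts, target)
        self.user_risk = defaultdict(int)
        self.host_risk = defaultdict(int)

    def observe(self, ts, user, source, target):
        """Record one authentication attempt; return the policy decision."""
        q = self.history[(user, source)]
        q.append((ts, target))
        while ts - q[0][0] > WINDOW:        # drop events outside the window
            q.popleft()
        if len({t for _, t in q}) >= BURST_TARGETS:
            # One account on one machine reaching many hosts within minutes
            # is the automated-propagation pattern: raise both risk scores.
            self.user_risk[user] = min(100, self.user_risk[user] + 30)
            self.host_risk[source] = min(100, self.host_risk[source] + 30)
        return self.decide(user, source)

    def decide(self, user, source):
        """Dynamic access policy: step up to MFA, then block, as risk rises."""
        risk = max(self.user_risk[user], self.host_risk[source])
        if risk >= SCORE_BLOCK:
            return "block"
        if risk >= SCORE_MFA:
            return "require_mfa"
        return "allow"


def replay(events):
    """Feed (seconds_offset, user, source, target) tuples; return decisions."""
    engine = RiskEngine()
    t0 = datetime(2024, 1, 1, 9, 0, 0)          # constructed base time
    return [engine.observe(t0 + timedelta(seconds=s), u, src, tgt)
            for s, u, src, tgt in events]


# Constructed samples: one account fanning out from one workstation to eight
# file servers in 40 seconds, versus a user reopening the same share twice.
PROPAGATION = [(5 * i, "alice", "WS-17", f"FILESRV-{i:02d}") for i in range(8)]
BENIGN = [(0, "bob", "WS-03", "FILESRV-01"), (60, "bob", "WS-03", "FILESRV-01")]
```

Replaying PROPAGATION yields five allows, then a step-up to MFA on the sixth authentication and blocks from the seventh on, while BENIGN stays allowed throughout; a real engine would also weight the baseline profile (hosts the user normally reaches, time of day) rather than a fixed fan-out count.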
Preventing ransomware incidents that lock down business processes requires a strong security posture that spans timely patching, end-user security training, and web filtering. However, once ransomware establishes a foothold in your environment, the last line of defense is to monitor, risk-score, and block malicious authentication requests.