Simon Crosby
Crypto Malware: Responding To Machine-Timescale Breaches

The game has changed again with hackers' ability to steal your data at record speeds and cripple your organization before the first alert.

The thousand-fold increase in crypto-malware highlights a profound change in the cyber-landscape: Previously, an attacker seeking to steal intellectual property, personally identifiable information or payment card information would need to successfully breach and persist on one or more endpoints, carefully research the network, stealthily exfiltrate data, and finally process it in order to sell it on the dark web – a lot of effort for an uncertain payout. But crypto-malware is a clear signal that hackers have changed the game.

With crypto-malware – ransomware that encrypts files until a ransom is paid – every compromised device, whether company or personally owned, can be quickly monetized. If money isn’t the goal, attackers can use crypto-malware to cripple a target for political or military advantage, because it’s quick, precise and lethal, and much simpler and more effective than a messy kinetic weapon. For organizations whose missions depend on the availability of computer systems, including hospitals, law enforcement and military targets, this new form of attack is a nightmare.

A crypto-malware attacker avoids the risk of post-breach detection or interrupted exfiltration by leaving data in place and encrypting it without being detected. The attacker also maximizes fear and impact in a shocking way: via the ransom notice, a personalized victim ransom page that usually contains the initial ransom amount, instructions for how to purchase Bitcoins, and a countdown clock. The clock adds pressure by telling the victim how much time remains to pay up before the ransom doubles or the data is deleted.

The attacker doesn’t even have to decide what data is valuable. Encrypting all data forces the victim to decide. Being both fearful and unsure, the victim is very likely to pay the ransom. Likewise, rather than having to sell stolen data at a discounted black-market price, encrypting it in place allows the attacker to directly demand top dollar from the victim, who values the data most.

Most importantly, crypto-malware breaches occur at machine speed, meaning there is no need for a remote human attacker to carefully dig deeper in search of valuable data. As soon as the endpoint is compromised the attack inflicts maximum damage. And since most such malware is undetectable by design, legacy AV suites offer scant assurance that you will be protected. Enterprise security teams have no opportunity to detect and respond to a breach as they do with traditional attacks.

Lest you think that crypto-malware is consumer focused, or that paying to decrypt your files is a simple way out, think again:

● Attacks have rapidly evolved to incorporate traditional breach techniques. Enterprise variants can propagate through the network to other devices and encrypt file shares and cloud storage to maximize impact.

● Following the classic approach of extortionists, attackers can charge different amounts to decrypt different parts of your data, or demand regular payments to keep data from being re-encrypted.

● It won’t be long before encrypted data is exfiltrated so the bad guys get to keep a copy too.

“Sorry, you’re going to be pwned”
Sadly, the security industry was already failing to protect its customers from traditional manual adversaries before attackers realized the benefits of machine-speed breaches. Vendors continue to peddle “maybe” technologies, like “next-gen antivirus” (NG-AV), that try to “detect to protect.” They tout their unbelievable ability to detect yesterday’s attacks – when in fact 99 percent of today’s malware morphs into new, undetectable variants in under a minute, according to the latest Verizon Data Breach Investigations Report. And they fail to protect against threats at the time of infection, offering remediation instead of prevention. Once the damage is done it’s too late.

Security vendors dodge responsibility for their failures, glibly encouraging their customers to continually look for signs of a breach they missed. But if you try to secure your organization assuming you will be breached by an adversary who operates on a human timescale, whose stealthy theft of data you must detect post-breach, you will undoubtedly be devastated by a machine-speed attack that cripples your organization before the first alert, then drains your bank account to “help” you back on your feet.

Protection at Machine-Speed
Today’s NG-AV tries to detect attacks and protect each endpoint individually, using signatures and heuristics updated by vendors on a human timescale. With absolute certainty this approach will fail, giving an attacker the foothold he needs to breach the enterprise at machine speed.

To protect the entire enterprise at machine speed, you cannot rely on detection. The only solution is to protect “by design” -- architecting your environment to be resilient to attack. For a start, you ought to segment your network according to privilege or “need to know”: PCs that only access web applications need never be fully trusted on the enterprise network. Instead, isolate them on their own VLAN or network subnet, and make users pass through authentication “gates” to reach high-value applications or back-end services.

Don’t give users access to file shares that are not necessary, and keep database access limited to database applications. This concept of micro-segmentation of the enterprise network is being promoted by vendors of private and public cloud infrastructure, and the same concepts apply on end-user PCs through micro-virtualization. Ensure that users who need administrative access to corporate infrastructure are only able to elevate their privileges on a separately managed, VDI-based back end that can only be reached from the enterprise intranet. Prohibit privilege escalation without forcing the user to log in under a different identity.

Rigorous separation of duties, enforced with tools from virtualization -- VDI, micro-segmentation and micro-virtualization -- is fundamental to building an enterprise infrastructure that is inherently more resilient to machine-timescale attacks. Rigorous, infrastructure-based enforcement of the principle of least privilege is a basic requirement for a resilient enterprise architecture.
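The segmentation-by-privilege policy described above (web-only PCs on their own VLAN, file shares and databases reachable only from where they are needed, privilege elevation confined to a VDI back end reachable only from the intranet), modeled as a zone policy and checked against constructed flow records. This is an added example, not code from the article or any product; the zone names, address prefixes, ports and log format are assumptions.

```python
import re
# Constructed address prefixes -> zones. Zone names and addresses are assumptions.
ZONES = {
    "10.10.": "web_only_pcs",  # PCs that only need web apps, on their own VLAN
    "10.20.": "user_pcs",      # general intranet workstations
    "10.30.": "app_tier",      # web and back-end application servers
    "10.40.": "db_tier",       # databases: reachable only from database applications
    "10.50.": "file_shares",   # file servers
    "10.60.": "admin_vdi",     # separately managed VDI where privileges are elevated
}

# Explicitly permitted (src_zone, dst_zone, dst_port); anything else is denied.
ALLOWED = {
    ("web_only_pcs", "app_tier", 443),
    ("user_pcs", "app_tier", 443),
    ("user_pcs", "file_shares", 445),
    ("user_pcs", "admin_vdi", 443),   # the VDI gate is reachable only from the intranet
    ("app_tier", "db_tier", 5432),
    ("admin_vdi", "app_tier", 22),
    ("admin_vdi", "db_tier", 5432),
}
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def zone_of(ip):
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def is_allowed(src_ip, dst_ip, dport):
    return (zone_of(src_ip), zone_of(dst_ip), dport) in ALLOWED

def find_violations(lines):
    """Return (src, dst, port, src_zone, dst_zone) for each flow the policy forbids."""
    bad = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and not is_allowed(m.group(1), m.group(2), int(m.group(3))):
            bad.append((m.group(1), m.group(2), int(m.group(3)),
                        zone_of(m.group(1)), zone_of(m.group(2))))
    return bad

# Constructed sample flow records (not real traffic).
SAMPLE_LOG = [
    "src=10.20.3.4 dst=10.30.0.10 dport=443",   # user PC -> web app: allowed
    "src=10.10.4.7 dst=10.50.0.2 dport=445",    # web-only PC -> file share: denied
    "src=10.20.3.4 dst=10.40.0.5 dport=5432",   # user PC -> database directly: denied
    "src=10.30.0.10 dst=10.40.0.5 dport=5432",  # app server -> database: allowed
    "src=10.10.4.7 dst=10.60.0.9 dport=443",    # web-only PC -> admin VDI: denied
]
```

Running `find_violations(SAMPLE_LOG)` reports the three flows that cross a privilege boundary the policy never opened; the same matrix can be translated into VLAN ACLs or firewall rules so that the denial is enforced rather than merely detected.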

It is time to move beyond a model where we bet the security of the enterprise on the security of a single endpoint and human-timescale detection tools. The only way to defeat machine-timescale attacks is to embrace virtualization-enforced isolation to help enterprises protect themselves by reducing the enterprise attack surface.

Simon Crosby is co-founder and CTO at Bromium. He was founder and CTO of XenSource prior to the acquisition of XenSource by Citrix, and then served as CTO of the Virtualization & Management Division at Citrix. Previously, Simon was a principal engineer at Intel where he led ...

User Rank: Apprentice
8/3/2016 | 4:08:26 PM
Re: In my humble opinion
You're presuming that crypto-malware gets onto your machine and starts its nasty business of encryption. What do you do if it simply lies dormant for a day, a week, or a month and then proceeds to destroy your machine?

And yes, for an Enterprise these are the types of attacks that keep people like me awake at night. Even if you have backups (on-site, off-site, cloud, etc), something there might have been compromised beforehand.

Don't get lulled into a false sense of security.
Olaf Barheine
User Rank: Apprentice
8/1/2016 | 8:49:07 AM
In my humble opinion
Crypto malware is not really a problem for me. My solution is quite simple: I always have a copy of my hard disk in my desk. And every day I make a backup of my data. Thus, after a successful attack it would take perhaps 10 minutes and I could continue with my work. But sure, in bigger companies it could be more complicated.
