EXECUTIVE SUMMARY

SophosLabs has published an informative 2020 Threat Report to help readers defend people and systems from attacks.

According to Sophos, every year criminals adapt to the best defenses that operators and vendors in the industry can field. At the same time, defenders must protect systems and processes into which new functionality (read: attack surface) is constantly being introduced, and on whose operation the world is ever more dependent.

Ransomware attackers raise the stakes

Ransomware affects an accelerating number of victims every year, but it has an Achilles' heel: encryption is a time-consuming process, bounded by the processing power of the host machine's CPU. Suitably strong encryption algorithms take time to securely encrypt the data on a whole hard drive. Ransomware authors know this, so their code is at least as concerned with optimizing the attack and evading detection by modern security tools as it is with the encryption itself.

Ransomware attackers seem to have developed a keen understanding of how network and endpoint security products detect or block malicious activity. With evasion a priority, these attacks always begin with an attempt to thwart security controls, though with varying levels of success. Once the attack succeeds, the attackers have a greater chance of earning a payment when it takes out just enough unrecoverable data to make paying the ransom worthwhile for the victim.

But ransomware has other behaviors and traits that modern security software can zero in on to determine whether an application is acting maliciously. Some traits are hard for attackers to change, like the successive encryption of documents. Others can be changed or added, and attackers use that freedom to confuse some anti-ransomware protections.

Ways ransomware gets into systems

Using our management tools against us:

Managed service providers (MSPs) and other companies use remote monitoring and management (RMM) solutions to manage their customers' IT infrastructure and/or end-user systems. RMM solutions typically run with high privileges and, once breached, give a remote attacker "hands on keyboard" access, which is how many data hostage situations begin. With this access, attackers can easily distribute ransomware across networks remotely, potentially hitting multiple MSP customers at once.

Attacker code appears “trusted” while attackers elevate privileges:

While it is good practice to give user accounts, and therefore the applications they run, limited access rights, in today's threat landscape that alone doesn't help much. Even if the logged-in user has standard, limited privileges and permissions, today's ransomware may use a User Account Control (UAC) bypass or exploit a software vulnerability such as CVE-2018-8453 to elevate privileges. Active adversaries who attack the network interactively will also capture an administrative credential so that the ransomware's encryption runs under a privileged domain account whose rights meet or exceed the file access permissions needed, maximizing the damage.

Attackers may also try to minimize detection by digitally signing their ransomware with an Authenticode certificate, so that the binary appears to come from a legitimate publisher.

Thriving off the security industry’s best tools:

  • To automatically distribute ransomware to peer endpoints and servers, adversaries leverage a trusted dual-use utility such as PsExec from Microsoft Sysinternals. The attacker crafts a script that lists the collected target machines and combines it with PsExec, a privileged domain account, and the ransomware; the script then successively copies the ransomware to each peer machine and executes it. Depending on the number of machines targeted, this completes in less than an hour. By the time the victim spots what is going on it is too late, since these attacks typically happen in the middle of the night while IT staff are asleep.
  • As an alternative to PsExec, active adversaries have also been seen pushing logon or logoff scripts via a Group Policy Object (GPO), or abusing Windows Management Instrumentation (WMI), to mass-distribute ransomware inside the network.
  • Some ransomware abuses Windows PowerShell to pull in a PowerShell script from the internet that is set to start the ransomware automatically after several days, making the attack appear to come out of nowhere. In this scenario the actual file encryption is performed by the trusted Windows POWERSHELL.EXE process, so endpoint protection software sees a trusted application modifying the documents.
  • To achieve the same goal, ransomware may inject its malicious code into a trusted running process like SVCHOST.EXE, or use the Windows RUNDLL32.EXE application, so that documents are encrypted from a trusted process. This tactic can thwart anti-ransomware solutions that do not monitor, or are configured to ignore, encryption activity by default Windows applications.
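
The fan-out described in the first two bullets leaves a recognizable trail: one privileged account causing remote execution on many hosts within minutes, usually at night. The following is an added detection example (not code from Sophos or from the report) that runs over constructed event records. The records are simplified dicts loosely modelled on Windows event fields (System event 7045 "service installed", Security event 4688 "process created"); the field names, host names, accounts and thresholds are assumptions made for the demonstration. The indicators themselves are real: PsExec installs a service named PSEXESVC by default and its payload is spawned by PSEXESVC.exe, while WMI-launched processes have WmiPrvSE.exe as their parent.

```python
"""Spot PsExec / WMI style mass distribution in endpoint event records.

Added example with constructed data: the records are simplified dicts
loosely modelled on Windows event fields (System 7045 "service installed",
Security 4688 "process created"), not real logs. Indicators:
  * 7045 installing a service named PSEXESVC (PsExec's default name; the
    -r option renames it, so this indicator alone is not sufficient)
  * 4688 whose parent image is PSEXESVC.exe (PsExec) or WmiPrvSE.exe (WMI)
One account producing these on many distinct hosts within a short window is
the fan-out the report describes.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}
MIN_HOSTS = 5              # distinct hosts before we alert (tune per estate)
WINDOW_SECONDS = 15 * 60   # fan-out window


def is_remote_exec(ev):
    """True if the record looks like remote execution via PsExec or WMI."""
    if ev["event_id"] == 7045:
        name = ev.get("service_name", "").lower()
        image = ev.get("image_path", "").lower()
        return name == "psexesvc" or image.endswith("psexesvc.exe")
    if ev["event_id"] == 4688:
        parent = ev.get("parent_process", "").rsplit("\\", 1)[-1].lower()
        return parent in REMOTE_EXEC_PARENTS
    return False


def detect_fan_out(events):
    """Return one alert per account that touched >= MIN_HOSTS distinct hosts
    through remote execution inside WINDOW_SECONDS."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_remote_exec(ev):
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        window = deque()
        for ev in evs:
            window.append(ev)
            while ev["ts"] - window[0]["ts"] > WINDOW_SECONDS:
                window.popleft()
            hosts = {w["host"] for w in window}
            if len(hosts) >= MIN_HOSTS:
                hour = datetime.fromtimestamp(window[0]["ts"], tz=timezone.utc).hour
                alerts.append({
                    "account": account,
                    "first_ts": window[0]["ts"],
                    "hosts": sorted(hosts),
                    "off_hours": hour < 6 or hour >= 22,   # UTC; adjust to site time zone
                })
                break
    return alerts


def constructed_events():
    """Hand-built records for the demo (not real telemetry)."""
    night = datetime(2020, 1, 15, 2, 30, tzinfo=timezone.utc).timestamp()
    noon = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc).timestamp()
    events = []
    # Attacker: one privileged domain account pushes a payload to eight hosts in ~4 minutes.
    for i in range(8):
        host = f"WS-{i:02d}"
        events.append({"ts": night + 30 * i, "host": host, "event_id": 7045,
                       "account": "CORP\\svc-backup", "service_name": "PSEXESVC",
                       "image_path": "%SystemRoot%\\PSEXESVC.exe"})
        events.append({"ts": night + 30 * i + 2, "host": host, "event_id": 4688,
                       "account": "CORP\\svc-backup",
                       "parent_process": "C:\\Windows\\PSEXESVC.exe",
                       "new_process": "C:\\Windows\\Temp\\update.exe"})
    # Helpdesk: legitimate PsExec use against two hosts at noon, below threshold.
    for i, host in enumerate(["WS-20", "WS-21"]):
        events.append({"ts": noon + 60 * i, "host": host, "event_id": 7045,
                       "account": "CORP\\helpdesk1", "service_name": "PSEXESVC",
                       "image_path": "%SystemRoot%\\PSEXESVC.exe"})
    # Background noise: an ordinary process launch from Explorer.
    events.append({"ts": noon, "host": "WS-20", "event_id": 4688, "account": "CORP\\ana",
                   "parent_process": "C:\\Windows\\explorer.exe",
                   "new_process": "C:\\Windows\\notepad.exe"})
    return events


if __name__ == "__main__":
    for alert in detect_fan_out(constructed_events()):
        print(alert)
```

The point of the rule is that it keys on the fan-out (one account, many hosts, short window) rather than on any single indicator: the helpdesk account's two legitimate PsExec sessions stay below the threshold, and an attacker who renames the PsExec service with -r or switches to WMI still produces the same host-count pattern. The off-hours flag is only supporting context and assumes timestamps in UTC.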

Efficiency and prioritization give ransomware attackers an edge:

To ensure victims pay the ransom, ransomware will try to:

  • Encrypt as many documents as possible, sometimes risking, or even purposely crippling, the endpoint. These documents can be stored on local fixed and removable drives as well as on mapped remote network shares.
  • Prioritize certain drives or document sizes to ensure success before being caught by endpoint protection software or noticed by victims. For example, ransomware may be programmed to encrypt several documents at the same time using multiple threads, to prioritize smaller documents, or to attack documents on mapped remote shares first.
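
The trait the report singles out as hard for attackers to change is the successive encryption of many documents, and the bullets above add that it is done quickly, often from a mapped share and from a trusted-looking process such as SVCHOST.EXE or POWERSHELL.EXE. The following is an added example (not code from Sophos or the report) of a behavioral rule that keys on exactly that: any process that writes high-entropy content to many distinct documents within a short window is flagged, whatever its name. The FileWrite record format, the sample events, the document extension list and the thresholds are all assumptions constructed for the demonstration.

```python
"""Flag ransomware-like encryption by behaviour, not by process name.

Added example with constructed data. Each FileWrite stands for one write an
endpoint agent observed; the record format and all events are made up.
The rule: a process that rewrites many distinct documents with high-entropy
content in a short window is flagged, whether it is called evil.exe,
svchost.exe, rundll32.exe or powershell.exe.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib
import math

DOC_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg")
ENTROPY_THRESHOLD = 7.0   # bits/byte; text is ~4-5, ciphertext approaches 8
MIN_DOCS = 5              # distinct documents rewritten before alerting
WINDOW_SECONDS = 10.0


@dataclass
class FileWrite:
    ts: float        # seconds since epoch
    pid: int
    process: str     # image name as reported by the agent
    path: str        # path after the write; ransomware often appends e.g. ".locked"
    data: bytes      # sample of the bytes written


def shannon_entropy(data):
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_document(path):
    """True if a document extension occurs anywhere in the file name, so that
    'report.docx.locked' still counts as the document 'report.docx'."""
    name = path.rsplit("\\", 1)[-1].lower()
    return any(ext in name for ext in DOC_EXTENSIONS)


def detect_mass_encryption(events):
    """Return {(pid, process): ts} for processes that wrote high-entropy data to
    >= MIN_DOCS distinct documents within WINDOW_SECONDS; process name is ignored."""
    per_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if is_document(e.path) and shannon_entropy(e.data) >= ENTROPY_THRESHOLD:
            per_proc[(e.pid, e.process)].append(e)
    flagged = {}
    for key, evs in per_proc.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e.ts - window[0].ts > WINDOW_SECONDS:
                window.popleft()
            if len({w.path for w in window}) >= MIN_DOCS:
                flagged[key] = e.ts
                break
    return flagged


def pseudo_random_bytes(seed, n):
    """Deterministic stand-in for ciphertext (SHA-256 counter stream)."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]


def constructed_events():
    """Hand-built write events for the demo (not real telemetry)."""
    events = []
    # Word saving the same .docx twice: high entropy (it is a zip) but one document.
    for t in (0.0, 30.0):
        events.append(FileWrite(t, 4100, "WINWORD.EXE",
                                "C:\\Users\\ana\\Documents\\memo.docx",
                                pseudo_random_bytes("memo", 1024)))
    # Notepad writing plaintext: low entropy.
    events.append(FileWrite(1.0, 5200, "notepad.exe", "C:\\Users\\ana\\notes.txt",
                            b"Quarterly figures to review on Monday. " * 30))
    # Injected code in svchost.exe rewriting eight documents on a mapped share in 3 s.
    for i in range(8):
        events.append(FileWrite(100.0 + 0.4 * i, 812, "svchost.exe",
                                f"Z:\\Finance\\report-{i}.xlsx.locked",
                                pseudo_random_bytes(f"report-{i}", 1024)))
    return events


if __name__ == "__main__":
    for (pid, proc), ts in detect_mass_encryption(constructed_events()).items():
        print(f"ALERT pid={pid} process={proc} at t={ts}")
```

Two design points matter here. Entropy alone is a weak signal, because modern Office formats are zip containers and legitimately look like ciphertext, so the rule counts distinct documents per process within a window rather than reacting to one high-entropy write. And the process name is deliberately not consulted: the whole purpose of the injection and PowerShell tricks described above is to make a trusted name do the writing, so an allow-list keyed on SVCHOST.EXE or POWERSHELL.EXE is exactly the blind spot the attackers are aiming for.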

CONCLUSION

While 100% security is impossible, the following measures help protect your systems against ransomware attacks:

  • One way ransomware attacks get into systems, as described above, is through compromised management tools and elevated privileges. To counter this, enable multi-factor authentication (MFA) on central management tools such as RMM consoles, and leave tamper protection on endpoint protection software enabled so that attackers cannot simply switch it off.
  • Keep software and operating systems updated, since unpatched vulnerabilities create avenues for attackers into your systems.
  • Back up data: if you experience a ransomware attack, your data remains safe if it is backed up. Keep a copy on an external hard drive, but do not leave it connected to your computer when not in use. If the drive is plugged in, or reachable as a mapped share, when you become a victim, its contents will be encrypted too.
  • Avoid downloading unnecessary apps that you have no use for or do not trust, especially from unknown websites.
  • Avoid clicking links in spam emails or on unfamiliar websites. Downloads that start when you click a malicious link are one way your computer can get infected. Once the ransomware is on your computer, it will encrypt your data or lock your operating system.
  • Do not open email attachments from senders you do not trust. Check who the email is from and confirm that the address is correct. Assess whether an attachment looks genuine before opening it; if you are not sure, contact the person you think sent it and double-check.