Tuesday, September 6, 2016

The Evolution of Ransomware and What You Can Do To Fight It [feedly]

The Evolution of Ransomware and What You Can Do To Fight It

-- via my feedly newsfeed

  • Ransomware is this year's most buzz worthy malware story.
  • Access is easy – your end users simply click on something that appears trusted and the bad guys are in.
  • While old methods attempt to stop the threat, we offer a different approach that will protect your data and your network.

The cybercriminal world is not much different from the commercial industry.

Just like you, bad guys are continuously trying to accelerate their business and get closer the customer so they can maintain their competitive edge. Yep, they may not have a Board of Directors, but they do have business requirements and that pushes them to create new avenues for getting ahead.

Get it: Technical whitepaper on ransomware.

Upping their game.

Not too long ago you would hear about or be a victim of money mules, who'd commit fraud with stolen credit cards for a fee. Then an industrious cybercriminals came up with the idea of cutting-out the middle-man (the money mule) and ransomware was born. It delivered a more direct, higher paying gain. If you are not too familiar with what ransomware is, Microsoft has a good explanation.

Even though ransomware started becoming more popular for cybercriminals in 2013, it was catapulted to fame earlier this year when a Los Angeles hospital was crippled by an attack for a few days until they eventually paid the $17,000 to regain access to their patient files.

Like most threats for the last 20 years, ransomware relies on the weakest link in your enterprise security strategy—the end user. It's usually delivered via an email as a malicious attachment – like an invoice or travel itinerary – something that looks innocuous and like a regular business communication. It can also happen when someone visits a compromised website, which in most cases is a legitimate website that the end user would normally visit, but has been infected with malware. There's absolutely no way to know the site has been compromised.

The definition of madness is doing the same thing and expecting different results.

There are a multitude of recommended strategies to protect your organization from ransomware. Some include things like regularly backing-up your files, disabling macros, reducing admin rights, patching often, exercising caution when opening email attachments and making sure your anti-virus is up-to-date.

But if you consider all these steps, the big news is you are basically doing the same thing everyone's been doing for the last 20 years. And it doesn't work (we're pretty darn sure this new idea won't either).

Changing the game: it's time for a different approach.

We believe it's time to change the game based on guiding principles that the industry has come accept:

  • There will always be software vulnerabilities
  • Malicious code and threats will always exist
  • You will get owned; you cannot anticipate an adversaries next move

Taking these principles into consideration, it creates an interesting conundrum. How can I protect my business against ransomware (or any other threat today) given the fact that 99% of malware morphs into new, undetectable variants in under a minute?

The answer is actually very simple; you let it run!

You let it run with one critical caveat. And that's the difference.

You deploy a CPU-enforced and isolated environment that traps the malware – it cannot escape – and then while it runs, it is fully monitored. That's right: the ransomware and anything else that is not trusted is contained. The detailed forensics information – including the full kill chain analysis – is then used to automatically hunt across the entire enterprise network to identify any related IOCs.

The Bromium difference.

Cybercriminals take advantage of soft targets all the time. One example is Human Resources opening resumes for review. In the following example, Cryptolocker is embedded in a resume that someone in HR opened. Thankfully, they were using Bromium to protect their machine. When the word document was opened, it was opened in a secure enclave completely isolated from the system.

The next screenshot shows the Cryptolocker ransom note. Had this been not been protected by Bromium, the user would have two choices, pay up or lose all their data. With Bromium, the ransom note is annoying as a mosquito – with some virtual insect repellent, it will be gone.

As soon as the document is closed, the micro-virtual machine (VM) where the ransomware executed its payload, is terminated and discarded with no impact to the host system or compromise to the system.

The security team also received a full trace of the kill chain so they could use it to hunt across the entire enterprise network. The attack was a complete fail and the network was protected.

And we'd like to imagine somewhere, there's a cybercriminal getting terminated for poor job performance.

No comments:

Post a Comment