You might be surprised to learn that just about every reputable antivirus product on the market can reliably stop the majority of ransomware families. In fact, most ransomware authors don’t even try to hide their ransomware through obfuscation or packing, which makes detection fairly straightforward for good antivirus solutions.
Why then are so many organizations still falling to ransomware? The issue isn’t so much about the capabilities of your antivirus software, nor is it really about ransomware – it’s about what attackers can do after compromising your network.
In this blog post, we’re going to show you exactly how ransomware attackers evade your security solutions, what happens during a post-compromise attack and what you can do to secure your network.
The shift to post-compromise deployment
Historically, ransomware groups have taken a shotgun approach to attacks. They used spam campaigns, hacked websites and exploit kits to indiscriminately deliver ransomware to as many targets as possible and demanded a relatively modest three-digit ransom to decrypt files. It was a quantity over quality game, and attackers didn’t spend much time, if any, investigating victims’ networks before deploying their ransomware.
However, this has changed dramatically over the last couple of years as threat actors have shifted toward more selective and sophisticated post-compromise attacks. While the initial intrusion methods have largely stayed the same (with the notable addition of attacks on Internet-exposed RDP services), attackers now spend time gathering information about the target network before deploying the ransomware payload. The median dwell time, defined as the length of time between the initial compromise and its detection, is 56 days, according to FireEye's M-Trends 2020 report.
Careful reconnaissance allows threat actors to maximize the impact of an attack and the corresponding ransom amount. But what exactly are attackers doing during these 56 days?
- Studying the compromised network to get a better understanding of which servers and workstations to hit to maximize impact.
- Installing malware that allows attackers to communicate with and control infected machines.
- Harvesting credentials and escalating privileges in order to move laterally to other machines on the network.
- Exfiltrating corporate data, which can be used to extort victims or sold on the black market.
- Figuring out which backup mechanisms are in place and how to ensure the backups are destroyed during the attack.
Importantly, post-compromise attacks also give threat actors time to assess a target's security controls and disable them before the ransomware payload is delivered. After obtaining administrative privileges, attackers can switch off protection from the security product's own management console, add the ransomware executable or its staging directory to the exclusion list, or simply stop the protection service, so that the final payload is never inspected. In other words, the antivirus is not bypassed by clever malware; it is switched off by someone holding your administrator credentials.
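The tampering and backup destruction described above leave traces in the event log well before any file is encrypted. The following detection logic is an added example, not code from the original post: it assumes Windows Defender operational events and Sysmon process-creation events have already been collected into plain dicts by a log agent, and it runs over a small constructed sample. The event IDs (Defender 5001 for real-time protection disabled, 5007 for a configuration change whose message names the changed registry value, Sysmon 1 for process creation) are real; the host names, paths and command lines in the sample are made up for the example.

```python
"""Flag security-tool tampering and backup destruction in Windows event data.

Added example, not code from the original post. Assumes events are dicts with
the provider name, event ID, host and the relevant message fields, as a SIEM
agent would deliver them. Event IDs relied on:
  - Microsoft-Windows-Windows Defender/Operational 5001 (real-time protection
    disabled) and 5007 (configuration changed; the message names the registry
    value, so a new entry under ...\Windows Defender\Exclusions\ is an exclusion)
  - Microsoft-Windows-Sysmon event 1 (process creation, carries the command line)
"""
import re

# Commands attackers run to make sure backups cannot be used for recovery.
BACKUP_DESTRUCTION = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "shadow copies deleted via vssadmin"),
    (re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
     "shadow storage resized (evicts existing shadow copies)"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "shadow copies deleted via WMIC"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
     "Windows Backup catalog deleted"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
     "Windows recovery disabled via bcdedit"),
]
# A 5007 message whose changed value lives under the Exclusions key is a new exclusion.
EXCLUSION_PATH = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)


def detect(events):
    """Return (host, description) tuples for every suspicious event, in input order."""
    alerts = []
    for ev in events:
        provider, event_id = ev["provider"], ev["event_id"]
        if provider == "Microsoft-Windows-Windows Defender":
            if event_id == 5001:
                alerts.append((ev["host"], "Defender real-time protection disabled"))
            elif event_id == 5007 and EXCLUSION_PATH.search(ev.get("message", "")):
                alerts.append((ev["host"], "Defender exclusion added: " + ev["message"]))
        elif provider == "Microsoft-Windows-Sysmon" and event_id == 1:
            cmd = ev.get("command_line", "")
            for pattern, why in BACKUP_DESTRUCTION:
                if pattern.search(cmd):
                    alerts.append((ev["host"], f"{why}: {cmd}"))
                    break  # one alert per process, even if several patterns match
    return alerts


# Constructed sample: a benign admin script on one host, then the pre-encryption
# sequence (exclusion, protection off, shadow copies gone, recovery off) on a file server.
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1, "host": "WS01",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5007, "host": "FS01",
     "message": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\upd = 0x0"},
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5001, "host": "FS01",
     "message": "Real-time Protection scanning for malware was disabled."},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1, "host": "FS01",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1, "host": "FS01",
     "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
]


def run_example():
    """Run the detector over the constructed sample."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, description in run_example():
        print(f"[{host}] {description}")
```

Event 5007 also fires for legitimate configuration changes, so the exclusion alert needs to be reconciled against change records rather than paged on blindly; the value of the sequence above is that all four signals land on the same host within minutes, which an administrator doing routine maintenance does not produce. Because an attacker with administrative rights can clear these logs on the endpoint, the events should be forwarded off the host as they are written.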
The most common attack vectors for ransomware
Ransomware is a symptom of a larger, systemic issue, and should be viewed as what it really is: a currently popular way to monetize compromised networks, just as cryptojacking, password stealing and financial fraud once were.
With this in mind, organizations should focus on detecting and blocking the initial point of compromise rather than investing in ransomware-specific protection. Organizations should pay particular attention to the biggest ransomware attack vectors, which include:
- Weak credentials: Weak login credentials are responsible for many ransomware incidents. Threat actors typically run brute-force or credential-stuffing tools against Internet-exposed remote desktop protocol (RDP) services, and a single guessed password gives them an interactive session inside the organization's network.
- Vulnerabilities: Attackers frequently take advantage of known, unpatched software vulnerabilities to gain unauthorized access to the network. Software that provides remote access (VPN appliances, RDP gateways, remote management tools) carries a particularly high level of risk because it is reachable from the Internet by design.
- Human error: Threat actors commonly use social engineering methods such as spear phishing to gain access to corporate networks. These attacks typically aim to trick the user into opening a malicious macro-embedded attachment, which deploys malware that gives the attackers a foothold from which to pivot to other parts of the network.
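Of the three vectors, the RDP brute-force route is the easiest to see coming, because every guess is written to the Security log of the target. The following is an added example, not code from the original post: it assumes Security events 4625 (failed logon) and 4624 (successful logon) have been collected into dicts with a timestamp, account, source address and logon type, and it runs over a constructed sample. The time window, the failure threshold and the baseline of "known" source addresses per account are assumptions to be tuned for your own environment.

```python
"""Spot RDP password brute-forcing and risky remote logons in Windows Security events.

Added example, not code from the original post. Assumes Security log events 4625
(failed logon) and 4624 (successful logon) are available as dicts with the
timestamp, target account, source address and logon type. Logon type 10 is
RemoteInteractive (RDP). Caveat: when Network Level Authentication is enabled,
failed RDP attempts are recorded with logon type 3, because the CredSSP
pre-authentication is a network logon; failures are therefore counted per
source address regardless of logon type.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: sliding window for counting failures
THRESHOLD = 20                  # assumption: failures from one source inside WINDOW


def analyze(events, known_sources):
    """events: logon events in time order.
    known_sources: {account: set(source_ip)} learned from earlier history.
    Returns a list of (kind, source_ip, account, detail) alerts."""
    seen = {user: set(ips) for user, ips in known_sources.items()}
    recent_failures = defaultdict(deque)  # source_ip -> timestamps of 4625s inside WINDOW
    flagged = set()                       # sources already reported as brute-forcing
    alerts = []
    for ev in events:
        ts, ip, user = ev["time"], ev["ip"], ev["user"]
        if ev["event_id"] == 4625:
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:     # drop failures that fell out of the window
                q.popleft()
            if len(q) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user,
                               f"{len(q)} failed logons within {WINDOW}"))
        elif ev["event_id"] == 4624:
            # A success from a source that was just guessing is the intrusion itself.
            if ip in flagged:
                alerts.append(("brute_force_success", ip, user,
                               "logon succeeded after a failure burst"))
            # An RDP logon from an address this account has never used is a risky logon
            # worth challenging (step-up authentication) even without a preceding burst.
            if ev["logon_type"] == 10 and ip not in seen.get(user, set()):
                alerts.append(("new_rdp_source", ip, user,
                               "RDP logon from an address never seen for this account"))
            seen.setdefault(user, set()).add(ip)
    return alerts


def sample_events():
    """Constructed Security events: 25 failures against 'administrator' from one
    Internet address inside two minutes, then a success from it; plus one routine
    RDP logon and one RDP logon from an address the account has not used before."""
    t0 = datetime(2021, 3, 1, 2, 14, 0)
    events = [{"time": t0 + timedelta(seconds=5 * i), "event_id": 4625,
               "user": "administrator", "ip": "203.0.113.7", "logon_type": 3}
              for i in range(25)]
    events += [
        {"time": t0 + timedelta(minutes=3), "event_id": 4624, "user": "administrator",
         "ip": "203.0.113.7", "logon_type": 10},
        {"time": t0 + timedelta(minutes=4), "event_id": 4624, "user": "alice",
         "ip": "10.0.0.5", "logon_type": 10},
        {"time": t0 + timedelta(minutes=6), "event_id": 4624, "user": "bob",
         "ip": "198.51.100.9", "logon_type": 10},
    ]
    return events


# Constructed baseline of source addresses each account has used before.
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.8"}}


def run_example():
    """Run the analysis over the constructed sample."""
    return analyze(sample_events(), KNOWN_SOURCES)


if __name__ == "__main__":
    for kind, ip, user, detail in run_example():
        print(f"{kind:20} {ip:15} {user:15} {detail}")
```

The brute-force rule alone reports the attack only while it is in progress; the "success after a burst" alert is the one that should page someone, because at that point the attacker has the interactive session the post describes. The never-seen-source check gives the same answer for a credential that was phished or bought rather than guessed, which is why detecting risky logins matters independently of brute-force counting. Either way the real fix is the one the post recommends: no RDP exposed to the Internet, MFA in front of what remains, and account lockout so the burst never reaches 25 attempts.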
Protecting against post-compromise ransomware attacks
Organizations shouldn’t rely exclusively on specialized ransomware protection products because, as we’ve learned, ransomware isn’t the core problem. Instead, organizations should focus on preventing the initial point of infection, using proven cybersecurity practices to minimize the risk of compromise.
Below is a non-comprehensive list of cybersecurity best practices that can help protect the network against compromise and, by extension, post-compromise ransomware attacks.
- Multi-factor authentication (MFA): MFA requires users to provide more than one form of authentication to prove their identity, making it one of the most effective ways of combating compromised credentials. MFA should ideally be implemented wherever possible, with particular attention given to administrator accounts, Internet-facing systems and valuable data repositories. Access to antivirus software settings should also be secured with MFA, which can be easily implemented in cloud-based antivirus management platforms such as Emsisoft Management Console.
- Credential hygiene: To reduce the risk of compromised credentials, organizations must practice good credential hygiene. Passwords used throughout the network should be long, unique and random, and never shared between accounts, systems or local administrator accounts on different machines. Organizations should also have systems in place to detect and challenge risky logins, such as login attempts coming from new locations, unfamiliar devices or Tor exit nodes, and should enforce account lockout so that password guessing against exposed services cannot continue indefinitely.
- Patch management: Threat actors frequently take advantage of vulnerable software to remotely execute malicious code or escalate privileges after compromising a network. All organizations should have an effective patch management strategy in place that ensures security updates are applied quickly (ideally within the first week of the patch release).
- System hardening: System hardening reduces a system's attack surface and removes the tools attackers rely on after the initial compromise. Depending on the needs of the organization, it may be possible to lock down or remove superfluous and frequently abused components such as RDP, Windows Script Host and Microsoft Office macros. PowerShell is usually needed by administrators and cannot simply be removed, but it can be restricted to the accounts that need it and its script block logging enabled, so that its abuse is at least visible.
- Endpoint malware protection: As noted earlier, most reputable endpoint antivirus solutions can reliably detect and stop most ransomware families. Malware protection software should be installed and regularly updated on all endpoints in an organization.
- Principle of least privilege: The principle of least privilege stipulates that every user should have only the access privileges required to perform their job. In practice this means, among other things, that day-to-day accounts are not local administrators and that domain administrator credentials are never used on ordinary workstations, where they can be harvested. Implementing this principle across the network makes lateral movement more difficult and prevents attackers from gaining access to critical systems or data after compromising a user's account or device.
- Network segmentation: Network segmentation allows for better security and access control, and can help prevent unauthorized users from accessing specific network resources. Should the perimeter be breached, good network segmentation can also stop malware propagating across the network and prevent attackers from easily pivoting from one system to another.
Modern ransomware is typically deployed post-compromise, which allows threat actors to learn more about the target system, steal sensitive data, disable security processes and ultimately maximize the impact of an attack.
Reducing the risk of compromise also reduces the risk of ransomware. Thus, the most efficient and cost-effective way to mitigate ransomware attacks is to investigate and address potential network vulnerabilities rather than investing in ransomware-specific protection.