We’ve previously suggested that 2015 may have been the year “ransomware hit the big time,” but attacks involving the malware have only skyrocketed. Since then, some of the biggest ransomware attacks have crippled organizations across the globe, and most recently, 22 cities across the state of Texas have been held hostage for millions of dollars as a result of ransomware attacks.
While cyber swindlers always adjust their attack tactics, they’ve found enormous success with ransomware. But what are security leaders doing wrong and what can they do to get ahead of this threat? There’s no better person to answer those questions than Shawn Kanady, Director at Trustwave SpiderLabs Digital Forensics and Incident Response.
Since the early days of CryptoLocker to WannaCry and modern malware, Kanady has heard and seen it all when it comes to ransomware, so we decided to catch up with him following the recent attacks plaguing Texas to get the latest on these headline-grabbing threats.
Q: Texas has been hit pretty hard this month by ransomware. What has stood out to you the most about these recent attacks?
Shawn Kanady: We’re certainly seeing a lot more targeted attacks when it comes to ransomware in general. I guess the only thing that really stood out in the Texas case is a third-party organization may have been hit first – which isn’t really that surprising because we see supply chain attacks all the time in credit card data breaches. Using these same tactics to deploy ransomware is new and interesting and we can see how the attackers are evolving their strategies to get the biggest payoffs.
Q: Is there anything comparable between these attacks and others you’ve investigated in the past?
SK: It’s all comparable. These types of attacks seem very “rinse and repeat.” In these recent attacks, we are potentially seeing a new methodology for deploying malware but the supply-chain attack tactic is not new. Credentials of the third-party provider are compromised in some manner, then attackers have the keys to the castle in terms of all of these other businesses they service, so bad guys will use their access to then deploy their malware across multiple entities. Although the details haven’t been released just yet, we have seen a rash of modular malware that is part of a botnet used in deploying ransomware of different flavors. By modular I mean it’s a small payload with some simple functions to learn about the system and network it is sitting on and send that information to a C2 system or network of C2 systems. At this point, the attacker can be very precise in delivering another module to the target. This could be ransomware, a banking trojan, POS malware or anything else specific to the type of system it's on.
Q: So this is one of the areas that ransomware has evolved in?
SK: Absolutely! We’re seeing this modular malware more often. Back in the day, the malware that would get deployed would have one purpose. The victim would get a phishing email, the user would then click the link or open up an attachment, and the malware would run. In years prior, that malware would be the ransomware. Now what we’re seeing is that attackers know that the word is out. Companies know that they shouldn’t be paying the ransomware and should be recovering their backups. Once targets began to get smarter on that front the ransomware changed. Now, ransomware targets volume shadow copies and backups.
Today, what’s happening is not everyone is paying, so attackers want to hit the institutions or companies that are going to hurt the most because they’ll be put in a position where they’ll have to pay, like city municipalities or hospitals. If I had to make a prediction, I’d say that hospitals will be impacted the most next. Those types of institutions are put in a position where they have to pay because they have to get back to business because of who they’re serving.
Q: Given the success of ransomware, what are security leaders failing to do?
SK: Patching is still a problem, and it’s IT 101. The malware will always target open vulnerabilities and the problem is that patching is too far behind.
Microsoft puts out Patch Tuesday once a month, and companies need to shorten their patch cycle window—if there is one—to hopefully within 30 days, not after. Bad guys are also looking at those patch updates and seeing what’s vulnerable and developing exploits for them because they know that companies are not patching day one. That’s going to be hard for any company to do because they have to conduct tests to ensure nothing is impacted by the patch, but it has to get done within 30 days.
What we’re seeing a lot of is patch cycles go past 90 days. Another issue related to patching is not being vigilant in the patching of third-party applications (non-Windows). Those open vulnerabilities are going to get attacked. This is a problem that dates back to the first days of computing. Companies really need to put together a solid patch program.
Q: How much of the success of ransomware can be credited to human error?
SK: Ninety percent of the time attackers will always kick off their campaign with a phishing email. They’re looking to take advantage of the human error there, but you’re not going to solve that. There’s nothing in the world to solve it. You can certainly make it a little bit better with security awareness training, which should be more than once a year and on-hire activity.
When I speak to companies about incident response plans and security awareness training, I always suggest for them to gamify the training and reward people for submitting suspected phishing emails. We, unfortunately, live in a shaming culture. So, when users click on a malicious link, they’re afraid to report it because they made a mistake. People are going to make mistakes, but because of that mentality they won’t say anything, and unfortunately, the malware is then deployed.
In the case of modular malware, you may not see anything right away. It’s going to sit there, wait, and the attackers will use it to figure out where they are in the network and possibly pivot. Next thing you know, a month later the final payload will hit. When we conduct our investigation and track it back to the initial infiltration vector, we find that user that clicked and didn’t say anything. Why didn’t they report it? Well, because the company policy is that if you click the link, you’ll face a serious consequence, rather than a “thank you” from IT for alerting them so they and security can address it right away.
Q: Are there any particular misconceptions tied to ransomware by security leaders?
SK: I don’t know if this is a misconception, but one of the problems I’m constantly seeing is security leaders becoming hyper-focused on ransomware. They’ll do anything to prevent ransomware when really, they should be protecting themselves from all malware.
Ransomware may hurt the most, but what we’re seeing now with this modular malware, the ransomware is not the initial piece of malware. So, if you’re only hyper-focused on the Ryuk ransomware, well then, you’re putting your focus and effort on the wrong place. You need to be focused on the part that brings on the Ryuk, the TrickBot or the Emotet, or one of these other parts that are part of a botnet.
The ransomware is just the end payload. You need to focus on how the attacker got in. When everything gets sensationalized, people get hyper-focused. Last year a lot of people were obsessed with cryptominers, so that’s all they looked at. Even now I’ve had discussions with security leaders wanting to conduct tabletops with the sole focus being ransomware because it’s in the news a lot. But that’s just one element.
Q: Given these recent attacks, what do you think we’ll be seeing more of when it comes to ransomware?
SK: Certainly, what we’re seeing now is municipalities and city systems being affected. These are low-budget systems that probably have very loose IT and security and are easy wins for attackers. But if attackers are taking any lessons, and I certainly don’t want to give them any advice, but if they were taking any lessons from the WannaCry problem that hit hospitals, I would think that they would be a prime target next.
They’re crushing systems owned by entities that have to get back online. Right now, we’re seeing cities get hit where you have police and fire departments and utilities that have to get back online. If you look at it from the WannaCry lens, where hospitals were hit badly, they are forced to pay because then we’re talking about impacting people’s lives. Unfortunately, hospitals aren’t always the most secure and have IT staffing issues.
Given the increasing threat posed by ransomware, Kanady advises security leaders to focus on the following seven areas:
- Back Up Your Data
Have an online backup, but also keep an offline copy of it as well.
- Inventory Your Systems
Conduct an IT audit of your systems. Make sure that anything that’s legacy or something that can’t be patched (like a Windows 2003 server) is isolated and highly monitored because it will be your biggest liability.
- Conduct Continuous Awareness Training
Keep your security awareness training up because humans are the weakest link.
- Implement a Patch Cycle Program
Have a good patch management program where you’re patching within 30 days. Make sure that third-party apps are also patched.
- Perform Application Whitelisting
This is a huge factor in these types of attacks. This goes beyond just ransomware and covers even those malicious downloaders. Application whitelisting means you only allow the applications that you know about to run on your systems.
- Deploy an EDR Solution
Baselining your systems and keeping aware of any new or rogue processes on your systems will curb those first-stage pieces of malware from going by unnoticed and causing more harm.
- Secure Email Gateway Solution
A strong secure email gateway solution will go a long way in protecting what is commonly the initial infiltration vector by removing malicious emails from the user's mailbox.
- Initiate a Proactive Threat Hunt
To have a great defense in place, sometimes you have to go on the offense. Initiating a proactive threat hunt is a proven methodology to identify ransomware threats.
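
A minimal sketch of the baselining and threat-hunt advice above, added here as an illustration and not taken from Trustwave or any EDR product: it flags process launches that are absent from a known-good baseline, flags attempts to delete volume shadow copies or backup catalogs, and measures how long the first stage sat on a host before that happened. The event layout, host names, the `updater32.exe` binary and the baseline contents are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed baseline: (parent, child) process pairs seen in a known-good period.
BASELINE = {("explorer.exe", "outlook.exe"), ("outlook.exe", "winword.exe"),
            ("services.exe", "svchost.exe")}

# Built-in Windows tools asked to delete shadow copies or the backup catalog.
BACKUP_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE)

# Constructed process-creation events: (time, host, parent, image, command line).
EVENTS = [
    ("2019-07-20T09:02:11", "ws-014", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("2019-07-20T09:05:40", "ws-014", "outlook.exe", "winword.exe", "winword.exe invoice.doc"),
    ("2019-07-20T09:05:52", "ws-014", "winword.exe", "updater32.exe", "updater32.exe"),
    ("2019-07-21T03:00:00", "srv-02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("2019-08-19T02:14:07", "ws-014", "updater32.exe", "vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
]


def hunt(events, baseline):
    """Return findings as (time, host, reason, command line), oldest first."""
    findings = []
    for ts, host, parent, image, cmd in sorted(events):
        if BACKUP_TAMPER.search(cmd):
            findings.append((ts, host, "backup-tamper", cmd))
        elif (parent.lower(), image.lower()) not in baseline:
            findings.append((ts, host, "not-in-baseline", cmd))
    return findings


def dwell_days(findings, host):
    """Days from a host's first unbaselined process to its first backup tampering."""
    first = {}
    for ts, h, reason, _ in findings:
        if h == host:
            first.setdefault(reason, datetime.fromisoformat(ts))
    if len(first) < 2:
        return None
    return (first["backup-tamper"] - first["not-in-baseline"]).days


if __name__ == "__main__":
    results = hunt(EVENTS, BASELINE)
    print(*results, sep="\n")
    print("ws-014 dwell in days:", dwell_days(results, "ws-014"))
```

In the constructed data the unbaselined process appears weeks before the backup tampering, which is the window in which a baseline alert or a user report lets responders act before the final payload.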
Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.