Turning Back Time on Ransomware

By ISBuzz Team
Writer, Information Security Buzz | Apr 03, 2019 01:45 am PST

Ransomware no longer dominates the malware landscape – but it still has the power to inflict serious disruption. Orli Gan, Head of Product Management and Product Marketing, Threat Prevention at Check Point, looks at why organizations still need to be vigilant about ransomware – and how they can stop attacks from causing damage.

Just when it seemed that ransomware was becoming a thing of the past, it has reared its ugly head again.  While cryptomining malware dominated the malware landscape throughout 2018, replacing ransomware as the most popular method for cybercriminals to earn illicit cash, ransomware didn’t disappear entirely – it just got more targeted.  

Cybercriminals moved away from distributing millions of emails with no specific victim in mind, to carefully planned and targeted ransom attacks. A key example is the recent attack on Norsk Hydro, one of the world’s largest aluminum manufacturers, which showed that ransomware has lost none of its power to cause disruption despite the decline in its usage.

Late in the evening of Monday 18 March, Norsk Hydro was hit by the ‘LockerGoga’ ransomware, a relatively new variant which was first seen in January 2019. The malware forced the company to isolate all plants and operations across the US and Europe, and switch to manual operations and procedures wherever possible. The malware encrypted critical systems, and a ransom payment was demanded.

Even though the company’s actions during the attack have been widely praised as textbook examples of internal and external incident response processes, it still suffered serious disruption. While the company was able to quickly get many systems back to something approaching normal operations, it experienced ‘production challenges and temporary stoppages at several plants’. The company has said it is slowly bringing affected systems back online, but the preliminary cost of the incident has been estimated at 300 – 350 million Norwegian kroner (around $30M).

Basics of ransomware readiness

So how can companies avoid being similarly disrupted by ransomware attacks? The good news is, even highly sophisticated malware attacks can be neutralized and even prevented outright with relatively simple cybersecurity tools and processes. Network segmentation, for example, is easy to implement – it’s a basic principle of intelligent network architecture – but it is incredibly effective at containing the spread of malware, preventing it from moving laterally across networks to infect and scramble other systems.

It’s critical to have good backups of data, which are stored separately from the organization’s main network. This is the only way to ensure that, if the worst happens and a ransomware attack takes hold, critical files and information can be recovered once the infection is removed.

Employee education is also a powerful weapon. Attachments and links should only be opened from truly trusted sources. If a user is asked to run macros on a Microsoft Office file, then the simple answer is – don’t! Macros are frequently used as the trigger for downloading ransomware, so being asked to run them on a simple Office file is a common indicator of a ransomware attack. Spreading this type of awareness should be a core part of employee IT training.

And of course, keeping traditional antivirus and other signature-based protections up to date is critical.  But these measures can still be bypassed by modern ransomware. More advanced protections, such as threat extraction and advanced sandboxing, are needed to reinforce existing defenses.

Preventing infections

Threat extraction works on a simple premise:  the vast majority of ransomware and malware is distributed via email, hidden in the common file types used for business – Word documents, PDFs, Excel spreadsheets and so on. So from a security standpoint, it’s best to assume that any email attachment is always infected – and to extract any potential threat from it before passing it to the user.  Documents attached to emails are deconstructed at the email gateway, and suspicious content (such as macros and external links) removed. The document can then be reconstructed safely and sent onto the intended user. This eliminates the risks from infected files without delaying users’ work.
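As an added illustration of the threat-extraction step described above (example code written for this article, not Check Point's product code): a Word attachment is an OOXML zip package, so a gateway can open it, discard the VBA project and every relationship that points outside the document, and rebuild a clean copy for the user. The sample .docm, its part names and the hypothetical `build_sample_docm`, `extract_threats` and `read_parts` helpers are constructed here; the relationship-type and content-type strings are the real OOXML identifiers.

```python
"""Minimal threat extraction (content disarm and reconstruction) for a Word
OOXML attachment. Added example for this article, not Check Point's product
code; the sample document below is constructed."""
import io
import re
import zipfile

# Real OOXML identifiers: the VBA relationship type and the main-part content
# types that distinguish a macro-enabled .docm from a plain .docx.
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                "wordprocessingml.document.main+xml")

# Self-closing <Relationship .../> entries that point outside the package, or
# at the macro project; the macro parts themselves; and the content-type
# override that advertises them.
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*/>')
VBA_REL = re.compile(r'<Relationship\b[^>]*Type="' + re.escape(VBA_REL_TYPE) + r'"[^>]*/>')
VBA_PART = re.compile(r"^word/(vbaProject\.bin|_rels/vbaProject\.bin\.rels)$")
VBA_OVERRIDE = re.compile(r'<Override\b[^>]*PartName="/word/vbaProject\.bin"[^>]*/>')
# Unwrap <w:hyperlink r:id="..">..</w:hyperlink> so the visible text stays but
# no r:id dangles once its external relationship is gone.
HYPERLINK = re.compile(r"<w:hyperlink\b[^>]*>(.*?)</w:hyperlink>", re.S)


def extract_threats(package: bytes) -> tuple[bytes, list[str]]:
    """Return (sanitized package, list of removed items)."""
    removed: list[str] = []
    src = zipfile.ZipFile(io.BytesIO(package))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if VBA_PART.match(name):                 # 1. drop the macro binary
                removed.append(name)
                continue
            data = src.read(name)
            if name.endswith((".xml", ".rels")):     # binary parts are copied as-is
                text = data.decode("utf-8")
                if name == "[Content_Types].xml":    # 2. demote .docm to .docx
                    text, n = VBA_OVERRIDE.subn("", text)
                    removed += ["content-type:vbaProject"] * n
                    text = text.replace(DOCM_MAIN_CT, DOCX_MAIN_CT)
                elif name.endswith(".rels"):         # 3. cut external/VBA links
                    text, n_ext = EXTERNAL_REL.subn("", text)
                    text, n_vba = VBA_REL.subn("", text)
                    removed += [f"{name}:external"] * n_ext + [f"{name}:vba"] * n_vba
                elif name == "word/document.xml":    # 4. keep link text, lose link
                    text, n = HYPERLINK.subn(r"\1", text)
                    removed += ["hyperlink"] * n
                data = text.encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue(), removed


def read_parts(package: bytes) -> dict[str, bytes]:
    """Helper for inspecting a package: part name -> bytes."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: z.read(n) for n in z.namelist()}


def build_sample_docm() -> bytes:
    """Constructed .docm: one paragraph, an external hyperlink, a VBA part."""
    pkg = "http://schemas.openxmlformats.org/package/2006"
    odoc = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml": (
            f'<Types xmlns="{pkg}/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{DOCM_MAIN_CT}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            "</Types>"),
        "_rels/.rels": (
            f'<Relationships xmlns="{pkg}/relationships">'
            f'<Relationship Id="rId1" Type="{odoc}/officeDocument" Target="word/document.xml"/>'
            "</Relationships>"),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            f'xmlns:r="{odoc}"><w:body><w:p><w:r><w:t>Invoice attached. </w:t></w:r>'
            '<w:hyperlink r:id="rId3"><w:r><w:t>Click here</w:t></w:r></w:hyperlink>'
            "</w:p></w:body></w:document>"),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{pkg}/relationships">'
            f'<Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId3" Type="{odoc}/hyperlink" '
            'Target="http://example.invalid/payload" TargetMode="External"/>'
            "</Relationships>"),
        # Placeholder bytes standing in for an OLE container; not a real VBA project.
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

The user still receives a document that opens and reads the same, only without the macro project and without anything that reaches out to the network; the original can be held back for sandbox analysis rather than discarded. A production implementation would also handle embedded OLE objects, DDE fields and the other Office and PDF containers.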

Advanced sandboxing works in parallel with threat extraction, to detect even unknown malware for which signatures do not yet exist. Sandboxing inspects an incoming file for suspicious elements at the CPU level, below the application or OS layers on the processor, enabling it to see through any evasion techniques built into the malware, and block the potential infection before it can take hold.  

But even these measures are not perfect – no defense can ever be 100% failsafe.  There’s always a slim chance that ransomware could slip through. However, an additional layer of last-ditch protection is available to nullify even the most advanced ransomware that manages to successfully breach the organization’s defenses and start the infection process.

This final defensive line works by monitoring endpoints continually for the behavioral indicators which all ransomware variants follow. These indicators are:

  1. Creating a text document, which will include the ransom message to the user
  2. Deleting, or attempting to delete, all shadow copy and backup files so that information cannot easily be recovered
  3. Starting to encrypt some or all of the files on the machine

These indicators give ransomware forensics tools an opportunity to identify an attack in microseconds and act to mitigate its impact.

Rolling back attacks

These forensics-based ransomware defenses sit on individual machines, monitoring for the tell-tale signs of ransomware described above.  Once ransomware indicators are detected, an infection is nullified using a ‘rollback’ mechanism. This works by creating an instantaneous backup of everything on the machine, but only during the process of infection (rather than creating continuous shadow copy files which, as mentioned, ransomware attempts to seek out).  Then the ransomware is quarantined to block further spread, and the backed-up files, together with the back-up image of the PC, can be used within minutes to replace the files encrypted by the ransomware. This minimizes disruption and enables normal business processes to restart within minutes, rather than days or weeks.  
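To make the three indicators and the rollback mechanism concrete, here is an added toy monitor (example code written for this article, not Check Point's product code, and not how a production agent is built): it scores each process against the ransom-note, shadow-copy-deletion and mass-encryption signals, takes a copy of each file the first time a process overwrites it, and on detection quarantines the process and restores from those copies. The `Event`, `RollbackMonitor` and `run_scenario` names, the thresholds, the event timeline and the file contents are all constructed for the illustration.

```python
"""Toy endpoint monitor for the three ransomware indicators plus 'rollback':
snapshot a file the first time a process writes it, restore from those
snapshots once the process is judged to be ransomware. Added example for
this article, not Check Point's product code; events, paths and file
contents are constructed, and a real agent hooks the kernel, not a dict."""
import math
import re
from dataclasses import dataclass, field

ENCRYPTED_FILES_THRESHOLD = 2   # high-entropy rewrites before 'mass-encryption'
ENTROPY_BITS = 6.0              # bits/byte; ordinary documents sit well below
INDICATORS_TO_ACT = 2           # any two of the three indicators => rollback
RANSOM_NOTE = re.compile(r"(readme|decrypt|how_to|restore)[^/\\]*\.(txt|html?)$", re.I)
SHADOW_WIPE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


@dataclass
class Event:
    pid: int
    kind: str            # "exec" (target = command line), "create" or "write" (path)
    target: str
    data: bytes = b""


@dataclass
class ProcState:
    indicators: set = field(default_factory=set)
    encrypted: set = field(default_factory=set)
    created: list = field(default_factory=list)
    snapshots: dict = field(default_factory=dict)   # path -> bytes before 1st write


class RollbackMonitor:
    def __init__(self, fs: dict[str, bytes]):
        self.fs = fs                      # stand-in for the endpoint's disk
        self.procs: dict[int, ProcState] = {}
        self.quarantined: set[int] = set()
        self.log: list[str] = []

    def handle(self, ev: Event) -> None:
        if ev.pid in self.quarantined:    # a quarantined process gets no more I/O
            self.log.append(f"pid {ev.pid}: blocked {ev.kind} {ev.target}")
            return
        st = self.procs.setdefault(ev.pid, ProcState())
        if ev.kind == "exec" and SHADOW_WIPE.search(ev.target):
            st.indicators.add("shadow-copy-deletion")           # indicator 2
        elif ev.kind == "create":
            self.fs[ev.target] = ev.data
            st.created.append(ev.target)
            if RANSOM_NOTE.search(ev.target):
                st.indicators.add("ransom-note")                # indicator 1
        elif ev.kind == "write":
            # Copy-on-write: keep the pre-write bytes, once per file per process.
            if ev.target in self.fs and ev.target not in st.snapshots:
                st.snapshots[ev.target] = self.fs[ev.target]
            self.fs[ev.target] = ev.data
            if entropy(ev.data) >= ENTROPY_BITS:
                st.encrypted.add(ev.target)
            if len(st.encrypted) >= ENCRYPTED_FILES_THRESHOLD:
                st.indicators.add("mass-encryption")            # indicator 3
        if len(st.indicators) >= INDICATORS_TO_ACT:
            self.rollback(ev.pid)

    def rollback(self, pid: int) -> None:
        """Quarantine the process and put back every file it overwrote."""
        st = self.procs[pid]
        self.quarantined.add(pid)
        for path, original in st.snapshots.items():
            self.fs[path] = original
        for path in st.created:           # remove ransom notes and other droppings
            self.fs.pop(path, None)
        self.log.append(f"pid {pid}: quarantined, restored {len(st.snapshots)} "
                        f"files ({', '.join(sorted(st.indicators))})")


def run_scenario() -> dict:
    """Constructed timeline: a benign editor (pid 41), then ransomware (pid 77)."""
    docs = "C:/Users/ann/Documents/"
    mon = RollbackMonitor({docs + "budget.xlsx": b"Q1 revenue figures",
                           docs + "plan.docx": b"Roadmap draft",
                           docs + "cat.jpg": b"JFIF not really a picture"})
    cipher = bytes(range(256))            # stands in for encrypted output
    for ev in [
        Event(41, "write", docs + "plan.docx", b"Roadmap draft v2"),
        Event(77, "exec", "vssadmin.exe delete shadows /all /quiet"),
        Event(77, "write", docs + "budget.xlsx", cipher),
        Event(77, "write", docs + "plan.docx", cipher[::-1]),
        Event(77, "create", docs + "README_DECRYPT.txt", b"pay to recover"),
        Event(77, "write", docs + "cat.jpg", cipher),
    ]:
        mon.handle(ev)
    return {"fs": mon.fs, "log": mon.log, "quarantined": mon.quarantined}
```

Snapshots are taken per offending process, so the benign editor's earlier change to plan.docx survives the restore, and nothing is copied until a process actually starts overwriting files, which is what keeps this cheaper than the continuous shadow copies that ransomware seeks out. In the scenario the monitor fires on the second high-entropy rewrite, restores both files, and every later action by that process (the ransom note, the next file) is blocked.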

In conclusion, ransomware is unlikely to ever disappear.  It’s unlikely that organizations can ever fully prevent and block every ransomware attack that targets them.  However, with a forensics-based approach as a critical last line of defense against these damaging attacks, it’s possible to turn back time and nullify their impact.