Ransomware that is tailored to enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, driven by the larger bounties which enterprises are able to pay out coupled to the sheer scale of the attack surface area (internet-facing endpoints and unpatched software). To the attacker, your enterprise is a tempting target with a big fat wallet just begging to be knocked over.
Your Enterprise Presents a Tempting Target
Simple Google queries may already have identified unpatched internet-facing servers by the scores across your domain, or your credulous users may already be opening “spear phishing” emails crafted just for them presumably authored by people they know.
The weaponized invoices go to your accounting department, the weaponized resumes to your human resources department, the weaponized legal notices to your legal department, and the weaponized trade publication articles to your public relations firm. That should cover it, for starters. Add the watering hole drive-by’s planted on industry websites frequented by your employees, the social media attacks targeted to your key executives and their family members, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.
Enterprise compromise isn’t an if but a when — the when is continual, the who is legion.
Targeted Ransomware Has Arrived
Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak explain this in an excerpt from Intel Security Advanced Threat Research, February 2016:
“During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups.”
Careful reading of this citation immediately reveals steps to be taken. Initial penetration was by “vulnerability exploitation,” as is often the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers “spread their access to any connected system,” it is also requisite to have robust network segmentation and access controls. Think of it as a watertight compartment on a warship to avoid sinking when the hull is breached. Of special note, the attackers “delete the original files as well as any backups,” so there must be no delete access from a compromised system to its backup files — systems must only be able to append to their backups.
You Do Have Current Backups, Right?
Of course, there must be current backups of any files that must survive an enterprise intrusion. Paying the ransom is not an effective option since any files created by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, viruses may have been planted for later re-entry, or the malware file manipulations may simply have had errors or omissions. There would be no way to place any confidence in such data, and accepting it as valid could further compromise all future downstream data dependent upon or derived from it. Treat ransomware data as garbage. Either have a robust backup plan — regularly tested and validated — or prepare to suffer your losses.
Do You Have a Breach Plan?
Even with sound backups confidentiality of affected data must be assumed to be breached because it was read by malware. Even with detailed network logs, it would be impracticable to prove that no data had been exfiltrated. In a targeted attack the attackers typically take data inventory, reviewing at least samples of the data to assess its potential value — they could be leaving money on the table otherwise. Data ransom demands may simply be the final monetization stage in an enterprise breach after mining all other value from the intrusion since the ransom demand exposes the compromise.
Your Remediation Plan Must Be Thorough
One should assume that competent attackers have arranged multiple, cunningly-concealed avenues of re-entry at various staggered time points (well after your crisis team has stood down and pricey consultants flown off to their next gig). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Expensive re-imaging of systems must be exceedingly thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBR’s) and volume boot records from scratch. Some ransomware is known to compromise MBR’s.
Also, don’t assume system firmware has not been compromised. If you can update the firmware, so can hackers. It isn’t hard for hacking organizations to explore firmware hacking options when their enterprise targets standardize system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cybercrime allows for the development and sale of firmware hacks on the dark net to a broader criminal market.
Good EDR Tools Can Help
After all of this bad news, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps instead of reactive cleanup is far less painful. A good Endpoint Detection and Response (EDR) tool can assist on both ends. EDR tools are good for identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best removed from the environment (Adobe Flash, for instance). EDR tools are also good at tracking all significant endpoint events, so that investigators can identify a “patient zero” and track the pivot activity of targeted enterprise-spreading ransomware. Attackers rely on endpoint opacity to help conceal their actions from security staff, but EDR is there to enable open visibility of notable endpoint events that could signal an attack in progress. EDR isn’t limited to the old antivirus convict-or-acquit model, that allows freshly remixed attack code to evade AV detection.
Good EDR tools are always vigilant, always reporting, always tracking, available when you need it: now or retroactively. You wouldn’t turn a blind eye to enterprise network activity, so don’t turn a blind eye to enterprise endpoint activity.