
What is the 1st Line of Defence against Ransomware Attacks?

Introduction

Freeze, I’m Ma Baker. Put your hands in the air and give me all your money!

This snarling from Boney M’s “Ma Baker” song has, in today’s digital world, become:

All servers and working computers of your company have been hacked and encrypted. Your money or your data!

Imagine waking up in the morning to start your day and finding you cannot perform any work since your systems are down and all your data encrypted. 

Then, receiving an email from a hacker demanding money in exchange for the decryption key and threatening to publish and sell your data on the dark web if you don’t pay.

In today’s world, we rely on computer systems to function. Being in such a crisis therefore forces difficult decisions on how best to protect the company’s stakeholders, brand, operations and profit. This is a situation that more than 459 Australian entities (and possibly many more who remain silent) have faced in the past year alone!

UnitingCare, Australia’s first fully digital hospital in Queensland, was in this situation back in April 2021, when hackers knocked their operational systems offline, leaving staff struggling with vital communications and unable to access patient records. The hospital implemented some manual processes where possible while other services were redirected or rescheduled.  

This blog post identifies the first line of defence organisations must have to protect themselves from such situations.

The rise of Ransomware

The above-mentioned type of cyber attack is called “Ransomware”. Ransomware is a type of malicious software intentionally designed to block access to data, or to threaten to publish the victim’s sensitive data, unless a ransom is paid.

Since 2017, the Australian Cyber Security Centre (ACSC) has observed a significant increase in ransomware incidents against Australian organisations. The FY20 and FY21 ACSC annual threat reports identified ransomware as one of the most significant threats, given its potential impact on business operations and the minimal technical knowledge required to carry out such attacks.

Furthermore, in today’s dark web marketplaces, there are numerous adversaries offering ransomware tools as a service in what’s referred to as Ransomware-as-a-Service (RaaS). 

Ransomware has a significant impact on core business functions, resulting in organisations paying large ransoms. 

The below figure illustrates the top five reporting sectors for ransomware-related incidents, which accounted for approximately 50 per cent of all ransomware-related incidents reported to the ACSC during the 2020–21 financial year.

Ransomware attacks are costly. The FBI’s Internet Crime Complaint Center (IC3) received 2,047 ransomware complaints in 2019 that cost victims over US$8.9 million. This number does not include estimates of lost business, time, wages, files, equipment, or any third-party remediation services acquired by a victim.

Every organisation is an attractive target for cybercriminals. The size and sensitivity of information stored by the organisation is largely irrelevant, and cybercriminals will take advantage of any situation to disrupt business operations and demand a ransom. So, every organisation should take the right actions to defend against ransomware.

To Pay or Not to Pay

Ransom payments are mostly demanded via prepaid cash services, Western Union transfers, gift cards or premium-rate SMS services, with cybercriminals relying on Bitcoin and other cryptocurrencies to get paid.

The ACSC advises not to pay ransoms. If you do so, you are dealing with criminals, and there is no guarantee that they will restore your files and services after payment. Furthermore, the payment process might expose more information about the organisation, inviting more sophisticated attacks.

Ransom payments fuel criminals, providing them with money to survive and invest in growing their crimes.

Organisations should never pay a ransom. Instead, they should invest money to be prepared to defend against ransomware attacks.

The First Line of Defence

There is no single mitigation that will protect against ransomware. The ACSC has developed a prioritised list of mitigation strategies called the “Essential Eight” to help organisations address ransomware attacks. However, in today’s world, where most businesses operate in distributed environments and use cloud applications and cloud storage, the recommendation that stands out for protecting organisations from ransomware is the use of Endpoint Detection and Response (EDR) software.

EDR is an integrated endpoint security solution that combines continuous real-time monitoring of endpoint data with behaviour-based analysis to detect and prevent attacks before they take hold. EDR has other capabilities too, such as responding to an attack by isolating and quarantining suspicious or infected items. However, the detect-and-prevent capability is the one we are interested in for this blog.

EDR is not an antivirus. Antivirus software relies heavily on the known characteristics of malicious files, such as file names, to detect and prevent attacks. In comparison, EDR relies on behavioural analytics to recognise threats that antivirus may not easily recognise. For example, if a process spawns a PowerShell process that executes an unknown script, that is concerning, and the EDR will block it.

EDR is more advanced than traditional antivirus. Hence, we recommend investing in an EDR to adequately protect against ransomware attacks rather than relying solely on your operating system’s default antivirus, such as Windows Defender.

How does EDR work?

The best way to explain how EDR works is by giving an example.

Carbanak is a threat group that mainly targets financial institutions. The group was discovered in 2014 and has since stolen over 900 million dollars, not only from banks but also from more than a thousand private customers.

One of the Carbanak attack scenarios begins with a legitimate user receiving a spear-phishing email. The user opens an attached file that, unknown to them, executes a malicious payload. Following the initial compromise, Carbanak expands its access to other hosts through privilege escalation, credential access and lateral movement, in order to compromise money processing services, automated teller machines and financial accounts.

As Carbanak compromises potentially valuable targets, they establish persistence to learn the financial organisation’s internal procedures and technology. Using this information, Carbanak transfers funds to bank accounts under their control, completing their mission.

To carry out the attack, specific techniques are performed. The scenario begins with an initial breach, where a legitimate user opens a Word document and clicks on an embedded object. This causes an encoded Visual Basic script contained within the object to execute. If the file has not been circulating on the internet for long, it will not be in the antivirus database and therefore will not be detected as malicious. As a result, the script will execute and the attack will begin!

On execution, this script decodes and writes two files to disk, starter.vbs and TransBaseOdbcDriver.js. The script then executes starter.vbs, which in turn executes TransBaseOdbcDriver.js. TransBaseOdbcDriver.js is a remote access trojan (RAT) that establishes encrypted command and control with the attacker over HTTP/S. Once this happens, the attacker is on the machine!

Each of the above steps is behaviour that the EDR analyses and monitors, and it will be blocked as it happens. So, having an EDR goes beyond checking files; it evaluates what happens in the background and acts accordingly.
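To make the difference between file checking and behaviour analysis concrete, here is an added example written for this post; it is not code from the original article or from any EDR product. It runs a minimal behaviour engine over a constructed stream of endpoint telemetry events that follows the Carbanak chain above (Word spawns a script host, which drops starter.vbs and TransBaseOdbcDriver.js, chains into further script hosts and then opens an outbound connection), and it also covers the earlier “a process spawns PowerShell and runs an unknown script” case, since PowerShell is treated as a script host. The event fields, process IDs, file paths, hash values, rule names and the hash database are all assumptions made for illustration. The signature scanner finds nothing, because the dropped files’ hashes are not in its database; the behaviour rules flag every step of the chain while leaving an administrator’s PowerShell script alone.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hash database of a signature-only scanner. Constructed placeholder value; the
# files dropped below are deliberately absent, like a sample that has not
# circulated long enough to be catalogued.
KNOWN_BAD_SHA256 = {"CONSTRUCTED_KNOWN_BAD_HASH_1"}

# Process categories used by the behaviour rules (assumed, not from the post).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".ps1", ".hta")


@dataclass(frozen=True)
class Event:
    """One telemetry record, shaped like a process-creation, file-write or
    network-connection event from an endpoint sensor (assumed schema)."""
    kind: str               # "process", "file_write" or "network"
    pid: int
    image: str              # image name of the acting process
    ppid: int = 0           # parent pid (process events only)
    parent_image: str = ""  # parent image name (process events only)
    path: str = ""          # script launched (process) or file written (file_write)
    sha256: str = ""        # hash of the written file (file_write only)
    dest: str = ""          # remote endpoint (network only)


Alert = Tuple[str, int, str]  # (rule id, pid, explanation)


def signature_scan(events: List[Event]) -> List[Alert]:
    """What a hash-only antivirus sees: only files whose hash is already known."""
    return [("KNOWN_BAD_HASH", e.pid, e.path)
            for e in events if e.kind == "file_write" and e.sha256 in KNOWN_BAD_SHA256]


def _descends_from(pid: int, ancestry: Dict[int, Tuple[str, int]], images: set) -> bool:
    """Walk the recorded parent chain and report whether any ancestor's image is in `images`."""
    seen = set()
    while pid in ancestry and pid not in seen:
        seen.add(pid)
        image, ppid = ancestry[pid]
        if image in images:
            return True
        pid = ppid
    return False


def behaviour_scan(events: List[Event]) -> List[Alert]:
    """What a behaviour engine sees: suspicious process lineage, script drops and
    outbound connections from a script host that descends from an Office app."""
    alerts: List[Alert] = []
    ancestry: Dict[int, Tuple[str, int]] = {}  # pid -> (image, ppid)
    for e in events:
        if e.kind == "process":
            ancestry[e.pid] = (e.image, e.ppid)
            if e.parent_image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
                alerts.append(("OFFICE_SPAWNS_SCRIPT_HOST", e.pid,
                               f"{e.parent_image} -> {e.image} {e.path}"))
            elif e.parent_image in SCRIPT_HOSTS and e.image in SCRIPT_HOSTS:
                alerts.append(("SCRIPT_HOST_CHAIN", e.pid,
                               f"{e.parent_image} -> {e.image} {e.path}"))
        elif e.kind == "file_write":
            if e.image in SCRIPT_HOSTS and e.path.lower().endswith(SCRIPT_EXTENSIONS):
                alerts.append(("SCRIPT_HOST_DROPS_SCRIPT", e.pid, e.path))
        elif e.kind == "network":
            if e.image in SCRIPT_HOSTS and _descends_from(e.pid, ancestry, OFFICE_APPS):
                alerts.append(("SCRIPT_HOST_C2_FROM_OFFICE_CHAIN", e.pid, e.dest))
    return alerts


# Constructed telemetry following the chain in the post, plus two benign events.
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event("process", 100, "winword.exe", 1, "explorer.exe", r"C:\Users\alice\invoice.docx"),
    Event("process", 200, "wscript.exe", 100, "winword.exe", TMP + r"\embedded.vbs"),
    Event("file_write", 200, "wscript.exe", path=TMP + r"\starter.vbs", sha256="CONSTRUCTED_HASH_A"),
    Event("file_write", 200, "wscript.exe", path=TMP + r"\TransBaseOdbcDriver.js", sha256="CONSTRUCTED_HASH_B"),
    Event("process", 300, "wscript.exe", 200, "wscript.exe", TMP + r"\starter.vbs"),
    Event("process", 400, "wscript.exe", 300, "wscript.exe", TMP + r"\TransBaseOdbcDriver.js"),
    Event("network", 400, "wscript.exe", dest="203.0.113.10:443"),
    # Benign: an administrator runs a scheduled backup script from the shell.
    Event("process", 500, "powershell.exe", 2, "explorer.exe", r"C:\scripts\backup.ps1"),
    # Benign: a browser talking to the internet.
    Event("network", 600, "chrome.exe", dest="198.51.100.7:443"),
]

if __name__ == "__main__":
    print("signature scanner alerts:", signature_scan(SAMPLE_EVENTS))
    for rule, pid, why in behaviour_scan(SAMPLE_EVENTS):
        print(f"behaviour alert {rule} pid={pid}: {why}")
```

The first behaviour alert fires at the Word-to-wscript.exe process creation, before any file is dropped or any connection is made, which is the point at which an EDR with a prevention policy would block the chain. Note that the lineage check walks the whole parent chain rather than looking only at the immediate parent, so the outbound connection from the third wscript.exe is still attributed to the Office document that started it.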

Act now

The UnitingCare breach is an example of how ransomware can affect the operations of any organisation. The costs resulting from a ransomware attack include lost business, time, wages, files, equipment, and any third-party remediation services acquired to restore business operations. Furthermore, it can cause reputational damage that may be unrecoverable.

Organisations should implement an EDR solution to build a safety net and detect advanced forms of ransomware to protect their data and systems against attacks. The cost of an EDR solution is undoubtedly much less than the cost of a ransomware attack.

References:

https://www.theaustralian.com.au/weekend-australian-magazine/ransomware-attacks-the-fastest-growing-most-lucrative-of-cyber-crimes/news-story/1b711f4bb1e0b67eca5f51d55719102d

https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21

https://www.ic3.gov/Media/PDF/AnnualReport/2019_IC3Report.pdf

https://en.wikipedia.org/wiki/Carbanak

https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/carbanak/Emulation_Plan/Scenario_1

Author: Mouaz Alnouri