Coping With the Ransomware Threat

This blog was originally published by Oracle here.

Written by Eric Maurice, Oracle.

News of successful large-scale ransomware attacks are becoming more frequent. In some instances, companies considered part of the U.S. Critical Infrastructure have been compromised and their normal operations have been disrupted. Ransomware has become a collective concern and many organizations are seeking guidance on how to protect themselves against it. Oracle has fielded many such inquiries from concerned customers. The purpose of this blog is to provide some clarity about the ransomware threat, introduce certain nuances, and provide general security recommendations for coping with this threat.

What is ransomware?

Ransomware is a type of malicious payload. The term “ransomware” best describes the malevolent intent of the perpetrator who seeks to extort a payment from the victim (the “ransom”, typically paid in the form of crypto currency) because the attacker has managed to successfully take control of the victim’s data or systems.

The perpetrator will typically use multiple menaces. Unless the ransom is paid:

• The perpetrator will publish the victim’s data (when data was exfiltrated),
• The perpetrator will expose the victim’s poor operational practices (when obvious mistakes such as misconfiguration have led to the compromise),
• The perpetrator will permanently block access to the victim’s data (when sensitive data was maliciously encrypted) or permanently disable compromised systems (when the attacker took administrative or root control of the targeted systems).

Ransomware is technically one of the means used by criminals to engage in cyber extortion. Cyber extortion is not a new phenomenon, and it can take multiple forms. Generally, malicious actors will seek to obtain payments because they can compromise IT systems and adversely affect the normal operations of their victims with or without the use of malware (e.g., a number of years ago, the simplest form of cyber extortion was by threatening a denial of service attacks or a web site defacement).

Why are ransomware attacks more frequent?

It can be argued that ransomware attacks are more frequent because of two reasons.

The first reason is that easy-to-use resources are available to malicious perpetrators to design and execute attacks on a large scale. Perpetrators are generally opportunistic and will not typically single out a specific organization. In some instances, criminals may target specific industries because of the belief that security expertise in the targeted industry is lacking, or because of the high value of the data (e.g., trade secrets) typically associated with the industry. Criminals will typically develop malicious payloads (using toolkits available on the dark web) that can technically be executed on a large number of systems. Generally, they will distribute this payload indiscriminately through malicious web sites and spammed emails. Interestingly enough, it seems that some crooks may place self-imposed limitations in their malicious payload to avoid angering certain countries. As in the case of email spamming, it is also likely that cyber extortionists leverage social media sites to identify potential victims.

The second reason ransomware attacks are more frequent has to do with the impunity with which crooks can operate and the availability of payment forms that provides some form of anonymity while allowing transfer of tangible wealth. Global ransomware attacks would decrease if the commission of such crime was more systematically punished (increasing personal risks to the perpetrators), and at the same time, the financial gain was made less certain by lowering the potential reward for the perpetrators.

What can organizations do to be more resilient against ransomware attacks?

The short answer is that basic security hygiene and good operational practices can help organizations prevent ransomware outbreaks and limit their impact. Let’s put this short answer in the context of a typical ransomware attack lifecycle.

Generally, ransomware attacks can occur because the unsuspecting victim has let untrusted code execute on the targeted environment. Ransomware attacks occur through successive phases:

1. Phase 1: The malicious payload is initially delivered,
2. Phase 2: The payload is then executed, and
3. Phase 3: The payload may replicate and further propagate.

How can organizations attempt to prevent the initial delivery of malicious payloads?

Organizations can take a number of steps to prevent the initial delivery of malicious payload in their environment.

Organizations need to recognize that human nature can be an enabler of ransomware attacks. General users need to be educated and remain vigilant in two areas:

• Safe email and internet browsing practices: users need to be aware that emails and internet browsing are not inherently “safe.” Emails can be used to trick unsuspecting users into executing dangerous payloads (e.g., by clicking on an attachment) or visiting malicious sites by clicking on a link. Users need to realize that not all programs obtained from the internet are safe and only software from reputable sources should be used. Generally, users need be made more security aware and receive periodic reminders about safe online practices.
• Safe use of social media platforms: users need to be aware that publicly available information about them can be used to target them or target others in the organization for example, by making it easier for a malicious perpetrator to impersonate someone in the organization.

Organizations need to implement technical controls around the various technological enablers of the propagation of malware. For example, organizations need to:

• Implement filtering tools and techniques for email and other communication platforms (to prevent as much as possible the delivery of malware to employees) and for internet access such as reputation filtering can be used to prevent access to known malicious sites
• Implement anti-malware scanning, link validations, and sandboxing techniques for their mail servers (to scan for malicious attachments) and internet gateways (to prevent malicious content from the internet)
• Define and enforce effective policies regarding the download and use of external and untrusted code in their environment (to prevent the compromise of systems through installation of malicious software or execution of malicious scripts). For example, more sophisticated attacks were enabled by system administrators who downloaded tainted components and maliciously altered software updates and database administrators who executed malicious scripts they obtained from the internet. Note that anti-malware solutions typically provide limited protections against these issues.

How can organizations attempt to prevent the execution of malicious payloads?

In addition to running endpoint protection products (with up to date signatures) where appropriate (to provide some level of defense against known malware), organizations should have identity and access management practices that reflect the nature and are commensurate with the value of the data and systems they’re intending to protect. For example:

• Organizations need to have stricter control over mission-critical systems and sensitive data stores.
• Organizations need to enforce appropriate limitations for collaboration tools, file-sharing resources, and other commonly accessed systems.
• Organizations should mandate additional authentication challenges where and when appropriate (e.g., systematic challenges when accessing sensitive systems or additional challenges when systems are accessed from potentially untrusted sources).
• Organizations should take a zero-trust approach where required and assess their resiliency while assuming that a number of systems (e.g., end user workstations) will ineluctably be compromised.

Generally, organizations need to ensure that strong authentication and the principle of least privilege are enforced throughout their technical environments. This obviously includes:

• Elimination of anonymous login, generic accounts, and the use of weak credentials
• Strict control over privileged accounts (e.g., root and admin OS accounts, DBA accounts)
• Use of User Account Control on Windows (and teach users to pay attention to the prompts) and relevant security mechanism on other operating systems such as SE Linux

Obviously, all the above recommendations could become useless if the organization fails to maintain basic security hygiene:

• Organizations need to define and maintain known security configuration baselines (and deploy systems in accordance with the appropriate security configuration guidelines)
• Organizations need to apply security patches in a timely fashion (This is particularly important as malicious payloads will tend to leverage known software vulnerabilities).

How can organizations attempt to limit the propagation of malicious payloads?

Many of the above recommendations will help limit the introduction and propagation of malicious payloads that make their way into an IT environment. However, a number of additional recommendations need to be emphasized:

• Organizations need to address all file-sharing vulnerabilities in a timely fashion and take any unsupported operating systems offline. Historically, major malware outbreaks were facilitated by the use of vulnerable file-sharing systems (e.g., Windows SMB) and obsolete platforms (e.g., Windows XP).
• Organizations need to review the chain of trust that exists among IT systems to prevent the cascading effect of a malware outbreak. Additional network and system segregations can help isolate malware outbreaks and limit the operational impact of a compromise.

How can organizations prepare for recovery after a major outbreak?

Organizations that maintain a good security in depth posture have a lower chance of experiencing a major ransomware outbreak. However, it is wise to “prepare for the worst and hope for the best.” As such organizations business continuity plans should include the provision for frequent and safe backups with effective and verified recovery procedures. It is important to note that before proceeding with restoring systems, organizations need to have determined with a reasonable level of confidence when and how the initial compromise took place. This is because victimized organizations may inadvertently restore the compromise and re-establish the infestation while performing its recovery. A cost-benefit analysis needs to be performed to choose between restoring an older, but known to be safe state, versus restoring to a more recent, but possibly infected state to minimize business disruption.

Obviously, the organizations need to have effective control over their backup files and resources (some malware are known to target backup files and resources) to ensure backup data is available when needed.

What about the cloud?

Commercial cloud providers have typically very mature security practices intended to protect the cloud resources against various security threats. It is important that cloud customers remember that ransomware attacks typically occur because the victim has allowed untrusted code to execute on the targeted environment. Whether in the cloud or in a data center, executing malicious code can lead to a compromise. Software as a Service (SaaS) environments generally do not let customers execute untrusted code, and the risks of a successful ransomware attacks is therefore quite limited. However, SaaS customers need to remain vigilant when enabling third-party integrations, plugins, or other forms of external code in association with their SaaS environments. In a typical Infrastructure as a Service (IaaS) environment, cloud customers can generally execute whatever they desire. As a result, IaaS cloud customers may unwillingly execute malicious code, and this can lead to a compromise. Such compromise will generally be limited to the affected customer instance. Note that any malware scanning prior to uploading code in an IaaS instance (either performed by the cloud provider or the customer) will offer limited protection. IaaS customers should perform due diligence to ensure that any code they execute in their IaaS instances is safe (fee of malware) and secure (free of major vulnerabilities).

In addition, customers should not blindly assume that their backups in the cloud are safe. This is because as we have seen in the previous section, while backing up to the cloud may provide additional level of assurance that the backup data will be highly available, the data contained in the cloud may still be infected (whether malware scanning took place or not). The cost-benefit analysis previously mentioned still needs to take place.