Ransomware is a subset of malware which in most cases uses sophisticated evasion techniques to avoid detection and gain a foothold in the target device or network. It has multiple goals which range from encrypting the victim’s data and demanding a large payment for it’s safe return, to stealing sensitive data and insisting on a ransom in order for the information to be unpublished.
Often downloaded from a malicious link or website, ransomware is designed to spread rapidly and works discreetly in the background and tries to avoid detection for as long as possible. During this time, files are copied and exfiltrated to the threat actor. The data is then encrypted and the threat actors demand a ransom to release the mathematical key that will unencrypt them. They also threaten to publish the copied files if payment is not made. Unfortunately, paying the ransom does not guarantee a safe release of the encrypted files, prevent proprietary data from being released publicly, or stop future attacks.
Ransomware is a booming business for threat actors. In 2020 alone an estimated $350 million was made in ransom payments. The damages incurred by victims to ransomware attacks includes not only data damage and loss, but also business downtime and stained reputations. “Global ransomware damage costs will reach $20 billion by 2021 – which is 57X more than it was in 2015.” Alongside an increase in attacks, in particular on the healthcare, government, and education industries, the US government implemented new policy and laws. Ransomware is now recognized as a threat to national security, and victims falling foul of cybercrime are warned against paying attackers.
The attacks which are most difficult to prevent make use of evasive techniques. While in the past these evasive attacks were strictly related to nation-state attacks, today malware strains can be easily purchased on the Darkweb by anyone. A threat actor with even limited knowledge can launch a sophistical ransomware attack, if he has malicious intent.
One of the results of the global shift to remote working is an increase of unmanaged devices. These are especially vulnerable if they lack sufficient security solutions to adequately protect the remote connection and are used by a workforce, yet must recognize the dangers of malicious links and websites. There are multiple dangers with remote working, namely potentially-infected systems connecting remotely. On-premises endpoints are increasingly under threat as well, as insufficient ransomware protection has led to more targeted attacks from even stealthier malware, capable of bypassing the perimeter security to reach the endpoint. Conti was able to hit more than 120 networks in its first two months because of its speed of encryption and advanced evasive capabilities.
1. Planning - Ransomware can be purchased on the darkweb as Ransomware As A Service (RaaS). Not only that, but anyone with a minimal level of skills can develop it, using legitimate tools to create it. A subscription model that provides an attacker with a ready made ransomware kit, RaaS is leased with bitcoin and does not require the technical developer skill level. Anyone with basic technical skills is able to launch highly sophisticated attacks.
2. Setting up a beachhead - After establishing a beachhead, for example using the endpoint as a point of entry to the network, the malware can spread through the network laterally. Malware aims to compromise data through exfiltration and encryption, while remaining undetected.
3. Bypassing perimeter security - Evasive techniques are the key to ransomware success. Techniques employed include tweaking malware so antivirus and EDR tools cannot identify the new malicious pattern, avoiding slowing the endpoint and residing in the endpoint memory. The detect and destroy approach doesn’t work, especially with evasive malware. Only familiar malware can be flagged by most ransomware protection or remote user protection options, leaving systems vulnerable to all new malware.
4. Exfiltrating data - Sensitive data, such as login credentials, PIN numbers or intellectual property are stolen, often as part of a targeted attack. Data is first copied from the system, then later used to extort the victim.
5. Encrypting data and demanding a ransom - After the data is copied and sent to the threat actors, the local data is encrypted on the system, causing significant business disruption. The ransom will then be demanded while the attacker holds the decryption key. The copied data is used to threaten release or sale to competitors if the ransom is not paid.
Targeting the end-user - Employs psychological manipulation (AKA social engineering) techniques to breach a user’s device.
Phishing attacks appear in the form of fake emails, which may seem to legitimately come from the bank, a charity or any other business. They ask for sensitive information such as bank details to be entered or verified and often contain a link to fake websites in an attempt to steal personal details, to trick you into sending money or install malware.
Fake installers downloaded from torrent sites can wreak havoc on corporate systems. It may be common knowledge that pirated software, applications and even movies could contain malware, but this doesn't seem to affect their download popularity amongst millions of seeders worldwide. For example, take the case of a rigged Windows installer with the aptitude to bypass WindowsDefender. On execution, the binary was set to release a smorgasbord of malware including adware, crypto-miner and Xtreme RAT, enabling monetization of the device. Legitimate software from known sources is always safest.
Hiding in common document types such as a PDF, Word doc or Excel files, malware like IcedID and BazarLoader, are released when a user clicks on malicious attachments. BazarLoader installs and remains dormant for a short time before downloading a backdoor to enable malicious actions such as delivering other malware. IcedID simply uses the Windows download API to drop and execute the payload.
Targeting the data - Cloud or no Cloud, all data is at risk. Many businesses prefer to keep all sensitive data on the cloud and no files on the local endpoint in an attempt to stay safe. While that could be successful in theory, in reality, most people have at least some sensitive data downloaded locally. Information that is routinely downloaded, edited locally and then re-uploaded to the cloud increases the exposure risk. Even creating a shared folder locally syncs information from the cloud on to the endpoint. If malware runs on the endpoint, it can encrypt local information and can also encrypt the information on the cloud.
Threat actors’ two biggest needs - Time and evasiveness. Exporting data takes time but evasive malware is able to remain concealed until it wants to be found. The user may notice their system has slowed down, but without a security threat alert, they most often remain unaware. Perhaps the user will try to reboot the system, or try to improve the network connectivity, but meanwhile the data encryption and file copying quietly continues. Only after a ransom request is made, would the user become aware they’ve been attacked.
Pre-Execution Threat Prevention by preventing breaches even by unknown strains of malware is what Minerva does best. The key to successful ransomware protection is really breach protection.
By simulating a hostile environment, Minerva is able to mimic the presence of security tools that evasive malware is designed to bypass, including antivirus, sandbox products, emulators and forensic toolkits. Minerva prevented a SolarWinds memory injection attack, which resulted from the attack on their system. The malicious backdoor was unable to work and the malware refrained from execution as the presence of blacklisted security processes were simulated in the operating system.
The evasive malware usually uses a decision-based logic, which allows it to be environmentally aware, checking for example if a Cyrillic keyboard is being used. Minerva’s ransomware protection is able to deceive the malware and thwart the attack, by breaking the decision-based logic of the malware. An analysis of Egregor, revealed that before the malicious procedure commences, Windows API functions are called to determine the locale, ensuring the attack is aborted in Russia and CIS countries.
Threat actors use trusted system tool applications in the operating system to compromise the endpoint by hiding in plain sight. Minerva interferes with attempts to misuse tools built into the system to cause damage, without using classic forms of malware. We prevent threats from “trampolining” off such tools to infect the endpoint or cause damage. Minerva’s living off the land protection is able to thwart these attacks by hiding the key operating system features, such as with the Rig Exploit Kit.
Fileless attacks are stealthy, hiding within legitimate processes and applications. Malicious software might hide itself in a legitimate process and inject a piece of code directly into the memory without passing through the disk to avoid detection by anti-malware and endpoint solutions. Minerva blocks these attempts by avoiding executing code from the file system. This capability interferes with injection attempts, causing such malware to exit or crash.
Browser isolation capabilities that work on three vectors. Firstly, when navigating a website and a download occurs in the background, Minerva’s ransomware protection prevents any child process that is not signed by the browser manufacturer from running. Memory injection prevention allows only legitimate access through the browser into the memory, as described above. Thirdly, this prevents a malicious piece of code within the downloaded document from running, from email, cloud, SharePoint etc,.
Better backups (that you’ll probably never need), are in place to further protect sensitive data. Minerva’s ransomware protection solution backs up every file and document that has been changed to enable easy recovery of documents, images and sensitive organization information before any changes are made to the files. If an API call for encryption is made, even if a file is deleted or saved with a password before,Minerva’s ransomware protection will catch it and save it in a secure local database on the endpoint. A simple click away from recovery.
