Defeating Ransomware
Ransomware is a billion-dollar industry that incorporates double and even triple extortion. It was initially targeted at lucrative industry sectors but with the introduction of ‘ransomware as a service’, the bar has been lowered and any business or individual is now a target. The mainstream approach to preventing ransomware is to use tools that identify then block malware, and then employ technologies such as full disk encryption to avert data theft. But with endless new reports of successful ransomware attacks, this is not working.
Cybercriminals know that information is at the heart of any business, so the whole ransomware attack is designed to extract the maximum leverage and profit from your data. Once data has been compromised and your access has been denied, the ransom demand is issued alongside a threat to publish your data or to use it for on‑going cybercriminal activities
Broadly speaking there are three ways in which a cybercriminal can steal data and prevent you from accessing it. One or more of these attack vectors is employed in any individual ransomware strike.
An employee can be duped into running a malicious executable or script to open a backdoor to the network; or a cybercriminal can access a user account by stealing, purchasing or guessing the credentials. Alternatively, a system or infrastructure vulnerability will be exploited in your network or that of another organisation in a connected supply chain.
The traditional way to prevent ransomware has been to try to identify and then block malicious activities. This started with anti-virus software, but security systems have evolved to combine multiple techniques and services such as threat intelligence centres, endpoint telemetry, user behaviour analysis, etc.
But cybercriminals have a habit of being one step ahead. They continually use new techniques to prevent their malware from being identified, by using obscure programming languages to thwart signature-based detection and malware analysis, for example. While anti-malware vendors continually try to keep up and cybersecurity experts watch out for the next malware innovation, mainstream security is always one step behind.
Time for a new approach
Why bother trying to identify everything which is malicious? In a business environment, there is generally no reason for a previously unknown executable or script to run. The software for a typical business PC is built to a standard design that includes all the tools that its user will require.
For example, the recent ransomware attack and data breach on the Irish Health Service Executive was the result of a single user opening a malicious Microsoft Excel file attached to a phishing email. Clearly, the malware released by the rogue file was not an authorised process, so it should automatically have been blocked from executing.
There should be no shame associated with falling for these scams – they are usually very believable, and no business IT system user should be expected to be a security expert. The reality is that despite all the IT security training, people will always make mistakes; especially since cybercriminals are experts in making their downloads, documents and social engineering seem convincingly real.
A better way is to block all unauthorised processes from executing. If an executable or script attempts to run, but it is not on your list of authorised processes then it is simply blocked. A bit like the bouncer on the door. If you’re not on the list, you won’t get in.
The mainstream approach to preventing data theft is a combination of tools and techniques including access control, zero trust networks, database encryption and full disk encryption, such as BitLocker. But a compromised user account will pass all these tests, granting easy access to data, which can be extracted to the endpoint then stolen by copying it externally.
Full disk encryption is frequently used to mitigate this problem because it encrypts your device. This is fine if you lose your laptop, but on a running system it will hand over decrypted data to every process that asks for it – legitimate or malicious. As cybercriminals can only steal data from running systems, full disk encryption cannot prevent this theft.
The chemical distributor Brenntag paid a $4.4 million ransom to the DarkSide because cybercriminals gained access to their network through a compromised user account. Data was stolen, then systems were subjected to ransomware that locked data and made their systems unusable. The data was subsequently unlocked after the ransom was paid, with assurances that their data would not be made public by the cybercriminals.
Beating ransomware criminals at their own game
You can’t demand a ransom for data that is already encrypted. So, the answer is to encrypt all of your data, all of the time. But to work, full data encryption must be just as transparent and as easy to use as full disk encryption and data needs to be encrypted at rest, in transit and in use and no matter where it gets copied – including when it is stolen.
If Brenntag’s data had been protected in this way then the cybercriminals would have stolen data that was useless to them, as they would have been unable to decrypt it – reverse ransomware you might say. And by preventing malicious ransomware applications from executing, the company would have retained access to all of its data and systems.
Protecting the inevitable
Clearly, keeping all systems up to date and properly patched is vitally important, but there will always be vulnerabilities, and sometimes incompatibilities will mean that a patch cannot be applied immediately.
Travelex used a VPN without keeping security patches up to date. This enabled cybercriminals to access the network without credentials. They stole data and eventually deployed ransomware. The ensuing troubles, combined with the coronavirus pandemic caused the firm to go into administration.
Access controls and privileged access management cannot prevent data loss through vulnerabilities. And Data Loss Prevention is only as good as the way it is set up, which relies on knowledge of previous data loss activities and on speculation about how data could be exfiltrated.
We must stop believing that it’s possible to block all data exfiltration and accept that at some time, someone will gain access to the network with the aim of stealing data and that they will succeed.
Only by encrypting data at source, and by maintaining data encryption throughout its lifecycle can data theft be truly defeated. File-level encryption works silently in the background so that neither the user nor the administrator needs to make any decisions about what should or should not be encrypted. Only individuals with the correct authentication and decryption agent can decrypt the data. Stolen data cannot be decrypted. It’s time to take a fresh look at infosecurity. Data-centric security goes to the heart of the whole ransomware attack problem by securing data against both theft and crypto attack.