As a firm, eSentire is dedicated to delivering 24x7 managed detection and response services to mid-sized enterprises. There isn’t much the team at eSentire doesn’t see in any given week. For the vast majority of our clients, the main threats they face are opportunistic, and driven by threat actors with criminal motivations. In other words, threat actors’ motivations look like this: if I can break into the network, how can I monetize this position?
eSentire has developed a comprehensive apparatus of technology, people and process that is optimized for detection of threats, at both the network and endpoint level, as well as a set of countermeasures necessary to contain those threats from completing their objectives. When we notify our clients, it is to tell them what didn’t happen. Ransomware, now with its own evolutionary tree, with names like Teslacrypt, Zepto and Locky, is consuming more and more of our resources as it continues to morph and adapt.
We recently acquired a client in the legal sector after they were victimized by a ransomware infection. Fortunately, they chose not to pay the ransom (we fully endorse this position), as they were able to fully recover their data. In the attack, the firm’s entire shared network drive was encrypted and, as a result, dozens of attorneys were affected.
In a business driven by document creation, this kind of attack (a business-critical denial of service) is akin to cutting off the oxygen to their attorneys. In this firm’s case, they had a mature DR process and were able to resume business in about a day and a half. That might not seem like a lot of downtime, but when you consider that attorney rates might start at $2500, with 90%+ charge-out rates, the potential losses resulting from an attack like this add up quickly. This story is a best-case scenario; unfortunately, many others experience a vastly different outcome.
The consequences of a successfully deployed encryption threat are disruptive and escalate. The initial, minimal disruption prevents users from working on their PCs. Next, unavailable folders shared amongst departments impact a greater number of users. The worst case (demonstrated by the well-documented Hollywood Presbyterian Hospital incident) is one in which the organization loses access to a wide range of files, essentially shutting down the business. In these circumstances, organizations need to lean on their IT team’s recovery capabilities and DR procedures. Even so, it can take more than a few days to put “humpty dumpty back together”. That’s a big cost.
Over the years, eSentire has adapted to an ever-evolving threat landscape, enhancing detection capabilities to deal with all of the nuanced threats that emerge regularly. Generally, each new threat category is detected by a subset of these capabilities.
The set of eSentire’s Managed Detection and Response™ capabilities was developed largely before ransomware became the scourge that it is. It provides a defense-in-depth approach to detection and containment and is engineered, where possible, to avoid dependency on any one capability. If, for whatever reason, a threat is missed (not detected) at one stage, there are several subsequent services or stages of weaponization that offer another kick at the can. Every day of every week, our large development organization is enhancing these capabilities and developing new ones. An example of these capabilities, and a detailed account of an intricate ransomware attack, was recently documented by one of our solutions engineers.
Ransomware, as we know it today, really exploded approximately 18 months ago. In essence, ransomware is a denial of service attack; in this case, denying workstation and server access and usability. The victim organization is denied service until the threat actor’s demands are met, which for the most part include a fee payment (usually bitcoin) to recover systems use. It is a simple concept with wide-reaching implications.
As security professionals we see ransomware as one of the most challenging threats to mitigate because of its evolutionary speed, and the fact that it exercises nearly every muscle in our detection and response capabilities. For this discussion, we can consider the ransomware variants that encrypt file systems on workstations or servers and demand a ransom to get the key to unlock them.
Let’s first look at how the ransomware gets in. In order to encrypt a file system, the actors need to get executable code on the target system. Today’s list of usual suspects includes:
When a threat is inbound, there are nine techniques (of which we could use several) to detect the exploit. We can begin with a scenario where the employee is attempting to click on a link sent to them in an email or served up by a Google search. We test the reputation of the URL, the owner of the URL or the IP address, and whether it’s on a no-fly or block list. If so, we disrupt the connection. In order to support these automated decisions, we use a crawler service that searches the dark web and third-party feeds of known “bads”. Next, our managed detection and response research team curates this threat intelligence. The threat intelligence itself changes so rapidly that we use a combination of global cloud services and up-to-the-minute on-site updates to keep it current. This is one of the important ways that eSentire keeps clients safe from themselves.
Should a threat pass these initial gate checks, we next test the ingressing traffic through a combination of our own custom IPS and anomaly detection services. Sure, clients may have an NGFW that should have caught the threat, but maybe it requires a newer signature (these can change hourly) that hasn’t been applied to the perimeter device, or maybe the sensitivity has been lowered to reduce false positives. In any case, if it is a known bad, we augment the perimeter controls automatically wherever that opportunity is available.
At this stage, we are getting into the last lines of defense. Remember: in order to encrypt a file system, executable code must be loaded onto the target.
Our next service is testing for the presence of Win32, Win64, DLLs, OBJs, JavaScript etc., that could execute on the target system. If we detect this pattern, we then correlate against the trusted list of known safe domains. As a firm delivering detection and response capabilities, we are trying to manage in the "grey". So you block what is known to be bad, and when considering what can modify your system, you only allow what is known to be good. Most mid-market clients have fewer than 100 URLs on the “white” list. It is quite manageable.
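To make the inbound gate checks above concrete, here is an added example (not eSentire's code or service logic) that runs the URL/IP reputation stage and the executable-content stage over constructed HTTP transactions. The deny list, the allow list of known-good domains, the IP ranges and the transactions are all constructed sample data; the IPS stage in between is signature matching against live feeds and is not modelled here.

```python
"""Toy version of the inbound gate checks described in the post.

Stage 1: URL host / server IP reputation against a deny list -> block.
Stage 2: executable-content detection (PE 'MZ' header, ELF header,
         script or executable MIME types).
Stage 3: executable content is allowed only from an explicit allow list
         of known-good domains; anything else is held for analyst review.
All lists and sample transactions are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import ipaddress

# Constructed reputation data (in practice: curated feeds, updated continuously).
DENY_HOSTS = {"malicious.example.net"}
DENY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
ALLOW_EXEC_DOMAINS = {"updates.vendor.example.com", "intranet.example.com"}

# MIME types that indicate code rather than documents or media.
EXEC_MIME = {
    "application/x-msdownload", "application/x-dosexec",
    "application/x-executable", "application/javascript", "text/javascript",
}


@dataclass
class Transaction:
    url: str
    server_ip: str
    content_type: str
    body_head: bytes  # first bytes of the response body


def reputation_block(tx: Transaction) -> bool:
    """Stage 1: is the host or server IP on a deny list?"""
    host = urlparse(tx.url).hostname or ""
    if host in DENY_HOSTS:
        return True
    ip = ipaddress.ip_address(tx.server_ip)
    return any(ip in net for net in DENY_NETWORKS)


def looks_executable(tx: Transaction) -> bool:
    """Stage 2: detect Win32/Win64 PE images, ELF binaries or script payloads."""
    if tx.content_type.lower() in EXEC_MIME:
        return True
    return tx.body_head.startswith(b"MZ") or tx.body_head.startswith(b"\x7fELF")


def gate(tx: Transaction) -> str:
    """Disposition for one transaction: 'block', 'hold' (analyst review) or 'allow'."""
    if reputation_block(tx):
        return "block"
    if looks_executable(tx):
        host = urlparse(tx.url).hostname or ""
        # Stage 3: code may only arrive from known-good domains.
        return "allow" if host in ALLOW_EXEC_DOMAINS else "hold"
    return "allow"


# Constructed sample transactions.
SAMPLES = [
    Transaction("http://malicious.example.net/invoice.js", "198.51.100.7",
                "text/javascript", b"eval("),
    Transaction("http://cdn.example.org/setup.bin", "198.51.100.8",
                "application/octet-stream", b"MZ\x90\x00"),
    Transaction("https://updates.vendor.example.com/agent.exe", "192.0.2.10",
                "application/x-msdownload", b"MZ"),
    Transaction("http://news.example.org/", "192.0.2.11", "text/html", b"<html>"),
    Transaction("http://files.example.org/doc.pdf", "203.0.113.44",
                "application/pdf", b"%PDF"),
]


def run_samples() -> list:
    """Dispositions for the constructed samples, in order."""
    return [gate(tx) for tx in SAMPLES]


if __name__ == "__main__":
    for tx, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:5} {tx.url}")
```

The second sample shows the point of the allow-list stage: a PE image with a generic `application/octet-stream` type is still recognised from its `MZ` header and, because its host is not a known-good domain, goes to an analyst rather than straight through.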
So, you might ask, what if the actors are using SSL? Good question. In this case we have to have visibility into the unencrypted traffic and rely on integration with our partners (Palo Alto Networks, Blue Coat) that specialize in man-in-the-middle proxy servers to give us this vantage point.
Between the URL, IP, IPS and executable detection and response capabilities, we have reduced the risk of the ransomware threat quite substantially. But nothing in security is perfect, so there are other detections and mitigations we can use. Beyond the executable detection, there is the anomaly or atypical behavior detection.
For ransomware, this can manifest itself as a callback to a command and control server, or to a URL or IP that is in a country on the no-fly list, plus all of the other egress connection tests described above. It could also be using a protocol that is new in the context of that network/user. Why does the ransomware need to call back? There are numerous reasons: one is to establish communications with the victim and a payment settlement mechanism. After all, once a victim pays, they need a method to receive the decryption keys.
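The egress checks just described can be expressed as a small rule set over flow records. The following added example (not eSentire's code) learns a per-host baseline of protocol/port pairs from earlier flows and then flags new flows for a known C2 destination, a destination geolocated to a no-fly country, or a protocol the host has never used before. The flow format, the IP addresses, the C2 list and the geolocation table (with placeholder country codes "XX" and "YY") are all constructed.

```python
"""Egress callback detection over constructed flow records.

Three of the checks from the post:
  - destination on a command-and-control deny list
  - destination geolocated to a country on the no-fly list
  - protocol/port pair never before seen from that source host
The flow format ("timestamp src dst proto dport"), addresses, deny list and
geolocation table are all constructed for this example.
"""
from collections import defaultdict

C2_DENY = {"198.51.100.23"}                      # constructed C2 address
NO_FLY_COUNTRIES = {"XX", "YY"}                  # placeholder country codes
GEO_LOOKUP = {                                   # constructed geolocation table
    "198.51.100.23": "XX",
    "192.0.2.5": "US",
    "192.0.2.77": "DE",
    "203.0.113.9": "YY",
}

# Flows seen during a learning window (constructed).
BASELINE_FLOWS = [
    "2016-09-01T09:00:00Z 10.0.0.5 192.0.2.5 tcp 443",
    "2016-09-01T09:01:00Z 10.0.0.5 192.0.2.77 tcp 80",
    "2016-09-01T09:02:00Z 10.0.0.5 10.0.0.1 udp 53",
]

# Flows to evaluate afterwards (constructed).
NEW_FLOWS = [
    "2016-09-02T03:14:00Z 10.0.0.5 198.51.100.23 tcp 443",   # known C2, no-fly geo
    "2016-09-02T03:15:00Z 10.0.0.5 192.0.2.77 tcp 6667",     # new protocol for host
    "2016-09-02T03:16:00Z 10.0.0.5 192.0.2.5 tcp 443",       # normal
    "2016-09-02T03:17:00Z 10.0.0.5 203.0.113.9 udp 53",      # DNS to a no-fly country
]


def parse_flow(line: str) -> dict:
    """Parse one constructed flow line into a record."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def build_baseline(lines: list) -> dict:
    """Map each source host to the set of (proto, dport) pairs it has used."""
    baseline = defaultdict(set)
    for flow in map(parse_flow, lines):
        baseline[flow["src"]].add((flow["proto"], flow["dport"]))
    return baseline


def evaluate(flow: dict, baseline: dict) -> list:
    """Return the list of reasons this flow deserves analyst attention."""
    reasons = []
    if flow["dst"] in C2_DENY:
        reasons.append("known_c2")
    if GEO_LOOKUP.get(flow["dst"]) in NO_FLY_COUNTRIES:
        reasons.append("no_fly_geo")
    if (flow["proto"], flow["dport"]) not in baseline.get(flow["src"], set()):
        reasons.append("new_protocol_for_host")
    return reasons


def run_samples() -> list:
    """Evaluate NEW_FLOWS against the baseline learned from BASELINE_FLOWS."""
    baseline = build_baseline(BASELINE_FLOWS)
    return [(f["dst"], evaluate(f, baseline)) for f in map(parse_flow, NEW_FLOWS)]


if __name__ == "__main__":
    for dst, reasons in run_samples():
        print(dst, reasons or "ok")
```

The fourth flow illustrates why the geolocation check matters alongside the baseline: UDP/53 is perfectly normal for the host, so only the destination's country makes it stand out.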
Another trend is telemetry recon, allowing the actors greater visibility to gauge and adjust the size of the ransom demand based on how much pain it looks like they have inflicted.
But it can get worse.
We have observed autonomous ransomware that works like the Stuxnet attack on the Iranian centrifuges purported to have been crafted by nation states. These threats get the executable installed, the encryption run and the ransom demanded all without connecting to a command and control server. It’s the equivalent of a drone on autopilot. There are a couple of detection and containment techniques we use for this (including the executable detection), but there is also endpoint detection and response.
In all circumstances, if the payload manages to evade the network detection capabilities, you still have a chance to contain the threat with endpoint tools. These tools can detect new processes or hooked processes (often a result of unpatched systems) and generate a signal that will get a human threat analyst to investigate and intervene. Bear in mind, the endpoint tools are dealing with already detonated ransomware, which could be encrypting drives before any human can respond. But minimizing dwell time is the name of the game, so catching it at victim zero is an inconvenience. Letting it fester for hours or days can become business altering.
The above set of ransomware detection and intervention scenarios is by no means comprehensive and, even today, is likely already out of date. Doing nothing about this threat is irresponsible; large enterprises are taking it very seriously and have reasonable mitigations. Mid-sized firms are the new hunting ground, and every time the actors have success, it’s that much more funding available to their criminal enterprise.
According to the FBI, ransomware made $209M in the first quarter of 2016, and they predict that it will exceed $1B for the year. This kind of publicity will only draw more actors into the technique, with tools and teams being brokered at the speed of the internet. With this kind of success rate, we can only anticipate ever more sophisticated ransomware scenarios.
The single drive encryption scenario, demanding hundreds of dollars in ransom is giving way to ransoms in the tens of thousands, calculated by other “value based” measures such as the number of files on a server encrypted, criticality of the data or even the market cap of the victim firm. This problem will get far worse in the coming quarters. This is DoS 2.0 and the world needs to prepare for it. Failing to do so could cost organizations their business.
We believe having continuous detection and response solutions, with the capabilities I’ve described, is table stakes for any executive of a corporation that is managing risks. One piece of critical advice (aside from continuous cybersecurity monitoring): maintain frequent backups and test them regularly. Just as viruses would check for and disable anti-virus software, we anticipate that ransomware will check for and disable backup agents, wait a couple of weeks AND THEN encrypt.
The actors will quickly figure out how to optimize this timing. We’ve seen this movie before.