This is the third entry of a four-part blog series that discusses the different techniques on how ransomware affects users and organizations. This blog series shows that the best way to mitigate the risks of ransomware is to implement multiple layers of protection in the different components of an enterprise network—the gateways, endpoints, networks, and servers.
Read our previous posts here:
- Know the different ransomware arrival tactics, and how to stop them in the gateway
- How Endpoint Solutions Can Protect Businesses Against Ransomware
Ransomware has grown into a serious problem that has affected millions of users and netted millions of dollars in profit. The earlier entries in this series discussed the entry vectors of ransomware and their encryption behavior. In this post, we examine ransomware’s use of network communication and the possible solutions to address its effects.
It is particularly useful to examine the use of network communication, as network activity can be the first indication of malicious activity within an organization. At the same time, without proper visibility into their networks, organizations can be infected by ransomware through unmanaged devices that do not necessarily fall under the protection of the enterprise’s gateway solutions, or through unauthorized access by trusted parties.
An infected enterprise network can play two roles for ransomware:
- as a communication relay
- as a means to spread itself to other systems and servers
Role #1: Command and control
Ransomware’s most important use of networks is to communicate with the attackers’ command-and-control (C&C) servers, as this connection is generally used to deliver the encryption keys that lock the user’s files.
A key is usually sent from the C&C server to the affected machine to be used for encrypting target files. If a connection can be established, most ransomware families obtain a public key from the C&C server and use it to encrypt the target files. The corresponding private key stays with the attacker the entire time. Because the key is fetched at run time, the attacker can change the public key at any time, and no key needs to be embedded in the malware code.
What happens when a connection to the C&C server cannot be established? Most ransomware families, CryptoWall among them, simply do not encrypt any files. Others, however, proceed with their encryption routines regardless. One example is CryptXXX, which has a “default” key embedded in its code. Cerber variants typically generate their keys locally, which makes it easier for security researchers to reverse engineer the code, and for users to recover encrypted files with the relevant decryption tool. Newer ransomware variants prefer keys sent from a C&C server, precisely to defeat decryption tools that rely on static keys.
Role #2: Propagation
Ransomware can also spread within an organization through network shares. When running on an infected system, most ransomware families encrypt files on local hard drives and on mapped network drives. This makes an infection spread much more quickly within an organization, turning what could simply be an annoyance on a single system into a wave of infection that can disable an entire organization.
As previously mentioned, ransomware can also infiltrate networks through unauthorized access. For example, Crysis ransomware uses Remote Desktop Protocol (RDP) brute-force attacks. In March 2016, the Surprise ransomware reportedly used stolen TeamViewer login credentials to infect systems.
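Both roles described above leave traces that a defender can look for: repeated connection attempts from one internal host to a destination outside the egress allowlist (Role #1, a sample retrying an unreachable C&C server), a burst of writes and renames on UNC share paths from a single host (Role #2, encryption of mapped drives), and a burst of failed RDP logons from one source (the brute-force entry vector mentioned above). The following is an added example, not code from the original post or from any Trend Micro product; the log formats, hostnames, IP addresses and thresholds are constructed for illustration. Windows event ID 4625 (failed logon) and logon type 10 (RemoteInteractive) are real identifiers; everything else is an assumption.

```python
"""Detection logic over constructed logs for the two network roles of ransomware.

Three detectors share one sliding-window burst counter:
  - repeated_blocked_egress: an internal host repeatedly contacting a
    destination outside the egress allowlist (Role #1).
  - mass_share_modification: one host writing to or renaming many files on
    UNC share paths inside a short window (Role #2).
  - rdp_bruteforce: many failed RDP logons (Windows event 4625 with logon
    type 10) from one source address (RDP brute-force entry vector).
All sample data below is constructed; the line formats are assumptions, not any product's.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed firewall log: "timestamp src_ip destination port"
FIREWALL_LOG = """\
2016-06-01T09:00:01 10.0.5.23 updates.example-corp.internal 443
2016-06-01T09:00:12 10.0.5.41 203.0.113.77 80
2016-06-01T09:00:47 10.0.5.41 203.0.113.77 80
2016-06-01T09:01:20 10.0.5.41 203.0.113.77 80
2016-06-01T09:05:10 10.0.5.88 198.51.100.9 443
"""
EGRESS_ALLOWLIST = {"updates.example-corp.internal"}  # hypothetical approved destination

# Constructed file-audit log: "timestamp host unc_path action" (paths contain no spaces)
FILE_AUDIT_LINES = [
    r"2016-06-01T10:00:00 WS-03 \\FS01\HR\policy.docx WRITE",  # one benign save
] + [
    rf"2016-06-01T10:01:{s:02d} WS-17 \\FS01\Finance\report{s}.xlsx RENAME"
    for s in range(0, 40, 2)  # 20 renames in 38 seconds on a mapped drive
]

# Constructed Windows security events: "timestamp event_id logon_type src_ip target_user"
RDP_LINES = [
    f"2016-06-01T11:00:{s:02d} 4625 10 198.51.100.50 administrator"
    for s in range(0, 36, 3)  # 12 failed RemoteInteractive logons in 33 seconds
] + ["2016-06-01T11:00:40 4624 10 10.0.5.23 jdoe"]  # one successful logon, not counted


def in_burst(times, window, threshold):
    """True if any span of length `window` in `times` holds at least `threshold` events."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def group_times(lines, key_fn):
    """Bucket event timestamps by the key `key_fn` derives from the split fields.

    `key_fn` returns None for events that should be ignored."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        fields = line.split()
        key = key_fn(fields)
        if key is not None:
            groups[key].append(datetime.fromisoformat(fields[0]))
    return groups


def repeated_blocked_egress(lines, allowlist, window=timedelta(minutes=5), threshold=3):
    """(src, dst) pairs where an internal host repeatedly hit a non-allowlisted destination."""
    def key(f):
        _ts, src, dst, _port = f
        if ipaddress.ip_address(src).is_private and dst not in allowlist:
            return (src, dst)
        return None
    groups = group_times(lines, key)
    return sorted(k for k, t in groups.items() if in_burst(t, window, threshold))


def mass_share_modification(lines, window=timedelta(seconds=60), threshold=15):
    """Hosts that wrote to or renamed many files on UNC (\\\\server\\share) paths in one window."""
    def key(f):
        _ts, host, path, action = f
        if path.startswith("\\\\") and action in ("WRITE", "RENAME"):
            return host
        return None
    groups = group_times(lines, key)
    return sorted(h for h, t in groups.items() if in_burst(t, window, threshold))


def rdp_bruteforce(lines, window=timedelta(minutes=2), threshold=10):
    """Source addresses with many failed RemoteInteractive (RDP) logons in one window."""
    def key(f):
        _ts, event_id, logon_type, src, _user = f
        if event_id == "4625" and logon_type == "10":
            return src
        return None
    groups = group_times(lines, key)
    return sorted(s for s, t in groups.items() if in_burst(t, window, threshold))


def run_all():
    """Run the three detectors over the constructed samples."""
    return {
        "egress": repeated_blocked_egress(FIREWALL_LOG.splitlines(), EGRESS_ALLOWLIST),
        "shares": mass_share_modification(FILE_AUDIT_LINES),
        "rdp": rdp_bruteforce(RDP_LINES),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The thresholds and windows are starting points to tune against a baseline of normal traffic; a backup job or a user moving a folder can also produce a burst of share writes, so the share detector is most useful when combined with the egress and logon signals rather than on its own.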
Given how ransomware tries to infiltrate and spread within enterprise networks, organizations should have network visibility so they can do proactive measures to limit the impact of these threats and reduce the risk of reinfection. Solutions like Trend Micro™ Deep Discovery™ Inspector (DDI) can help organizations gain a complete picture of existing threat actions and determine the correct solution accordingly.
DDI detects traffic going out to C&C servers, significantly reducing the ability of ransomware families to encrypt files. Placed within the internal network, DDI also detects attempts by ransomware to spread to other systems beyond the initially infected machine.
This is all on top of DDI’s other capabilities—it detects encryption behaviors, modifications to backup restore processes, and mass file modifications. It can also detect script emulation, zero-day exploits, and targeted and password-protected malicious files commonly associated with ransomware.
Beyond visibility and network defense, a multi-layered approach is necessary to prevent ransomware attacks, whether for an enterprise, a small business, or a consumer. Trend Micro offers solutions that protect users and organizations at every layer: the gateway, endpoints, networks, and even servers.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. Capabilities: Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention.
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. Capabilities: Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention.
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. Capabilities: Ransomware Behavior Monitoring, IP/Web Reputation.
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Capabilities: IP/Web Reputation, Ransomware Protection.