This entry is the second part of a four-part blog series discussing the different techniques ransomware uses to affect users and organizations. These techniques show that the best way to mitigate the risks brought about by this threat is to implement multiple layers of protection in different aspects of an enterprise network: from the gateway, to endpoints, to networks, and servers.
Read our previous post here:
By Marvin Cruz, Ryuji Fortuna, and Joselito Dela Cruz
This year alone, the FBI predicted that the total loss to ransomware will reach a whopping US$1 billion. The ransomware business is booming, encouraging cybercriminals to expand their target base—from consumers to businesses, regardless of type and size.
Small and medium-sized businesses (SMBs) usually have limited resources to afford robust security solutions. A study revealed that 65% of SMBs in the United States won’t invest much money in ransomware-related concerns, including ransom payment or security. Meanwhile, despite multiple layers of security, enterprise networks may still be put at risk if threats come from known and trusted sources, such as third-party partners, vendors, contacts, or employees themselves. Given these predicaments, endpoint solutions with good behavior-monitoring and application control features can be a company’s last line of defense against ransomware.
Figure 1. Ransomware attacks and their corresponding solutions
How behavior monitoring works
Behavior monitoring, which is present in our solutions like Trend Micro™ Smart Protection Suites and Trend Micro Worry-Free™ Services Advanced, tracks and blocks any “anomalies” or unusual system behaviors or modifications. It allows us to proactively detect and block the execution of ransomware and crypto-ransomware variants based on known and unknown tactics or capabilities, which include encryption, process manipulation, file dropping, and command-and-control (C&C) server communication, among others. It also blocks info-stealing ransomware variants such as RAA ransomware and MIRCOP.
A good behavior-monitoring tool can terminate any program that encrypts specific files stored in systems. If a running program is not part of a whitelist or is associated with ransomware, the tool should be able to immediately thwart its execution.
Figure 2. Screenshot of various file types that ransomware encrypts
Scripts designed to bypass email scanners and obfuscate malicious code, such as those used to distribute Locky, TeslaCrypt 4.0 (detected as CRYPSTELA), and CryptoWall 3.0 (detected as CRYPTWALL), are also detected by a good behavior-monitoring tool. Our behavior-monitoring tool detects and blocks ransomware that uses VBScript (Cerber and variants of Locky) and JScript (RAA).
Some ransomware families delete shadow copies, which could be considered normal behavior in certain OSs and so can’t be immediately blocked. A good behavior-monitoring tool, however, should be able to tag this routine as an indicator of possible ransomware infection.
Other ransomware variants may abuse legitimate programs, services, or frameworks to avoid detection and removal from the system. One example is PowerWare, which abuses Windows PowerShell. A good behavior-monitoring tool should look out for and prevent certain events from occurring, such as normal programs, services, or frameworks behaving in a malicious manner, or normal programs being used for encryption. It should also have a policy that indicates which files should not be executed on a system.
Figure 3. Code that lets PowerWare abuse PowerShell
Normal users may not immediately notice a ransomware infection, especially when the malicious code is injected into a normal process like Explorer.exe. Behavior monitoring can help in such instances, though, as behaviors like injection and hooking routines can be flagged and consequently blocked.
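To make the behavior-monitoring logic of this section concrete, here is a small rule engine written for this post. It is an added example, not Trend Micro code, and it does not describe how the product's engine is implemented. It scores a constructed stream of process and file events for the indicators the text discusses: a script host running a script out of a temp directory, a process image living in a temp path, shadow-copy deletion (tagged as an indicator only, since it is also legitimate admin activity), and a process rewriting many user documents under a new extension, which is the point at which an encrypting program would be terminated. A whitelisted image is exempt from enforcement, as the text describes. The event format, rule weights, thresholds and the allowlist are assumptions for the example.

```python
import re
from collections import defaultdict

# Image paths the rules never act on (constructed allowlist; a real product
# would key this on code signer or file hash rather than path).
ALLOWLIST = {r"c:\program files\backup\backup.exe"}

# Weights and thresholds are assumptions for the example: a single indicator
# only raises an alert, a combination (or a mass document rewrite) blocks.
BLOCK_THRESHOLD = 4
MASS_REWRITE_MIN = 50

SHADOW_COPY_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(\.exe)?\b.*\\temp\\", re.I)
TEMP_IMAGE_RE = re.compile(r"\\temp\\", re.I)
# A user document whose name gained an extra extension, e.g. report.docx.locked
DOC_REWRITE_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g)\.[a-z0-9]{2,8}$", re.I)


def analyse(events):
    """Score an event stream; return {pid: {image, tags, score, verdict}}."""
    state = {}
    rewrites = defaultdict(int)

    def tag(pid, name, weight):
        state[pid]["tags"].add(name)
        state[pid]["score"] += weight

    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            state[pid] = {"image": ev["image"], "tags": set(), "score": 0}
            if TEMP_IMAGE_RE.search(ev["image"]):
                tag(pid, "image_in_temp", 1)
            if SCRIPT_HOST_RE.search(ev["cmd"]):
                tag(pid, "script_host_from_temp", 2)
        elif pid not in state:
            continue  # telemetry for a process we never saw start
        elif ev["type"] == "child_cmd":
            # Deleting shadow copies is legitimate admin activity, so it is
            # tagged as an indicator rather than blocked on its own.
            if SHADOW_COPY_RE.search(ev["cmd"]):
                tag(pid, "shadow_copy_deletion", 3)
        elif ev["type"] == "file_write":
            if DOC_REWRITE_RE.search(ev["path"]):
                rewrites[pid] += 1
                if rewrites[pid] == MASS_REWRITE_MIN:
                    tag(pid, "mass_document_rewrite", BLOCK_THRESHOLD)

    for s in state.values():
        if s["image"].lower() in ALLOWLIST:
            s["verdict"] = "allow"  # whitelisted: indicators are recorded, not enforced
        elif s["score"] >= BLOCK_THRESHOLD:
            s["verdict"] = "block"
        elif s["score"] > 0:
            s["verdict"] = "alert"
        else:
            s["verdict"] = "allow"
    return state


# Constructed sample telemetry (not from the post): a script host launched
# from the user's temp folder, a dropped upd.exe that deletes shadow copies
# and rewrites 60 documents, and a whitelisted backup tool that also rewrites
# 60 documents as part of its normal job.
SAMPLE_EVENTS = [
    {"pid": 101, "type": "process", "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 202, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.js"},
    {"pid": 303, "type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "cmd": "upd.exe"},
    {"pid": 303, "type": "child_cmd", "cmd": "vssadmin.exe delete shadows"},
    {"pid": 404, "type": "process", "image": r"C:\Program Files\Backup\backup.exe", "cmd": "backup.exe --nightly"},
]
SAMPLE_EVENTS += [{"pid": 303, "type": "file_write",
                   "path": rf"C:\Users\bob\Documents\report{i}.docx.locked"} for i in range(60)]
SAMPLE_EVENTS += [{"pid": 404, "type": "file_write",
                   "path": rf"C:\Users\bob\Documents\report{i}.docx.bak"} for i in range(60)]

if __name__ == "__main__":
    for pid, s in analyse(SAMPLE_EVENTS).items():
        print(pid, s["verdict"], s["score"], sorted(s["tags"]))
```

Run as written, the engine alerts on the script host, blocks the dropped executable once its indicators accumulate, and leaves the whitelisted backup tool alone even though it touched as many documents as the ransomware did. That last case is why the whitelist matters in practice: rate-of-change rules alone cannot tell backup software or a bulk file converter from an encryptor.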
What is application control?
Apart from behavior monitoring, another good feature of endpoint solutions is application control (also known as application whitelisting), as it prevents ransomware from executing on systems and possibly causing further damage, such as to backups. It does this by allowing only nonmalicious routines, files, and processes to run on systems (e.g., POS devices, kiosks, ATMs, and industrial control systems, as well as desktops and laptops).
Figure 4. Trend Micro Application Control prevents JIGSAW from running
IT admins determine the list of programs/files/processes that can run on systems via application control. They can create lists based on an inventory of their existing endpoints, by category, vendor, app, or other dynamic reputation attributes. Once an app is allowed, its succeeding versions/updates will be permitted to run, too. IT admins can use an extensive, default list of safe apps, ranging from system files, desktop apps, and mobile apps, among others.
Besides whitelisting apps, a good application control feature can deny programs, files, or processes from running from certain file paths. IT admins can create blocking rules for specific directories. Some ransomware variants drop copies in the %Temp% and %User Temp% directories, paths that most malware use. Ransomware like JIGSAW uses the %Application Data% and %AppDataLocal% paths. Knowing the paths specific variants commonly use, IT admins can create blocking rules for them.
Figure 5. Specific locations that Trend Micro Application Control can block
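The allow-by-identity and deny-by-path rules described in the two paragraphs above can be expressed as a small policy evaluator. The following is an added example written for this post, not Trend Micro Application Control's own rule format or code. The placeholder directories (%Temp%, %User Temp%, %Application Data%, %AppDataLocal%) are the ones the post names; their expansions, the publisher names, the hash and the launch events are constructed for the example.

```python
import fnmatch
import hashlib

# Constructed expansions for the placeholder paths used in the post; on a
# real endpoint these come from the environment (assumption for the example).
ENV = {
    "%Temp%": r"C:\Windows\Temp",
    "%User Temp%": r"C:\Users\bob\AppData\Local\Temp",
    "%Application Data%": r"C:\Users\bob\AppData\Roaming",
    "%AppDataLocal%": r"C:\Users\bob\AppData\Local",
}

# Hash of a constructed "legacy tool" binary, standing in for a file the
# admin inventoried once and allowed by hash.
LEGACY_HASH = hashlib.sha256(b"constructed legacy tool bytes").hexdigest()

POLICY = {
    # Allowing a publisher covers later versions/updates of the same app.
    "allow_publishers": {"Example Backup Vendor", "Microsoft Windows"},  # constructed names
    "allow_hashes": {LEGACY_HASH},
    "allow_dirs": [r"C:\Program Files\*"],
    # Blocking rules for the drop locations named in the post.
    "deny_paths": [r"%Temp%\*", r"%User Temp%\*",
                   r"%Application Data%\*", r"%AppDataLocal%\*"],
}


def expand(path):
    """Replace %Placeholder% tokens with their configured values."""
    for token, value in ENV.items():
        path = path.replace(token, value)
    return path


def matches(path, pattern):
    """Case-insensitive glob match of a launch path against a rule."""
    return fnmatch.fnmatchcase(path.lower(), expand(pattern).lower())


def evaluate(launch, policy=POLICY):
    """Return (decision, reason) for one process-launch event."""
    path = launch["path"]
    # Deny-by-path is checked first so nothing launched from a blocked drop
    # location runs, even if it carries a trusted signature.
    for rule in policy["deny_paths"]:
        if matches(path, rule):
            return "deny", f"launched from blocked path {rule}"
    if launch.get("publisher") in policy["allow_publishers"]:
        return "allow", "trusted publisher"
    if launch.get("sha256") in policy["allow_hashes"]:
        return "allow", "known-good hash"
    for rule in policy["allow_dirs"]:
        if matches(path, rule):
            return "allow", f"trusted directory {rule}"
    return "deny", "not on allowlist (default deny)"


def evaluate_all(launches, policy=POLICY):
    return [evaluate(launch, policy) for launch in launches]


# Constructed launch events: an allowed app and its update, two binaries in
# the post's drop locations, a signed installer run out of %Temp%, a hash-
# allowed legacy tool, and an unknown binary.
SAMPLE_LAUNCHES = [
    {"path": r"C:\Program Files\Backup\backup.exe", "publisher": "Example Backup Vendor", "version": "2.1"},
    {"path": r"C:\Program Files\Backup\backup.exe", "publisher": "Example Backup Vendor", "version": "2.2"},
    {"path": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"path": r"C:\Users\bob\AppData\Roaming\updater\svc.exe"},
    {"path": r"C:\Windows\Temp\setup.exe", "publisher": "Microsoft Windows"},
    {"path": r"C:\Tools\legacy.exe", "sha256": LEGACY_HASH},
    {"path": r"C:\Tools\unknown.exe"},
]

if __name__ == "__main__":
    for launch, (decision, reason) in zip(SAMPLE_LAUNCHES, evaluate_all(SAMPLE_LAUNCHES)):
        print(f"{decision:5} {launch['path']}  ({reason})")
```

Two design points are worth checking against your own inventory before copying this ordering. Evaluating deny-by-path before the allow rules is the stricter choice and is what stops a dropped copy from running even when it is signed, but it also blocks legitimate installers that unpack into %Temp%, so those need an explicit exception or a staged rollout. And a blanket rule on %AppDataLocal% covers %User Temp% as well, which is convenient, but several per-user applications install under AppData\Local; build the rule list from an endpoint inventory first, as the post recommends, rather than from the malware paths alone.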
No silver bullet
With so many different means by which ransomware can reach systems, organizations require a multilayered defense that can secure endpoints, networks, and servers. Behavior monitoring and application control are just additional layers of protection, in case ransomware gets through the gateway level. Once threats reach the endpoint level and start encrypting files (including crucial company data), recovering them without any backup would be very difficult. Matters get worse when ransomware deletes shadow copies or exhibits other routines beyond encryption, leaving businesses no other choice but to pay.
Trend Micro Smart Protection Suites has behavior-monitoring, application control, vulnerability shielding, Web reputation, and browser exploit prevention features that can prevent even ransomware distributed via exploit kits from infecting systems.
Trend Micro™ Deep Discovery™ Email Inspector can detect and block ransomware-rigged and spear phishing emails, including those with malicious attachments, from even reaching users’ inboxes. Its custom sandbox technology can also detect ransomware that use malicious macros. Enterprises can also use InterScan™ Web Security, which scans for zero days and browser exploits. The IP and Web reputation features in these solutions can mitigate ransomware infection at the email and gateway levels.
For network protection, Trend Micro Deep Discovery Inspector can discover ransomware on networks through its custom sandbox. It detects encryption behaviors, modifications to backup restore processes, and mass file modifications. It can also detect script emulation, zero-day exploits, and targeted and password-protected malicious files commonly associated with ransomware. Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud. It secures systems and servers from vulnerabilities used by exploit kits that push ransomware.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time Web reputation in order to detect and block ransomware.
Users can also use our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, and Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain crypto-ransomware variants.