A SASE Approach to Enterprise Ransomware Protection

Listen to post: Getting your Trinity Audio player ready...

Ransomware continues to be a prime cyber threat to organizations of all sizes. One thesis for this is that these attacks are easier and less expensive to execute than ever before, while offering very high rates of return for cybercriminals. Since the 2017 WannaCry epidemic, the ransomware industry has evolved through several stages, including:

• Large-Scale Campaigns: Ransomware attacks like WannaCry were designed to infect as many systems as possible. Each infection would demand a relatively small ransom, trying to make a profit via quantity over quality.
• Targeted Attacks: Over time, ransomware campaigns have evolved to be extremely targeted attacks against particular organizations. In-depth research allows cybercriminals to identify how to maximize their profits for each infection.
• Ransomware as a Service (RaaS): RaaS gangs distribute copies of their malware to affiliates for a cut of the profits of successful infections. This model increased the number of companies infected with high-quality ransomware.
• Double Extortion: Double extortion ransomware both steals and encrypts sensitive and valuable data on an infected system. The threat of a data leak is used to increase the probability of a ransom payment.
• Triple Extortion: Triple extortion expanded the impact of a ransomware attack from the infected organization to its customers. The ransomware operators demand payments from multiple organizations whose data is affected by the attack.

Ransomware has proven to be a highly effective and profitable cyber threat. Cybercriminals will continue to innovate and build on their success to improve attack profitability and the probability of ransom payments.

Common Attack Methods for Ransomware Attacks

Cybercriminals use various methods to deploy and execute ransomware, and the following are a small sample of the most common:

• Vulnerability Exploits: Unpatched vulnerabilities are a very common method for delivering ransomware. By exploiting these vulnerabilities, cybercriminals can plant and execute the malware on a vulnerable system.
• Phishing: Phishing attacks use social engineering to trick users into downloading and executing malware on their devices. The ransomware can be attached to the message or located on a phishing site indicated by a malicious link.
• Compromised Credentials: User credentials can be guessed, compromised by phishing, or breached in other ways. Cybercriminals can use these credentials with the remote desktop protocol (RDP) or virtual private networks (VPNs) to access and deploy malware on systems.
• Malicious Downloads: Phishing sites may offer ransomware files for download. These files could masquerade as legitimate software or exploit vulnerabilities in the user’s browser to download and execute themselves.

Stages of a Ransomware Attack

Ransomware follows many of the same steps as other types of malware. The main stages in an attack include the following:

1. Initial Infection: A ransomware attack starts with the malware gaining access to a target system. This can be accomplished via a variety of methods, such as phishing or the use of compromised credentials.
2. Command and Control: Once the ransomware achieves execution, it establishes a command and control (C2) channel with its operator. This allows the ransomware to send data to and receive instructions from its operator.
3. Lateral Movement: Ransomware rarely immediately lands on a device containing the high-value data that it plans to encrypt. After gaining a foothold on a corporate network, the malware will perform discovery and move laterally to gain the access and privileges needed to encrypt valuable and sensitive data.
4. Data Theft and Encryption: Once it gains the required access, the malware will begin encrypting data and deleting backups. It may also exfiltrate copies of the data to its operator via its C2 channel.
5. Ransom Note: Once data encryption has been completed, the malware will reveal its presence on the system by publishing a ransom note. If the ransom is then paid and the decryption key is provided, the ransomware would decrypt all of the files that were encrypted.

Ransomware is on the Rise – Cato’s Security as a Service can help | Download the eBook

Ransomware Prevention Strategies

Once data theft and encryption have begun, an organization’s ransomware remediation options are limited. However, companies can take steps to reduce the probability of a ransomware infection, including the following:

• Vulnerability Management: Regular vulnerability scanning and patching can help to close the security gaps exploited to deliver ransomware. Additionally, Web Application and API Protection (WAAP) solutions can block the attempted exploitation of unpatched vulnerabilities.
• Email Security: Another common method of delivering ransomware and other malware is phishing. Email security solutions can identify and block messages containing malicious attachments or links to phishing pages.
• Multi-Factor Authentication (MFA): Compromised credentials can be used to access corporate systems and deliver malware via remote access solutions. Deploying strong MFA increases the difficulty of using compromised credentials.
• Web Security: Ransomware can be downloaded intentionally or unintentionally from malicious sites. A secure web gateway (SWG) can block browsing to dangerous sites and malicious downloads.
• Endpoint Security: Ransomware is malware that runs and encrypts files on an infected endpoint. Endpoint security solutions can identify and remediate ransomware infections.

Cato’s Approach to Enterprise Ransomware Protection

Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation. 

Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and NextGen Anti-Malware to detect and prevent MITRE ATT&CK techniques used by common ransomware groups, which spot the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses, and protecting enterprises against exploitation of known vulnerabilities in record time.

We use heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including:

• Blocking the delivery of known malware files.
• Detecting command and control traffic and attempts at lateral movement.
• Identifying access attempts for remote drives and folders.
• Monitoring time intervals, such as encrypting drives in seconds.

Cato Networks provides detection and mitigation of ransomware attacks without deploying agents on endpoints. Learn more about Cato’s network-based ransomware protection.