2018 is quickly moving by us, and while we have yet to see an attack on the scale of 2017’s WannaCry or NotPetya, it’s clear that the adversaries are not letting up on their mission to line their pockets at our expense. Ransomware has dominated the headlines for the last two years, while 2018 shows a trend towards diversity in attacker methods.
The growing cryptocurrency market is opening up new and tempting opportunities for hackers to compromise systems for their gain. Cryptomining attacks leverage ransomware-like tactics to gain access to machines, but with a payload focused on the machine itself, not its data.
Recently, our security researchers observed hackers utilizing WannaMine, a cryptomining worm, to steal system resources and mine cryptocurrency. WannaMine exploits remote systems with the EternalBlue exploit, the same exploit used in the WannaCry and NotPetya ransomware attacks.
WannaMine and other cryptocurrency mining malware pose a unique threat to enterprises because the malware is particularly stealthy, enabling hackers to mooch off of the organization’s power and available resources to fund illegal activities.
While there is no magic bullet solution for preventing and protecting organizations from all ransomware attacks, there are a few key tactics that security teams can take that will boost their organization’s immunity.
Practice good hygiene - patch!
The critical EternalBlue vulnerability was disclosed to the world in March 2017, yet is still being used with good success by adversaries now almost a year later. Deploying patches are table-stakes in the battle to stop modern attacks.
Legacy vulnerability scanning may not be enough to get accurate assessment of your security posture. Many scanners rely on data extracted from the registry or other repositories, where minor inconsistencies in the patch installation process may cause the scan to report incorrect patch status. This leaves organizations with major blind spots that can turn into massive vulnerabilities.
In the case of WannaCry and EternalBlue, some organizations deployed the patch and reported success.However, a failed reboot after the patch was installed resulted in systems that remained dangerously exposed.
To combat this and similar gaps, organizations should ensure their vulnerability assessment tools leverage deep real-time assessments of the running system environment, not just a review of meta-data. This visibility provides a clear and accurate view of the status of patches, and enables properly prioritization when a threat emerges.
Apply behavioral analytics for better protection
It’s crucial for organizations to shift to proactive cybersecurity techniques focused on identifying malicious behavior relating to ransomware even when no signatures or known exploits are present.
Instead of being reactive and tracking Indicators of Compromise (IoCs), a “known bad,” organizations should track Indicators of Attack (IoAs). IoAs identify adversary behavior related to ransomware, rather than using signatures. Behaviors such as deletion of backups or a high volume of file system activity can be clear indicators of ransomware in the right context. Behavioral detection enables organizations to prevent, detect and respond to both known and unknown ransomware.
Augment analytics with artificial intelligence (AI) and machine learning
AI and machine learning are critical capabilities for detecting modern threats that might otherwise be missed by traditional anti-virus solutions. Signature-less machine learning that’s combined with behavioral analytics is able to learn what files and behaviors are malicious without having to be fed new datasets every day.
This approach is proving far superior when detecting today’s threats, much of which is unknown variants and ultimately, leads to better classification of what is malicious or not.
Bolster your defense with proactive hunting
Rather than waiting for ransomware to appear and take hold in your organization, it is better to spot the problem at inception, before a breach occurs, and shut down the adversary’s attempt immediately. This is where proactive threat hunting plays a crucial role.
Skilled threat hunting teams that actively monitor system behavior can help defenders take control. Threat hunters look for evidence of potential malicious behavior that might exist in a broad pool of behavioral data, but may be too subtle to warrant an immediate blocking response by traditional detection technologies.
Threat hunters leverage experience and intuition to follow faint suggestions of possible threat activity to put together a picture of whether an attack is in progress, or if the behavior is irregular but does not represent malicious cyber activity. Threat hunters ultimately find damaging attacks in the network faster than automated security tools alone.
It’s never a question of if another crippling cyber-attack will take place, only a matter of when. As security teams prepare for the next ransomware epidemic, it’s critical for preventive measures beyond traditional security to be implemented.
Tactics such as patching, behavioral-based detection, machine learning, and threat hunting shift the advantage away from the attacker, toward the defender.