
How Ransomware Works and How to Prevent It



Ransomware can strike any industry, from logistics and media companies to non-profit organizations and governments. Even hospitals are targets for ransomware, holding data and lives hostage.

Ransomware can cause irreparable damage. Understanding how it works and how to detect it can help prevent attacks.

How Does Ransomware Work?

Ransomware is a type of malware that locks files on a victim machine, making data inaccessible. A ransom note appears on the victim’s computer with instructions for paying the attacker (usually in a cryptocurrency such as Bitcoin) to unlock the files.

A ransomware attack can originate from a malicious link, email attachment, exploited vulnerability, attack campaign, or worm. After ransomware malware is installed on the victim’s machine, the malware often spreads to other devices on a network and connects to a command-and-control (C&C) server controlled by the attacker. The ransomware then waits for a command (such as “encrypt files”) from the attacker.

Typically, ransomware locks files with asymmetric encryption, a strong cryptographic method that uses a key pair (a public key and a private key): data encrypted with one key can only be decrypted with the other. The attacker keeps the private key and sends the public key to the victim’s computer. The ransomware encrypts data with the public key, so the data can only be decrypted with the private key the attacker holds. Ransomware usually encrypts non-critical data, selected by file extension (such as .txt, .jpg, .xls, or .doc), so that the victim computer keeps working well enough for the victim to pay the ransom.

After data encryption begins, the encryption process can quickly spread throughout the network and across file shares. The only way to decrypt the data is to receive the private key from the attacker, after paying a ransom.

Figure: A general workflow for most types of ransomware.

Examples of Ransomware Variants

Encrypting malware and the extortion activities associated with it have been around for decades. But the type of malware known as ransomware first appeared in 2012. Many variations of ransomware have since emerged, helping attackers evade anti-virus software and network defenses. Let’s compare notable ransomware variants to learn how ransomware generally infects computers and encrypts files.


CryptoLocker

CryptoLocker appeared in September 2013, making it one of the earliest examples of ransomware. CryptoLocker was a trojan virus that spread through a botnet and malicious email attachments claiming to be FedEx and UPS tracking notifications. Files on the local hard drive and mounted file shares were encrypted with RSA algorithms. CryptoLocker was stopped in 2014 when the private keys were captured by law enforcement and a decryption tool was released.


CryptoWall

CryptoWall emerged in 2014 and is still seen today. Attackers distribute CryptoWall malware to victims through exploit kits, phishing emails, or malicious links within ads. CryptoWall injects code into explorer.exe, infecting system processes on Windows machines. After the code is run, user information is encrypted and sent to the C&C server to generate a unique public key. Files on the local hard drive and mounted file shares are encrypted with the public key and an algorithm (such as RSA-2048 or AES-256). CryptoWall 3.0 from 2015 has been the most lucrative version for attackers.


Locky

Locky emerged in 2016 and is mainly distributed to victims through an emailed malicious Microsoft Word attachment. The Word document includes a malicious macro that, once enabled, downloads a trojan virus with the encryption malware. Keys are generated on the C&C server, and files on the local hard drive and mounted file shares are encrypted with RSA-2048 and AES-128 algorithms.


WannaCry

WannaCry ransomware variants appeared in May 2017 during an infamous global attack. WannaCry spread as a worm (meaning no user interaction was required to install and spread malware to other devices) by leveraging EternalBlue. EternalBlue is an exploit of a vulnerability in legacy versions of the SMB file-sharing protocol (MS17-010). WannaCry leveraged the DoublePulsar tool to install a backdoor on the victim’s computer to manage communication with a C&C server. WannaCry was stopped after the discovery of a “kill switch” in the malware.

Petya and NotPetya

Petya (also referred to as GoldenEye) malware appeared in 2016 and was distributed as email attachments. Unlike most ransomware, Petya often encrypted local system files, preventing victims from accessing their machines at all. Another variant, referred to as NotPetya, appeared shortly after WannaCry in June 2017. This variant spread as a worm through the same EternalBlue exploit seen in the WannaCry attack and encrypted the master boot record on Windows machines. NotPetya did not provide an option for decrypting files and caused billions of dollars in damage across the globe.


Ryuk

Ryuk ransomware appeared in 2018 and initially targeted large enterprises. In 2020, Ryuk ransomware was linked to hundreds of U.S. hospital and healthcare targets. Ryuk is typically delivered through a Trojan virus called Trickbot, which is known to install a backdoor (anchor_dns) on the victim machine. This backdoor manages encrypted communication with a C&C server through DNS tunneling. To spread across the network, the malware leverages a variety of tools and protocols, including Mimikatz, PowerShell, and Remote Desktop Protocol (RDP). Ryuk encrypts files with a combination of symmetric (AES) and asymmetric (RSA) encryption. Files are encrypted with AES-256 and the AES key is encrypted with an RSA public key. The encrypted key is embedded into the executable file sent to the victim. To evade detection, malware components—the executable file and C&C server domains—are unique to each victim.

How to Detect Ransomware

Detection methods can include log, process, and network traffic monitoring. One approach is to monitor logs and process-creation events for built-in binaries used to destroy recovery data, such as vssadmin, wbadmin, and bcdedit. Ransomware typically destroys shadow copies of data to prevent data recovery efforts that don’t involve paying the ransom.
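As an added illustration of the process-monitoring approach just described (example code written for this article, not ExtraHop’s or any product’s detection logic), the following Python scans constructed process-creation records for the shadow-copy and recovery-tampering command lines of the utilities named above, and raises a host-level finding when several distinct tampering commands run on the same host. The host names, parent images and command lines are constructed samples; the rule set is an assumption built from vssadmin, wbadmin and bcdedit plus wmic’s shadowcopy command, and the threshold of two rules per host is likewise an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry): (host, parent image, command line).
SAMPLE_EVENTS = [
    ("ws-17", "explorer.exe", r"C:\Windows\System32\cmd.exe /c dir"),
    ("ws-17", "svc-update.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("ws-17", "svc-update.exe", "wbadmin delete catalog -quiet"),
    ("ws-17", "svc-update.exe", "bcdedit /set {default} recoveryenabled No"),
    ("fs-02", "backup-agent.exe", "vssadmin list shadows"),   # benign: listing, not deleting
    ("fs-02", "wmiprvse.exe", "wmic shadowcopy delete"),
]

# Assumed rule set: (rule name, regex applied to the lower-cased command line).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_failures_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    rule: str
    command: str


def match_event(host, parent, command):
    """Return one Finding per rule that matches this command line."""
    cmd = command.lower()
    return [Finding(host, parent, name, command) for name, rx in RULES if rx.search(cmd)]


def scan_process_events(events):
    """Apply every rule to every event and collect the findings."""
    findings = []
    for host, parent, command in events:
        findings.extend(match_event(host, parent, command))
    return findings


def hosts_with_recovery_tampering(events, threshold=2):
    """Hosts on which at least `threshold` distinct tampering rules fired.
    A single command can be legitimate administration; several different
    recovery-destroying commands on one host is the ransomware pattern."""
    per_host = {}
    for f in scan_process_events(events):
        per_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} <- {f.parent}: {f.command}")
    print("hosts with recovery tampering:", hosts_with_recovery_tampering(SAMPLE_EVENTS))
```

The per-host aggregation is the part worth keeping: feeding the same rules into a SIEM as individual alerts produces noise from backup administrators, whereas two or more distinct recovery-destroying commands from one host within a short period is far more specific.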

ExtraHop Reveal(x) automatically detects unusually large volumes of file modifications performed over file-sharing protocols such as SMB, as well as the presence of abnormal file extensions and ransom notes.

Figure: Ransomware malware typically scans files and then encrypts them. This behavior appears as distinct file reads and writes.

Specific variants can also be identified by file names or extensions appended to encrypted files. For example, the Brrr variant of Dharma ransomware adds the file extension .brrr to encrypted files. These ransomware extensions identify which files are encrypted and no longer accessible, persuading the victim to pay the ransom.
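To make the file-activity signals of the last few paragraphs concrete (a burst of file modifications over SMB, an unfamiliar extension appended to every renamed file, and a ransom note dropped alongside them), here is an added Python example that is not ExtraHop’s or any product’s code. It runs three checks over constructed SMB activity records: a sliding-window count of modifications per client, detection of renames that append an extension outside an assumed baseline (the .brrr extension from the Dharma example is used in the sample data), and a constructed keyword heuristic for ransom-note file names. The thresholds, baseline extension list and keywords are all assumptions chosen for the example.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed baseline of extensions normally seen on the share.
BASELINE_EXTENSIONS = {".txt", ".docx", ".xlsx", ".jpg", ".pdf", ".bak", ".tmp"}
# Constructed keyword heuristic for ransom-note file names (not a product signature).
RANSOM_NOTE_KEYWORDS = ("decrypt", "restore", "ransom", "encrypted")


def build_sample_events():
    """Constructed SMB activity records: (time, client, op, path, new_path).
    Client 10.0.5.23 rewrites and renames 25 files to *.brrr within seconds and drops a note;
    client 10.0.5.40 does ordinary work, including a legitimate rename to .bak."""
    t0 = datetime(2022, 1, 10, 9, 0, 0)
    events = []
    for i in range(25):
        src = f"\\\\fs-02\\finance\\q{i}.xlsx"
        events.append((t0 + timedelta(seconds=i), "10.0.5.23", "write", src, None))
        events.append((t0 + timedelta(seconds=i), "10.0.5.23", "rename", src, src + ".brrr"))
    events.append((t0 + timedelta(seconds=26), "10.0.5.23", "write",
                   "\\\\fs-02\\finance\\FILES ENCRYPTED.txt", None))
    for i in range(3):
        events.append((t0 + timedelta(minutes=i), "10.0.5.40", "write",
                       f"\\\\fs-02\\hr\\memo{i}.docx", None))
    events.append((t0 + timedelta(minutes=5), "10.0.5.40", "rename",
                   "\\\\fs-02\\hr\\draft.docx", "\\\\fs-02\\hr\\draft.docx.bak"))
    return events


def appended_extension(old_path, new_path):
    """Return the extension a rename appended (e.g. '.brrr'), or None if the rename
    did anything other than append '.<ext>' to the original name."""
    if new_path is None or not new_path.startswith(old_path):
        return None
    suffix = new_path[len(old_path):]
    return suffix if suffix.startswith(".") and len(suffix) > 1 else None


def detect_file_activity(events, window=timedelta(seconds=60), mod_threshold=20):
    """Return alerts for mass modification, unknown appended extensions and ransom notes."""
    alerts = []
    recent = defaultdict(deque)      # per-client timestamps of modifications in the window
    flagged_mass = set()
    flagged_ext = set()
    for ts, client, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op not in ("write", "rename", "delete"):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= mod_threshold and client not in flagged_mass:
            flagged_mass.add(client)
            alerts.append({"client": client, "type": "mass_modification", "count": len(q), "at": ts})
        if op == "rename":
            ext = appended_extension(path, new_path)
            if ext and ext.lower() not in BASELINE_EXTENSIONS and (client, ext) not in flagged_ext:
                flagged_ext.add((client, ext))
                alerts.append({"client": client, "type": "ransomware_extension", "extension": ext, "at": ts})
        if op == "write":
            name = os.path.basename(path.replace("\\", "/")).lower()
            if any(k in name for k in RANSOM_NOTE_KEYWORDS):
                alerts.append({"client": client, "type": "ransom_note", "path": path, "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_file_activity(build_sample_events()):
        print(a)
```

The three signals are deliberately kept independent: the extension check fires on the very first rename, long before the modification counter crosses its threshold, which is why it is the earliest warning in practice, while the rate check catches variants that overwrite files in place without renaming them.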

Figure: Encrypted files with a ransomware file extension.

Network defenders can also leverage threat intelligence, which identifies suspicious IP addresses, hostnames, and URIs associated with threat groups. Threat intelligence data can be found in free and commercial sources provided by the security community. ExtraHop Reveal(x) includes curated threat collections, which are continuously updated to cover new ransomware variants. C&C domains associated with ransomware can be automatically detected by Reveal(x) in HTTP and DNS traffic.
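The following added Python shows the threat-intelligence matching described above applied to DNS and HTTP log lines; it is example code for this article, not Reveal(x) or any vendor’s threat-collection logic. The indicator set uses placeholder values only (domains under the reserved .invalid TLD, an address from the 203.0.113.0/24 documentation range, and a made-up URI path), and the log lines are constructed in a simple key=value format assumed for the example. Domain matching covers subdomains of an indicator, and DNS names are normalised (case, trailing dot) before lookup, since both are common ways a naive exact-match feed misses C&C traffic.

```python
# Constructed indicator set: placeholders, not real indicators of compromise.
INDICATORS = {
    "domain": {"c2-updates.example.invalid", "panel-a.example.invalid"},
    "ip": {"203.0.113.45"},            # TEST-NET-3 documentation address
    "uri": {"/c2-checkin.php"},        # made-up path for the example
}

# Constructed log lines in an assumed key=value format (one record per line).
LOG_LINES = [
    "ts=1 proto=dns client=10.0.5.23 query=api.github.com.",
    "ts=2 proto=dns client=10.0.5.23 query=Sync.C2-Updates.Example.INVALID.",
    "ts=3 proto=http client=10.0.5.23 host=panel-a.example.invalid uri=/c2-checkin.php dst=198.51.100.7",
    "ts=4 proto=http client=10.0.5.40 host=cdn.example.com uri=/index.html dst=203.0.113.45",
    "ts=5 proto=dns client=10.0.5.40 query=mail.example.com.",
]


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split())


def normalize_domain(name):
    """Lower-case and drop the trailing dot that DNS logs often keep."""
    return name.rstrip(".").lower()


def domain_matches(name, indicator_domains):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicator_domains:
            return candidate
    return None


def match_record(rec, indicators=INDICATORS):
    """Return a list of (indicator type, matched value) for one parsed record."""
    hits = []
    if rec.get("proto") == "dns" and "query" in rec:
        m = domain_matches(rec["query"], indicators["domain"])
        if m:
            hits.append(("domain", m))
    if rec.get("proto") == "http":
        m = domain_matches(rec.get("host", ""), indicators["domain"])
        if m:
            hits.append(("domain", m))
        if rec.get("uri") in indicators["uri"]:
            hits.append(("uri", rec["uri"]))
    if rec.get("dst") in indicators["ip"]:
        hits.append(("ip", rec["dst"]))
    return hits


def match_threat_intel(lines, indicators=INDICATORS):
    """Scan log lines and return one alert per record that hit any indicator."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        hits = match_record(rec, indicators)
        if hits:
            alerts.append({"ts": int(rec["ts"]), "client": rec["client"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in match_threat_intel(LOG_LINES):
        print(alert)
```

Note that the HTTP record at ts=4 is flagged on destination IP alone even though its Host header is benign; a host header is attacker-controlled, so matching on the connection’s address as well as the name is what keeps the check honest.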

How to Prevent Ransomware Attacks

One way to avoid the damage inflicted by ransomware is to maintain off-site backup files that can restore critical systems. Periodically test these backup files to make sure they are working and updated.

To reduce the number of ransomware attack vectors, disable internet access for internal services, especially services that run over file-sharing or remote access protocols such as RDP. For services that must connect to the internet, monitor incoming connections with a firewall or gateway that scans traffic for malicious content.

Another strategy for preventing the spread of ransomware is to segment networks and create policies that limit the device interactions to a sub-network.

Finally, make sure that servers are routinely updated and patched to reduce the number of vulnerabilities that an attacker can exploit.


Copyright © 2022 IDG Communications, Inc.


Threat Notification Isn’t the Solution – It’s a Starting Point



Most organizations have the tools in place to receive notification of attacks or suspicious events. But taking the information gleaned from cybersecurity tools is only step one in handling a security threat.

“The goal of a security practitioner is to link those data sets together and do something with the information,” says Mat Gangwer, VP of managed detection and response at Sophos. “The threat notification is just the beginning.”

It’s a common misconception that a tool has effectively blocked or remediated an issue simply because the IT or security team have received a notification of malicious activity.

“Practitioners often think notification also means prevention, but it doesn’t,” Gangwer says. “It doesn’t mean the threat has been neutralized. That’s the start of your investigation.”

Gangwer offers these three essential steps for moving beyond threat detection.

1 – Minimize the damage

To prevent widespread damage, organizations, or a managed security services provider (MSSP) acting on their behalf, should take certain targeted actions to neutralize threats after detection, including:

  • Triaging and validating the threat or incident
  • Determining the scope and severity of the threat
  • Seeking information on the threat’s context and potential impact
  • Acting to remotely disrupt, contain, and neutralize the threat
  • Determining the root cause of the incident to prevent future breaches or attacks

2 – Incorporate new learnings

Once a threat has been neutralized and remediated, organizations should seek to incorporate any new learnings back into incident preparedness and ongoing monitoring and threat hunting efforts. It’s critical to leverage these new learnings so processes and procedures can be quickly adapted. Updating documented policies and your incident response plan allows teams to know what is necessary to do in the future, the next time a threat is detected.

“It’s better to make sure everybody’s on the same page and aware of expectations going into an event rather than trying to figure it out when it happens and scrambling around trying to remedy and fix what’s going on,” he says.

3 – Enlist additional resources

But what if you lack the in-house tools, people, and processes to defend against cyber threats once they are uncovered? An ongoing skills gap in security has made it difficult for many companies to fill their security ranks and support a robust security program.

The good news: An MSSP can assist with managed detection and response. Most MSSPs and MDR providers offer the necessary skills and expertise to fill the gaps.

What’s more, an MSSP can bring in outside experts while still allowing practitioners to control how potential incidents are handled and what response to take.


Financial services increasingly targeted for API-based cyberattacks



A report published Monday by cloud services and CDN (content delivery network) platform Akamai said that the financial services industry is an increasingly popular target for a wide range of cyberattacks, with application and API attacks against the vertical more than tripling in the past year.

APIs are a core part of how financial services firms are changing their operations in the modern era, Akamai said, given the growing desire for more and more app-based services among the consumer base. The pandemic merely accelerated a growing trend toward remote banking services, which led to a corresponding growth in the use of APIs.

Every application, and every standardized interface through which app functions talk to one another (that is, every API), increases the potential target surface for an attacker, however. Only high-tech firms and e-commerce companies were more heavily targeted via API exploits than the financial services industry.

“Once attackers launch web applications attacks successfully, they could steal confidential data, and in more severe cases, gain initial access to a network and obtain more credentials that could allow them to move laterally,” the report said. “Aside from the implications of a breach, stolen information could be peddled in the underground or used for other attacks. This is highly concerning given the troves of data, such as personal identifiable information and account details, held by the financial services vertical.”

Beyond attacking financial services firms themselves, the report said, cybercriminals have customer accounts in their sights as well. More than 80% of attacks against companies in the industry target customers, instead of institutions, via phishing or direct attack.

Attackers have been quick to leverage zero-day vulnerabilities discovered in systems used by financial services companies, noted Akamai. One example from this year is the remote code execution vulnerability found in Atlassian’s Confluence Server and Data Center products—less than a week after the flaw was publicly disclosed, Akamai recorded nearly 80,000 Confluence-based attacks per hour during one period in the evening of June 7.

The company said the speed with which Confluence and other flaws of its type can be exploited by bad actors underlines the need for businesses to remain up-to-date with patching.

While application and API attacks against financial services companies have risen most sharply, Akamai said that other techniques are also becoming more and more common, with botnet activity up 81% year-on-year, and DDoS attacks up by 22%.


5 Reasons to Protect the Performance and Security of Your Pharmaceutical Business



One of the greatest lessons resulting from the COVID-19 pandemic is to expect the unexpected and proactively prepare for future unknowns. Like many others, the pharmaceutical industry has been revolutionized by accelerated digital transformation over the last few years. Research has shown that pharma leaders investing in the Internet of Things (IoT) are better equipped to overcome unforeseen challenges.

For these proactive pharmaceutical leaders, two major areas have become increasingly important: preventing network outages and increasing security against cyberattacks. The 2021 State of Pharmaceuticals and Cybersecurity Report from Fortinet found that in the last year, 40% of businesses experienced outages affecting productivity, safety, compliance, revenue, or brand image. These outages are no small glitches: Industry experts estimate the total downtime cost (TDC) of a production disruption ranges from $100,000 to $500,000 per hour. A few disruptions a year can have a massive effect on the bottom line. This necessitates network and application performance management to minimize downtime.

If the impact of network outages on reputation, output, and the bottom line were not enough, pharmaceutical companies also have had to combat rampant cyberattacks. The rapid expansion of their attack surface has created visibility gaps and increased their risk. There has long been a growing desire for network operations (NetOps) and security operations (SecOps) teams to collaborate and share information. In some cases, early-stage planning, common budgets, and project-level cooperation have improved and enhanced cross-team collaboration. In fact, Enterprise Management Associates (EMA) studies have shown that 78% of enterprises have some formal collaboration between the two groups, with 47% fully converging the groups with shared tools and processes.

NETSCOUT solutions help collaboration between NetOps and SecOps as they proactively protect businesses from both a security and network and application performance management standpoint. Here are five major reasons this is important for pharmaceutical companies:

  1. Understand your attack surface. Your proprietary information, such as secret formulas, trial results, and other strictly confidential company information, is an attractive target for bad actors to gain access to and either sell on the dark web or ransom back for potentially millions of dollars. Know where that information is and protect it. NETSCOUT’s scalable packet-level network visibility with patented Adaptive Service Intelligence (ASI) technology converts packet data into a rich source of unique layer 2–7 metadata that we call Smart Data. Smart Data enables you to see the data that matters so you can assure the application performance of your critical services for authorized employees, while also protecting it from security threats.
  2. Comply with manufacturing regulations. Network uptime is essential to meet the production standards in the pharma industry. If monitoring, processing, shipping, and tracking of goods through manufacturing ecosystems were not complex enough, you also must meet strict regulations to maintain compliance. NETSCOUT network and application performance management provides advanced warning of system degradations and empowers NetOps teams to determine the scope and impact of issues via problem isolation and triage. Our solutions allow for “back in time” investigation to ensure gaps in compliance are addressed as quickly as possible. 
  3. Secure customer data. As pharma companies move toward more digitization and storing of information online, they are becoming an easier target for bad actors looking to steal customer records that can be sold on the dark web for multiple nefarious purposes. Losing your customer data can cost lives, create identity theft, impact brand reputation, and subject you to massive fines for not meeting compliance requirements. Being able to detect known and unknown threats is critical, and network visibility is fundamental. NETSCOUT’s solutions provide better network visibility in combination with continuous threat intelligence feeds, empowering you with multiple types of detection for both known and unknown threats.
  4. Maintain uptime and protect the bottom line. Reliability and maximum productivity are always top priorities for businesses. Pharmaceutical manufacturers that make smart investments in advanced technologies can benefit from improved operational efficiency, reduced downtime, and improved visibility and analytics. NETSCOUT’s solutions provide end-through-end visibility into network and application performance, leveraging Smart Data to identify the root cause of issues directly impacting the bottom line.
  5. Consider the cost of a breach. According to IBM’s Cost of a Data Breach Report, the healthcare industry ranks highest in terms of cost, with an average price tag of more than $10 million per breach and an 11-month cycle to identify and contain the breach. It is more important than ever to be able to reduce the mean time to knowledge (MTTK) and mean time to response (MTTR) to reduce the potential impacts of these breaches. NETSCOUT’s Omnis Cyber Intelligence solution is designed for seamless integration with your existing cybersecurity toolset to make your entire security stack stronger and more effective. Omnis Cyber Intelligence also integrates with your firewalls to instruct immediate blocking at the edge, and NETSCOUT’s Smart Data can be exported and combined with your other sources of data for custom analysis, filling the gaps in visibility to increase incident investigation efficiency and decrease MTTR.

NETSCOUT believes in achieving what we call Visibility Without Borders by enabling a single source of smart packet-derived layer 2–7 metadata—NETSCOUT Smart Data—for more efficient service assurance and cybersecurity. NETSCOUT gives you the most comprehensive attack surface observability in the industry and provides continuous intelligence, with real-time detection of all network activity, so you can halt attackers in their tracks.
