The scourge of ransomware attacks continues to plague nearly every public-sector institution and private organization. No one is immune. In 2019, there were more than 140 ransomware attacks against governmental and health care organizations, and in 2020, hospitals, in particular, were relentlessly targeted. It’s critical for every IT pro, in every industry, to defend against ransomware.
Read the white paper Defending Against Ransomware with Zscaler Workload Segmentation.
Ransomware is not a new threat
The first example appeared as early as 1989, but cybercriminals didn’t start launching widespread attacks until about 2012. Typically, ransomware takes one of two vectors to infect a network: a phishing attack or by exploiting security loopholes.
In the case of a phishing attack, the target receives an email with a document that, once opened, launches the ransomware. In some cases, the attack may use social engineering tools to trick the user into providing the malware with credentials that facilitate the attack.
Other types of ransomware don’t require clicking on an infected document. Instead, they take advantage of security holes to compromise systems. NotPetya provides a particularly nasty example of this variant. In one case, it exploited a backdoor in an accounting package popular in Ukraine and then spread to other systems through security flaws (now patched), known as EternalBlue and EternalRomance, in the Windows implementation of the SMB (server message block) protocol. What makes NotPetya so destructive is that there’s no ransom demand. Instead, NotPetya generates a random number to encrypt all data it encounters, permanently destroying it. There’s no way to recover the key to decrypt the data.
In recent years, ransomware has become much more sophisticated. Many strains no longer encrypt the first machine they encounter. Instead, the malware first surveils the environment to determine how it can move laterally across the network to infect additional resources, often taking advantage of legitimate tools, such as Security Account Manager Remote (SAMR) protocol reconnaissance and domain name server (DNS) reconnaissance using nslookup. With this information, the malware can quietly move across the network to deposit ransomware into additional systems. Once a critical mass has been achieved, the ransomware encrypts all of these resources at once, delivering a crippling blow to the organization.
Defending against ransomware
We often hear that the best defense against a ransomware attack is robust data protection. After all, if you have backups, you don’t need to pay the ransom and can simply restore all files. Even if the malware does successfully encrypt an organization’s data, so long as the backup and disaster recovery (DR) files are intact, the organization can avoid paying the ransom and IT can restore everything to a point before the attack.
But backups are best kept as a last-ditch defense, not the front line. After all, if the attack is devastating enough, IT may face restoring petabytes of data, a process that can take days or even weeks to complete, impeding business operations for an extended period of time. Even worse, if backups are connected to the network, it’s possible for ransomware to digitally shred them as well, leaving no other option but to pay the ransom, which is a terrible position to be in, and not just due to the cost. After officials in Lake City, Florida, paid a ransom to decrypt their affected data—roughly a couple hundred terabytes—the decryption process took more than eight days to complete. For larger organizations with petabytes of data, the process could take more than a month.
Likewise, we often hear a lot about the importance of training employees how to avoid clicking on documents used in phishing attacks, but this, too, is nowhere near sufficient.
Cybercriminals are constantly developing novel ways to trick employees, and, in a sufficiently large organization, someone will eventually make the mistake of clicking on an infected file. What’s more, employee training does nothing to defend against attacks that exploit security holes—no one has to click on anything for these to succeed.
A zero trust approach to thwarting ransomware
In a zero trust environment, all internal communications are treated as potentially hostile. Each communication between workloads must be authorized before it is allowed. In this way, zero trust can stop ransomware from moving laterally across the network, which can mean the difference between the malware encrypting a single laptop and encrypting hundreds of servers and datastores around the globe.
Zero trust is enabled by microsegmentation, but traditional methods of microsegmenting a network depend on “trusted” IP address. That poses significant operational and security concerns. Operationally, policies break when the underlying network changes—and modern networks are constantly changing. It’s even more difficult to manage policies in autoscaling environments, such as the cloud or containers in which IP addresses are ephemeral. IT would have to constantly update policies as IP addresses change, which is labor-intensive and prone to errors. What’s more, ransomware can evade address-based controls by piggybacking on approved firewall policies because firewalls are not designed to distinguish good software from bad software.
There is a new model for microsegmentation, however, that relies on the identity of communicating software, hosts, and devices, separating the control plane from the network for better security and easier operations. With an identity-based approach, each workload is assigned an immutable, unique identity (or fingerprint) based on dozens of properties of the asset itself, such as the UUID of the bios, serial numbers of processors, or an SHA-256 hash of a binary, which is then verified before the workloads are allowed to communicate. This identity verification prevents malicious software, or devices and hosts, from communicating.
For example, let’s say that someone clicks an infected file, which launches ransomware on that user’s desktop machine. If the ransomware tries to use the SAMR protocol or nslookup to conduct network reconnaissance, identity-based zero trust policies would block that communication, because the ransomware is not authorized. Likewise, attempts to move to other assets would also be denied. In this way, even if ransomware gains an initial foothold in the network, the damage that it can do is limited to an annoyance as opposed to a global business catastrophe.
Learn more by reading the white paper Defending Against Ransomware with Zscaler Workload Segmentation.