Recently, ransomware has turned from hitting unsuspecting individual users to assailing corporations, as companies can usually be squeezed for bigger ransoms in return for their encrypted data. Ransomware became a buzzword after the reported $200+ million in losses that US businesses suffered in the first quarter of 2016. As the FBI told CNN, this figure is 9 times higher than the losses for all of 2015, and the Bureau predicted that it would reach $1 bn per year.
As demanding a ransom to unblock users’ access to their own data has become a prosperous cybercriminal business, hackers tirelessly hammer away at developing a gazillion encryption techniques. Locky, CryptoWall, CTB-Locker, Crypt0L0cker, Cerber, and TeslaCrypt are in the top 10. Cybersecurity specialists concur that ransomware is the number-one cyberthreat nowadays.
APTs hit businesses through ransomware
Recently, a number of ransomware attacks struck US medical centers, and similar incidents are quite likely to follow. Since such attacks are getting more and more frequent, they apparently do not exploit merely occasional gaps in insecure systems. The affected healthcare organizations certainly had security measures in place. Yet, despite the various tools deployed to ensure safety (antiviruses, firewalls, IPS, IDS), corporate security may still have several holes that attackers can penetrate.
Besides the financial incentive, businesses and public institutions are especially vulnerable to ransomware attacks because many of them lack proper defensive techniques against them. They may also simply prefer to pay a ransom rather than disclose that they have suffered an attack, so as to avoid reputation damage and penalties.
When targeting businesses or public agencies, intruders employ an advanced persistent threat (APT) and finalize it by blocking a victim’s data with ransomware, which does not give away its presence in the network until encryption starts. Usually, spear phishing is the means of planting ransomware in users’ assets: malicious documents with enabled macros, software or links are distributed in bulk mail-outs, and end users do what they are told to do out of ignorance. Enabled AutoPlay, untrusted devices and connections, as well as some browser plug-ins may also serve as gaps through which ransomware is installed. In addition, the developers of the Cerber cryptovirus launched a recent ransomware campaign by injecting malicious scripts into corporate websites and then redirecting traffic to the Cerber gateway.
Ransomware injection usually becomes the final stage of an APT, when it’s too late to do anything except to pay ransom or to say goodbye to the encrypted data. This makes it vital for a company to detect an APT in progress at its early stages.
Ransomware detection with a SIEM system
Even with an updated antivirus and a firewall configured with proper consideration of a company’s network traffic control rules, it is still impossible to guarantee that a security system can resist a ransomware attack. Since no single security solution provides iron-clad protection against ransomware, the more security layers an IT network has, the higher its potential to catch a ransomware infection before it starts running. A comprehensive SIEM-based approach to detecting ransomware in a network is recommended, as it provides a holistic overview of a company’s IT environment, from a single point of view, in terms of its security events.
The SIEM-based methods for detecting ransomware in an IT environment are illustrated below with IBM® Security QRadar SIEM, one of the leaders in Gartner's 2016 Magic Quadrant for SIEM. The essence of QRadar’s operation is processing the events sent to it by all log sources in an IT environment against correlation rules in order to reveal potential offenses.
Since SIEM consultants develop correlation rules in QRadar manually, all possible signs of an APT can be taken into consideration so that the attack can be stopped in time. Below are recommendations on tuning QRadar to detect such an attack, based on common signs of an APT:
- Monitoring of traffic parameters for deviation from their baseline characteristics. Communication with malicious IP addresses, URLs and domains (‘maliciousness’ can be determined using the IBM X-Force Threat Intelligence list) or with suspicious geographic destinations, as well as a surge in traffic volume, may indicate ransomware presence in a network. Therefore, setting the network traffic baseline in QRadar is a vital part of developing the correlation rules, so that its QFlow Collector can monitor the traffic and QRadar can raise offenses in case of abnormalities.
- Behavioral analysis for detecting user privilege escalation and a rocketing number of administrator logins. QRadar can perform behavioral analysis of both successful and unsuccessful attempts to log in with administrative privileges from non-admin computers, as well as of an increased number of administrator logins.
- Operating system audit log monitoring for unauthorized software installation (a corporate security policy should stipulate the rules of software distribution), as all software installations, both of legitimate software and of malware, are usually recorded in the log.
- Operating system audit log monitoring for a soaring number of mass modifications in the file system (changes to file names and contents, file deletion).
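As an added illustration of the signs listed above (this is not part of the original article and is not QRadar's own rule language), the following Python sketch applies equivalent correlation logic to a constructed event stream: a privileged logon from a host outside an assumed admin-workstation set, a flow to an address in a placeholder threat-intelligence set, and a sliding-window count of file modifications compared against an assumed baseline, after which hosts that trip more than one rule are escalated.

```python
from collections import defaultdict

# Constructed sample events, loosely modelled on the fields a SIEM normalises
# from OS audit logs and network flows (not real QRadar data).
EVENTS = (
    [{"t": 0, "host": "ws-07", "type": "logon", "privileged": True},
     {"t": 5, "host": "ws-07", "type": "flow", "dst": "203.0.113.7"}]
    + [{"t": 10 + i, "host": "ws-07", "type": "file_modified"} for i in range(30)]
    + [{"t": t, "host": "fs-01", "type": "file_modified"} for t in (12, 50, 100)]
)

ADMIN_HOSTS = {"admin-ws-01"}       # assumed hosts from which admin logons are expected
MALICIOUS_IPS = {"203.0.113.7"}     # placeholder for a threat-intelligence reference set
FILE_MOD_BASELINE = 20              # assumed normal file changes per host per window
WINDOW = 60                         # window length in seconds


def detect_offenses(events, admin_hosts=ADMIN_HOSTS, bad_ips=MALICIOUS_IPS,
                    baseline=FILE_MOD_BASELINE, window=WINDOW):
    """Apply three correlation rules to a time-ordered stream of normalised events."""
    offenses, mods, fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda ev: ev["t"]):
        host = e["host"]
        if e["type"] == "logon" and e.get("privileged") and host not in admin_hosts:
            offenses.append(("admin_logon_from_non_admin_host", host))
        elif e["type"] == "flow" and e.get("dst") in bad_ips:
            offenses.append(("malicious_destination", host))
        elif e["type"] == "file_modified":
            ts = mods[host]
            ts.append(e["t"])
            while ts[0] < e["t"] - window:   # sliding window over recent changes
                ts.pop(0)
            if len(ts) > baseline and host not in fired:
                fired.add(host)              # report the surge once per host
                offenses.append(("file_modification_surge", host))
    return offenses


def correlate(offenses, min_rules=2):
    """Hosts that triggered at least min_rules distinct rules: likely APT activity."""
    hits = defaultdict(set)
    for rule, host in offenses:
        hits[host].add(rule)
    return sorted(h for h, rules in hits.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect_offenses(EVENTS)
    for rule, host in found:
        print(f"{host}: {rule}")
    print("escalate:", correlate(found))
```

The file-server host fs-01 changes only three files across the whole sample and is therefore never reported, while ws-07 trips all three rules and is escalated.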
Negligence will cost more in the end
Prevention is the best way to combat ransomware, and due precautions may help detect its presence in a system early. Although industries with multi-billion revenues are particularly vulnerable, every company should stay alert and take action to prevent APTs that may feature ransomware. Besides paying a ransom to intruders (which may reach millions of dollars), an affected company can also be penalized by the government if its security system failed to comply with statutory requirements.
When intruders target corporations, ransomware is often part of an APT. A properly tuned SIEM solution gives companies much better chances of detecting ransomware in an IT system than traditional tools do, as it provides a holistic network overview and automated analysis of security events based on professionally configured parameters. Such multilayered defense is what helps keep IT networks healthy by identifying a ransomware infection by its key symptoms.