In our last entry on the most critical safeguards of our Ransomware Stress Test, we covered the importance of limiting external exposure to the public-facing internet. Implementing robust firewalls and using tools like RDP with care was, and still is, one of the surest prevention strategies outlined in our Ransomware Stress Test. Systems and services are under constant threat from payloads in emails, compromised hosts on the same network, and malicious actors on the public Internet.
Another common theme we see in the cases we respond to is how threat actors deploy attacks that evade anti-malware software. There’s an important distinction to be made in the terminology here: conventionally, this software-based protection was referred to as anti-virus. Traditionally, anti-virus products worked from a long list of known file names, downloads, and other indicators that appeared suspicious. These days, threat actors have changed their attacks to the point that a single list of suspicious indicators will no longer cut it. Certain attacks can alter names, file sizes, and even function, so they evade these lists of well-known exploits.
Many of these attacks use known techniques, and simple anti-virus mechanisms can detect and stop them; others are more sophisticated or exploit unannounced vulnerabilities (zero-day vulnerabilities) and require more advanced monitoring and security controls to be in place. Both anti-virus and anti-malware tools must be in place, well-configured, and constantly monitored to ensure that systems remain secure.
Going Beyond Anti-Malware
While headlines draw attention almost exclusively to large corporations and municipalities falling victim to ransomware and other types of malware, smaller businesses should not be lulled into a false sense of security. Despite the variety of potential attacks, threat actors across the board do not discriminate. Companies, big or small, are targets of opportunity. Whether it’s an RDP attack, an email attachment, or a website that was visited, attacks come in many forms. As security measures continue to evolve and become more proactive, security threats continue to evolve as well. The need for layered and responsive endpoint protection, such as firewalls, anti-malware, and network monitoring, becomes more important each day.
A common mistake in implementing layers of security in this light is, for example, installing two anti-virus suites on one system. This is not a layered approach; this is redundancy. A layered and responsive endpoint protection solution combines different kinds of security measures, each protecting against a different vector of attack from outside the network.
When preparing security measures, be realistic and do not hold false expectations; this is the thinking behind “defense in depth.” A castle fortress, for example, cannot rely only on the strength of its walls, but also on its towers, arches, and moat. No collection of security measures can achieve total and complete security against all threats; the goal is for these measures, firewalls, anti-virus, and network monitoring tools, to act as stumbling blocks that hinder the progress of the threat actor or malware until other resources can be brought to bear.
Maintaining Layers of Security
There are anti-virus solutions that can be set up to scan email, memory, and systems. These solutions provide a central command interface that reports alerts ranging from adware and blocked IP addresses or sites to notifications that malware has been quarantined. Some anti-virus solutions, BitDefender for example, allow the user to select a directory that the product protects against encryption, so all personal or critical files can be stored within that directory. However, a robust anti-virus solution does no good unless it is updated continuously.
Other products such as SentinelOne, Carbon Black, and FireEye allow IT staff to set up rules or whitelists that limit or restrict the actions a user can take from a system. This comes in handy when you are dealing with a version of ransomware that uses SMB or PowerShell to propagate through the network. Ransomware can also be downloaded by malware such as Empire Exploit, which uses PowerShell to connect to rogue servers and download the payload.
Most companies’ IT departments today are understaffed or have outsourced IT functions to a third-party vendor. This makes implementing security measures that much more difficult, and threat actors are hoping for just that type of scenario for a successful attack on a small business network. However, even in this situation, there are steps that can and should be taken.
Defense in Depth
- Keep the operating system patched as new updates come out. This will not protect against a zero-day attack, but it will protect against older exploits.
- Take advantage of Security Information and Event Management (SIEM) tools for centralized log and event analysis, which can help keep track of user behavior and flag anomalies.
- Segment the network to ensure that if a threat actor has gained access to one area of the environment, they cannot reach all of the data. This is particularly critical when dealing with backups and ransomware attacks.
- Utilize Multi-Factor Authentication (MFA), especially for remote employees accessing your network and for e-mail accounts.
- Don’t allow files with macros to be delivered via e-mail. Reinforce this through employee spam training to ensure they know what to look for.
- If you’re not an international company, block international IP addresses at your firewall to prevent access from threat actors who are using international servers for command and control. You can make exceptions if you are using TeamViewer, which reaches out to a German IP address. Application whitelisting is also something to consider. It can be difficult for large organizations, but if you know what should be running on an endpoint, it’s another piece that can help prevent a malicious .exe from running.
Tale from the Trenches
A recent case that Tetra responded to showed that a client’s IT staff had installed a robust anti-virus solution on all systems but one, which relied only on an outdated version of Windows Defender. Analysis revealed that the robust solution was able to block the execution of Emotet, which is known to be associated with Trickbot and, as a by-product, Ryuk ransomware. Although the other systems were protected against Emotet, this one system allowed Trickbot to install, which led to the download and execution of Ryuk ransomware, which hit the major servers within the environment.
We’ve also identified, from various malware and supporting scripts associated with ransomware, the use of Group Setting changes, where the anti-virus settings are changed from “automatic scan” to “scan on demand.” This is usually done by a script associated with the attack. In most anti-virus solutions, “automatic scan” starts a scan once there is a change within the operating system or a device is added, whereas “scan on demand” runs only on user interaction. Trickbot, which 99% of the time involves Ryuk ransomware and its use of PowerShell, attempts to shut down anti-virus solutions such as Malwarebytes and Windows Defender. It’s always best practice to use Windows Defender in addition to another anti-virus solution.
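The SIEM anomaly flagging recommended in the Defense in Depth list and the anti-virus setting changes described above are the kind of thing centralized log analysis exists to catch. The following is an added example, not code from the original post or from any product named in it: it parses a constructed, simplified pipe-delimited SIEM export (timestamp|host|event_id|message) of the Microsoft-Windows-Windows Defender/Operational channel and flags events where protection was switched off, escalating the severity when that happens shortly after a malware detection on the same host. The event IDs (1116, 5001, 5007, 5010, 5012) and the Real-Time Protection registry value names are the real Defender ones; the hostnames, timestamps and message wording are invented for the example.

```python
"""Flag anti-virus tampering in centrally collected Windows Defender events.

Added example, not code from the original post or from any product it
names. The log export format below is a constructed, simplified SIEM
normalisation (timestamp|host|event_id|message) of the
Microsoft-Windows-Windows Defender/Operational channel. The event IDs and
registry value names are the real Defender ones; the hostnames,
timestamps and message wording are invented for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Defender operational events that mean protection has been weakened.
TAMPER_EVENT_IDS = {
    5001: "Real-time protection disabled",
    5010: "Scanning for malware disabled",
    5012: "Scanning for viruses disabled",
}
DETECTION_EVENT_ID = 1116      # Defender detected malware
CONFIG_CHANGE_EVENT_ID = 5007  # Defender configuration changed

# Real-Time Protection registry values that switch a protection off when set to 1.
WEAKENING_VALUES = (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
)

# Constructed sample export. The first host shows the pattern described in the
# post: a detection immediately followed by protection being switched off.
SAMPLE_LOG = r"""
2023-11-02T08:01:10Z|WS-FINANCE-07|1116|Windows Defender has detected malware: Trojan:Win32/Emotet
2023-11-02T08:01:12Z|WS-FINANCE-07|5007|Configuration has changed. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1
2023-11-02T08:01:13Z|WS-FINANCE-07|5001|Real-time protection is disabled.
2023-11-02T09:30:00Z|WS-HR-02|5007|Configuration has changed. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2
2023-11-02T11:15:44Z|SRV-FILE-01|5012|Scanning for viruses is disabled.
"""


@dataclass
class Event:
    time: datetime
    host: str
    event_id: int
    message: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited export; the message field may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, message = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, int(event_id), message))
    return events


def weakening_config_change(message: str) -> bool:
    """True when a 5007 event sets one of the protection-disabling values to 1."""
    parts = message.split("New value:", 1)
    if len(parts) != 2:
        return False
    new_value = parts[1].strip()
    return any(name in new_value for name in WEAKENING_VALUES) and new_value.endswith("= 0x1")


def detect_tampering(events: List[Event],
                     window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return one alert per tampering event; 'high' if a detection preceded it on the same host."""
    alerts = []
    last_detection: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == DETECTION_EVENT_ID:
            last_detection[ev.host] = ev.time
            continue
        if ev.event_id in TAMPER_EVENT_IDS:
            reason = TAMPER_EVENT_IDS[ev.event_id]
        elif ev.event_id == CONFIG_CHANGE_EVENT_ID and weakening_config_change(ev.message):
            reason = "Protection-disabling configuration change"
        else:
            continue
        # Protection going off shortly after a detection on the same host is the
        # behaviour the post describes: malware trying to blind the scanner.
        seen = last_detection.get(ev.host)
        severity = "high" if seen is not None and ev.time - seen <= window else "medium"
        alerts.append({"time": ev.time.isoformat(), "host": ev.host,
                       "event_id": ev.event_id, "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_tampering(parse_log(SAMPLE_LOG)):
        print(f"{a['time']} {a['host']:<14} {a['severity']:<6} {a['reason']} (event {a['event_id']})")
```

Run against the sample, the two WS-FINANCE-07 events are rated high because they follow the Emotet detection within the window, the SRV-FILE-01 scan-disable is rated medium, and the scheduling change on WS-HR-02 is ignored because it does not touch a protection-disabling value. In a real SIEM the same logic would be expressed as a correlation rule over the Defender channel rather than a script, but the fields it keys on are the same.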
In our Ransomware Stress Test, the concept of “anti-malware” and automatic scanning is among the most critical. As our incident response team actively resolves and investigates cyberattacks, they report how frequently attacks evade anti-virus and anti-malware scanners, and how devastating the consequences can be. While ransomware is a complicated, prolific crime, the root cause of this attack can be quickly thwarted by staying aware of how anti-virus, anti-malware, and layers of security operate.