Combating Ransomware with Zero Trust

The scourge of ransomware attacks continues to plague nearly every kind of organization. Cybercriminals have recently mounted successful attacks against school systems such as Wood County Schools in West Virginia and Lincoln County Schools in Mississippi, as well as against enormous companies such as Cadena SER, Spain’s largest radio network, and Pitney Bowes, an e-commerce, shipping and logistics giant. 

No one is immune. There have been more than 140 ransomware attacks against governmental and health care organizations so far this year, and one in five small- to medium-sized businesses have fallen victim to one. So it’s critical for every IT pro, no matter what kind of organization they serve, to ensure that they can defend against them. 

Ransomware is not a new threat

The first example appeared as early as 1989, but cybercriminals didn’t start launching widespread attacks until about 2012. Typically, ransomware takes one of two vectors to infect a network: a phishing attack or the exploitation of security loopholes.

In the case of a phishing attack, the target receives an email with a document that, once opened, launches the ransomware. In some cases, the attack may use social engineering tools to trick the user into providing the malware with credentials that facilitate the attack. 

Other types of ransomware don’t require clicking on an infected document. Instead, they take advantage of security holes to compromise systems. NotPetya provides a particularly nasty example of this variant. In one case, it exploited a backdoor in an accounting package popular in Ukraine and then spread to other systems through security flaws (now patched), known as EternalBlue and EternalRomance, in the Windows implementation of the SMB (server message block) protocol. What makes NotPetya so destructive is that there’s no ransom demand. Instead, NotPetya generates a random number to encrypt all data it encounters, permanently destroying it. There’s no way to recover the key to decrypt the data.

In recent years, ransomware has become much more sophisticated. Many variants no longer encrypt the first machine they encounter. Instead, the malware first surveils the environment to determine how it can move laterally across the network to infect additional resources, often taking advantage of legitimate tools, such as Security Account Manager Remote (SAMR) protocol reconnaissance and Domain Name System (DNS) reconnaissance using NsLookup. With this information, the malware can quietly move across the network to deposit ransomware on additional systems. Once a critical mass has been achieved, the ransomware encrypts all of these resources at once, delivering a crippling blow to the organization.


Defending against ransomware

We often hear that the best defense against a ransomware attack is robust data protection. After all, if you have backups, you don’t need to pay the ransom and can simply restore all files. Even if the malware does successfully encrypt an organization’s data, so long as the backup and disaster recovery (DR) files are intact, the organization can avoid paying the ransom and IT can restore everything to a point before the attack.

But backups are best kept as a last-ditch defense, not the front line. After all, if the attack is devastating enough, IT may face restoring petabytes of data, a process that can take days, even weeks to complete, leaving the business crippled for an extended period of time. Even worse, if backups are connected to the network, it’s possible for ransomware to digitally shred them as well, leaving no other option but to pay the ransom, which is a terrible position to be in, and not just because of the monetary loss. After officials in Lake City, Florida paid a ransom to decrypt their affected data — about a couple hundred terabytes — the decryption process took more than eight days to complete. For larger organizations with petabytes of data, the process could take more than a month. 

Likewise, we hear a lot about the importance of training employees to avoid clicking on documents used in phishing attacks, but again, this is nowhere near sufficient.

Cybercriminals are constantly developing novel ways to trick employees, and, in a sufficiently large organization, someone will eventually make the mistake of clicking on an infected file. What’s more, this does nothing to defend against attacks that exploit security holes — no one has to click on anything for these to succeed.

A zero trust approach to thwarting ransomware

In a zero trust environment, all internal communications are treated as potentially hostile. Each communication between workloads must be authorized before it is allowed. In this way, zero trust can stop ransomware from moving laterally across the network, which can mean the difference between the malware encrypting a single laptop and encrypting hundreds of servers and datastores around the globe.

Zero trust is enabled by microsegmentation, but traditional methods of microsegmenting a network depend on “trusted” IP addresses. That poses significant operational and security concerns. Operationally, policies break when the underlying network changes — and modern networks are constantly changing. It’s even more difficult to manage policies in autoscaling environments such as the cloud or containers, where IP addresses are ephemeral. IT would have to constantly update policies as IP addresses change, which is labor-intensive and error-prone. What’s more, ransomware can evade address-based controls by piggybacking on approved firewall policies, because firewalls are not designed to distinguish good software from bad software.

There is a new model for microsegmentation, however, that relies on the identity of communicating software, hosts and devices, separating the control plane from the network for better security and easier operations. With an identity-based approach, each workload is assigned an immutable, unique identity (or fingerprint) based on dozens of properties of the asset itself, such as the BIOS UUID, processor serial numbers or a SHA-256 hash of a binary, which is then verified before the workloads are allowed to communicate. This identity verification prevents malicious software, devices and hosts from communicating.

For example, let’s say that someone clicks an infected file, which launches ransomware on their desktop machine. If it tries to use the SAMR protocol or NsLookup to conduct network reconnaissance, identity-based zero trust policies would block that communication, because the ransomware is not authorized. Likewise, attempts to move to other assets would also be denied. In this way, even if ransomware gains an initial foothold in the network, the damage that it can do is limited to an annoyance and not a global business catastrophe.
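As an added illustration (not Edgewise’s code or its actual fingerprinting scheme), the toy policy engine below contrasts an address-based firewall rule with an identity-based one over constructed workloads: the host properties, sample binary images and IP addresses are all assumed. It shows both points made above: a dropped binary on an approved host piggybacks on the IP rule but fails the identity check, and moving the domain controller to a new address breaks the IP rule while the identity rule keeps working.

```python
import hashlib
from dataclasses import dataclass, replace

# Constructed sample workloads. The "binary" bytes stand in for the executable
# image a real agent would hash; UUIDs, serials and IPs are made up.
@dataclass(frozen=True)
class Workload:
    host_uuid: str      # e.g. the BIOS UUID of the host
    cpu_serial: str     # processor serial number
    binary: bytes       # contents of the executable making the connection
    ip: str

def fingerprint(w: Workload) -> str:
    """Immutable identity: SHA-256 over host properties plus the binary's hash (no IP)."""
    h = hashlib.sha256()
    for part in (w.host_uuid, w.cpu_serial):
        h.update(part.encode())
    h.update(hashlib.sha256(w.binary).digest())
    return h.hexdigest()

def ip_policy_allows(src: Workload, dst: Workload, port: int, rules: set) -> bool:
    # Traditional rule: (src_ip, dst_ip, port); the firewall cannot see which program connects.
    return (src.ip, dst.ip, port) in rules

def identity_policy_allows(src: Workload, dst: Workload, port: int, rules: set) -> bool:
    # Identity rule: (src_fingerprint, dst_fingerprint, port); a new binary is a new identity.
    return (fingerprint(src), fingerprint(dst), port) in rules

def build_scenario():
    dc = Workload("uuid-dc-0001", "cpu-dc-0001", b"sample domain controller image", "10.0.0.5")
    # Approved admin tool and dropped ransomware share a desktop: same host, different binaries.
    admin_tool = Workload("uuid-ws-0042", "cpu-ws-0042", b"approved admin tool image", "10.0.0.42")
    ransomware = Workload("uuid-ws-0042", "cpu-ws-0042", b"dropped ransomware image", "10.0.0.42")
    ip_rules = {("10.0.0.42", "10.0.0.5", 445)}                        # SMB/SAMR desktop -> DC
    id_rules = {(fingerprint(admin_tool), fingerprint(dc), 445)}
    return dc, admin_tool, ransomware, ip_rules, id_rules

def evaluate() -> dict:
    dc, admin_tool, ransomware, ip_rules, id_rules = build_scenario()
    dc_moved = replace(dc, ip="10.0.0.9")  # DC re-addressed; same host and binary
    return {
        "admin_ip": ip_policy_allows(admin_tool, dc, 445, ip_rules),
        "admin_identity": identity_policy_allows(admin_tool, dc, 445, id_rules),
        "ransomware_ip": ip_policy_allows(ransomware, dc, 445, ip_rules),
        "ransomware_identity": identity_policy_allows(ransomware, dc, 445, id_rules),
        "admin_ip_after_move": ip_policy_allows(admin_tool, dc_moved, 445, ip_rules),
        "admin_identity_after_move": identity_policy_allows(admin_tool, dc_moved, 445, id_rules),
    }

if __name__ == "__main__":
    for check, allowed in evaluate().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```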


Dan Perkins, Director of Products & Solutions

Dan Perkins is Director of Products and Solutions for Edgewise Networks, where he oversees the direction and development of Edgewise’s zero trust platform. Prior to Edgewise, Dan was Director of Product Management at Infinio, where he was responsible for product vision and the ongoing quality and applicability of Infinio’s solution. He also previously served in several software engineering and quality assurance roles for Citrix. Dan holds a B.S. in computer engineering from Northeastern University.