Network Solutions to Ransomware – Stopping and Containing Its Spread

This is the third entry of a four-part blog series that discusses the different techniques on how ransomware affects users and organizations. This blog series shows that the best way to mitigate the risks of ransomware is to implement multiple layers of protection in the different components of an enterprise network—the gateways, endpoints, networks, and servers.

Ransomware has grown into a serious problem that has affected millions of users and netted millions of dollars in profit. The earlier entries in this series discussed the entry vectors of ransomware and their encryption behavior. In this post, we examine ransomware’s use of network communication and the possible solutions to address its effects.

It is particularly useful to examine the use of network communication, as network activity can be the first indication of malicious activity within an organization. Conversely, without proper visibility into their networks, organizations can get infected by ransomware through unmanaged devices that do not necessarily fall under the protection of an enterprise’s gateway solutions, or through unauthorized access by trusted parties.

An infected enterprise network can play two roles for ransomware:

  • as a communication relay
  • as a means to spread itself to other systems and servers

Role #1: Command and control

Ransomware’s most important use of networks is to communicate with the command-and-control (C&C) servers of the attackers, as this connection is generally used to send encryption keys that are used to lock the user’s files.

A key is usually sent from the C&C server to the affected machine to be used for encrypting target files. If a connection can be established, most ransomware families get the public key from the C&C server and use it to encrypt the target files. The corresponding private key stays with the attacker the entire time. The public key can be changed at any time, and no key needs to be present in the malware code.

What happens when a connection to the C&C server cannot be established? Most ransomware families, like CryptoWall, simply do not encrypt any files. However, others can proceed with their encryption routines without any issues. One example is CrypXXX, which has a “default” key embedded in its code. Cerber variants typically generate their keys locally, making it easier for security researchers to reverse-engineer the code, and for users to recover encrypted files using a relevant decryption tool. Newer ransomware variants prefer to use keys sent from a C&C server, to defeat decryption tools that rely on static keys.

Role #2: Propagation

Ransomware can also spread within an organization through network shares. When running on an infected system, most ransomware families encrypt files on local hard drives and mapped network drives. This makes infection spread much more quickly within an organization, turning what could simply be an annoyance on a local system into a wave of infection that can disable an entire organization.

As previously mentioned, ransomware can also infiltrate networks through unauthorized access. For example, Crysis ransomware uses Remote Desktop Protocol (RDP) brute-force attacks. In March 2016, the Surprise ransomware reportedly used stolen TeamViewer login credentials to infect systems.

Solutions

Given how ransomware tries to infiltrate and spread within enterprise networks, organizations should have network visibility so they can take proactive measures to limit the impact of these threats and reduce the risk of reinfection. Solutions like Trend Micro™ Deep Discovery™ Inspector (DDI) can help organizations gain a complete picture of existing threat actions and determine the correct solution accordingly.

DDI detects traffic going out to C&C servers, significantly reducing the capability of ransomware families to encrypt files. Placed within the internal network, DDI also detects attempts by ransomware to spread to other systems beyond the initially infected machine.
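As an added example that is not part of this post and is not Trend Micro code, the following Python script shows how the two network-side signals discussed above can be pulled out of log data and correlated: outbound connections to domains on a C&C indicator list (Role #1) and a burst of file modifications on a network share from a single client (Role #2). The proxy log lines, the share-audit log lines, the indicator domains, the client addresses and the threshold are all constructed for the example, not real indicators.

```python
"""Correlate C&C contacts with mass file modification on a share.

Added example, not code from the original post. All log lines, domains,
addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed C&C indicator list (placeholder domains, not real IoCs).
CNC_DOMAINS = {"cnc-placeholder.example", "payment-portal.example"}

# Constructed proxy log: "<timestamp> <client_ip> <method> <host> <status>"
PROXY_LOG = """\
2016-09-09T10:00:01 10.0.0.21 POST cnc-placeholder.example 200
2016-09-09T10:00:03 10.0.0.22 GET www.example.com 200
2016-09-09T10:00:05 10.0.0.21 GET www.example.com 200
2016-09-09T10:00:07 10.0.0.23 GET www.example.com 200
"""

# Constructed file-share audit log: "<timestamp> <client_ip> <op> <path>"
# 10.0.0.21 renames 25 files in 25 seconds (after its C&C contact above),
# 10.0.0.23 writes 22 files with no C&C contact at all (the CrypXXX-style
# embedded-key case), and 10.0.0.22 touches a single file.
SHARE_LOG = "\n".join(
    [f"2016-09-09T10:01:{i:02d} 10.0.0.21 RENAME \\\\fileserver\\finance\\report{i}.docx"
     for i in range(25)]
    + [f"2016-09-09T10:02:{i:02d} 10.0.0.23 WRITE \\\\fileserver\\hr\\file{i}.xlsx"
       for i in range(22)]
    + ["2016-09-09T10:03:00 10.0.0.22 WRITE \\\\fileserver\\hr\\timesheet.xlsx"]
)

# Operations that count as "modification" for the burst detector.
MODIFY_OPS = {"WRITE", "RENAME", "DELETE"}


def find_cnc_contacts(proxy_log, indicators=CNC_DOMAINS):
    """Return {client_ip: {contacted C&C domains}} from proxy log text."""
    contacts = defaultdict(set)
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, host, _status = line.split()
        if host.lower() in indicators:
            contacts[client].add(host.lower())
    return dict(contacts)


def find_mass_modification(share_log, window=timedelta(seconds=60), threshold=20):
    """Return {client_ip: peak modifications in any `window`} for clients
    whose peak reaches `threshold`. Uses a two-pointer sliding window over
    each client's sorted event times."""
    events = defaultdict(list)
    for line in share_log.splitlines():
        if not line.strip():
            continue
        ts, client, op, _path = line.split(None, 3)  # path may contain spaces
        if op in MODIFY_OPS:
            events[client].append(datetime.fromisoformat(ts))
    hits = {}
    for client, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[client] = peak
    return hits


def correlate(cnc_hits, mass_hits):
    """Merge both signals per client. A client showing both is rated high;
    either signal alone is rated medium so that a family that never phones
    home is still caught by the share-side burst."""
    alerts = []
    for client in sorted(set(cnc_hits) | set(mass_hits)):
        signals = []
        if client in cnc_hits:
            signals.append("cnc_contact:" + ",".join(sorted(cnc_hits[client])))
        if client in mass_hits:
            signals.append(f"mass_modification:{mass_hits[client]}")
        severity = "high" if len(signals) == 2 else "medium"
        alerts.append({"client": client, "severity": severity, "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in correlate(find_cnc_contacts(PROXY_LOG), find_mass_modification(SHARE_LOG)):
        print(alert)
```

The point of running both detectors rather than only the C&C one is visible in the constructed data: the client that encrypts without ever contacting a C&C server (as CrypXXX can, with its embedded key) produces no proxy-side signal and would be missed entirely, but its burst of writes on the share still surfaces it. In a real deployment the window and threshold would be tuned against the normal write rate of each share, and the indicator list fed from a threat-intelligence source rather than hard-coded.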

This is all on top of DDI’s other capabilities—it detects encryption behaviors, modifications to backup restore processes, and mass file modifications. It can also detect script emulation, zero-day exploits, and targeted and password-protected malicious files commonly associated with ransomware.

Beyond visibility and network defense, whether it is an enterprise, a small business, or a consumer, a multi-layered approach is necessary to prevent ransomware attacks. Trend Micro offers solutions that protect users and organizations in all aspects: at the gateway, endpoints, networks, and even servers.

PROTECTION FOR ENTERPRISES

  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 9 September 2016.