With numerous recent high-profile attacks, ransomware has been ever-present in the news and in discourse around the nation’s cybersecurity. The threat landscape has evolved rapidly, with criminals who once traded in stolen credit cards turning the scheme into million-dollar ransoms in less than a decade.
Experts from Zscaler shared both how the ransomware landscape has evolved and how organizations can protect themselves at a Zenith Live session on June 15. Brett Stone-Gross, Zscaler’s director of Threat Intelligence, noted that a 2019 ransomware attack on the city of Baltimore led to a shift toward the ransomware model seen today.
The city was attacked by a ransomware group that had also stolen files before encryption and threatened to leak them on Twitter. While Baltimore did not pay the ransom, other groups in the ransomware arena noticed.
“This has now become the industry standard for ransomware groups of stealing sensitive information prior to encrypting a business’s files, encrypting, … and demanding a large ransom payment,” Stone-Gross said. “There’s been other techniques that groups have tried, in addition to just stealing information, and that includes things like DDoS (distributed denial of service) attacks, attacking third parties of your business.”
The actual process of a ransomware intrusion takes place in around six steps, with ransomware groups now often opting for a double-extortion method. After getting into the system through spam, brute force, or other vulnerabilities, the groups move laterally and perform reconnaissance. After that, the groups exfiltrate data, which is typically the first extortion attempt, then deploy the ransomware and encrypt data. Some groups will also launch a DDoS attack during negotiations and may publish the stolen data on a leak site if the ransom is not paid.
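The stages described above map onto signals a defender can look for in ordinary logs: a burst of failed logins followed by a success (brute-force initial access), one internal host fanning out to many peers on administrative ports (reconnaissance and lateral movement), and a large outbound transfer to an external address (exfiltration before encryption). The following is an added example written for this article, not code from Zscaler or from the session; the log lines, the `key=value` log format, the `10.0.0.0/8` internal range and the thresholds are all constructed assumptions.

```python
"""Stage-oriented ransomware-chain detection over constructed log lines (added example)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample authentication events (not from the article); key=value format is assumed.
AUTH_LOG = [
    "2021-06-15T01:00:01 src=198.51.100.7 user=admin result=FAIL",
    "2021-06-15T01:00:02 src=198.51.100.7 user=admin result=FAIL",
    "2021-06-15T01:00:03 src=198.51.100.7 user=admin result=FAIL",
    "2021-06-15T01:00:04 src=198.51.100.7 user=admin result=FAIL",
    "2021-06-15T01:00:05 src=198.51.100.7 user=admin result=FAIL",
    "2021-06-15T01:00:06 src=198.51.100.7 user=admin result=OK",
    "2021-06-15T01:05:00 src=10.0.0.21 user=jdoe result=OK",
]

# Constructed sample network-flow records (not from the article).
FLOW_LOG = [
    # One internal host touching many internal peers on SMB/RDP: recon and lateral movement.
    "2021-06-15T02:10:00 src=10.0.0.7 dst=10.0.0.11 port=445 bytes=1200",
    "2021-06-15T02:10:01 src=10.0.0.7 dst=10.0.0.12 port=445 bytes=1200",
    "2021-06-15T02:10:02 src=10.0.0.7 dst=10.0.0.13 port=3389 bytes=900",
    "2021-06-15T02:10:03 src=10.0.0.7 dst=10.0.0.14 port=445 bytes=1200",
    "2021-06-15T02:10:04 src=10.0.0.7 dst=10.0.0.15 port=445 bytes=1200",
    # Ordinary internal traffic.
    "2021-06-15T02:11:00 src=10.0.0.21 dst=10.0.0.50 port=443 bytes=50000",
    # Large outbound transfers to an external host: the exfiltration stage.
    "2021-06-15T03:00:00 src=10.0.0.7 dst=198.51.100.20 port=443 bytes=900000000",
    "2021-06-15T03:05:00 src=10.0.0.7 dst=198.51.100.20 port=443 bytes=700000000",
    "2021-06-15T03:06:00 src=10.0.0.21 dst=198.51.100.30 port=443 bytes=20000",
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range
ADMIN_PORTS = {22, 445, 3389, 5985}            # SSH, SMB, RDP, WinRM


def parse_kv(line):
    """Parse 'timestamp k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_brute_force(lines, max_failures=5):
    """Initial access: sources with >= max_failures failed logins that then log in successfully."""
    failures = Counter()
    hits = []
    for rec in map(parse_kv, lines):
        if rec["result"] == "FAIL":
            failures[rec["src"]] += 1
        elif rec["result"] == "OK" and failures[rec["src"]] >= max_failures:
            hits.append((rec["src"], rec["user"], failures[rec["src"]]))
    return hits


def detect_lateral_fanout(lines, min_hosts=5):
    """Recon / lateral movement: internal hosts contacting >= min_hosts internal peers on admin ports."""
    peers = defaultdict(set)
    for rec in map(parse_kv, lines):
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in INTERNAL and dst in INTERNAL and int(rec["port"]) in ADMIN_PORTS:
            peers[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= min_hosts}


def detect_exfiltration(lines, threshold_bytes=500_000_000):
    """Exfiltration: internal hosts whose total bytes to external destinations exceed the threshold."""
    outbound = Counter()
    for rec in map(parse_kv, lines):
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            outbound[rec["src"]] += int(rec["bytes"])
    return {src: total for src, total in outbound.items() if total >= threshold_bytes}


def triage(auth_lines, flow_lines):
    """Run all three stage detectors and report findings keyed by stage."""
    return {
        "initial_access": detect_brute_force(auth_lines),
        "lateral_movement": detect_lateral_fanout(flow_lines),
        "exfiltration": detect_exfiltration(flow_lines),
    }


if __name__ == "__main__":
    for stage, finding in triage(AUTH_LOG, FLOW_LOG).items():
        print(f"{stage}: {finding}")
```

Each detector is deliberately simple so the correlation is visible: the same host (`10.0.0.7`) appears in both the lateral-movement and exfiltration findings, which is the kind of chain that matters more than any single alert. In practice the thresholds would be tuned per environment and the byte counts aggregated per time window rather than over the whole log.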
“They can steal financial data that they can then either sell to traders or … say prior to a large earnings release,” Stone-Gross said. “Or they could potentially sell information and provide information during a business dealing, so the other party has information that they probably shouldn’t have. And all this information is being used to really pressure victims into paying ransoms.”
Surprisingly, Stone-Gross said that some of the companies that have been the victims of ransomware and paid the ransom have later received a list of mitigations from the threat actors to avoid another such attack in the future. One group that has done this is the Darkside ransomware group responsible for the Colonial Pipeline attack and disruption.
The list of mitigations includes things like multifactor authentication, preventing administrators from saving passwords in browsers, and setting up firewalls so administrators’ computers cannot directly access critical servers.
To prevent businesses from becoming victims of ransomware attacks, Zscaler uses a zero trust exchange architecture that looks to disrupt the process at each step, Nirmal Singh, director of Zscaler’s Malware Labs, said at the webinar.
The architecture looks to keep systems isolated to prevent widespread compromise and make private applications invisible from the internet. While these are steps that look to prevent initial compromise, Singh said even if threat actors make their way onto the network, by adopting zero trust, the organization should still be protected from lateral movement on the network.
“If the organization has adopted zero trust network [exchange] architecture and [is] using user-to-app segmentation, it will mean that the user will not have a process on the network in the [sic] environment,” Singh said.
“The user will only be allowed to access applications that you have authorized the user to … There will be no IP addresses assigned to the user,” Singh said. “There will be … [an] outbound connection, both from [the] application side and from [the] user side … so it will be very difficult for the attackers to identify other assets in the network environment and it will help [with] preventing the lateral movement.”
Singh then said that even in a worst-case scenario, where an attacker is able to gain access to a critical server, Zscaler’s zero trust exchange should be able to prevent data exfiltration with the quarantine feature in its cloud sandboxes.
“If there is any patient zero payload … you can configure sandbox to quarantine a sample, while the Sandbox is in fact … inspecting that file for malicious behavior,” Singh explained. “Essentially, so it will help you know, breaking the infection chains.”