
Large Organizations Are Not Immune To Ransomware Attacks

Backups and patching are essential but so is defense-in-depth

– David Barton, CISO at Stellar Cyber

Santa Clara, Calif. – Apr. 22, 2020

According to Bleeping Computer, Maze ransomware has hit a very large IT services company.

In the past, this malware has gained entry through several techniques: exploit kits delivered by drive-by downloads, Remote Desktop Protocol (RDP) connections protected by weak passwords, email impersonation, and email spam. In the majority of cases where a phishing email is delivered, the user clicks the link, then authorizes the embedded macro to run, and the malicious file ends up installed. Once installed, the Maze ransomware begins to encrypt critical data on the infected machine. While the encryption process is running, the ransomware also exfiltrates the data to a server on the internet. When both of those processes are complete, the user is presented with a ransom demand and a method to recover their encrypted data.

In 2011, Lockheed Martin was credited with the idea of a cybersecurity kill-chain. As designed, the kill-chain organizes threats into categories, along with the security controls that can be deployed in each category to mitigate those risks. If we apply the kill-chain to the Maze ransomware, we see the following:

  1. The phishing email, in the delivery category, should have been caught by commercial email protection tools.
  2. The malware files (kepstl32.dll, memes.tmp, and maze.dll), in the delivery category, should have been caught by malware tools as well as other AV tools. Note that the end user in this case had to allow the macros to run. User awareness is still essential to defending against these types of attacks!
  3. Once the macros have been enabled, the malware reaches out to a file server and downloads additional malware. This should have been detected in the command-and-control category as well as the delivery category. These categories are usually defended by threat intel tools, malware tools, and host-based tools.
  4. New files get created and the file encryption process begins. This file creation and subsequent encryption should be caught in the actions and exfiltration category and protected by tools such as threat intel, process anomaly detection, firewalls, and malware tools.

What the cyber kill-chain did not account for was the advance of machine learning and AI. Applying these tools to the data at each category of the kill-chain improves our ability to catch the anomalous behavior in each category, and it improves the mitigation in each category by correlating the detections across categories.

Stellar Cyber is committed to utilizing our Open XDR Platform to detect, alert, and respond to these types of behaviors. Our pervasive data collection, coupled with advanced data handling and machine learning, gives us multiple areas where we can detect these types of attacks across the cyber kill-chain. If the attack is missed in one stage of the kill-chain, we will catch it in another stage. Once detected, we have the ability to take automated action against those anomalous behaviors. Applying our technology to the Maze ransomware, we would potentially detect and mitigate it in the following ways:

  1. Our phishing detection would evaluate the malicious URL and mitigate its risk.
  2. RDP connections would be evaluated, alerted, and automatically mitigated when anomalous logins occur.
  3. The malware files referenced above would have been evaluated by our malware tool and mitigated.
  4. Had those files passed the malware test, the server sensor would have caught the behavior change (i.e., a new process spawned with a new connection to the internet file server).
  5. If the dropper file passed the malware and server sensor assessment, the call to the internet file server could have been mitigated at the network level. The Stellar Cyber platform would have signaled the network firewalls to implement a block to the target server.
  6. The new file downloads could have been caught and mitigated at the server sensor or malware assessment.
  7. The encryption process would be detected by the server sensor and mitigation techniques applied to prevent/stop the process from continuing.
  8. Finally, the exfiltration process would be detected by the network layer, the host sensor, and the threat intel.
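The stages listed above only pay off when detections from different kill-chain categories are tied back together per host, so that a miss at one stage does not lose the case. The following is an added illustration of that correlation idea, written for this article and not code from Stellar Cyber or its platform: one small detector per stage (a click on a document link, an Office process spawning a script host with an outbound connection, a burst of file renames, and a large outbound transfer) and a correlator that raises an alert when two or more stages fire on the same host inside a time window. All host names, addresses, file extensions and thresholds are constructed for the example.

```python
"""Toy cross-stage correlation of Maze-style ransomware indicators.

Each detector covers one kill-chain stage; the correlator groups hits by
host inside a time window so a single missed stage does not lose the case.
The telemetry below is constructed for this example (hypothetical hosts,
addresses, extensions and thresholds), not real sensor output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event_type, details)
SAMPLE_EVENTS = [
    ("2020-04-20T09:00:05", "ws-17", "email_click",
     {"user": "jdoe", "url": "http://files.example.invalid/invoice.doc"}),
    ("2020-04-20T09:01:10", "ws-17", "process_start",
     {"parent": "WINWORD.EXE", "image": "powershell.exe", "remote": "198.51.100.7:443"}),
    ("2020-04-20T09:04:00", "ws-17", "file_rename",
     {"count": 1450, "new_ext": ".locked", "window_s": 60}),
    ("2020-04-20T09:06:30", "ws-17", "net_out",
     {"dst": "198.51.100.7", "bytes": 3_200_000_000}),
    # A benign host: a browser launched from the desktop, no other activity.
    ("2020-04-20T10:15:00", "ws-22", "process_start",
     {"parent": "explorer.exe", "image": "chrome.exe", "remote": "203.0.113.5:443"}),
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
DOC_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")

def detect_stage(event_type, d):
    """Map one event to a kill-chain stage name, or None if it looks benign."""
    if event_type == "email_click" and d["url"].lower().endswith(DOC_EXTENSIONS):
        return "delivery"
    if (event_type == "process_start"
            and d["parent"].upper() in OFFICE_PARENTS
            and d["image"].lower() in SCRIPT_HOSTS
            and d.get("remote")):
        # Office spawning a script host that immediately talks to the internet
        return "command_and_control"
    if event_type == "file_rename" and d["count"] / max(d["window_s"], 1) > 5:
        # More than five renames per second is far outside normal user activity
        return "actions_encryption"
    if event_type == "net_out" and d["bytes"] > 500_000_000:
        # Constructed threshold: half a gigabyte out of a workstation
        return "exfiltration"
    return None

def correlate(events, window=timedelta(minutes=30), min_stages=2):
    """Return {host: sorted stage names} for hosts with >= min_stages hits in one window."""
    hits = defaultdict(list)
    for ts, host, etype, details in events:
        stage = detect_stage(etype, details)
        if stage:
            hits[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, stage_hits in hits.items():
        stage_hits.sort()
        first = stage_hits[0][0]
        stages = sorted({s for t, s in stage_hits if t - first <= window})
        if len(stages) >= min_stages:
            alerts[host] = stages
    return alerts

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: correlated ransomware activity across {', '.join(stages)}")
```

Each individual detector here is deliberately simple and would be noisy on its own; the point is that requiring two or more stages on the same host within the window is what turns weak single-stage signals into a confident alert, and that the host that only shows an ordinary browser launch produces nothing.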

Ransomware is a huge industry. Backups and patching are essential but so is defense-in-depth. If you are not protecting your environment at the various stages of the kill-chain, you should consider doing so. If you are struggling to implement these concepts because you have too many tools that don’t interoperate, give us a call. We can help!

– David Barton is the chief information security officer at Stellar Cyber


Sponsored by Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

Stellar Cyber’s industry-leading security infrastructure data collection, analysis and automated anywhere detection and response (XDR) mechanisms improve productivity and empower security analysts to kill threats in minutes instead of days or weeks. By accepting data inputs from a variety of existing cybersecurity solutions, integrating them, and analyzing them under one intuitive interface, Stellar Cyber’s Open-XDR platform helps eliminate the tool fatigue and data overload often cited by security analysts.

Founded in 2015 by industry pioneers from leading companies including Aerohive, Netscreen, Fortinet, Vectra, Juniper, Cisco, VMware, Gigamon, and A10 Networks, Stellar Cyber is based in Silicon Valley and venture-backed by Valley Capital Partners, Big Basin Partners, SIG – Susquehanna and Northern Light Venture Capital.