1/16/2017
07:30 AM
Gur Shatz
Commentary
Ransomware: How A Security Inconvenience Became The Industry's Most-Feared Vulnerability

There are all sorts of ways to curb ransomware, so why has it spread so successfully?

The word "ransomware" conjures up images of dark cloaks and even darker alleys, and not surprisingly, the level of media attention has been unprecedented. The fact that news stories measure the effect of ransomware in terms of cash helps grab the public's attention. (One analysis estimates that more than $1 billion in ransoms was paid out in 2016.)

The most frightening thing about ransomware is that its success is built on trust. Ransomware often gains access by way of a clever email designed with the sole intention of winning the victim's confidence. "My skill is in my ability to get a bunch of people to click on the attachment," explains a malicious actor in a YouTube primer.

Ransomware perpetrators have even started copying incentive tactics from legal industries. There's the Christmas discount for victims who pay up, and a pyramid scheme offer, described in the press as "innovative": "If you pass this link and two or more people pay, we will decrypt your files for free!"

This sophistication and business savvy speaks to ransomware's growth as an industry, and IT has had to take notice. A recent survey of IT professionals from around the globe found that more than 50% of IT staff and more than 70% of CIOs see defending against ransomware as their #1 priority for 2017.

What made ransomware into such a strong threat? Is it really a greater malice than traditional security threats or data theft? Or is it just more buzzworthy because the consequences are more dramatic? What's enabling the epidemic, and what produced the conditions for ransomware to flourish?

The Patching Conundrum
In a way, the rise of ransomware in 2016 was in the works for a long time. Vulnerability patching has been a significant IT challenge for several years — among industrial control systems, 516 of 1,552 vulnerabilities discovered between 2010 and 2015 didn't have a vendor fix at the time of disclosure. A full third of known "ways in" had to wait for a patch to be developed, providing ample time for criminals to do their worst.

Reliance on distributed security appliances has only exacerbated the problem. Even after patches become available, there is still a significant lag. A combination of staff shortages, the volume of devices deployed across today's business networks, and physical distance has dramatically lengthened patch rollout times. Varying reports put the gap at anywhere from 100 days to 18 months.

Before ransomware even became a trend, the stage had been set for adversaries to gain access.

It Should Be Easy to Stop
From an IT perspective, one of the most aggravating things about ransomware is that even after the attack gains a foothold, it should be relatively easy to stop. The file encryption that actually does the damage is the final stage of a multistep process, so there are several opportunities to block the attack before it touches valuable data. First, if the initial lure is caught by URL filters or secure Web gateways, the attack is averted.

The second step is where the initial malware "drop" downloads the ransomware program. To do this, it must connect back to the attacker's server from within the compromised network. Only after the ransomware program itself deploys inside the victim's environment does it encrypt local and network server files. Even then, before encryption can start, most ransomware must connect to a command-and-control server to create the public-private key pair that encrypts the data.

At any of these points, a network security stack has ample opportunity to block the malicious program's connections, and the data lockdown never happens.
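As an added example (not code from the article or from Cato Networks), the following Python walks constructed web-proxy log lines through the three network controls the chain above offers: a URL filter for the lure, a download filter for the dropper's executable, and an egress filter for the beacon to a command-and-control server. The hosts, addresses and policy lists are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log: one workstation walking the chain (lure page, dropper
# fetching an executable, beacon to a C2 server) plus one benign request.
SAMPLE_LOG = """\
2017-01-16T07:30:01 10.0.5.21 GET http://invoice-view.example/doc.html text/html
2017-01-16T07:30:09 10.0.5.21 GET http://cdn-update.example/setup.exe application/x-msdownload
2017-01-16T07:30:15 10.0.5.21 POST http://203.0.113.7/gate.php application/octet-stream
2017-01-16T07:31:00 10.0.5.22 GET https://www.example.com/index.html text/html
"""

# Constructed policy: URL-filter blocklist, trusted executable sources, executable MIME types.
BLOCKED_HOSTS = {"invoice-view.example"}
TRUSTED_DOWNLOAD_HOSTS = {"downloads.example.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def is_raw_ip(host):
    # True when the destination is a literal IP address rather than a hostname.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def stage_verdict(line):
    """Apply the three controls to one log line; (stage, control) if blocked, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, _client, method, url, ctype = m.groups()
    host = urlsplit(url).hostname or ""
    if host in BLOCKED_HOSTS:                     # stage 1: the lure link
        return ("lure", "url-filter")
    if is_raw_ip(host) and method == "POST":      # stage 3: beacon to a C2 server
        return ("c2", "egress-filter")
    if ctype in EXECUTABLE_TYPES and host not in TRUSTED_DOWNLOAD_HOSTS:  # stage 2: dropper
        return ("dropper", "download-filter")
    return None


def blocked_events(log_text):
    """Return [(client, stage, control), ...] for every line a control would have blocked."""
    events = []
    for line in log_text.splitlines():
        verdict = stage_verdict(line)
        if verdict:
            events.append((line.split()[1],) + verdict)
    return events
```

Each of the infected workstation's three requests is stopped by a different control, which is the point of the passage: any one of them would have prevented the encryption stage.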

With all these opportunities to stop the attack, how has ransomware been so successful?

Complexity upon Complexity
In November, security researchers discovered a new attack technique that exploits Scalable Vector Graphics (SVG) files, and this may provide a clue. SVG is an XML-based vector image format supported by Web browsers and applications. Attackers embedded malicious JavaScript in SVG files sent over Facebook Messenger, ostensibly to take advantage of users' inclination to view interactive images.

The way these files were manipulated is of much greater concern than either the app that was targeted or the breach of users' trust: The SVG file had been loaded with obfuscated JavaScript code (see Figure 1). These files automatically redirect users to malicious websites and open the door to eventual endpoint infection. The obfuscation defeats detection engines, and signature-based detection will always lag behind as the code is reworked into a new signature for the same threat.
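As an added, defender-side example (not code from the article or from any vendor it mentions), the following Python scanner flags the constructs a mail or messaging gateway needs to catch in an SVG like the one described: script elements, event-handler attributes and script-scheme links. The two sample SVGs are constructed, not the Messenger files from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: a plain image and one carrying the kinds of active content
# the Messenger attack relied on (the payload comment stands in for obfuscated JS).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPICIOUS_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">
  <script>/* an obfuscated redirect payload would sit here */</script>
  <a xlink:href="javascript:void(0)"><circle r="5"/></a>
</svg>'''

ACTIVE_ELEMENTS = {"script", "foreignobject"}
# data: URIs are deliberately not flagged: benign SVGs embed raster images that way.
URI_SCHEME_RE = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.split("}")[-1].lower()


def svg_active_content(svg_bytes):
    """List every script-capable construct in an SVG document.
    An empty list means only passive drawing content was found. The stdlib parser is
    used for brevity; a gateway should parse with defusedxml (or disable entity
    expansion) so hostile XML cannot exhaust the scanner itself."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]
    findings = []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):                 # onload, onclick, onmouseover, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and URI_SCHEME_RE.match(value):
                findings.append(f"{value.split(':', 1)[0].strip().lower()}: URI on <{tag}>")
    return findings


def should_quarantine(svg_bytes):
    """Gateway policy: hold any SVG that carries active content or cannot be parsed."""
    return bool(svg_active_content(svg_bytes))
```

Because the check is structural rather than signature-based, re-obfuscating the JavaScript does not change the verdict: the script element and handler attribute are still there.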

The above attack spotlights an urgent need to simplify. Modern networks become more vulnerable because of a patchwork of point solutions. It's not sustainable to expect IT pros to update each point solution and patch every existing firewall each time a new attack vector appears. Skilled attackers will always build new threats faster than IT can defend against them. For ransomware, the critical test is, "How fast can you roll defenses out?"

Higher Stakes
When prevention is the only true cure, it's no wonder ransomware goes to the front of CIOs' agendas for 2017. But the predominant trend toward cloud-based security and the promise of a "patch once, fix all" model are starting to correct the problem. Cloud defenses promote quicker adaptation to ransomware mutations. The idea is to consolidate all traffic from physical locations and mobile users, and integrate a single firewall service as a permanent "line of sight" between any given user, any given device, and a potential threat source. In this respect, the cloud is not just about saving work, but also about improving speed to security.

2016 was the year that IT's reluctance to use the cloud backfired, and it played right into ransomware's hands. Familiarity, comfort, and experience with using the cloud to keep networks safe may improve outcomes in 2017.

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based Web applications security and acceleration company. Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and ...
Comments

jddaggs, User Rank: Apprentice, 1/20/2017 | 9:26:55 AM
Very informative
Very informative and helpful. It solidifies that more attention needs to be given to the primary means of delivery and keeping end-users informed on best practices.