Ransomware attacks have become an easy approach for cybercriminals
Ransomware attacks have become an easy approach for cybercriminals to target businesses of all sizes – transcending industry types and geographies. There has been a marked transition in ransomware targets, moving away from consumers to full-throttle attacks on businesses, for much higher returns. Given the continuous advancements in the techniques, stealth, and maturity in the new variants of ransomware, all types of organizations are at risk.
Ransomware attacks on enterprises seem to have become a daily feature in the news. In late July, Garmin suffered a severe WastedLocker ransomware attack and reportedly paid millions to resolve it. A few days later, Canon confirmed that it had been subject to a ransomware attack that impacted numerous internal services such as email servers, Microsoft Teams, other applications, and public-facing services, including its US website, reportedly spanning 24 of its domains. Malicious actors behind the Maze ransomware claimed responsibility for the attack and subsequently leaked several terabytes of Canon’s image data. Maze is ransomware that exfiltrates data to the attackers’ servers and encrypts data on infected systems and services, as well as on the backups. The group behind the attack played the double-extortion game with Canon by publishing part of the stolen data openly on the internet.
Ransomware incidents are plentiful, but the question is: how do these ransomware variants bypass the existing defense systems at these enterprises to cause such damage? Surely such global enterprises must have AV/EPP/EDR-type solutions protecting their organizations?
Let’s look at the detection approaches enterprises have in place today to detect ransomware:
- Signature-based approaches, as used by traditional antivirus and endpoint protection solutions. These are primarily meant to catch only known, previously seen ransomware.
- Behavior analysis approaches from EDR/EPP vendors, intended to detect new variants of ransomware.
Unfortunately, ransomware attackers are evolving fast, using innovative techniques that easily bypass these existing defenses. Behavior analysis-based solutions look for anomalies in file I/O operations, crypto operations, and the exact sequence of those operations. For instance, a large number of I/O activities from one process is considered anomalous and hence indicative of ransomware. Such behavior-based approaches lead not only to false positives but also to false negatives!
State-of-the-art ransomware such as WastedLocker and Maze is often memory-resident and, more interestingly, leverages memory-mapped files so that file encryption happens entirely in memory. These two innovative techniques defeat the behavior analysis approach by effectively removing the ability to observe file I/O or crypto activities directly. Maze ransomware has successfully adopted deception techniques, making it extremely difficult to detect the ransomware before it is too late.
Similarly, ransomware like Ragnar Locker uses other evolved techniques, such as using a virtual machine to map and encrypt the files. Again, such steps evade existing anti-ransomware solutions by keeping file I/O and crypto activities out of their view.
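To make the gap concrete, here is an added example (not code from the original post or from any vendor) of a toy behavior-analysis rule run over constructed per-process file events: a rule that counts write and rename calls flags the classic encrypt-and-rename loop but sees nothing when the same files are modified through a writable memory mapping, while a rule that also counts mapping-and-flush events closes that gap. The event names (write, rename, mmap_rw, msync) and the threshold are assumptions, not any product's telemetry schema.

```python
from collections import Counter

# Constructed sample telemetry, not a real capture: (pid, event, path).
EVENTS = [
    # pid 100: classic loop, every file written and then renamed
    *[(100, "write", f"/home/u/doc{i}.txt") for i in range(12)],
    *[(100, "rename", f"/home/u/doc{i}.txt") for i in range(12)],
    # pid 200: a normal editor saving a single file
    (200, "write", "/home/u/notes.txt"),
    # pid 300: the same 12 files modified through a writable mapping;
    # no write() calls are ever issued, only map-for-write and flush
    *[(300, "mmap_rw", f"/home/u/doc{i}.txt") for i in range(12)],
    *[(300, "msync", f"/home/u/doc{i}.txt") for i in range(12)],
]

# Assumed threshold: more than this many modified files per process is "anomalous".
FILE_THRESHOLD = 10


def flag_by_io_count(events, threshold=FILE_THRESHOLD):
    """Naive rule: flag a pid whose write+rename call count exceeds threshold.
    Returns the sorted list of flagged pids."""
    counts = Counter(pid for pid, ev, _ in events if ev in ("write", "rename"))
    return sorted(pid for pid, n in counts.items() if n > threshold)


def flag_by_modified_files(events, threshold=FILE_THRESHOLD):
    """Extended rule: count distinct files each pid modified by any route,
    treating a flush of a writable mapping (msync) as a modification too."""
    modified = {}
    for pid, ev, path in events:
        if ev in ("write", "rename", "msync"):
            modified.setdefault(pid, set()).add(path)
    return sorted(pid for pid, paths in modified.items() if len(paths) > threshold)


if __name__ == "__main__":
    print("write/rename count rule flags:", flag_by_io_count(EVENTS))
    print("modified-files rule flags:   ", flag_by_modified_files(EVENTS))
```

The first rule flags only pid 100; the second flags pids 100 and 300, because it credits the mapping flush as a file modification even though no write call was observed.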