SOAR can quickly create remediations around that newly gathered intelligence: Michael Joseph, Director System Engineering, India and SAARC, Fortinet

Last year cast a bright spotlight on cybersecurity with the risks that surfaced due to the rise of remote work. The year was capped off by one of the most significant supply chain hacks in recent years. Now in 2021 we have cyber adversaries attempting to exploit Microsoft Exchange Server vulnerabilities with DearCry ransomware. Cybersecurity risk has never been greater as everything is interconnected in a larger digital environment.

Michael Joseph, Director System Engineering, India and SAARC, Fortinet offers perspective on ransomware and recent cyberthreat trends, with a goal of better understanding the level of threat and what organisations should do.

Q: What steps should organisations take to defend against ransomware such as DearCry?

If we need to pick a type of attack that keeps security professionals up at night – it is ransomware for sure and the threat shows no signs of slowing down. Our latest global Threat Landscape Report showed that ransomware activity jumped an astounding sevenfold in the second half of 2020 when compared with the first six months. 

The recent DearCry ransomware attempting to exploit Microsoft Exchange vulnerabilities shows that once a high profile vulnerability has been disclosed, cybercriminals will attempt to maximise the opportunity. While it is DearCry today, other campaigns will follow suit later. 

For now though, the first step for any organisation with a Microsoft Exchange server, is to take investigative steps to check for signs of compromise and patch. Microsoft has released patches for these vulnerabilities. 

Q: What are the best controls to address a new Zero-day vulnerability and what makes a Zero-day vulnerability and ransomware difficult to protect?

With the number of new zero-day vulnerabilities out there, and the number of water-hole attacks using these zero-day exploits, the next big hack could be a website visit away. Even with the latest security controls in place, if you have a zero-day breach you are going to have to rely on all three pillars of a robust cybersecurity program: people, processes, and technology to identify the threat as soon as it breaks out. Anti-exploit and EDR (endpoint detection and response) solutions are excellent tools for discovering malware on an endpoint device before it migrates to the network and then shares that information downstream. An ISFW (internal segmentation firewall) can then apply dynamic segmentation to quarantine the host. And SOAR (security orchestration, automation, and response) can quickly create remediations around that newly gathered intelligence. 

The reality is, ransomware is not a complex and sophisticated malware. Ransomware and many other types of malware take advantage of vulnerabilities. Zero-day vulnerabilities by their very nature are difficult to protect against that is why patching critical flaws is very important. When vulnerabilities are released, it is often only a short time before they are weaponised, and their code is leaked on the Internet. What happens next is multiple attackers trying to create malware or malware code other attackers can use to incorporate into web shells for remote exploits, ransomware, or other attacks. 

However, this actually makes it much more dangerous because the threshold of knowledge that attackers must possess is low, which means that ransomware toolkits can be downloaded from the Internet and modified with minimum programming knowledge. Volume-wise, there are other threats that may be more prevalent. But ransomware is a leading threat based on the impact it has within an organisation, as one ransomware attack can completely shut down a business.

Q: Why do cyber hygiene and the human factor continue to be primary concerns for ransomware?

Some organisations have a hard time patching devices. When out of band patches, which are sometimes the most critical patches, are released organisations have to divert resources to investigate and test the patches. Often, users have administrative rights on their system to ease the burden and costs of management and IT support staff, but that makes it difficult to automate patches and updates. And in large, mobile environments, getting users to apply patches can be difficult because of things like geographic disparity. 

For ransomware in general, the problem is not just awareness. It is rooted in human behaviour. Awareness and action are two very different things. In addition to broad brush attacks that target everyone, emails are also being cleverly written to target specific types of individuals at an organisation, either directly, or through a technique where they insert phishing emails into an active email thread to increase the likelihood of it being clicked on, called email thread hijacking. But regardless of who is being targeted, everyone is susceptible to a carefully crafted email arriving when they are just distracted enough to not be paying attention. 

However, if these problems were to be solved, most ransomware simply would not be effective. 

Q: How do you see ransomware progressing during 2021?

What has been on the rise, and what is predicted to get worse, are the more targeted ransomware attacks that cost businesses more from an operational and regulatory perspective. Attackers are constantly keeping an eye out for the weakest link in security. That could be people, technology, supply chains, or bad cyber hygiene. Cyber adversaries like to follow the path of least resistance, like the flow of water – finding any crack they can to slip through. Malware and ransomware attacks in general are a completely different game now because these attacks are being targeted and specifically crafted to certain internal systems. Another factor contributing to the growing attacks on businesses and enterprise organisations is the ready availability of Ransomware-as-a-Service (RaaS) offerings, which is something which was predicted years ago would happen as an evolution of ransomware. The targets of ransom will become higher profile. Meaning, the risk is rising moving forward – and ransom is becoming more targeted, meaning a higher reward model for cybercriminals.

We still may see yet another mass ransomware exploit, such as the one we experienced with WannaCry, simply because there are a lot more ‘wormable’ vulnerabilities out there. It’s just a matter of time. The recent DearCry ransomware attempting to exploit Microsoft Exchange Server vulnerabilities is the latest example to reach global attention.

Q: Do you see ransomware attacks targeting any particular vertical?

There are many people in IT that are working under more stress and more pressure than before. Additionally, other industries, such as healthcare and some types of manufacturing and transportation, are under more pressure than before to keep their networks up and running. Attackers understand that these industries might rather pay a ransom rather than deal with any slowdown or shutdown in their operations. If the device of a remote worker can be compromised, it can become a conduit back into the organization’s core network, enabling the spread of malware to other remote workers. 

Q: What steps can organisations take to combat ransomware like DearCry?

While each network environment is different, there are steps every organisation can begin to implement today to reduce their risk from ransomware and other advanced threats. A key takeaway is to leverage people, technology, and processes to quickly gather threat intelligence about active attacks on a network and act on it, using automation where possible. 

• Patch, out of band, emergency, patches will happen. Organisations need to have a plan in place through change control processes to ensure they can respond to emergency patches. Attackers are no longer taking days to weaponise vulnerabilities, they are taking hours. 

• Make sure that all endpoint devices have advanced security installed, such as anti-exploit and EDR solutions. 

• Also make sure that access controls, such as multifactor authentication and even Network Access Control (NAC) solutions are in place. 

• Segment the network into security zones to prevent the spread of infection and tie access controls to dynamic segmentation.

• Update network IPS signatures, as well as device antivirus and anti-malware tools.

• Back-up systems and then store those backups offline – along with any devices and software needed in the event of a network recovery. 

• Update email and web security gateways to check and filter out email attachments, websites, and files for malware. 

• Make sure that CDR (content disarm and recovery) solutions are in place to deactivate malicious attachments.

• Use a sandbox to discover, execute, and analyse new or unrecognised files, documents, or programs in a safe environment. 

• Prevent unauthorised SaaS applications with a CASB solution.

• Use forensic analysis tools to identify where an infection came from, how long it has been in an environment, etc

• Plan for one of the biggest unknowns – the people who use your devices and applications. Cybersecurity awareness training is essential.