"Give me all your data, and nobody gets hurt." You don’t want to be on the wrong side of ransomware. Graham Ahearne shows you how to detect ransomware threats proactively with Corvil.
By Graham Ahearne April 7, 2016 Product
Ransomware is far from a new phenomenon, but lately has escalated in how wide-reaching it is (yes, Mac users, it can even impact you); how it is being leveraged by cyber attackers as part of broader coordinated activities; how it is readily available “As-a-Service”; and worst of all, how severe its consequences can be. These nasty attacks used to typically target individuals, but in a worrying trend, they are increasingly focused on holding whole businesses hostage. Therefore, knowing how to detect ransomware proactively is increasingly important.
Status quo ain’t cutting it
Employee education, diligent patch management and host-based security controls are common first lines of defense and are absolutely recommended. But it only takes one weakness or blind spot to allow these threats to gain a foothold. This challenge is compounded by the difficulty security operations teams have in getting a clear, live view into what is actually going on within their increasingly complex, dynamic, and open corporate networks. Just a few of the common complicators: porous perimeters, short-lived virtual machines, east-west traffic flows, cloud-powered internal apps, employees connected over smart devices, IoT-enabled equipment, and that’s just the start.
If you have Corvil appliances monitoring your network, here’s the good news: You already have a very powerful defensive weapon primed to aid your fight against the ransomware scourge.
So, how can Corvil help?
Like most malware, a ransomware attack chain must involve communication over the network at some point, and as it happens, real-time, granular, packet-level visibility is our speciality here at Corvil. Through automatic discovery of endpoints as they communicate over the network (whether they be Windows-based, Android devices, Mac laptops, etc.; without the need for any agent software), application-level metadata decode and full packet capture, Corvil helps put you on the front foot when tackling ransomware. Let’s explore the mechanics of a recently discovered ransomware strain, Samas, and how Corvil's live network visibility can be used to detect it at each stage of the attack chain:
| Samas Attack Chain | Corvil Visibility and Detection |
|---|---|
| 1. Reconnaissance: scans networks with pen-testing tools in order to detect hosts with exposures to known vulnerabilities. | |
| 2. Gaining a foothold: uses tunneling tools to establish a persistent command and control channel with an internal host. | |
| 3. Lateral spread: malware is used to retrieve login credentials from the internal host, then psexec.exe is utilised with the stolen login credentials to deliver malware to target hosts. | |
| 4. Illicit file encryption: malware runs locally on target hosts to encrypt files on the file system, then leaves a note providing instructions on how a ransom can be paid to decrypt them. | |
| 5. Offered decryption: a specific Tor site is utilised in order to offer an anonymised web-based service which impacted businesses can use to pay the ransom and retrieve the decryption key. | |
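As an added illustration (not Corvil's code) of how two stages of the attack chain above surface in network metadata, the following script runs simple detection heuristics over constructed per-flow records: a source touching many distinct host:port pairs (stage 1, reconnaissance) and a source opening SMB sessions to many peers within a short window (stage 3, psexec-style lateral spread). The flow tuples, thresholds and IP addresses are all assumptions made for the example.

```python
# Added example: attack-chain stage detection over constructed flow metadata.
from collections import defaultdict

# Constructed sample flows: (timestamp_s, src, dst, dst_port). Not real captures.
FLOWS = [
    (1, "10.0.0.5", "10.0.0.20", 22), (2, "10.0.0.5", "10.0.0.20", 80),
    (3, "10.0.0.5", "10.0.0.20", 443), (4, "10.0.0.5", "10.0.0.20", 445),
    (5, "10.0.0.5", "10.0.0.21", 22), (6, "10.0.0.5", "10.0.0.21", 3389),
    (7, "10.0.0.5", "10.0.0.22", 8080), (8, "10.0.0.5", "10.0.0.23", 139),
    (9, "10.0.0.5", "10.0.0.24", 445), (10, "10.0.0.5", "10.0.0.25", 3306),
    # ordinary workstation file-share use: a couple of SMB peers
    (11, "10.0.0.30", "10.0.0.40", 445), (12, "10.0.0.30", "10.0.0.41", 445),
    # lateral spread: one host opening SMB to many peers in a few seconds
    (20, "10.0.0.20", "10.0.0.50", 445), (21, "10.0.0.20", "10.0.0.51", 445),
    (22, "10.0.0.20", "10.0.0.52", 445), (23, "10.0.0.20", "10.0.0.53", 445),
    (24, "10.0.0.20", "10.0.0.54", 445), (25, "10.0.0.20", "10.0.0.55", 445),
]

SCAN_MIN_TARGETS = 8   # distinct (host, port) pairs from one source (assumed)
SMB_MIN_PEERS = 5      # distinct SMB peers from one source in a window (assumed)
WINDOW = 60            # seconds

def detect_scanners(flows, min_targets=SCAN_MIN_TARGETS):
    """Stage 1 (reconnaissance): sources touching many distinct host:port pairs."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        targets[src].add((dst, port))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def detect_smb_fanout(flows, min_peers=SMB_MIN_PEERS, window=WINDOW):
    """Stage 3 (lateral spread): one source reaching many SMB (445) peers
    inside a sliding time window, the footprint psexec-style delivery leaves."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port == 445:
            by_src[src].append((ts, dst))
    hits = set()
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= window}
            if len(peers) >= min_peers:
                hits.add(src)
                break
    return sorted(hits)

if __name__ == "__main__":
    print("scanners:", detect_scanners(FLOWS))       # ['10.0.0.5']
    print("smb fan-out:", detect_smb_fanout(FLOWS))  # ['10.0.0.20']
```

Thresholds like these would be tuned per environment; the point is that both stages are visible from flow metadata alone, without any agent on the endpoints.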
Sounds good, but how can ransomware detection be operationalised?
Corvil appliances can provide at-a-glance operational dashboards which facilitate detection of ransomware activity on the network for Security and IT Operations teams. Corvil also provides a number of SIEM connectors, such as for HP ArcSight and Splunk, and other connectors for big data platforms, such as Hadoop / Flume, Kafka and MongoDB. These connectors can be utilised to send detected ransomware indicators upstream, in real time, for further correlation and analysis.
Accelerating post-hoc forensics, as part of incident investigation
As well as performing streaming analytics in machine-time, Corvil appliances in parallel store and index packet data (up to several terabytes an hour), making it available for high-speed, precision search and packet capture export. A forensically verifiable network activity trail, with the precise time and sequence of all machine events, is therefore always available to aid incident investigators who need to deep-dive into historic activity or extract files that were transferred across the network.
Let's now bring this to life...
With the scene now set, it's time to give you a more immersive sense of what using Corvil to tackle ransomware is truly like. Here is a short video in which I explore these discussed capabilities directly within the Corvil dashboards:
This is just one focused example of how Corvil’s Security Analytics can be utilised to dramatically improve visibility, detection and investigation speed and efficiency. To learn more about Corvil’s powerful analytics platform, check out these short videos.