Detecting Ransomware Before It Hurts Your Business

Ransomware is far from a new phenomenon, but lately has escalated in how wide-reaching it is (yes, Mac users, it can even impact you); how it is being leveraged by cyber attackers as part of broader coordinated activities; how it is readily available “As-a-Service”; and worst of all, how severe its consequences can be. These nasty attacks used to typically target individuals, but in a worrying trend, they are increasingly focused on holding whole businesses hostage. Therefore, knowing how to detect ransomware proactively is increasingly important.

Status quo ain’t cutting it

Employee education, diligent patch management and host-based security controls are common first lines of defense and are absolutely recommended. But it only takes one weakness or blind spot to allow these threats to gain a foothold. This challenge is compounded by the difficulty security operations teams have in getting a clear, live view into what is actually going on within their increasingly complex, dynamic, and open corporate networks. Just a few of the common complicators: porous perimeters, temporal virtual machines, east-to-west traffic flow, cloud-powered internal apps, employees connected over smart devices, IoT enabled equipment, and that’s just the start.

If you have Corvil appliances monitoring your network, here’s the good news: You already have a very powerful defensive weapon primed to aid your fight against the ransomware scourge.

So, how can Corvil help?

A ransomware attack chain must involve communication over the network at some point, like most malware, and as it happens, real time, granular, packet data visibility is our speciality here at Corvil. Through automatic discovery of endpoints as they communicate over the network (whether they be Windows based, Android devices, Mac laptops, etc; without the need for any agent software), application level metadata decode and full packet capture, Corvil helps put you on the front foot when tackling ransomware. Let’s explore the mechanics of a recently discovered ransomware strain, Samas, and how to detect this ransomware strain using Corvil's live network visibility across the ransomware attack chain:

Samas Attack Chain	Corvil Visibility and Detection
1. Reconnaissance Scans networks with pen-testing tools in order to detect hosts with exposures to known vulnerabilities.	Inbound scanning activity discovered, categorised and decoded as HTTP, even if non-standard ports are used. Real-time analysis of the HTTP traffic leads to detection based on the origin being a known malicious scanning server and the increase in the volume of inbound scanning.
2. Gaining a foothold Use tunneling tools to establish a persistent command and control channel with an internal host.	Tunnelling detected based on the origin being a known malicious server and the pattern of activity associated with the tunnelling traffic (including the likes of encoded payload).
3. Lateral spread Malware used to retrieve login credentials from the internal host, then psexec.exe is utilised with the stolen login credentials to deliver malware to target hosts.	As the user accounts for which credentials were stolen and are used for remote authentication, Corvil real-time decodes the authentication and records the involved user name, domain name and host name. Remote execution activity is recorded and linked back to the Windows user and internal compromised host(s).
4. Illicit file encryption Malware runs locally on target hosts to encrypt files on the file system then leaves a note providing instruction on how a ransom can be paid to decrypt.	As encrypted files with the file extension “.encrypted.RSA” are written over existing mapped drives (SMB), this activity is recorded and flagged. Username, Hostname, Domainname, Filename are captured and available for analysis.
5. Offered decryption A specific Tor site is utilised in order to offer an anonymised web-based service which impacted businesses can use to pay the ransom and retrieve the decryption key.	General access via Tor exit nodes can be flagged and more specifically, web traffic to this specific site is detected and linked back to the internal compromised host(s).

Sounds good, but how can ransomware detection be operationalised?

Corvil appliances can provide at-a-glance operational dashboards which facilitate detection of ransomware activity on the network for Security and IT Operations teams. Corvil also provides a number of SIEM connectors such as for HP Arcsight and Splunk, and other connectors for big data platforms, such as Hadoop / Flume, Kafka and MongoDB. These connectors can be utilised to send detected ransomware indicators, in real-time, for upstream further correlation and analysis.

Accelerating post-hoc forensics, as part of incident investigation

As well as performing streaming analytics in machine-time, Corvil appliances also in parallel, store and index packet data (up to several terabytes an hour), making it available for high speed, precision search and packet capture export, so a forensically verifiable network activity trail (with precise time and sequence of all machine events) is always available to aid incident investigators who need to deep dive into historic activity or extract files that were transferred across the network.

Let's now bring this to life...

With the scene now set, it's time to give you a more immersive sense of what using Corvil to tackle ransomware is truly like. Here is a short video in which I explore these discussed capabilities directly within the Corvil dashboards:

This is just one focused example of how Corvil’s Security Analytics can be utilised to dramatically improve visibility, detection and investigation speed and efficiency. To learn more about Corvil’s powerful analytics platform, check out these short videos.