How Ransomware Attacks Succeed
- Zack Link
- 7 days ago
- 3 min read
Generally, companies use a two-pronged approach to ransomware:
- An endpoint security tool such as Anti-Virus (AV) or Endpoint Detection & Response (EDR), to prevent ransomware from executing.
- A data backup process to provide the ability to restore data after a successful ransomware attack.
When a ransomware attack succeeds, and you have to rebuild your systems and restore data, your business is impacted until you can recover the affected systems. On average it takes over 3 weeks for a company to fully recover from a ransomware attack. During this time, business operations are often impacted, hindering your ability to carry out your day-to-day business activities.
Endpoint security tools are pretty good at detecting and stopping known ransomware files, which has led to an arms race with attackers. Attackers often change the ransomware files just enough that they look brand new for each attack. Attackers have also figured out that the best way to execute ransomware attacks is to evade the endpoint security tools in the first place. If the endpoint security tools never see the ransomware, they can’t detect it or stop it from executing, leading to a successful ransomware attack.
These evasion techniques generally fall into a few different categories.
- Disable the endpoint security tool. This can be done by turning it off, or by preventing the information about running files from reaching the endpoint security tool, effectively blinding it. There are a number of tools out there that attackers can use, such as:
  - EDRSilencer
  - EDRSandblast
  - EDRKillShifter
- Find an unprotected endpoint. Most organizations think they protect all of their endpoints with endpoint security tools. Yet not all devices can easily be protected with these products:
  - Hypervisors like VMware ESX and Hyper-V.
  - Containerized apps like those you find in Kubernetes.
  - Hardware appliances like Network Attached Storage (NAS), which are usually not supported by endpoint security tools.
  - Personal devices brought into corporate environments (BYOD).
  - Shadow IT, where someone spins up a server without the security team knowing, so it never gets protected by the organization’s normal security tools. This leaves it fully exposed to a direct ransomware attack.
- Using or exploiting trusted applications so the activity looks like normal day-to-day work. This includes:
  - Living off the land (LOTL) attacks, where ransomware is executed by built-in Windows applications like PowerShell.
  - Browser-native ransomware, because endpoint security tools have limited or no visibility into the specific actions a browser is taking.
  - Remote encryption, where the ransomware runs on a separate endpoint and encryption happens over the network via a network share.
  - Injection attacks, where ransomware is copied into the memory of a normal application that is already running. There are multiple ways to do this, including process hollowing and herpaderping.
Most of these attacks and evasion techniques have been around for years, if not a decade or more. The issue is that these security tools focus on the attack surface and not the attack target. So if you deploy endpoint security to protect execution on the endpoint, you will also need to deploy a browser security product for browser-based attacks, HIDS for remote encryption attacks, and Application Control for LOTL attacks. As you can see, it is very hard to protect against every type of attack vector that ransomware attackers use. But if you focus on the data, which is the target of a ransomware attack, that becomes the single choke point for malicious activity. No matter what attack vector is used in a ransomware attack, the data has to be encrypted.
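To make the "watch the data, not the process" idea concrete, here is an added example (not code from this post or from any product it mentions) that detects encryption-like activity purely from file contents: it snapshots the Shannon entropy of every file in a directory and alerts when a large share of previously low-entropy files become high-entropy or disappear, which is what in-place encryption and rename-and-encrypt both look like regardless of whether the writer was PowerShell, a browser, an injected process, or a remote host on a share. The thresholds, file names and the random-byte "encrypted" content are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0       # bits per byte; encrypted/compressed data sits near 8.0
CHANGE_RATIO_THRESHOLD = 0.5  # alert once half the tracked files flip to high entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map every file under root to the entropy of its current contents."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result[path] = shannon_entropy(fh.read())
    return result


def detect_mass_encryption(before: dict, after: dict) -> dict:
    """Flag when many previously low-entropy files became high-entropy or vanished."""
    tracked = [p for p, e in before.items() if e < ENTROPY_THRESHOLD]
    # A file missing from 'after' counts as a hit: rename-and-encrypt removes the original.
    hit = [p for p in tracked if after.get(p, 8.0) >= ENTROPY_THRESHOLD]
    ratio = len(hit) / len(tracked) if tracked else 0.0
    return {"ratio": ratio, "files": hit, "alert": ratio >= CHANGE_RATIO_THRESHOLD}


def demo() -> dict:
    """Constructed scenario: six plain-text files, four then overwritten with
    random bytes that stand in for encrypted output (no real encryption here)."""
    root = tempfile.mkdtemp()
    paths = [os.path.join(root, f"report{i}.txt") for i in range(6)]
    for p in paths:
        with open(p, "w") as fh:
            fh.write("quarterly figures, all nominal\n" * 50)
    baseline = snapshot(root)
    for p in paths[:4]:
        with open(p, "wb") as fh:
            fh.write(os.urandom(4096))
    return detect_mass_encryption(baseline, snapshot(root))
```

In a real deployment the snapshot would be driven by file-system change notifications and the ratio measured over a short time window, so that one legitimately compressed archive does not trip the alert while a burst of changes across many files does.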
We also see new emerging tactics like cloud storage ransomware attacks that leverage credential compromise and built-in cloud encryption services to encrypt data and extort organizations. We expect these types of attacks to continue to grow as more companies move data to the cloud.
In short, attackers have figured out dozens of ways to evade endpoint security tools that are very difficult, if not impossible, to protect against using traditional tools, because of the architecture of endpoint security tools. Therefore, ransomware attacks will continue to be successful for the foreseeable future.
RansomStop was designed with these types of attacks in mind. By monitoring data integrity instead of applications, RansomStop is able to detect and stop malicious encryption activity in 1-2 seconds, without any human intervention. This minimizes or eliminates the business disruption that comes from successful ransomware attacks.