Ransomware Kill Chain

Part 2: How to use the Ransomware Kill Chain model to devise countermeasures

In the first part of our Ransomware Kill Chain series we looked at the anatomy and the associated risks of a ransomware attack. As a business you have gained insight into a form of attack that significantly deviates from a conventional cyberattack and caused quite a stir in the past, especially in the global media. Wanna Cry, NotPetya, and Jaff are notable examples of recent ransomware attacks.

When it comes to Wanna Cry, the damage was severe. Even Deutsche Bahn was affected by the Wanna Cry ransomware attack. The EternalBlue SMB exploit served as the gateway for the attack. Even though the vulnerability was closed by a Microsoft patch that was made available for download, many businesses still have not applied it.

If companies fail to close these security gaps they remain potential victims of cybercrime. Below, we’ll show you how to use the Ransomware Kill Chain to take countermeasures against this type of attack.

The Ransomware Kill Chain using the example of Wanna Cry

Stage 1: Disguise and transmission

Attack strategy:

The malicious software is usually cleverly disguised by the cybercriminals, and the key pair for the encryption process is embedded in it. The attacker focuses on a weak point to start the attack. While conventional ransomware attacks use phishing emails carrying infected links or attachments, fake web pages and malicious advertising can also serve as a transmission path. Once the victim has opened the file attachment and taken the attacker’s bait, the attack begins.

Defense countermeasures:

Companies should increasingly seek to understand the dangers of ransomware. To do so, those in charge need a certain vision which combines practical experience and knowledge.

The training of employees is especially important. This is particularly true if the aim is to establish an effective defense against ransomware in the company.

The ongoing threat of ransomware attacks on businesses makes this the appropriate time to raise employee awareness of the issue.

A spam filter for email traffic can especially help to prevent malicious content from being received in the first place. This is the only way you can ensure long-term access to your company systems.

It is also advisable to use a sandbox engine as a preventative measure. Such an engine is available with Hornetsecurity Advanced Threat Protection.

This tool examines the behavior of email attachments as soon as they are opened and filters them out if they are found to be hazardous, and it lets employees understand the attacks in detail.

Stage 2: Download and Execution

Attack strategy:

Ransomware in general, not only Wanna Cry, requires just one click to exploit its target. In addition, the malware’s payload is downloaded via the TOR network and installed on the target system. By using the EternalBlue exploit in the SMB protocol, the malware can infiltrate unnoticed. At the same time, the affected computer tries to reach up to 10 more systems via the SMB port. This behavior is not unusual for many clients, so traditional antivirus programs do not initially detect the infection.

Defense countermeasures:

When malware executes, it performs processes that deviate from normal procedures. As soon as users of a system or network detect such deviations, they must act immediately by powering down the computer and disconnecting it from the network. Raising employee awareness of changes in the system is fundamental to reliable reporting, so that the appropriate emergency measures can be initiated immediately. This also includes applying security patches. The same applies to staying up to date on new threats, which allows companies to react much earlier to a worst-case scenario.

Stage 3: Encryption

Attack strategy:

The encryption process in Wanna Cry is not significantly different from that of other ransomware. The goal is to encrypt the system so that the victim can no longer access their files, rendering them useless. Each file is encrypted with a separate symmetric AES key. In addition, each AES key is encrypted separately with a 2048-bit RSA public key, making data recovery impossible for the user.

Defense countermeasures:

The main problem with the various types of ransomware is that no adequate decryptors exist for a large number of attacks, as was the case with Wanna Cry for quite some time. Only an early-warning system offers businesses the possibility of at least limiting the spread across the various systems in the network. With the help of Hornetsecurity Advanced Threat Protection (ATP) you can detect polymorphic viruses in emails in a timely manner, and as a result, a worst-case scenario can be restricted to a great extent.

Stage 4: The spread of Wanna Cry

Attack strategy:

Compared to other forms, Wanna Cry uses unpatched systems as an infection vector and spreads the ransomware at the network level via the EternalBlue exploit in the SMB protocol. This is an additional distribution method: normally, ransomware also spreads locally over the individual shared network drives.

Defense countermeasures:

Controlling network traffic – especially data exchange – can effectively help limit attacks of this nature. The main focus is on restricting access rights.

This is a key defense strategy against Wanna Cry. The access of workstations to sensitive corporate data in the network can be specifically restricted by suitable access management.

Access rights should always be configured so that only those file shares essential to the employees’ daily tasks are accessible to them.

Given these capabilities available to security officers and network administrators, ransomware attacks such as those caused by Wanna Cry can be limited.

Stage 5: The ransom payment

Attack strategy:

As we already know, an affected company needs a unique key for decryption to get its data back or regain access to its system or network. This key is only handed over to the victims if a ransom of a certain amount is paid in online currency (for example Bitcoin).

Defense countermeasures:

As an affected company it’s important to understand that paying a ransom does not necessarily mean regaining access to your data or network. A ransomware attack is an aggressive form of blackmail. For this reason, Hornetsecurity and other IT security experts advise against paying a ransom. After all, each payment encourages the perpetrators to keep using ransomware as a form of attack because it is so lucrative.

An emergency plan for the worst-case scenario is particularly important. In such a situation it may certainly be relevant and recommended to know in detail how a Bitcoin payment could be made by an employee through an online payment system. After all, this could ideally mean regaining access to the data. More important still is the implementation of business backup solutions that ultimately prevent the loss of files to a certain degree. The timing of the backup and the backup process are very important in this case. For example, if the backup is done on magnetic tapes, Wanna Cry cannot access it.
