
Enhance defense capabilities against Ransomware attacks

Originating from attacks that encrypted data on floppy disks in the 1980s, ransomware has evolved from a niche security issue into a major threat in the form of Ransomware-as-a-Service (RaaS), and it now poses a serious financial risk to businesses.

Ransomware-as-a-Service (RaaS) is a business model in the cybercrime world: hacker groups supply ready-made malware to anyone who wants to run a targeted attack, even customers with no IT knowledge. With the arrival of the Industry 4.0 era, access to these illegal services has become easier than ever, which has driven a rapid increase in ransomware attacks against large organizations, corporations, small companies, and ordinary users alike.

Figure 1: The development of ransomware - Source: Pentera

Ransomware has come a long way. From locker ransomware that merely scared users by locking their computers, it has grown into a billion-dollar criminal industry. Today's ransomware not only encrypts victims' data but also steals critical data and uses that sensitive information to extort the victim. The extortion can come in waves, with the demanded amount potentially doubling or tripling after each notice the victim receives, causing severe damage. More dangerously, hacker groups can use RaaS to collaborate in widespread attack campaigns, threatening global cybersecurity.

Three Stages of a Ransomware Attack

Although they are operated by different hacker groups and appear under many names and with many features, ransomware attacks share a common methodology and the same deployment and execution stages. Encryption never starts the moment the attackers gain a foothold in the victim's system. The stages can be listed as follows:

  1. Pre-Encryption: This is the groundwork stage. Before launching an attack, hackers need to perform essential actions to maximize potential damage while minimizing detection by system defenses. Some necessary actions in this stage include:

    • Preventing system backups: Backups and shadow copies are deleted to prevent system recovery.

    • Establishing persistence: Injecting malware into legitimate programs and processes to hide its presence and establish persistence in the infected system.

    • Initializing a Mutex: Short for Mutual Exclusion Object, a mutex is a synchronization mechanism in programming that controls access by multiple threads to a shared resource, preventing conflicts or inconsistent states when several threads try to use the resource at the same time. Creating a mutex on the infected system lets the ransomware guarantee that only one instance of itself runs, so that it operates without interruptions or conflicts.

  2. Encryption: Once the setups in the Pre-Encryption stage are complete, the ransomware attack officially begins. These ransomware programs can act aggressively, encrypting all data on the system in just a few minutes, or they can quietly encrypt data and notify the victim only after the process is complete.

  3. Post-Encryption: This is the final stage of the attack, in which all of the victim's data has been encrypted. The hackers leave a ransom note, either displayed on the system's screen or dropped in the folders alongside the encrypted files. At this point the victim must choose between paying (usually to a cryptocurrency wallet) and incurring the high cost of hiring a cybersecurity team to recover the data. During this stage, the hackers also monitor the victim's activities and reactions through C2 (Command & Control) servers in order to tailor the ransom demand to each victim.

From a security perspective, ransomware attacks can be completely prevented by actively monitoring IOCs (Indicators of Compromise). As cyberattacks grow in number and complexity, this is a powerful approach: the collected indicators allow defensive solutions to detect and stop an attack early.

IOCs: Early Warning Signs

IOCs (Indicators of Compromise) are the most important factor in preventing ransomware attacks. Through the collected indicators, defensive measures can detect early signs of dangerous behavior in the system, such as:

  1. Shadow copy deletion: Actions that destroy the system's ability to recover, such as deleting backups or shadow copies, leave distinct indicators that can be detected as IOCs. On Windows, ransomware typically runs a command such as vssadmin.exe delete shadows (from PowerShell or the command prompt), ensuring that all data stays locked and increasing the pressure on the victim to pay for recovery of the encrypted data.

  2. Mutex creation: The mutex prevents multiple instances of the malware from running at the same time on the victim's system, so that the encryption process proceeds smoothly. Taking advantage of this characteristic, some defensive measures rely on known IOCs to create the same mutex in advance, deceiving the malware into believing it is already running and stopping the encryption before it starts.

  3. Process injection: Helps the malware avoid detection on the system. Common injection techniques include DLL Injection (loading malicious code into a legitimate program), Reflective DLL Loading (bypassing protection by loading a DLL directly into memory without ever writing it to disk), and APC Injection (queuing malicious code to run inside a thread of a legitimate process through Asynchronous Procedure Calls).

  4. Service termination: To ensure encryption is not interrupted and to prevent data recovery during the attack, ransomware disables security services such as antivirus software, EDR agents, backup agents, and system databases. It does this through administrative commands or APIs, for example taskkill /F /IM MsMpEng.exe, which forcibly terminates the Windows Defender antivirus engine process.
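To make indicators 1 and 4 above concrete, the following added example (not from the article or from Pentera) runs simple detection rules over a batch of constructed process-creation records. The record shape (image, command line, parent image) and the protected-process list are assumptions; the vssadmin and taskkill commands are the ones the text names.

```python
import re

# Constructed process-creation telemetry shaped like Sysmon Event ID 1
# (image, command line, parent image). Sample records, not real logs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\taskkill.exe",
     "command_line": "taskkill /F /IM MsMpEng.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows",  # legitimate admin query
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# Shadow-copy deletion: the vssadmin form from the article plus the WMIC equivalent.
SHADOW_DELETE_RULES = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
]
# Forced kill of a protected process via "taskkill ... /IM <image>". The image
# list is illustrative: MsMpEng.exe is Defender's engine, sqlservr.exe is SQL Server.
TASKKILL_RULE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.I)
PROTECTED_IMAGES = {"msmpeng.exe", "sqlservr.exe"}


def detect(event):
    """Return the IOC category one process-creation event matches, or None."""
    cmd = event["command_line"]
    if any(rule.search(cmd) for rule in SHADOW_DELETE_RULES):
        return "shadow_copy_deletion"
    match = TASKKILL_RULE.search(cmd)
    if match and match.group(1).lower() in PROTECTED_IMAGES:
        return "service_termination"
    return None


def scan(events):
    """Run detect() over a batch; return (category, parent image, command) per hit."""
    hits = []
    for event in events:
        category = detect(event)
        if category:
            hits.append((category, event["parent_image"], event["command_line"]))
    return hits


if __name__ == "__main__":
    for category, parent, cmd in scan(SAMPLE_EVENTS):
        print(f"{category:<22} parent={parent}  cmd={cmd}")
```

The read-only "vssadmin.exe list shadows" record is deliberately left unflagged so that routine administration does not trigger the rule; the parent image is returned with each hit so an analyst can weigh a launch from a temporary directory differently from one from an admin shell.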

Proactive Measures Against Ransomware Attacks

In reality, many organizations, corporations, and large businesses assess their internal security very infrequently, sometimes only once a year. This gives attackers a wide window in which to gain access and cause substantial damage. Ransomware is constantly evolving, and a protection system that is not regularly assessed and updated with fresh IOCs becomes ineffective and easy to bypass, failing at its primary responsibility of preventing attacks on the system.

Figure 2: Steps to maintain protection against ransomware attacks - Source: Pentera

It must be recognized that systems are always at risk of ransomware attacks and that no security solution offers complete protection. Organizations, corporations, and businesses need to conduct regular assessments, or run an automated process, to evaluate how well their systems hold up against ransomware attacks.

Building a team ready to respond to ransomware attacks is essential for organizations, corporations, and businesses. A SOC (Security Operations Center) is responsible for 24/7 security monitoring, detecting suspicious signs and behaviors, and acting in time to stop any activity that could lead to a ransomware attack on the system. Regular simulation exercises further improve the incident response capability of the SOC in particular and the organization in general, making this defensive unit more proactive and confident in handling future incidents.

References

  1. PENTERA: Continuous Ransomware Validation: Why Annual Testing Isn’t Enough

  2. The Hacker News: Becoming Ransomware Ready: Why Continuous Validation Is Your Best Defense
