Ransomware: Victims have small window of opportunity to stop an attack dead in its tracks
As ransomware proliferates in healthcare, researchers are gaining a better understanding of the malicious code. The latest finding: while it may appear that hospitals hit by a ransomware attack are automatically held hostage, one security specialist said that is not exactly the case.
“Recent strains understand how to move around a network, to encrypt not only files on employees’ end-points, but also on networked file shares. The impacts to healthcare organizations are therefore growing exponentially,” said Nir Polak, CEO of data security vendor Exabeam. “But this also means that encryption of larger data-sets will take more time, and therefore these firms have a window for detecting and stopping ransomware.”
In a new report titled “Threat Research Report: Anatomy of a Ransomware Attack,” Exabeam offers tips to healthcare organizations stung by the persistent pounding of ransomware. To help guide its recommendations for handling a ransomware infection, Exabeam said it detonated various strains of malware in its tech lab and recorded the effects.
Exabeam pointed to the old adage an ounce of prevention is worth a pound of cure.
“Stopping ransomware before it gets a foothold in an organization would be ideal; this is possible to do [when] distribution is happening via an e-mail or drive-by-download,” the company said in the report. “There are vendors working hard at finding ways to reduce the viability of ransomware distribution campaigns by defending web sites from infection to prevent watering hole and drive-by-download attacks, by preventing spam messaging from reaching recipients, and by scanning executables for signs of ransomware.”
While Exabeam describes these efforts as welcome, it said infection remains a very real risk, and that if industries across the spectrum have learned anything from anti-virus technologies, it is that there is no silver bullet for security. Attackers evolve their distribution methods and find more inventive ways to infect organizations.
Ransomware is often detected only after the damage has been done, when the malware has already reached the payday stage and a ransom is demanded, the Exabeam report stated.
“Fortunately, between the infection and encryption phases, there is an opportunity to disrupt the process,” Exabeam explained. “During these phases, ransomware needs to install itself, prepare to persist past rebooting, identify vulnerable files, and finally encrypt those files. All of these things take time, albeit in some cases not a lot of it. Depending on the type of environment a victim has, scanning and encryption may take anywhere from minutes to hours.”
That means it is critical for security analysts to detect and interrupt the ransomware “kill chain” during that window of opportunity.
By doing so, they can stop the spread of the infection and quarantine affected machines, removing them from a network until they can be treated.
During Exabeam’s lab analysis, the vendor noticed a consistent trend among the various ransomware specimens it dissected: frequent change.
“Each software updated itself daily, such that we didn’t observe a single piece of ransomware that remained unchanged for longer than a 24-hour period,” the report said. “This provides ransomware networks the benefit of remaining one step ahead of the anti-virus vendors, signature-based security solutions and threat intelligence solutions, since any signatures, domains or IP addresses associated with the ransomware would be obsolete within a 24-hour period.”
So when signatures are absent or ineffective, detection must rely on other approaches, Exabeam said.
“We found that ransomware can be reliably detected using behavioral modeling,” Exabeam explained. “Based on the goal of reaching the payday or ransom stage of an infection, these programs logically must first distribute themselves, infect a system, stage their environment, scan for data to encrypt, encrypt it, and then finally inform the users what it has done.”
That is where behavioral modeling can work, though it still requires training users to recognize and avoid ransomware attacks in the first place. What’s more, the fact that ransomware has such a specific goal makes it easier to define a kill chain for it.
Each stage in the kill chain has specific activities that must happen to complete that stage, and those activities manifest in log artifacts as actions taken under the infected user’s account, the report explained. Those artifacts include file activity logs, registry tracking logs and end-point security system alerts, among others.
“By analyzing all log artifacts from a specific environment, both good and bad, and tying them back to specific users, the timelines of each user’s daily activity can be created,” the report said. “Behavioral modeling can then determine what is normal and abnormal behavior for these users and identify anomalies associated with ransomware in real time.”
Such behavioral modeling must make use of automated techniques to accomplish this type of analysis within a given window of opportunity in the ransomware kill chain, Exabeam said. Relying on the analysis of people to piece together signs of a ransomware infection would be error-prone and time-consuming, the company argued, and as a result detection of ransomware before the payday stage would be highly unlikely.
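The per-user timeline and anomaly logic described above, as an added illustration that is not code from Exabeam or the report: file-activity log lines are tied back to each user, a write-rate baseline is built from that user's earlier activity, and a sudden burst of writes spanning several directories (the end-point plus a network share) is flagged automatically. The log format, thresholds and sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample of file-activity log lines ("<ISO time> <user> <action> <path>"),
# not taken from the report. Alice's lines model a normal workday; Bob's final
# lines model the encryption phase hitting both his end-point and a network share.
SAMPLE_LOG = """\
2016-03-01T09:00:05 alice WRITE C:\\Users\\alice\\Documents\\budget.xlsx
2016-03-01T09:12:40 alice WRITE C:\\Users\\alice\\Documents\\notes.docx
2016-03-01T10:30:11 alice WRITE \\\\fileserver\\radiology\\report_112.pdf
2016-03-01T11:45:00 alice WRITE C:\\Users\\alice\\Documents\\budget.xlsx
2016-03-01T09:05:00 bob WRITE C:\\Users\\bob\\Desktop\\todo.txt
2016-03-01T14:02:01 bob WRITE \\\\fileserver\\billing\\claim_01.docx
2016-03-01T14:02:02 bob WRITE \\\\fileserver\\billing\\claim_02.docx
2016-03-01T14:02:02 bob WRITE \\\\fileserver\\billing\\claim_03.docx
2016-03-01T14:02:03 bob WRITE \\\\fileserver\\billing\\claim_04.docx
2016-03-01T14:02:03 bob WRITE C:\\Users\\bob\\Desktop\\todo.txt
2016-03-01T14:02:04 bob WRITE C:\\Users\\bob\\Desktop\\README_DECRYPT.txt
"""

def user_timelines(log):
    """Tie each WRITE event back to a user and sort it into that user's timeline."""
    timelines = defaultdict(list)
    for line in log.splitlines():
        ts, user, action, path = line.split(" ", 3)
        if action == "WRITE":
            timelines[user].append((datetime.fromisoformat(ts), path))
    for events in timelines.values():
        events.sort()
    return timelines

def detect_bursts(log, window=timedelta(seconds=60), min_writes=5, min_dirs=2, ratio=20.0):
    """Flag a user whose write rate inside one window far exceeds that user's own
    earlier rate and spans several directories (the sweep across shares the report describes)."""
    alerts = []
    for user, events in user_timelines(log).items():
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start < window]
            dirs = {ntpath.dirname(p) for _, p in burst}
            hours_before = max((start - events[0][0]).total_seconds() / 3600, 1 / 60)
            baseline_per_h = i / hours_before            # this user's writes per hour so far
            burst_per_h = len(burst) * 3600 / window.total_seconds()
            if (len(burst) >= min_writes and len(dirs) >= min_dirs
                    and burst_per_h >= ratio * max(baseline_per_h, 1.0)):
                alerts.append((user, start.isoformat(), len(burst), sorted(dirs)))
                break  # one alert per user is enough to trigger quarantine
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print("ALERT", alert)
```

In a real deployment the baseline would come from days of history rather than the same morning, and the alert would feed the quarantine step the article describes.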
Exabeam explained that ransomware, while distinct from other malware, still exhibits several tell-tale signs that can reveal an infection that is underway.
“By analyzing users’ day-to-day behavior in real time for anomalies, it may be possible to detect early warning signs and stop a ransomware infection dead in its tracks,” the report said.