Ransomware Distribution: How One Infection Can Go Network-Wide
How data leakage and encrypting malware go hand in hand
There’s one thing we noticed about ransomware: ever since it became a mainstream, serious security threat, people have been focusing mainly on encryption. While that is certainly one of the most damaging effects of encrypting ransomware, it’s not the only one companies should be worried about.
Ransomware hits and their victims have been all over the news lately (MedStar Health, tens of US federal agencies). With attacks multiplying and new types of encrypting malware coming out (Locky, Petya), CISOs and IT administrators should look beyond the obvious to protect their networks against these powerful threats.
From one to all: how data leakage and ransomware are connected
What most people don’t know is that a ransomware attack that takes an entire network down and causes business disruption can start with a single infected computer.
Because they operate as a business, ransomware creators are focused on diversifying their “assets”, just as investors do. So when they launch an attack, they try to harvest as much data from the affected endpoint as possible, before the encryption kicks in and the countdown for the ransom payment starts.
We’ve seen this happen with every major malware strain out there:
- CryptoLocker 2: collected email addresses from the infected PC so they could be used in later spam campaigns;
- CoreBOT: capable of retrieving information about the PC that fell victim and sending it to C&C servers controlled by cyber criminals;
- TeslaCrypt 4.0: leaks the infected computer’s Windows operating system key, its unique identifier (MachineGuid) and more, while also enrolling the machine into a botnet;
- CryptoWall 4.0: able to steal credentials through the Pony infostealer, which is usually the first payload dropped onto infected systems.
Now picture this: the computer used by the IT administrator, or a PC you’re using to manage other endpoints in your network, gets hit by ransomware. Because the latest ransomware boasts advanced data leakage capabilities, it can end up stealing usernames and passwords for open TeamViewer sessions or remote desktop connections, network server logins and remote procedure call systems. And, mind this, the situation is not at all improbable. It actually happened last week.
And if IT admins or users themselves make the fatal mistake of reusing passwords, then cyber criminals have the perfect setup to distribute their ransomware like wildfire, infecting the entire network. After news emerged about ransomware being delivered through TeamViewer, the company put out a statement that highlights exactly that:
Careless use is at the bottom of the cases we currently looked at. This particularly includes the use of the same password across multiple user accounts with various suppliers.
At Heimdal, we would like to highlight that this can happen to any network login service or remote command execution service, not just to TeamViewer. The recent case mentioned above is not even TeamViewer’s fault, as they have set up adequate security measures. Cyber criminals can get their hands on credentials using any remote access service, gaining the ability to execute malicious code on all the computers in the network by using the admin passwords.
As TeamViewer is a widely spread software, many online criminals attempt to log on with the data of compromised accounts (which they obtained through the aforementioned sources), in order to find out whether there is a corresponding TeamViewer account with the same credentials. If this is the case, chances are they can access all assigned devices, in order to install malware or ransomware.
And this all happens before the point of no return when the data encryption starts. Consequently, a small, one-device ransomware or botnet infection leading to data leakage is not just a major privacy breach threat for companies big or small. It also becomes a gateway for company-wide infections that can cause major problems in terms of business continuity, legal issues and customer trust, to name a few aspects.
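The spread described above has a detectable shape on the defender’s side: one set of stolen credentials opening remote sessions to many machines in quick succession. The script below is an added illustration, not code from the Heimdal post or any product it mentions. It runs over a constructed, simplified export of Windows Security logon events and flags any account whose remote interactive logons reach more than a handful of distinct hosts inside a short sliding window. Event ID 4624 and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the CSV layout, hostnames, account names and thresholds are assumptions of this example.

```python
"""Flag an account that opens remote interactive logons to many hosts in a short window.

Added illustration, not code from the Heimdal post. The event records below are
constructed; the field layout (timestamp, event id, logon type, account, source IP,
target host) is a simplified stand-in for what a SIEM would export from Windows
Security logs. Event ID 4624 and logon type 10 (RemoteInteractive / RDP) are the
real Windows values; everything else is an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event id, logon type, account, source IP, target host
SAMPLE_EVENTS = """\
2016-04-04T09:00:12,4624,10,CORP\\itadmin,10.0.0.15,HR-PC-01
2016-04-04T09:00:40,4624,10,CORP\\itadmin,10.0.0.15,HR-PC-02
2016-04-04T09:01:03,4624,10,CORP\\itadmin,10.0.0.15,FIN-PC-07
2016-04-04T09:01:31,4624,10,CORP\\itadmin,10.0.0.15,FIN-PC-09
2016-04-04T09:02:10,4624,10,CORP\\itadmin,10.0.0.15,FILESRV-01
2016-04-04T09:02:55,4624,10,CORP\\itadmin,10.0.0.15,FILESRV-02
2016-04-04T09:05:00,4624,2,CORP\\jdoe,10.0.0.44,HR-PC-03
2016-04-04T11:30:00,4624,10,CORP\\helpdesk,10.0.0.20,HR-PC-05
2016-04-04T14:10:00,4624,10,CORP\\helpdesk,10.0.0.20,FIN-PC-02
"""

LOGON_EVENT = "4624"       # Windows Security event: an account was successfully logged on
REMOTE_INTERACTIVE = "10"  # Windows logon type 10: RemoteInteractive (RDP)


def parse_events(text):
    """Turn the CSV-like export into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source, target = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "source": source,
            "target": target,
        })
    return events


def find_fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {account: sorted hosts} for every account whose remote interactive
    logons reach more than max_hosts distinct targets inside any sliding window."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == LOGON_EVENT and ev["logon_type"] == REMOTE_INTERACTIVE:
            per_account[ev["account"]].append(ev)

    alerts = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Advance the left edge until the window spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["target"] for e in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    for account, hosts in find_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account}: remote logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed data only the admin account trips the rule: six hosts inside three minutes. The helpdesk account also uses remote sessions, but two hosts hours apart stays under the threshold, which is the point of keying the rule on distinct targets per window rather than on remote logons as such.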
Small vulnerabilities could spell big trouble
The smaller the vulnerabilities and infections, the more time it takes for CISOs and IT admins to detect a security breach or a cyber attack. And fileless malware doesn’t make things easier for anyone (except for the cyber criminals who created it).
Security vulnerabilities considered smaller are often brought on by a lack of adequate patching. An outdated browser or a plugin running an older version is often the way in for cyber criminals and their malicious tools. Here is a concrete example from the Cisco Annual Security Report 2016:
However, even with the narrowed time window for TTD, some threats remain harder to detect than others. Downloaders that target Microsoft Word users are typically the easiest to detect (<20 hours). Adware and browser injections are among the most difficult threats to detect (<200 hours).
One reason the latter threats are so challenging to detect is that they are typically designated as a lower priority by security teams, and are therefore often overlooked in the race to deflect adversaries’ onslaught of zero-day attacks.
If CISOs or IT admins had a detailed overview of their environment, they’d be able to patch those outdated endpoints and close these vulnerabilities. Left unpatched, the security holes can be exploited by ransomware to spread its devastating effects. So automating patching can not only save money and precious time you can spend elsewhere, but, more importantly, it can block threats before they turn into full-blown attacks:
According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented by applying a security patch.
Also, keep in mind that malware keeps advancing in sophistication while detection times in companies remain very high, according to the same report by Cisco:
Since May 2015, Cisco has reduced the median time to detection (TTD) of known threats in our networks to about 17 hours—less than one day. This far outpaces the current industry estimate for TTD, which is 100 to 200 days.
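The “detailed overview of their environment” that the paragraph above asks for is, in practice, an inventory of what is installed where, compared against a patch baseline. The script below is an added illustration, not code from the Heimdal post or from Cisco; every product name, version number and hostname in it is constructed, and a real deployment would pull the inventory from its asset or patch-management tool and the baseline from vendor advisories. It parses dotted version strings, reports every endpoint running something below the baseline, and lists admin machines first, since, as the post explains, their credentials reach every other endpoint.

```python
"""Audit an endpoint inventory for software below the version the patch baseline requires.

Added illustration, not code from the Heimdal post. The inventory, the product
names and the baseline versions are all constructed placeholders.
"""
from collections import defaultdict


def parse_version(text):
    """'45.0.2' -> (45, 0, 2). Non-numeric suffixes are dropped, so '3.1b' -> (3, 1)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed, required):
    """True when installed < required, comparing component by component."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so that (45, 0) == (45, 0, 0)
    b += (0,) * (n - len(b))
    return a < b


# Constructed baseline: minimum version considered patched for each product.
BASELINE = {
    "web-browser": "45.0.2",
    "document-plugin": "21.0.0",
    "media-plugin": "11.5",
    "office-suite": "16.0.4",
}

# Constructed inventory: (hostname, product, installed version, role of the machine)
INVENTORY = [
    ("IT-ADMIN-01", "web-browser", "44.0.1", "admin"),
    ("IT-ADMIN-01", "document-plugin", "21.0.0", "admin"),
    ("HR-PC-01", "web-browser", "45.0.2", "user"),
    ("HR-PC-01", "media-plugin", "10.3", "user"),
    ("FIN-PC-07", "office-suite", "16.0.4", "user"),
    ("FIN-PC-07", "media-plugin", "11.5", "user"),
    ("FILESRV-01", "web-browser", "39.0", "server"),
    ("FILESRV-01", "unlisted-tool", "1.0", "server"),  # no baseline entry: reported separately
]


def audit(inventory, baseline):
    """Return (findings, unknown).

    findings: {host: [(product, installed, required), ...]} for outdated software;
    unknown:  set of products that have no baseline entry and so cannot be judged.
    """
    findings = defaultdict(list)
    unknown = set()
    for host, product, installed, _role in inventory:
        required = baseline.get(product)
        if required is None:
            unknown.add(product)
        elif is_outdated(installed, required):
            findings[host].append((product, installed, required))
    return dict(findings), unknown


def prioritize(inventory, findings):
    """Order hosts to patch: admin machines first, then servers, then users; ties by count."""
    role = {host: r for host, _p, _v, r in inventory}
    rank = {"admin": 0, "server": 1, "user": 2}
    return sorted(findings, key=lambda h: (rank.get(role[h], 3), -len(findings[h]), h))


if __name__ == "__main__":
    findings, unknown = audit(INVENTORY, BASELINE)
    for host in prioritize(INVENTORY, findings):
        for product, installed, required in findings[host]:
            print(f"{host}: {product} {installed} is below baseline {required}")
    if unknown:
        print("No baseline for:", ", ".join(sorted(unknown)))
```

Products with no baseline entry are reported instead of silently passed, because an inventory that cannot judge a piece of software is exactly the gap that goes unpatched for months.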
How to secure your endpoints against ransomware
Following through on a few key action points can help you better mitigate the risk of a network-wide ransomware attack. Here are some aspects to take into consideration:
Constant backups are a must! It’s important to use a backup location that is not directly connected to the local system, such as a cloud account or an external drive that is disconnected after the backup, because ransomware can also encrypt data on locations that remain connected.
Teach your colleagues to never download or click on .zip or other type of attachments received in emails from unknown senders. This is the main method of distribution for ransomware threats. Only download attachments from known email addresses and scan any suspicious-looking attachment with a trusted and reputed antivirus product.
Instruct employees to never click links in emails from unknown senders. These links could redirect them to malicious websites that host ransomware. VirusTotal is a great tool to use to verify if a domain is safe or not.
Keep your endpoints’ operating systems and software up-to-date with the latest security updates. As you already know, another important ransomware distribution vector is using security exploits in vulnerable applications. To make things easier and save time and energy, use a tool that does this job for you automatically and without disturbing your colleagues’ work.
Use a reliable antivirus product that includes an automatic update module and a real-time scanner to detect any suspect behavior. While antivirus is a reactive way to handle cyber security, it is still a necessary component for protecting any corporate or institutional network.
Since most antivirus products do not detect the latest ransomware variants, or rather the downloaders that bring the malicious content into the system, we recommend using a specialized tool against financial malware and ransomware that can block the infected locations before they download the encryption module onto your computers and encrypt the data.
Follow the common sense guidelines to improve your network’s cyber safety. Teach employees to avoid questionable websites, never click links in unrequested emails or in unknown web pages and do not disclose personal or professional information on social media sites.
Never use the administrator account on any of the computers in your environment. Instead, use accounts that have access only to the need-to-have and need-to-know information. This way, you can prevent escalation of privilege and other types of infiltration into your system.
Do not keep the computers you use for business connected in a local network. As you saw, ransomware is capable of encrypting not only the data on the computer where the infection succeeded, but also on all the other computers that are connected to it through a local network. By keeping the computers isolated, you have a better fighting chance against this threat.
Teach your employees and anyone who has access to your computer(s) about these safety regulations and make it a requirement that they learn about the basics of cyber security. This can be an important investment in safeguarding your company’s data and ensuring business continuity.
It’s high time everyone understood that the consequences of ransomware attacks go beyond data encryption. Data leakage is a huge risk that’s always attached to these types of cyber criminal hits, and we’ve all seen them disrupt business flows and cause financial and credibility loss.