How Threat Intelligence can Help to Thwart Ransomware Attacks


Threat intelligence is a great guide for responding to the continuous evolution of the criminal schemes we see attackers running today. Simply put, by understanding the types of attacks your peers and partners are experiencing, you can learn what you should be looking for on your network and in your information systems.

Most ransomware requires only one thing to take hold on your network—end-user interaction. An attacker can craft a single email with a malicious link or attachment and send out 100,000 copies in the hope of getting a 1% click-through rate.

Since the primary means of spreading these is email, digital criminals will use the names and logos of well-known organizations when creating their scam emails, which increases the likelihood that a user trusts the email and clicks the link. You should be suspicious of emails from shipping companies, postal services, and the like that require you to download a file to confirm receipt of an item or to follow a link to track it. This is especially true now, during the period when income earners in Singapore need to file their income tax returns: malicious actors will commonly use familiar logos and personal information to make people think they are getting a refund or are being audited.

Know your enemies

By properly researching the delivery methods and the behaviour of the major ransomware families, you can establish a baseline of the network indicators you should begin looking for with your threat intelligence arsenal. Understanding the nature of the communications between the various ransomware families and their command-and-control channels will help you work out which infection you have and whether there are countermeasures you can deploy. Additionally, by acting on these indicators, you can potentially stop the infection from spreading to other systems. I will elaborate on the details below.

Another source of indicators is a list of IPs and URLs associated with the command-and-control channels. You can get this information from either third-party premium or open source C&C feeds. Whether you subscribe to a third-party premium feed or rely on an open source one is your choice, but there is a price to pay for accurate and up-to-date threat intelligence. For critical enterprises, I would highly recommend subscribing to a reputable third-party feed provider. This data is incredibly useful because you can use it to block communication to and from the IPs and domains when you are attempting to interrupt the key exchanges. Keep in mind that the data is in constant flux, so stale data, which is more common in open source feeds, could lead you to miss malicious activity in your environment.

Below is a list of IP addresses and URLs of command-and-control channels used by the CryptoWall campaign.

[Image: Command & Control IP and URL]

Using the above information to create proactive measures on your DNS servers, firewalls, and proxies, preventing communication with, or resolution of, the IP addresses and URLs, you can lock down the communication channels and interrupt the kill chain associated with the ransomware. The downside is that there will be a lot of administrative work for change requests, and a time delay before the rule changes on your DNS servers, firewalls, proxies and so on are implemented.
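To make the feed handling and blocking described in this section and the one before it concrete, here is an added example that is not code from the original post or from any feed vendor. It merges two constructed indicator feeds (a "premium" and an "open" one, using TEST-NET addresses and .example domains), keeps the newest sighting per indicator, matches constructed Squid-style proxy and BIND-style DNS query log lines against them, and emits BIND RPZ records and iptables rules for fresh indicators only. The log layouts, the 30-day freshness window and the block/review split are assumptions of the example; an indicator whose last sighting is stale still produces a "review" hit rather than being silently dropped or blindly blocked, which is the stale-data problem the previous section warns about.

```python
"""Added example, not code from the original post: merge C2 indicator feeds, age them,
match proxy and DNS log lines against them, and emit block rules. All sample data is constructed."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed feeds, one indicator per line: value,last_seen,source.
# They overlap and disagree on freshness, as a premium and an open feed will.
PREMIUM_FEED = """\
198.51.100.23,2016-03-28,premium
c2-update.example,2016-03-29,premium
http://pay.example/gate.php,2016-03-27,premium
"""
OPEN_FEED = """\
198.51.100.23,2016-01-02,open
203.0.113.77,2015-11-15,open
old-gate.example,2015-10-01,open
"""
# Constructed log samples in a Squid-like and a BIND query-log-like layout.
PROXY_LOG = """\
1459209601.123 proxy1 10.0.0.5 TCP_MISS/200 GET http://pay.example/gate.php
1459209603.789 proxy1 10.0.0.9 TCP_TUNNEL/200 CONNECT 198.51.100.23:443
"""
DNS_LOG = """\
28-Mar-2016 12:00:01.000 client 10.0.0.5#53211: query: c2-update.example IN A
28-Mar-2016 12:00:02.000 client 10.0.0.9#53212: query: old-gate.example IN A
"""
NOW = datetime(2016, 3, 29, tzinfo=timezone.utc)  # constructed "current" date
MAX_AGE = timedelta(days=30)  # older sightings are alert-only, never auto-blocked

def classify(raw):
    """Normalise one indicator to (kind, value): ip, domain, or url as host+path."""
    if "://" in raw:
        parts = urlsplit(raw)
        return "url", (parts.hostname or "").lower() + parts.path
    try:
        return "ip", str(ipaddress.ip_address(raw))
    except ValueError:
        return "domain", raw.lower().rstrip(".")

def merge_feeds(feeds):
    """Union the feeds, keeping the newest sighting and every source per indicator."""
    merged = {}
    for text in feeds:
        for line in filter(None, text.splitlines()):
            raw, seen, source = (f.strip() for f in line.split(","))
            last_seen = datetime.strptime(seen, "%Y-%m-%d").replace(tzinfo=timezone.utc)
            entry = merged.setdefault(classify(raw), {"last_seen": last_seen, "sources": set()})
            entry["last_seen"] = max(entry["last_seen"], last_seen)
            entry["sources"].add(source)
    return merged

def is_fresh(entry, now):
    return now - entry["last_seen"] <= MAX_AGE

def lookup(indicators, target, now):
    """Match a URL, host:port or bare hostname; returns (indicator, action) or None."""
    if "://" in target:
        host = (urlsplit(target).hostname or "").lower()
        candidates = [classify(target)]  # exact URL match takes priority
    else:
        host = target.rsplit(":", 1)[0].lower().rstrip(".")
        candidates = []
    labels = host.split(".")  # then the address or host, then each parent domain
    candidates += [("ip", host)] + [("domain", ".".join(labels[i:])) for i in range(len(labels))]
    for key in candidates:
        if key in indicators:
            return key, "block" if is_fresh(indicators[key], now) else "review"
    return None

def scan_logs(indicators, proxy_log, dns_log, now):
    """Return (log, client, indicator, action) for each line that touches an indicator."""
    hits = []
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) >= 6 and (m := lookup(indicators, fields[5], now)):
            hits.append(("proxy", fields[2], m[0], m[1]))
    for line in dns_log.splitlines():
        q = re.search(r"client (\S+)#\d+: query: (\S+) IN", line)
        if q and (m := lookup(indicators, q.group(2), now)):
            hits.append(("dns", q.group(1), m[0], m[1]))
    return hits

def rpz_records(indicators, now):
    """BIND RPZ records returning NXDOMAIN for fresh C2 domains and their subdomains."""
    names = sorted(v for (k, v), e in indicators.items() if k == "domain" and is_fresh(e, now))
    return [f"{n} CNAME ." for n in names] + [f"*.{n} CNAME ." for n in names]

def firewall_rules(indicators, now):
    """iptables drop rules, outbound then inbound, for fresh C2 addresses only."""
    ips = sorted(v for (k, v), e in indicators.items() if k == "ip" and is_fresh(e, now))
    return [f"iptables -A {chain} {flag} {ip} -j DROP"
            for chain, flag in (("OUTPUT", "-d"), ("INPUT", "-s")) for ip in ips]

if __name__ == "__main__":
    iocs = merge_feeds([PREMIUM_FEED, OPEN_FEED])
    print(*scan_logs(iocs, PROXY_LOG, DNS_LOG, NOW), *rpz_records(iocs, NOW),
          *firewall_rules(iocs, NOW), sep="\n")
```

Running the script prints four hits (three "block", one "review" for the stale old-gate.example query) followed by the RPZ and iptables lines. The generated rules are output for your change-request process rather than applied directly, and URL indicators are matched only at the proxy: blocking a whole host at DNS because one path on it served a payload is a policy call, not something the feed alone justifies.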

Another place to interrupt the communications is the outbound command-and-control traffic itself, by leveraging what is known about the channels used for redirection to malspam websites and the known command-and-control channels.

There are Threat Intelligence Gateways (TIG) on the market now that ingest up-to-date threat intelligence data and perform near real-time mitigation by interrupting inbound and outbound command-and-control communications, alleviating the administrative nightmare for the security operations team and providing near real-time protection from malicious cyber attacks.

Summary

As you can imagine, compiling, maintaining, and updating the lists of known C2 channels across your various technologies is a gruelling task, as there is no single repository of every known ransomware command-and-control channel, email subject line, SHA256 hash, and attachment filename.

This means you need to develop practices that leverage multiple sources of intelligence and feed them into a system in which you can visualize the indicators in a meaningful manner. Hence, if budget permits, you should invest in a reputable, open-architecture TIP (Threat Intelligence Platform) that greatly helps your analysis, investigation and mitigation of the threats facing your organization.

Love to hear any comments that you may have.

Cheers!

Ken