Ransomware has made headlines for many years, because of its notorious reputation for business disruption, shutting down critical infrastructure (Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom), and even death (Ransomware attack might have caused another death). From Ransomware for Dummies: Ransomware is malicious software (malware) used in a cyberattack to encrypt the victim’s data with an encryption key that is known only to the attacker, thereby rendering the data unusable until a ransom payment (usually a cryptocurrency, such as Bitcoin) is made by the victim.
Ransomware is commonly delivered through exploit kits, waterhole attacks (in which one or more websites that an organization frequently visits are infected with malware), malvertising (malicious advertising), or email phishing campaigns (see Figure 1).
Unfortunately, there are no signs of bad actors slowing down(Ransomware Attacks Are Spiking. Is Your Company Prepared?) and why would they, when the payouts are only increasing:
Most organizations have invested in the right security technology and put into place many controls to minimize risk, but is it enough? One of the best examples, of the devastating effect of ransomware, is NotPetya. In minutes, NotPetya:
It doesn't matter how fast you type or what your incident response plan contains, ransomware is just as fast or faster at destruction.
Completely preventing ransomware infection is almost impossible. However, organizations can minimize their attack surface and limit the blast radius, in effect, limiting their ability to find the path of least resistance and quickly move across a compromised network. While there’s no panacea to stopping a ransomware attack from occurring, implementing a zero trust architecture enables organizations to contain the damage of an attack, limiting the extent to which an incident can cause damage and the impact of refusing to pay the ransom. Reducing the scope and impact of a ransomware attack is where zero trust excels. In order to understand how zero trust architecture is critical in a ransomware defense strategy, you must go a little deeper into the attack kill chain of ransomware. Microsoft describes the lateral movement and the attack chain in an article:
Attackers move laterally to escalate privileges or to steal information from specific machines in a compromised network. Lateral movement typically involves adversaries attempting to co-opt legitimate management and business operation capabilities, including applications such as Server Message Block (SMB), Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), and Remote Desktop Protocol (RDP). Attackers targeft these technologies that have legitimate uses in maintaining functionality of a network because they provide ample opportunities to blend in with large volumes of expected telemetry and provide paths to their objectives. More recently, we have observed attackers performing lateral movement, and then using the aforementioned WMI or SMB to deploy ransomware or data-wiping malware to multiple target machines in the network.
A recent attack from the PARINACOTA group, known for human-operated attacks that deploy the Wadhrama ransomware, is notable for its use of multiple methods for lateral movement. After gaining initial access to an internet-facing server via RDP brute force, the attackers searched for additional vulnerable machines in the network by scanning on ports 3389 (RDP), 445 (SMB), and 22 (SSH).
The adversaries downloaded and used Hydra to brute force targets via SMB and SSH. In addition, they used credentials that they stole through credential dumping using Mimikatz to sign into multiple other server machines via Remote Desktop. On all additional machines they were able to access, the attackers performed mainly the same activities, dumping credentials and searching for valuable information.
Figure 2: PARINACOTA attack with multiple lateral movement methods
Most ransomware kill chains include some form of credential dumping or password attacks and lateral movement. Cisco Talos explores other examples, including the nefarious WannaCry, in their useful blog post: Back to Basics: Worm Defense in the Ransomware Age. Many of the recommendations align directly with ModernCyber's Zero Trust Principals:
In the example of WannaCry, along with limiting the lateral movement, an organization would've highly benefited from blocking connections to TOR nodes and TOR traffic on their networks. No matter what your college intern tells you, TOR is not something typically utilized across any industry (Manufacturing, Healthcare, Financial, Education, Government, etc.). If the organization were enforcing risk-based least privilege, Tor, a high-risk, low-business-relevant application, would be denied. Even if your organization has a researcher or research group that needs tor for their mission or goals, in a least privileged model, the policy would only allow the limited usage of the application. In May of 2021, President Biden signed an executive order, in response to the number of incidents and damage caused by ransomware. The order calls on the Federal Government to take decisive steps to modernize its approach to cybersecurity including how they must advance toward Zero Trust Architecture:
In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.
If you've read this far into the post, you probably don't already have a full zero trust architecture implemented yet and that is ok. While zero trust should be your strategic goal for cybersecurity, many don't realize that there are many practical and easy ways to start introducing zero trust principals into your organization. Figure 3 illustrates the Practical Ways to Reduce Ransomware Impact and some of the security controls and technologies to apply.
While, these are not directly aligned to zero trust they all can be implemented using zero trust principals. Honestly, there are hundreds, if not thousands of secuirty technologies and controls that help overall with ransomware, but to help focus efforts, here are ModernCyber's top 5 zero trust capabilties that can make an impact in reducing the risk of ransomware:
While enforcing risk-based least privilege is the ultimate goal, it is much easier to implement explicit deny access control lists (ACLs) to stop lateral movement. The key requirement is to ensure you are able to enforce the policy between devices that could be on the same physical or virtual network (east-west segmentation). Whether it is 2 workloads in the subnet or two laptops on the same access point (AP), the best place to start is by blocking the most common protocols and ports used for ransomware propagation. These include MS-SMB (TCP Port 445), MS-RPC and WMI (TCP Port 135), PowerShell Remote (TCP Port 5985-5986), RDP (TCP Port 3389), SSH (TCP Port 22).
A majority of breaches involved compromised credentials. MFA can be deployed rapidly and integrated with existing access methods and applications to ensure ransomware can't use that password to cause havoc. Don't forget about the machine and local accounts on devices. While not everything supports MFA, a unique strong password per device should be used to reduce the risk of credential dumping & brute force attacks.
Start by using asset discovery and visibility to inventory the protected surface and understand the security posture of each device. Establish device trust and consistently enforce posture policies before access to networks, applications, or data, i.e. up-to-date security tools, encryption-at-rest, etc. Patch vulnerabilities quickly by automating and optimizing patch management. Ensure proper controls for primary infection points: email, web & rdp. Implement a backup and recovery plan including write once read many (WORM) storage and TEST!
Stop implicitly trusting new applications or communications on devices or networks. Default deny statements in your firewalls, web security, security groups, etc., should be used for both inbound and outbound policies. Yes, that means turning off outbound ICMP traffic from all devices and quit allowing outbound email and DNS requests. Use a network analytics tool to audit traffic patterns, with the eventual goal of orchestration of least privilege policy. On endpoints & workloads, implement application whitelisting. In the cloud, use least privilege IAM policies!
Ensure when the indicators of ransomware occur, such as command and control communications or internal scanning, Security Orchestration, Automation, and Response (SOAR) can programmatically contain the source of the incident. Containment or revoking trusted access, can be done via network segmentation, Identity & Access Management (IAM) attributes, or via dynamic policies.
Irregardless of your zero trust strategy, maturity, or architecture, the top 5 tactical zero trust capabilities can be used to immediately start reducing the risk of ransomware and other threats too!
With no doubts about the benefits of zero trust in the defense against ransomware, it should be a question of ""when"" and ""how"" your organization will implement the zero trust principals that minimize the risk and blast radius. Ensuring your zero trust journey has tactical milestones to minimize the impact of incidents or breaches should be a top priority. Least privilege could take years to become ubiquitous in your organization, but blocking the common communication used for lateral movement and reducing your attack surface can be done in days or weeks. Get in touch to discuss how to accelerate the time to value in your zero trust journey.
Download a copy of our top 5 zero trust capabilities for ransomware defense infographic: