Workload and Application Security Blog

Ransomware: A Thriving Business

Written by Virsec | Jun 23, 2021 3:54:20 PM

Ransomware has become an industry unto itself, crippling organizations around the world. Some ransomware attacks, such as the recent ones perpetrated against the Colonial Pipeline, JBS, and Acer, are discovered quickly. Others can go undetected for longer periods of time, allowing ransomware operators to exploit networks for days or even weeks before the breach is discovered.

John Chambers, former CEO of Cisco and current CEO and founder of JC2 Ventures, told Yahoo Finance that he considers cybersecurity one of the top three issues facing corporate boardrooms. With an expected 65,000 attacks to hit US companies alone this year, experts state that companies fall victim to ransomware every 11 seconds. In the time it took to read this sentence, one of your colleagues has been hit.

Ransomware-As-A-Service (RaaS): A Lucrative Business Model

A business model should be flexible, profitable, and able to adapt to changing conditions. It must also nimbly stay ahead of the competition and manage adverse conditions to keep building revenue. Few “as-a-service” models have been more successful than ransomware at meeting these objectives. As the events of the COVID-19 pandemic have shown, it is more imperative than ever that enterprise organizations have the right solutions in place to avoid falling victim to ransomware attacks.

Living Off the Land

Ransomware operators have expertly refined their modus operandi to outwit security software and maneuver around organizations’ cyber defenses. They have mastered the skill of recruiting legitimate tools and applications into their nefarious machinations – a practice called “living off the land.” Their knack for appearing as a normal process allows them to stay under the radar and avoid detection.

Plentiful Resources

As the moneymaking nature of this parasitic business draws growing numbers of malware operators, malicious code offerings on the black market are also rapidly increasing. It is big business on the dark web: not only popular, but also inexpensive and easy to use. Though recent reports indicate that some ransomware gangs may be retreating under increased scrutiny, the ransomware economy remains strong.

As different buyers purchase malware, variants emerge, making it easier to escape detection by security products. Many of these legacy cybersecurity tools can no longer recognize malware as malware.

Outsourcing Exploits

For would-be perpetrators who don’t want to produce ransomware variants or carry out the attacks themselves, the dark web offers plenty of help for hire. ZDNet reported that even the ransomware operators themselves outsource network access exploits to expedite their attacks.

With this last element, the business model is complete – a plethora of products that are adaptable to changing scenarios, increasing revenues, affordable operating costs, plenty of labor sources, and full-service, 24×7 support. Were it not illegal, ransomware-as-a-service (RaaS) would be an exemplary business model.

Prepare to Be Hacked

As John Chambers has been quoted saying, “There are two types of companies: those that have been hacked and those who don't know they have been hacked.”

Sometimes all it takes is one click to bring down an organization. Ransomware is so destructive because it is instantly weaponized. Once it detonates, it’s too late. The only way to avoid the devastation is prevention. But few security tools can identify or prevent ransomware.

The Only Defense Is Prevention

More than 75% of companies infected with ransomware were using current endpoint protection products. These same companies held the false belief that EPP/EDR tools would block ransomware at the entry points – they do not. EPP/EDR tools are not fully equipped to block ransomware. Tactics based on endless threat chasing and on trying to seal off porous perimeters belong to a security mindset that has become almost obsolete.

Whatever way it enters a system, ransomware quickly moves from desktops to servers and applications, where it does the most damage. It reaches deep into the inner architecture of applications and targets the application as a whole: its full data set and resources and, more broadly, the entire server workload. Once deployed, ransomware can encrypt files and block access.

Secure Environments by Protecting Runtime

There has never been a more appropriate time for organizations to aggressively revamp their security strategy. Runtime remains one of the most vulnerable attack surfaces in any organization. Legacy security tools are unable to gain visibility into or control over runtime while application and software code executes. Instead, they seek to protect before and after runtime, but never during it.

In their white paper, Ransomware Defense in Financial Services: Retreating from the Cloud, the Aite Group states that “Detecting and blocking rogue processes in memory is one of the most important ways to secure servers. Servers are online 24/7/365, unlike workstations, so the opportunity for devastating loss is much higher on servers than on endpoints. Whitelisting the behaviors of normal applications means threat actors won’t be successful at introducing any new commands.”

Hence, to stay a step ahead, enterprise organizations concerned about “Zero Trust” need to focus on runtime protection as application/server workloads execute.

Only Allow Legitimate Code to Execute

Organizations must ensure that attackers cannot hijack critical applications to run malicious code of their choosing. Using patented AppMap® technology, Virsec Security Platform (VSP) automatically profiles all critical application resources, including files, scripts, binaries, container images, and libraries, and only allows authorized processes to execute. Any deviation in the code is instantly detected, treated as a threat, and blocked.

“Virsec Security Platform understands what’s happening to applications at runtime, effectively making them self-defending.” – Cisco

If foreign code or an unknown sequence of functions attempts to execute, VSP automatically identifies the offending action and stops it within milliseconds.
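The profile-then-allow model described above, as an added example that is not Virsec’s AppMap code: it baselines a directory of application resources (binaries, libraries, scripts) by SHA-256 hash and then reports every deviation from that allowlist, whether a modified file, an unexpected new file, or a missing one. The function names (`profile`, `verify`, `demo`), the directory layout and the file contents are all constructed for the demo.

```python
"""Added example (not Virsec's AppMap code): a minimal integrity allowlist.

Profiles a directory of application resources by hashing each file, then
verifies a later state against that baseline and reports deviations:
modified files, unexpected new files and missing files. The sample files
are constructed in a temporary directory so the demo runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

def profile(root: Path) -> dict[str, str]:
    """Baseline: map each relative file path to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline

def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state against the baseline. Anything absent from
    the allowlist, or whose contents changed, is a deviation to block."""
    current = profile(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "unexpected": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo() -> dict[str, list[str]]:
    """Build a constructed app directory, baseline it, tamper, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "app").write_bytes(b"placeholder: legitimate binary")
        (root / "lib" / "helper.so").write_bytes(b"placeholder: legitimate library")
        (root / "run.sh").write_text("#!/bin/sh\nexec bin/app\n")
        baseline = profile(root)
        assert verify(root, baseline) == {"modified": [], "unexpected": [], "missing": []}
        # Simulated deviations (constructed): a library is altered, an
        # unknown script appears, and the launcher disappears.
        (root / "lib" / "helper.so").write_bytes(b"placeholder: library + injected bytes")
        (root / "bin" / "dropper.sh").write_text("echo not on the allowlist\n")
        (root / "run.sh").unlink()
        return verify(root, baseline)
```

A real application-control product enforces the allowlist at load or execution time rather than on a periodic scan; this example only shows the baseline-and-compare logic behind such a decision.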

Self-Defending Software

VSP is designed to provide continuous application-aware workload protection at runtime from the inside, without prior knowledge – instantly stopping deviations, threats, or attacks at runtime. By protecting the full attackable surface across the application stack as it relates to web, host, and memory, VSP ensures the integrity of code itself, providing defense from within.

VSP’s unique technology “guardrails” critical applications, software, and workloads in any environment, providing system integrity assurance with strict application control and memory protection in a single solution – delivering in-depth visibility across the entire workload. Ransomware attacks are identified and stopped immediately, regardless of the level of sophistication or the techniques used.

Additional Information

White Paper: Ransomware Defense for Financial Services

White Paper: Five Essential Steps for Enterprise Application Security: A Guide

Webinar: Keeping Ransomware Out of Critical Infrastructure: Colonial Pipeline Attack

Webinar: Demonstration of the Hafnium-MS Exchange Attack

Webinar: Analysis of the Hafnium / MS Exchange Cyberattack

Website: United States Government CISA Ransomware Guidance and Resources