CNA Financial, a prominent American insurance company, found itself the target of a sophisticated ransomware attack. How can a company that reduces the risk for other organizations fail to protect itself from the same risk they insulate their clients from?
The answer may be found in the nature of the attack, which, according to CNA cybersecurity analysts, was executed using Phoenix Ladder—a variant of the Hades ransomware.
How Phoenix Ladder Spreads
The Hades family of ransomware, including Phoenix Ladder, can be easily spread through a variety of methods, including:
- A malicious Google Chrome update that victims install on their computers, not knowing it can introduce ransomware
- Remote Desktop Protocol (RDP) or a virtual private network (VPN) in which the attacker gains access using legitimate credentials
All of these methods have something in common: They can get a ransomware attacker past a firewall. By using RDP or a VPN with legit credentials, the hacker doesn’t even have to worry about the firewall because the system will see them as a legitimate user, “verified” by their credentials.
A malicious Chrome update or another Trojan, which is a malevolent program disguised as a harmless application, can likely bypass a firewall because its file signature, particularly in the case of the Chrome update, wouldn’t be on the list of malicious programs the firewall looks for.
The Phoenix/Hades ransomware is obviously bad news for organizations that depend on firewalls or signature-based threat intelligence systems to identify threats. Ransomware attackers can easily evade these protections. The good news is there are other ways to protect your digital ecosystem from ransomware attacks.
Ransomware and Ransomware Protection
To understand the best way to defend against ransomware, it’s important to first know what ransomware is and how it works. Ransomware is a kind of malware that starts encrypting your computer’s files once it gets into your system. After your files have been encrypted, you get a message telling you how to pay the hacker and get the decryptor key. Then you can regain control of your files.
In many cases, the ransomware attack comes in two digital phases:
- Before the ransomware starts encrypting your files, malware infects your system and starts exfiltrating data, sending it to the hacker orchestrating the attack. This gives the attacker leverage over you, particularly if the files they get contain sensitive information.
- They can then pressure you into paying the ransom by threatening to publish your content.
While it’s possible that the hacker could be lying about the sensitive information they claim to have, the encryption of your files is certainly real.
How to Protect Yourself Against Ransomware
There are a few different types of malware:
- Known malware: Malware floating around the internet that’s already been identified by some threat protection systems
- Unknown malware: Zero-day malware that has been created and launched very recently
Protecting yourself against ransomware begins with preventing it from getting on your computer or server in the first place. Here are some of the ways you can do that:
Defend Against Known Ransomware Using Firewalls and Antiviruses
The easiest ransomware to catch comes from known, preexisting threats that threat intelligence systems have already logged. The information gleaned from these is then used to tell antivirus programs and firewalls which threats to look out for. So by keeping your antivirus solution and firewall up-to-date, you can stop these threats.
Defend Against All Types of Ransomware Using Behavioral Analysis
Suppose a thief wants to steal purses and phones during a wedding. If they dress up in a nice suit, they can look like anyone else on the guest list. But a security crew keeping an eye on everyone using a video surveillance system may notice the criminal grabbing purses and devices while partiers are doing the Cha-Cha Slide.
It’s the behavior that flags the threat, not the identity of the thief.
It’s the same with a behavioral analysis system. It can spot malware based on what it does before and after it enters your network. Antimalware solutions powered by artificial intelligence/machine learning (AI/ML) do the following to analyze the behavior of malware, including ransomware:
- Examination of what’s inside the file, such as IP addresses, header data, domains, and hashes: This can indicate where the malware is coming from, as well as what it may do once inside your computer. A next-generation firewall (NGFW) uses ML and regular data packet analysis to do this.
- Dynamic analysis using a sandbox: To the malware, a sandbox looks like a real part of your system but is actually fake. Once the malware is isolated inside the sandbox, you can watch what it does, noting the systems it tries to attack and how it moves.
- Interactive behavioral analysis: With this type of analysis, security professionals observe a malware sample inside a lab environment, checking for the kind of behavior the malware exhibits.
Detect and Stop Ransomware Using Network Behavioral Analysis
Sometimes, the best way to identify ransomware is to analyze its behavior during an attack. You can then take immediate steps to safeguard your system. Let’s say you’re hit by ransomware that begins its attack by exfiltrating data. Once a network behavioral analysis system detects that a lot of data is leaving your network, far more than usual, it can either send an alert or trigger an automated response designed to protect your digital assets.
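The volume check described above can be sketched as follows. This is an added example, not code from the original article: it scores each host's outbound traffic for the current hour against that host's own history using a median/MAD (modified z-score) baseline. The host names, traffic figures, and the three tuning constants are constructed assumptions.

```python
from statistics import median

# Constructed sample data: outbound megabytes per hour for each internal host,
# as a flow collector or firewall log summary might report them.
HISTORY = {
    "ws-014":  [120, 135, 110, 140, 125, 130, 118, 122],
    "db-002":  [900, 950, 870, 910, 940, 880, 925, 905],
    "kiosk-7": [5, 5, 5, 5, 5, 5, 5, 5],      # perfectly flat traffic (MAD = 0)
    "new-031": [40, 55],                      # too little history to judge
}
CURRENT_HOUR = {"ws-014": 131, "db-002": 6200, "kiosk-7": 900, "new-031": 60}

MIN_SAMPLES = 6      # assumption: hours of history required for a baseline
THRESHOLD = 3.5      # common cut-off for the modified z-score
MAD_FLOOR_MB = 1.0   # assumption: avoids dividing by zero on flat traffic


def modified_z(value, history):
    """Robust distance of value above the host's own median, in MAD units."""
    med = median(history)
    mad = max(median(abs(x - med) for x in history), MAD_FLOOR_MB)
    return 0.6745 * (value - med) / mad


def detect_exfil(history, current, threshold=THRESHOLD):
    """Return (alerts, unscored): hosts sending far more than usual, and
    hosts that cannot be scored yet because their baseline is too short."""
    alerts, unscored = [], []
    for host, sent_mb in sorted(current.items()):
        past = history.get(host, [])
        if len(past) < MIN_SAMPLES:
            unscored.append(host)
            continue
        score = modified_z(sent_mb, past)
        if score > threshold:            # only upward spikes matter here
            alerts.append((host, sent_mb, round(score, 1)))
    return alerts, unscored


if __name__ == "__main__":
    alerts, unscored = detect_exfil(HISTORY, CURRENT_HOUR)
    for host, mb, score in alerts:
        print(f"ALERT {host}: {mb} MB outbound this hour (score {score})")
    print("no baseline yet:", ", ".join(unscored))
```

Scoring each host against its own baseline is what lets a busy database server and a quiet kiosk share one threshold; the returned alert list is where an alert or an automated response would be attached.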
Ransomware Traps and Tips
Whether or not you have one of the above defense systems in place, it’s best to be aware of the following ransomware traps and how to avoid them:
To avoid phishing traps:
- Educate employees regarding what a modern phishing email looks like
- Teach them how to identify fake email addresses that hide a malicious sender’s real domain
- Educate employees about what suspicious links or attachments look like
- Create and enforce company policies that prevent employees from sharing sensitive information via email
Trap: Insecure RDP and VPNs that hackers log in to using stolen credentials
To prevent hackers from taking advantage of RDP or VPNs:
- Require employees to use secure passwords that are hard to guess
- Create policies that prevent employees from sharing passwords with anyone
- Instantly cut off the access privileges of anyone whose employment terminates for any reason
- Use multi-factor authentication to require more than a username and password for users to connect to VPNs or RDP
Trap: Holes in your cybersecurity that existing ransomware can sneak through
To prevent known ransomware threats:
- Regularly update your antivirus software
- Install the latest patches for your firewalls
- Use a threat detection system that leverages real-time threat information from a global cyber intelligence program
Dealing with Ransomware: Do’s and Don’ts
Ransomware attacks are growing in frequency and severity—and organizations would do well to adopt the “not if, but when” mentality when dealing with these types of threats. Here are some do’s and don’ts to help guide your ransomware defense strategy:
Do:
- Make a plan regarding what to do in the event of an attack
- Follow business continuity and disaster recovery (BCDR) best practices, such as having secure backups both in the cloud and offsite
- Train your employees on essential cybersecurity practices, such as what to do to avoid ransomware, how to bolster cyber hygiene, and what to do if your organization suffers an attack
Don’t:
- Wait too long to activate your crisis communication program, which should involve informing customers, employees, and other stakeholders about the incident
- Avoid notifying vendors you do business with, regardless of the way their networks intersect with yours
- Pay the ransom or negotiate until you’ve tried everything else, including contacting law enforcement
Cyber Insurance and Its Benefits
Cyber insurance is designed to take care of any expenses you incur in connection with any cyber attack, including a ransomware incident. It covers many of the financial repercussions of a ransomware attack, including:
- The ransom amount paid to attackers
- Liabilities stemming from stolen customer data
- Repairing your network
Because both ransomware attacks and ransomware settlements are on the rise, cyber insurance can be an effective way to insulate your organization from the potentially crippling cost of a breach.
You Have the Power to Safeguard Your Systems Against Ransomware
By defending your network against the various ways ransomware can penetrate your system, you can prevent an attack from severely impacting your business. But in the event you do get hit, cyber insurance can help you bounce back from the financial fallout.