
Here's to Defending Against Ransomware as a Service

Written by Lauren Bell | Aug 30, 2021 6:13:00 PM

You can have top-of-the-line security in place and a staff well trained in cybersecurity, and still become a victim of a supply-chain attack that arrives through a trusted back door. With the right tools, you can catch ransomware early and lessen the blow.

All victims of the recent Kaseya attack had something in common: their networks ran a key piece of network-management and remote-control software developed by technology firm Kaseya. Managed service providers use the software to administer the networks of their customers, often smaller companies.

In short, tbl networks Security Practice Lead Wayne Miao says, “Instead of targeting end-users directly, the attackers exploited a backdoor, or a trusted tunnel Kaseya used to reach the end-users.” 

Kaseya's management agent runs in the background, which lets managed service providers monitor their customers' systems, push updates to them, and remote into them. Because it is a remote-access application, the things it does routinely (dropping files, launching processes, running commands on endpoints) are exactly the things antivirus programs look for.

To prevent those false alarms, Kaseya's agent, including the directory it stages files in, is exempted from scanning. That exemption is what the attackers exploited to reach the end-users behind the managed service providers: anything the agent writes into an excluded location and then executes inherits the exclusion. While the ransomware was being downloaded, executed, and spread, no alarms sounded, because the trusted channel used for monitoring was itself under no surveillance.

Why ransomware as a service is a growing concern

“Ransomware as a service makes hacking more accessible to even more people. They don’t have to build the software, they don’t have to build the infrastructure. It all can just be rented from a larger hacker group,” Wayne explains.

As ransomware becomes easier to obtain, less skill is needed to stage an attack, and a lower skill requirement means wider adoption and use.

Relying on signature-based antivirus is no longer enough.  

“Back in the day, becoming a victim of a zero-day attack was rare. Now, hackers can launch a zero-day attack with a lot of reach as we saw with Kaseya,” says Wayne.

Because signature-based antivirus must already know a particular sample before it can detect it, it cannot protect against something it has never seen before (a zero-day).

Traditionally, after a virus was deployed, in much smaller numbers than we see now, antivirus vendors would learn of the infection and add the virus's signature to a database of known malicious programs. Your machines were then protected because, if a program matched an entry in the antivirus database, it would be detected and stopped before it could run in your network. With ransomware as a service, a new strain is launched against a much larger pool of immediate victims, so organizations of every size and industry face a higher likelihood of being hit before any signature for that strain exists; and because the signature is tied to the exact bytes of a sample, a rebuilt or repacked copy of the same ransomware starts the cycle over.
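As an added example, not code from the post or from Kaseya or any antivirus vendor, here is a toy signature-based scanner in Python that exhibits both blind spots described above: a file dropped into a directory excluded from scanning is never looked at, and a rebuilt sample whose hash is not yet in the database is reported clean. The excluded directory, the file names and the sample bytes are all constructed for illustration.

```python
"""Added example (not the post's or any vendor's code): a toy hash-signature
scanner showing why an AV exclusion and an unseen build both go undetected.
The exclusion list, directory, file names and sample bytes are constructed."""
import hashlib
from pathlib import PureWindowsPath

# Constructed: a directory an administrator excluded so a remote-management
# agent stops tripping the scanner with its normal activity.
EXCLUDED_DIRS = [PureWindowsPath(r"C:\ProgramData\RMMAgent\working")]

# Constructed 'ransomware' bytes; the signature database knows exactly this build.
KNOWN_SAMPLE = b"LOCK-EVERYTHING\x00" + bytes(range(256))
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Ransom.Demo.A"}


def is_excluded(path: str) -> bool:
    """True when the file sits in (or under) an excluded directory.
    PureWindowsPath compares case-insensitively, as Windows itself does."""
    p = PureWindowsPath(path)
    return any(d == p or d in p.parents for d in EXCLUDED_DIRS)


def scan(path: str, content: bytes) -> str:
    """Verdict for a file that is about to execute, in the order a
    signature scanner decides: exclusion check first, then hash lookup."""
    if is_excluded(path):
        return "skipped: path excluded from scanning"
    digest = hashlib.sha256(content).hexdigest()
    if digest in SIGNATURES:
        return f"detected: {SIGNATURES[digest]}"
    return "clean: no matching signature"


def demo() -> dict:
    """Three outcomes for the same malicious behaviour:
    - the known build outside the exclusion is caught;
    - the identical build dropped into the excluded agent directory is never scanned;
    - a rebuilt variant (one byte changed, new hash) is 'clean' everywhere."""
    variant = KNOWN_SAMPLE + b"\x01"   # attacker repacks/rebuilds: new hash, same behaviour
    return {
        "known_outside": scan(r"C:\Users\Public\invoice.exe", KNOWN_SAMPLE),
        "known_in_excluded_dir": scan(r"C:\ProgramData\RMMAgent\working\update.exe", KNOWN_SAMPLE),
        "variant_outside": scan(r"C:\Users\Public\invoice.exe", variant),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

The exclusion check runs before any content inspection, which is the point: once a location is excluded, the scanner has no opinion about what lands there. Real products match on more than a whole-file hash (byte patterns, heuristics, emulation), but the same two gaps remain whenever detection depends on recognising the file rather than watching what it does.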

Other tools, outside of antivirus, are needed to prevent the spread of ransomware. 

The best protection for end-users is a behavioral monitoring tool plus offsite backups

Of course you want to stop the ransomware from being downloaded in the first place, then prevent it from executing and spreading in your network. But if all of that fails, offsite backups are what you restore from. Ransomware keeps getting smarter and more advanced: it can be purposely designed to find and destroy backup folders before it encrypts anything else. For this reason, protecting your backups with immutable-snapshot products such as Pure SafeMode prevents the deletion of backup data, so you can fully restore without paying an exorbitant ransom. A backup copy that an infected host can write to or delete with ordinary credentials is not really offsite; the copy has to be unreachable from whatever the attacker has compromised, and restores should be tested before you need them.

For the end-users, behavioral monitoring tools are most effective at preventing the spread. When the ransomware executes, a behavioral detection tool sees abnormal activity on the system, such as one process rewriting large numbers of files in quick succession, and stops it from running further. Where antivirus fails, behavioral monitoring picks up the slack. The tools also raise an alarm when large amounts of data are being sent from the customer's servers to the thieves' servers: the monitoring tool recognizes that this is not typical behavior and stops the ransomware process in its tracks.
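As an added example, not the post's own code or any vendor's product, here is a minimal behavioral detector in Python of the kind described above, run over a constructed event stream. One process rewrites a dozen documents with ciphertext-like (high-entropy) data and then pushes tens of megabytes to an outside address; a word processor saves plaintext and syncs a large file to an internal server. The event format, thresholds, process names and addresses are assumptions made for illustration.

```python
"""Added example for this page (not the post's or any vendor's code): a minimal
behavioral detector run over a constructed event stream.  Event schema,
thresholds, process names and addresses are assumptions made for illustration."""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10.0            # per-process look-back window (assumed)
HIGH_ENTROPY = 7.0               # bits/byte; ciphertext and compressed data sit near 8
MASS_WRITE_COUNT = 8             # high-entropy writes inside the window before we react
EXFIL_BYTES = 50 * 1024 * 1024   # bytes to an external address inside the window

# Only RFC 1918 ranges count as internal here; any other destination is 'outside'.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(events) -> dict:
    """Return {pid: [reasons]} for processes whose recent activity looks like ransomware.

    Each event is a dict with 'ts', 'pid', 'name' and 'kind'; kind 'file_write'
    carries 'path' and 'data', kind 'net_send' carries 'dst' and 'nbytes'."""
    writes = defaultdict(deque)   # pid -> timestamps of recent high-entropy writes
    sends = defaultdict(deque)    # pid -> (ts, nbytes) of recent external sends
    flagged = {}

    def flag(pid, reason):
        flagged.setdefault(pid, [])
        if reason not in flagged[pid]:
            flagged[pid].append(reason)

    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ts = ev["pid"], ev["ts"]
        if ev["kind"] == "file_write" and shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
            q = writes[pid]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:   # drop writes that fell out of the window
                q.popleft()
            if len(q) >= MASS_WRITE_COUNT:
                flag(pid, "mass high-entropy file writes")
        elif ev["kind"] == "net_send" and not is_internal(ev["dst"]):
            q = sends[pid]
            q.append((ts, ev["nbytes"]))
            while ts - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            if sum(n for _, n in q) >= EXFIL_BYTES:
                flag(pid, "bulk outbound transfer to external address")
    return flagged


def processes_to_terminate(events) -> list:
    """The response step: every flagged pid is killed."""
    return sorted(evaluate(events))


# ---- constructed sample data (not a real capture) ----
# 4096 bytes built from SHA-256 outputs: uniformly distributed, entropy close to 8 bits/byte.
CIPHERTEXT_BLOCK = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAINTEXT_BLOCK = b"Quarterly figures for the board meeting, draft three. " * 80


def sample_events() -> list:
    events = []
    # pid 4242: rewrites twelve documents with ciphertext, then uploads 60 MiB to an outside host
    for i in range(12):
        events.append({"ts": 100.0 + 0.3 * i, "pid": 4242, "name": "update.exe", "kind": "file_write",
                       "path": rf"C:\Users\finance\Documents\report{i}.docx.locked", "data": CIPHERTEXT_BLOCK})
    for i in range(3):
        events.append({"ts": 104.0 + i, "pid": 4242, "name": "update.exe", "kind": "net_send",
                       "dst": "203.0.113.7", "nbytes": 20 * 1024 * 1024})
    # pid 1337: a word processor saving plaintext and syncing a large file to an internal server
    events.append({"ts": 100.5, "pid": 1337, "name": "winword.exe", "kind": "file_write",
                   "path": r"C:\Users\finance\Documents\budget.docx", "data": PLAINTEXT_BLOCK})
    events.append({"ts": 101.2, "pid": 1337, "name": "winword.exe", "kind": "net_send",
                   "dst": "10.0.0.5", "nbytes": 60 * 1024 * 1024})
    return events


if __name__ == "__main__":
    for pid, reasons in evaluate(sample_events()).items():
        print(pid, "->", "; ".join(reasons))
    print("terminate:", processes_to_terminate(sample_events()))
```

Note the caveat a practitioner would raise: backup and compression tools also write high-entropy data in bulk, and a large sync to an internal server is normal. Production tools therefore combine more signals (extension changes, canary files, process lineage, who the parent process was) before terminating anything, and the window sizes here are made up; the structure of the decision is what the example shows.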