Ransomware continues to frustrate enterprise security teams. These advanced attacks use adaptive and evasive tactics to bypass traditional security tools, infiltrate endpoints, spread through the network, and deliver their harmful payloads. More people are using the browser to access the internet and work on web apps and Software as a Service (SaaS) platforms.
Insufficient browser security is the main reason today’s ransomware attacks are so successful. In order to stop these attacks, enterprise security teams need to refocus their efforts on the browser, gaining visibility and control over web-based workloads.
Anatomy of a ransomware attack
Today’s ransomware attacks have evolved from a single ransomware request to a more pervasive and destructive attack that hits victims multiple times throughout the attack chain. Called double extortion, these tactics pressure victims to pay exorbitant payouts in exchange for not publicly announcing a breach or releasing proprietary data to the public or other interested parties.
Stage 1: Initial access
Every ransomware attack starts with gaining initial access on an end point and infecting it with malware. Attackers will start by performing reconnaissance on their intended targets and look for vulnerabilities to exploit such as phishing opportunities, stolen credentials or unpatched software. They will then employ these evasive techniques to gain initial access on the endpoint.
Stage 2: Infection
Once an initial access point has been established, attackers will use various malware and download tools to search for data, steal credentials and monitor communication channels across the network. The goal is to compromise as many machines as possible so as to improve the odds of executing a successful ransomware mission.
Stage 3: Staging
A command and control (C&C) server can then be set up by the attacker to send encryption keys to the targeted system. The attacker can also install additional malware that they can use in the future to help facilitate other stages of the ransomware attack chain.
Stage 4: Scanning & Encryption
Next, the attacker scans for useful information about the organization’s network while spreading the infection laterally across additional endpoints. The goal is to elevate their access privileges to seek out more valuable data. Attackers can also exfiltrate data to the C&C server, setting themselves up for double extortion when the time is right. Attackers can then encrypt data and systems using the keys sent from the C&C server.
Stage 5: Ransom
Now that everything has been keyed up, the attacker can send the victim a ransom note demanding a payout. It’s here where attackers lay all their cards on the table, revealing what systems have been compromised, the data that has been stolen and the potential fallout.
Attackers want to show victims how much is at sake so they can instill fear and force a hasty action. Organizations must decide whether to pay the ransom and return to normalcy quickly or reject payment and start the long, arduous process of rebuilding systems from the ground up.
Reasons for ransomware success
Over the past five years, digital transformation has transferred work from the data center to the browser. According to Forrester, business users spend more than 75% of their working day inside the web browser. Malicious actors know this, of course, and have crafted new attacks that specifically target the browser as a way to make that initial access on the end point. They’ve employed social engineering techniques to target browser-based applications and they’ve crafted highly evasive techniques that have been designed to bypass commonly deployed security solutions.
These include:
Recent ransomware attacks
Menlo Labs has recently uncovered the re-emergence of a highly active attack framework called ‘SocGholish’ – a ransomware threat that uses social engineering tools and evasive techniques to gain access to enterprise networks. The phishing attacks typically masquerade as popular software updates – such as Chrome and Adobe – and, once a user clicks on the link, the malware uploads a ZIP file hosted on a trusted location through iFrames. An embedded Javascript file downloads additional malware and deploys Dridex Banking Trojan or Wasted Locker Ransomware variants.
Another ransomware attack – this one targeting two of the largest casinos in Las Vegas – has made headlines recently. Unknown threat actors used social engineering techniques and gained privileged access to critical applications through compromised Okta credentials. The casinos have lost millions of dollars in the attacks that have impacted thousands of users.
Menlo Security Secure Cloud Browser
The best way to stop ransomware is to prevent initial access on the end point. This requires more advanced browser security solutions that execute all web sessions and active content in a secure web browser in the cloud. Isolating this activity away from the end point ensures that no ransomware or evasive malware can ever gain that initial access – rendering the attack useless.
The Menlo Secure Cloud Browser gives security teams the visibility and control they need to fully protect the web browser – ultimately reducing the attack surface and effectively eliminating ransomware. Menlo is the only solution that is able to identify and dynamically stop evasive malware, zero-day exploits and ransomware attacks.
Learn more about Menlo Security here.
