How to stay ahead of Ransomware


Ransomware remains a favorite among cybercriminals, who use it to block victims’ access to data and threaten to publish it if demands are not met. Nowadays, ransomware threat actors operate almost exclusively as-a-service, sharing duties and profits across hierarchical tiers. Sadly, as seen with the recent attack on a US fuel pipeline operator who paid a five million USD ransom, “business” is booming. Organized ransomware targeting US entities produced record damages last year, according to a recent analysis by the FBI’s IC3 Center. Worldwide, ransomware costs are easily in the hundreds of millions and likely billions.

The Bitdefender Labs team is active in ransomware research and has helped law enforcement take down major cybercrime groups with estimated worth in the hundreds of millions, such as GandGrab, Hansa, Sipulimarket, Wall Street Market and Silkkitie. Bitdefender’s GandCrab ransomware decryptor alone has saved victims more than 76 million dollars in ransom fees.

Double extortion, double damage

Ransomware comes in many varieties – each regularly offered as-a-service by competing criminal and nation-state groups – and ransomware gangs tend to feed off each other whenever one group makes an innovative breakthrough. The now-defunct Maze Team pioneered a double-extortion technique that coerced victims to pay by stealing their data before encrypting it, then threatened to publish it if ransom demands were not met. It worked so well that, throughout 2020, ransomware aggressors using strains like Sodinokibi, Ryuk, DopplePaymer and Egregor all started using this novel coercion scheme to extort their victims.

But the Maze authors did even more to ensure their success. In Bitdefender’s recent report, we explain how Maze destroyed Windows-created backups, such as the Volume Shadow Copies. By querying the Win32_ShadowCopy WMI class, Maze found the shadows and deleted them. (The technique is listed in the MITRE ATT&CK framework labeled as T1490 – aka Inhibit System Recovery.)

With so much money at stake, organizations are scrambling to make sure they don’t become the next victim and many are turning to cyber insurance as a means of protection against some of the effects of an incident. But such cyber insurance typically only covers direct damages and does not address business and reputational impact from data loss and the real staff costs to recover.

This approach is not advisable. According to Lindy Cameron, the UK National Cyber Security Centre’s new chief executive, “[cybersecurity] insurance can really help to cover costs, but it cannot be a substitute for better basic cybersecurity, making ransomware attacks as hard as possible.” At least one prominent cybersecurity insurer, has recently said they will stop paying benefits for ransomware victims only to find part of their operations attacked by ransomware in an apparent retaliation.

Prevention is the best medicine

Implementing regular security risk assessments and following a continuous patching approach supported by technology controls is the best strategy to prevent, or least reduce the impact of, ransomware in the first place.

Ransomware is highly adaptable. Its creators carefully design the malware’s individual modules to avoid detection by cybersecurity technology. But, as history has shown, even small delays in detection can provide enough time for potentially irreversible file encryption to take place. Therefore, defending against ransomware requires a multi-layered approach based on preemptive protection.

Bitdefender GravityZone for ransomware protection

With ransomware attacks almost always involving a variety of attack vectors, a good anti-ransomware strategy requires vigilance on multiple fronts.

GravityZone is designed to ensure an effective anti-ransomware posture, built on understanding the full cyber kill-chain and mapping defenses to match each attack stage:

1. Control risk and reduce attack surface

GravityZone employs multiple risk mitigation layers, at the system, device and user level. 

Patch Management helps organizations keep operating systems and applications up to date across the entire Windows install base including desktop and laptop workstations, physical servers and virtual servers.

As far as misconfigurations go, improperly configured systems leave doors wide open to ransomware attacks including browser security settings,

network and credential settings, operating system security settings like open ports, nonessential services and administrative scripting tools (e.g. PowerShell) enabled. GravityZone scans for system misconfigurations and can automatically update many settings of misconfigured machines remotely while notifying admins to reset the rest.

Risk Management and Analytics continuously scans your endpoints for application vulnerabilities and makes recommendations for prioritization and remediation. Outdated applications with known vulnerabilities (CVEs) can be exploited by ransomware authors to misuse program functionality or to download harmful content from the internet. GravityZone scans for CVEs and ranks application vulnerabilities by severity so administrators can take prompt corrective action.

Human Risk Analytics looks at where users browse, what files they open, what file locations they access, how and where they login to risky websites and monitors password hygiene and reuse so risky behavior can be corrected.

2. Prevention is next

Ransomware is commonly deployed through social engineering vectors, like phishing or spam email links and malicious file attachments. But many attacks also employ fileless vectors, meaning the attack occurs in memory space. Bitdefender automatically blocks fileless attacks at the pre-execution stage, preventing file encryption and preserving full system access. GravityZone also leverages highly-tuned machine learning models to spot new and unknown malware (i.e. malware that exploits Zero Day flaws) across multiple stages of the attack kill chain. Additionally, advanced anti-exploit technologies can automatically identify and terminate malicious processes.

At a network level, Bitdefender uses behavioral heuristics to analyze host network activity in real-time and harden controls against exploit techniques that can exfiltrate personal information from your network. It uses machine learning to block ransomware exploits that arrive via network ingress points and halts malicious activity in the initial access, credential access, discovery and lateral movement attack stages.

GravityZone automatically and continuously trains to improve malware recognition using one of the industry’s largest sample repositories, collected in the wild from our network of millions of global sensors. As ransomware continues to evolve, Bitdefender will regularly and accurately detect new patterns in pre-execution and at runtime.

3. When time is of the essence – early detection counts

Continuous monitoring helps with early attack detection. GravityZone monitors running processes in real time—registry key modifications, file reads/writes, encryption action—to identify suspicious or malicious processes for automatic or manual termination by security teams.

4. Prevention is not 100% bullet-proof

Not all attacks can be blocked or prevented and some attack stages manifest slowly over time. Endpoint detection and response (EDR) plays an important rule in ransomware mitigation.   automatically correlates multiple indicators of attack and compromise with malicious activity observed on the system and on the network, facilitating fast and accurate incident response that reduces attacker dwell time and facilitates fast file recovery from ransomware.

5. The power of tamperproof backups

Whenever a possible new ransomware strain attempts to encrypt files, GravityZone’s ransomware mitigation automatically creates a tamperproof backup of targeted files that will be restored after the malware is blocked. Bitdefender automatically blocks processes involved in the attack and starts remediation, while also notifying IT administrators.

By combining these complementary technologies and methods into an integrated approach, GravityZone protects organizations more effectively against known and unknown ransomware.

The fight against ransomware is a 24×7 job and includes the use of tooling but also assessment of resources to quickly and effectively identify breaches and rapidly respond. Many organizations aren’t able to provide around-the-clock coverage, either due to limited budgets, skilled personnel or time. For these companies, a Managed Detection and Response service can help to prevent ransomware attacks from executing and spreading. The service is delivered by combining industry-leading Bitdefender security technologies trusted by organizations and security vendors around the world. Bitdefender MDR services combine GravityZone with 24×7 security operations and threat hunting by veteran security analysts.

Learn more information about how Bitdefender can help you become cyber resilient against ransomware.