Using Behavioral Analytics to Fight Ransomware

The recent attacks on the City of Baltimore and the Norsk Hydro energy facility in Norway are among the latest incidents that show that ransomware, a part of a larger range of criminal extortion, continues to be a significant threat to organizations.

Since WannaCry in 2017, ransomware has evolved rapidly with newer iterations such as SimpleLocker, NotPetya, SamSam and LockerGoga, which was used in the attack on Norsk Hydro. Still, at its heart, ransomware remains the same: it gets into an endpoint system through a phishing email or similar tactic and installs the malware, fetches the encryption code and uses it to encrypt data on systems throughout the network, and then demands the ransom to decrypt the captured data.

It’s costly—the damages from the attack on Baltimore will cost the city at least $18 million. There may have been a dip in the number of incidents between 2017 and 2018, but attacks on businesses are trending up. If it’s making money for people, they’re going to keep on pushing it.

They know that not every organization is patching vulnerabilities the way they should, so even older ransomware is still going to be effective in some scenarios, often used by smaller cybercriminal organizations that don’t have the time or money to invest in developing new threats. But most of the malware out now is either being run by a nation-state with specific reasons for what they’re doing or by organized crime, which is going after companies that rely heavily on the data they have and have the money to pay to get it back.

Ransomware is something companies will always have to guard against, but the challenge is that it continues to morph rapidly, making it increasingly difficult for traditional techniques such as signatures and pattern matching to detect it. Instead of being a recognizable piece of malware that signatures can pick up, we’re seeing more of the polymorphic type of malware that tries to evade defensive techniques.

That’s not new for cybersecurity, but it’s newer for ransomware, and it means a firewall alone can’t catch it. It might not be detected until after it’s triggered, at least on that first system. However, there are tell-tale signs of a ransomware attack taking place that can be picked up by behavior analytics capabilities on the network, shutting it down before it spreads from an infected system to the rest of the network. Ransomware has evolved, and defenses against it must evolve accordingly.

From an analytics standpoint, we’re looking for unusual behavior. The bad guys now are very good at hiding their malware. Once inside the network, they look like a legitimate user with credentials. They’re not carrying out exploits or easily exposing themselves, so behavioral analytics is a key way to fight back. Ransomware will reach out to file servers, do a read, apply encryption, do a write-back to it and then delete the original copy.

If you see that, then something is off. If an administrator can then correlate that with a “click-here” link that someone accessed in response to a phishing email, that adds to the idea that something isn’t right.

Analytics also becomes important when data is encrypted. More applications—such as web browsing—are moving to TLS encryption. However, malware is doing the same thing. People once could say they could fingerprint malware because it looked different from normal traffic. However, the bad actors have adapted, creating malware that looks—from a network perspective—just like Windows 10 running Chrome, for example. Given that, behavioral analytics and looking at such areas as encrypted network traffic becomes a last line of defense, detecting the presence of the malware and limiting the damage it can do.

When malware hits, the endpoint is the logical first place to start looking for it. The endpoint comes with basic antivirus capabilities, but the malware may see the antivirus protection and will take steps to evade or disable it. It’s a cat-and-mouse game.

One reason the network works so well for dealing with ransomware is that the bad guys can’t shut it down. If they do something over the network, it will be seen quickly. Their actions might be encrypted and administrators might not be able to see exactly what’s inside, but on the network administrators can observe different types of behavior in a way that the malware can’t stop them from doing.

Machine learning can play a role in detecting unusual behavior on the network. With any machine learning scenario, the more data you can feed into it the better, so the system looks at both network packets and the logs from different systems to get a fuller picture of what’s happening. Ninety-nine percent of what the system sees might just be noise, but what machine learning is really good at is picking out small or weak signals from a lot of data—something human analysts can’t always do.
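One way to see why a per-system baseline pulls a weak signal out of noise, as an added example that is not from the original post and uses a simple robust statistic rather than a trained model: each host's file-write rate per minute is scored against that host's own recent history with a modified z-score (median and median absolute deviation, so a few earlier spikes do not poison the baseline). The host names, counts and the 3.5 cutoff are constructed assumptions; in practice the counts would come from the same logs a detector already parses.

```python
"""Score each host's current per-minute file-write count against its own history.
Added example with constructed data; a modified z-score stands in for the kind of
per-entity baseline a learned model would build from far more features."""
import statistics

# Constructed history: file WRITE operations per minute over the last 30 minutes.
BASELINE = {
    "ws-17":    [3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 5, 3, 4, 2, 3,
                 3, 4, 2, 5, 3, 3, 4, 2, 3, 3, 4, 2, 3, 5, 3],
    "build-01": [38, 45, 41, 50, 36, 44, 47, 39, 42, 48, 40, 43, 46, 37, 49,
                 41, 44, 39, 45, 42, 47, 40, 38, 43, 46, 44, 41, 48, 39, 42],
}
# Constructed current-minute counts: same absolute level, very different meaning.
CURRENT = {"ws-17": 40, "build-01": 45}
CUTOFF = 3.5  # assumed: conventional threshold for the modified z-score


def modified_zscore(x, history):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD."""
    med = statistics.median(history)
    mad = statistics.median(abs(v - med) for v in history)
    if mad == 0:
        # Edge case: a perfectly flat history; any change at all is a deviation.
        return float("inf") if x != med else 0.0
    return 0.6745 * (x - med) / mad


def score_hosts(current=CURRENT, baseline=BASELINE, cutoff=CUTOFF):
    """Return {host: (score, flagged)} for every host with both history and a
    current count; hosts lacking history are skipped rather than guessed at."""
    out = {}
    for host, x in current.items():
        if host in baseline and len(baseline[host]) >= 10:
            z = modified_zscore(x, baseline[host])
            out[host] = (round(z, 2), z > cutoff)
    return out


if __name__ == "__main__":
    for host, (z, flagged) in score_hosts().items():
        print(f"{host:9s} score={z:7.2f} {'ALERT' if flagged else 'ok'}")
```

A global rule such as "more than 30 writes a minute" would fire on the build server every minute and miss nothing about the workstation; against each host's own baseline, 40 writes on ws-17 is about 25 deviations out while 45 on build-01 is unremarkable. The same idea, applied across many more features and hosts at once, is what the text is describing.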

There are always different places where ransomware can be interrupted. Preventing infection in the first place is the best way if it can be done, with defensive systems identifying malicious code as malware. That’s easiest with known malware samples. More challenging are zero-day attacks, with malware that has never been seen in the wild.

But with how rapidly ransomware is evolving, it’s unlikely that all malware will be caught, and that’s where behavioral analytics on the network comes in. The technology can detect the malware and identify the infected system, enabling administrators to stop the infection mechanism from getting through the network to other devices and systems. Many times, it’s the best tool for stopping ransomware from crippling a company.

Jon Green

Jon Green is VP and Chief Technologist for Security at Aruba, a Hewlett Packard Enterprise company. He is responsible for providing technology guidance and leadership for all security solutions including authentication and network access control, UEBA, encryption, firewall and VPN. He also manages Aruba’s Product Security Incident Response Team (PSIRT) and Aruba Threat Labs, an internal security research group. Jon joined Aruba in 2003 and helped it grow from a small startup to today’s position as a leading provider of network mobility solutions. Prior to Aruba, Jon held product management, marketing, and sales positions with Foundry Networks, Atrica, Nortel Networks and Bay Networks. Jon holds a B.S. in Information Security from Western Governor’s University and a M.S. in Computer Science/Information Security from James Madison University.
