Industry Trends

Offensive Defense: Using Deception Against Ransomware Attacks

By Moshe Ben Simon | May 10, 2021

Cyber adversaries of all kinds spent the last year working to exploit the COVID-19 pandemic in unprecedented ways and at scale. In particular, the rapid shift to remote work at many organizations gave cybercriminals an immediate opportunity to target employees connecting to corporate resources from often poorly secured home networks and devices. These adversaries targeted and exploited remote workers throughout 2020, and unfortunately this continues through 2021. Recent ransomware attacks have focused on extortion or on halting critical operations.

The most common ransomware attacks so far during this pandemic have all begun with social engineering. In his book "The Art of Deception," the well-known hacker Kevin Mitnick explained the power of social engineering techniques. Properly conducted social engineering, usually in the form of phishing or spear phishing, can trick users into divulging critical information, from passwords to financial account details to PII. Today, social engineering is combined with hacking techniques and malware distribution to power increasingly insidious attacks.

One outcome of using social engineering against a disrupted and often naïve remote workforce has been an increase in ransomware attacks, which rose sevenfold in the second half of 2020. Enterprises around the world have been reporting cyberattacks involving ransomware, and this trend is expected to continue across all organization types.

Cybercriminals have increasingly been targeting remote workers to launch their attacks. The attack sequence starts by exploiting individuals' concerns about the pandemic, as well as other events such as elections and tax season, to compromise the remote worker's device; the malware then spreads to other computer systems once that device connects back into the corporate network.

In a typical ransomware attack, the attacker uses phishing or other means to introduce malware onto a victim's computer, from which it spreads across the network. Once enough systems have been compromised, the attacker triggers the malware to encrypt all infected systems, rendering the files and data on those devices inaccessible to the organization. The attacker then demands a payment from the organization in exchange for the key needed to decrypt the compromised files.

When a threat actor uses ransomware to withhold your data, the assumption is that you will pay virtually any price to regain control, and that if you do not, the attacker will put the data up for sale on the darknet. However, we are also seeing a growing number of cases where a victim pays the ransom but never receives the decryption keys needed to restore their network. In even more brutal cases, the ransomware went on to destroy the network by wiping the disks of desktops and servers even though the ransom had been paid.

Addressing Ransomware Attacks with Deception

Protecting your organization from ransomware should start with keeping up-to-date backups of critical files off-network and scanning devices that request network access for malware. But this is just the start. We should also understand how ransomware works, because once we understand what is happening, there are effective ways to turn its own techniques and tactics against it.

Ransomware often uses sophisticated techniques and tactics to penetrate an organization and compromise an endpoint. But at the end of the day, its primary goal is to encrypt your files. Rather than fighting against this process, what would happen if you instead surreptitiously redirected the ransomware to encrypt fake files, files you intentionally created and placed on the network to entice would-be attackers? By trying to encrypt these fake files, the attackers would expose themselves and their intentions, and reveal the existence of their malware, before they could do significant damage. In other words, an extremely powerful counterattack strategy is to deceive ransomware into running against a benign target of our choosing, triggering an alert and revealing its criminal intent. We can achieve this with cyber deception technology.

Cyber deception allows organizations to rapidly create a fabricated (fake) network that automatically deploys attractive decoys and lures designed to be indistinguishable from the traffic and resources of the legitimate network. This pseudo network is then seamlessly integrated with the existing IT/OT infrastructure to lure attackers into revealing themselves.

Deception technology does not install an agent on the endpoint, does not require any network change, and does not rely on a signature or anomaly engine. So how does cyber deception find and mitigate ransomware? The answer is that it uses the ransomware's own encryption activity against it.

Cyber Deception Against Ransomware Attacks:

  1. Deception solutions start by setting up and deploying a fake network shared drive across every endpoint and server in your network. This pseudo network share is hidden from legitimate users so they do not open decoy resources and generate false alerts.
  2. The fake network drive contains fake files and workflows that exist solely to expose an attacker or malicious ransomware.
  3. The fake network drive is mapped via a network decoy that acts as a fake file server, complete with fake traffic and files.
  4. Any worthwhile cyber deception tool should also integrate fully with your third-party security tools, such as your firewall, Network Access Control, and next-gen AV, so that all identified malicious activity can be quickly mitigated.
  5. Once ransomware compromises an endpoint and starts to encrypt local and network drives, the decoy (the fake network file server) immediately detects the malicious activity, slows the encryption process, and leverages one of your existing security tools to automatically limit or prevent damage, while isolating the infected endpoint to protect the rest of the network.
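The five steps above describe the decoy file server only at the product level. The following is an added example, not Fortinet's code and not taken from this article, that shows the detection logic at the heart of step 5 in miniature: seed a decoy share with low-entropy "documents", record a hash baseline, and raise an alert when any decoy is modified, replaced by high-entropy (encrypted) content, deleted, or joined by a file carrying a typical ransom extension. Because the share is hidden from legitimate users, any write to it is suspicious; the example escalates to an isolation decision only on encryption indicators. All file names, the extension list, the 7.0 bits/byte entropy threshold, and the `simulate_encryptor` stand-in are assumptions constructed for this example; a real deployment would run this on the decoy file server and wire `should_isolate` to the NAC or EDR integration rather than returning a boolean.

```python
# Added example: canary-file monitor for a decoy share.
# Not Fortinet's code; names, thresholds and sample data are assumptions.
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed set of extensions that encryptors commonly append (illustrative only).
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# Encrypted or random data approaches 8 bits/byte; office documents sit far lower.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def seed_decoys(share: Path, count: int = 3) -> dict:
    """Write low-entropy decoy 'documents' and return {name: sha256} as the baseline."""
    share.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(1, count + 1):
        p = share / f"Q{i}_payroll_summary.docx"  # constructed, enticing-looking name
        p.write_bytes((f"Payroll summary draft {i}. " * 200).encode())
        baseline[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def check_decoys(share: Path, baseline: dict) -> list:
    """Compare the share against the baseline; return sorted [(file, reason), ...]."""
    alerts = []
    for name, digest in baseline.items():
        p = share / name
        if not p.exists():
            alerts.append((name, "missing"))  # deleted or renamed by the encryptor
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            reason = "encrypted" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "modified"
            alerts.append((name, reason))
    for p in share.iterdir():  # anything new on a hidden share is suspect
        if p.name not in baseline:
            reason = "ransom_extension" if p.suffix.lower() in RANSOM_EXTENSIONS else "unexpected_file"
            alerts.append((p.name, reason))
    return sorted(alerts)


def should_isolate(alerts: list) -> bool:
    """Isolate the host on encryption indicators; plain edits are logged but not acted on."""
    return any(reason in {"encrypted", "ransom_extension"} for _, reason in alerts)


def simulate_encryptor(share: Path, rename: bool) -> None:
    """Constructed stand-in for ransomware: overwrite with random bytes, optionally rename."""
    for p in list(share.iterdir()):
        p.write_bytes(os.urandom(p.stat().st_size))
        if rename:
            p.rename(p.with_name(p.name + ".locked"))


def run_demo(rename: bool = True) -> dict:
    """Seed a temporary share, verify it is clean, run the fake encryptor, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "decoy_share"
        baseline = seed_decoys(share)
        clean = check_decoys(share, baseline)
        simulate_encryptor(share, rename)
        after = check_decoys(share, baseline)
        return {"clean": clean, "after": after, "isolate": should_isolate(after)}


if __name__ == "__main__":
    result = run_demo()
    for file, reason in result["after"]:
        print(f"{reason:16} {file}")
    print("isolate endpoint:", result["isolate"])
```

The entropy check matters because an encryptor that overwrites files in place without renaming them defeats an extension-only rule; the hash comparison catches the change and the entropy of the new content distinguishes encryption from an ordinary edit. Note the ordering caveat this implies for step 5: the alert fires when the ransomware reaches the decoy share, so how much of the endpoint's local data is lost before that depends on the order in which the malware enumerates drives.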

Not only does cyber deception use ransomware's own techniques and tactics against it to trigger detection; more importantly, it uncovers the attacker's tactics, techniques, and procedures (TTPs) that led to the successful foothold in the network, so those weaknesses can be mitigated at the security architecture level. Effective deception should provide contextual threat intelligence that traces how an attacker compromised the organization, such as through weak or stolen credentials or a vulnerable endpoint or server that allowed a ransomworm to spread, so those gaps in protection can be closed.

Deception Must Be Part of a Comprehensive Security Fabric to Defeat Ransomware Attacks

Deception technology should be fully integrated with NGFW, NAC, SIEM, Sandbox, SOAR, and EDR solutions to automate the mitigation response based on ransomware detection. By combining deception technology with a comprehensive security platform, organizations will be able to detect and respond to attacks, such as ransomware, long before they can achieve their malicious goals.

Find out how Fortinet integrates AI and machine learning capabilities across our Security Fabric to detect, identify, and respond to threats at machine speed.