Ransomware has recently reasserted itself into the public eye in a big way. The WannaCry attack in May 2017 was one of the worst ransomware outbreaks ever, affecting over 300,000 computers running MS Windows around the world. Unfortunately, the attack has once again demonstrated that far too many organizations do not have an effective security protocol in place, or do not take it seriously until after disaster strikes. In this case, the Microsoft vulnerability exploited by WannaCry had been patched in March (MS17-010), but many users had not updated their machines. Even worse, when the Petya ransomworm was launched a few weeks later, using the same SMB exploit as WannaCry as one of its spreading mechanisms, tens of thousands of organizations were still affected. Although largely mitigated, these attacks are still active, and they serve as a reminder that cybercriminals are constantly on the lookout for easy targets and coming up with new ways to infiltrate them. And far too many organizations are willing to help them by not even doing the basics like patching and updating.
As we help organizations gear up to protect themselves from ransomware, security channel partners must be aware of the evolving capabilities they are up against, such as newly developed security-evasion techniques, and offer their customers effective and competitive solutions.
Ransomware attacks will only become more prolific as Ransomware as a Service (RaaS) gains traction on the dark web, allowing people to simply buy and execute someone else’s malware. On top of the increasing volume of attacks, ransomware is also becoming more sophisticated. Cybercriminals are constantly updating and releasing new iterations of their code in the hope that it will outsmart security features. With that in mind, it is important that IT professionals take a proactive approach to security: anticipate the tactics that attackers might use, perform effective threat analysis, and implement proper security measures to minimize impact.
Research indicates that the next wave of malware and ransomware will be situation aware. As Derek Manky, Global Security Strategist with FortiGuard Labs, puts it, “This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and make calculated decisions about what to do next. In many ways, it will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection.” In other words, attackers are making their ransomware smarter by giving it the ability to detect and evade security measures.
One instance of these more intelligent attacks was recently reported within the Cerber family of ransomware, which researchers found contains anti-sandbox and anti-detection technology to increase its chances of both infection and persistence. WannaCry also contained a check that behaves like an anti-sandbox test, albeit a poorly planned one: it queried a hard-coded, unregistered domain and stopped if the name resolved, which is what happens inside sandboxes that answer every DNS query. Once a researcher registered that domain, the check fired on real machines as well, and new infections exited before encrypting anything.
Sandboxes are a popular security measure that execute potentially threatening code in an isolated, virtual environment. If the code turns out to be malicious, it is not allowed to proceed into the network. Advanced ransomware and other malware variants have now evolved to detect when they are running in a sandbox, and to behave benignly until they have been cleared to enter the network. In order to stay a step ahead of cybercriminals, security must now detect malicious code that is actively disguising itself. This is exactly what Fortinet’s Advanced Threat Protection is designed to provide.
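The following is an added example, not code from the original post or from Fortinet. It lists the environment probes an evasive sample commonly runs (including a kill-switch style DNS check of the kind described above) and the two host profiles, a default analysis VM and a hardened one, are constructed sample data; the thresholds are common heuristics rather than any particular family's values. Its purpose is to show concretely what a sandbox image has to look like so that a sample detonates instead of playing innocent.

```python
"""Sandbox-evasion heuristics as seen from the malware side, and the host
profile a sandbox needs in order not to trip them.

Added example, not Fortinet code. The profile dictionaries are constructed
sample data; thresholds are common heuristics, not a real family's values."""

# MAC OUI prefixes registered to common hypervisors.
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "00:05:69",  # VMware
                   "08:00:27",                          # VirtualBox
                   "00:15:5d",                          # Hyper-V
                   "52:54:00")                          # QEMU/KVM

# Process names a sample may look for in the running process list.
ANALYSIS_ARTIFACTS = ("vmtoolsd.exe", "vboxservice.exe", "procmon.exe",
                      "wireshark.exe", "x64dbg.exe")


def sandbox_indicators(profile):
    """Return the list of heuristics that fire for a given host profile.

    Each check mirrors a real evasion trick; a sample that sees any of
    them typically sleeps, exits, or runs a harmless decoy code path."""
    hits = []
    if profile["cpu_count"] < 2:
        hits.append("single vcpu")
    if profile["ram_mb"] < 2048:
        hits.append("low memory")
    if profile["uptime_s"] < 600:
        hits.append("freshly booted")
    if profile["mac"].lower().startswith(VM_MAC_PREFIXES):
        hits.append("hypervisor mac oui")
    if any(p.lower() in ANALYSIS_ARTIFACTS for p in profile["processes"]):
        hits.append("analysis tooling present")
    # Sleep skipping: sandboxes fast-forward Sleep() to save time, so the
    # sample compares the wall-clock delta against the delay it requested.
    if profile["measured_sleep_s"] < 0.9 * profile["requested_sleep_s"]:
        hits.append("sleep accelerated")
    # Kill-switch style probe: a domain that should NOT exist resolves,
    # which is what happens in sandboxes that answer every DNS query.
    if profile["unregistered_domain_resolves"]:
        hits.append("fake dns (everything resolves)")
    if profile["recent_documents"] == 0:
        hits.append("no user activity history")
    return hits


def sample_would_detonate(profile):
    """The evasive sample's decision: run only when nothing looks staged."""
    return not sandbox_indicators(profile)


# Constructed sample: an out-of-the-box analysis VM.
NAIVE_SANDBOX = {
    "cpu_count": 1, "ram_mb": 1024, "uptime_s": 90,
    "mac": "00:0C:29:AB:CD:EF",
    "processes": ["explorer.exe", "vmtoolsd.exe", "procmon.exe"],
    "requested_sleep_s": 300, "measured_sleep_s": 2,
    "unregistered_domain_resolves": True,
    "recent_documents": 0,
}

# Constructed sample: the same sandbox after hardening its guest image.
HARDENED_SANDBOX = {
    "cpu_count": 4, "ram_mb": 8192, "uptime_s": 7 * 24 * 3600,
    "mac": "D4:6A:6A:12:34:56",   # constructed; not a hypervisor OUI
    "processes": ["explorer.exe", "outlook.exe", "chrome.exe"],
    "requested_sleep_s": 300, "measured_sleep_s": 300,   # no time skipping
    "unregistered_domain_resolves": False,               # NXDOMAIN as on a real host
    "recent_documents": 37,
}

if __name__ == "__main__":
    for name, prof in (("naive", NAIVE_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(name, "->", sandbox_indicators(prof) or "sample detonates")
```

The defender's takeaway is twofold: the guest image must fail every one of these probes (realistic hardware, uptime, user history, honest sleep timing, NXDOMAIN for unknown names), and the probes themselves, such as MAC enumeration, Sleep timing loops and DNS lookups of random names, are worth flagging as suspicious behaviour in their own right.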
The FortiSandbox, a core component of Fortinet’s Advanced Threat Protection, is prepared for this next generation of ransomware with its proactive signature detection and behavioral analysis. Traditional signature detection relies on encountering an exact match of known malicious code. However, there can be thousands of variations of the same malicious code that are not detected by exact-match signatures. Fortinet’s Compact Pattern Recognition Language (CPRL), by contrast, is a proactive signature detection technology that, according to Fortinet, can distinguish over 50,000 code variations within a malware family and stop them from infecting your network. In addition to detecting malicious code variations, CPRL is also able to deeply inspect and detect code that probes for a sandbox environment, which makes that evasion logic moot. Detected code is also cross-referenced with global threat intelligence from FortiGuard Labs to ensure that data is always being compared against the very latest threat findings.
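As an added illustration of the difference between exact-match and pattern-based signatures, the block below is not CPRL (which is proprietary) and not Fortinet's code; it is a small YARA-style hex matcher with `??` wildcards, written for this page. The "samples" are constructed byte strings standing in for a family whose rebuilds change immediates and padding, and the evasion strings list is a hypothetical pre-filter hint, not a FortiGuard signature.

```python
"""Exact-hash signatures versus wildcard byte patterns, plus a static
pre-filter that flags code which looks like it is probing for a sandbox.

Added example, not Fortinet's CPRL. All sample blobs are constructed."""

import hashlib
import re

# Constructed "family": same x86 prologue/call sequence, but each rebuild
# changes the stack-frame size, the pushed immediate and the call offset.
ORIGINAL = bytes.fromhex("558bec83ec206a006844434241e844332211c9c3")
VARIANT_1 = bytes.fromhex("558bec83ec406a006810203040e8deadbeefc9c3")
VARIANT_2 = (bytes.fromhex("9090")                       # leading padding
             + bytes.fromhex("558bec83ec106a0068cafebabee800000000c9c3")
             + b"IsDebuggerPresent\x00")
BENIGN = b"MZ" + b"\x90" * 8 + b"Hello, world\x00"
EVASIVE_UNKNOWN = b"MZ" + bytes(range(32)) + b"SbieDll.dll\x00IsDebuggerPresent\x00"


def compile_pattern(hex_pattern):
    """Turn 'AA ?? BB' into a compiled bytes regex; ?? matches any one byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# One exact hash covers exactly one build.
EXACT_HASH_SIGS = {hashlib.sha256(ORIGINAL).hexdigest()}
# One wildcard pattern covers every build that keeps the same structure.
FAMILY_PATTERN = compile_pattern(
    "55 8B EC 83 EC ?? 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C9 C3")
# Hypothetical pre-filter hints: imports/strings used by sandbox checks.
EVASION_STRINGS = [b"IsDebuggerPresent", b"GetTickCount", b"vmtoolsd",
                   b"VBoxService", b"SbieDll.dll"]


def hash_match(blob):
    return hashlib.sha256(blob).hexdigest() in EXACT_HASH_SIGS


def pattern_match(blob):
    return FAMILY_PATTERN.search(blob) is not None


def evasion_indicators(blob):
    """Strings in the blob that suggest it is looking for an analysis host."""
    return [s.decode() for s in EVASION_STRINGS if s in blob]


def triage(blob):
    """Verdict a static pre-filter could emit before spending sandbox time."""
    if hash_match(blob):
        return "known-bad (exact hash)"
    if pattern_match(blob):
        return "known-family (pattern)"
    if evasion_indicators(blob):
        return "suspicious (sandbox probing), detonate in full sandbox"
    return "no static verdict, detonate in full sandbox"


if __name__ == "__main__":
    for name in ("ORIGINAL", "VARIANT_1", "VARIANT_2", "BENIGN", "EVASIVE_UNKNOWN"):
        blob = globals()[name]
        print(f"{name:16} hash={hash_match(blob)!s:5} pattern={pattern_match(blob)!s:5} "
              f"evasion={evasion_indicators(blob)} -> {triage(blob)}")
```

Two caveats apply in practice. A prologue-plus-call pattern as short as this one would match far too much benign code; real family signatures anchor on distinctive logic. And strings such as `GetTickCount` appear in ordinary software, so evasion indicators are a reason to route a sample to fuller analysis, not a verdict on their own.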
If malicious code is not detected and eliminated in these preliminary steps, it is then executed in a full sandbox environment. Once malicious behavior is observed, temporary signatures are distributed locally to the rest of the ATP infrastructure to detect and defend against it and similar attacks. At the same time, the incident is forwarded to FortiGuard Labs for investigation and categorization so that unknown threats can be made known to everyone.
While a sandbox is a powerful threat detection tool, it is important to note that the full execution and analysis of code in a virtual environment is resource intensive and time consuming. That is why it is combined with other ATP tools such as firewalls, secure email gateways, and endpoint security, which filter out what they can first, to minimize resource strain and keep network speeds high. This multi-tiered security approach enables simultaneous communication and integration with each device deployed in the ATP ecosystem, across the extended Fortinet Security Fabric, as well as with the broader FortiGuard global network.
Fortinet’s ATP solution is uniquely qualified to keep your customers’ network a step ahead of cybercriminals, and protect them from current and future iterations of ransomware for three key reasons.
First, it already provides the ultimate solution to the looming ransomware threat through the FortiSandbox and its CPRL pre-filtering, which determines if malicious code is searching for a sandbox in order to evade security measures.
Next, Advanced Threat Protection is fed by both global and local threat intelligence in real-time. Systems are updated with intelligence gathered across the entire global Fortinet network, as well as with local intelligence from the sandbox and other security devices deployed in the network. This ensures security systems are armed with the most up-to-date threat information and the protocols needed to combat them.
Lastly, each element of the Advanced Threat Protection infrastructure communicates and collaborates to ensure there are no security gaps, which can be a real challenge for security posture solutions provided and managed by multiple vendors.
Moving forward, your customers are more likely to encounter smart ransomware that has the capability to detect and evade security measures. To maintain a strong security posture and mitigate these threats as quickly and seamlessly as possible, it is important to anticipate new iterations and evasion tactics employed by ransomware, and to adopt security measures that can already mitigate them.
Let’s get a conversation going on Twitter! What do you think of ransomware detection evasion tactics?