How to Design a Prevention Stack to Stop Ransomware

Today, any random Google search for “ransomware attack” will result in a new story of an organization impacted by ransomware, and usually not for the first time. Ransomware attacks are an efficient and effective weapon for criminals who want to harm any business through crucial data loss, damaged productivity, and injured brand reputation.  These attacks often have a big price tag attached to them, a combination of the business paying the ransom and the actual downtime the business suffers because of the attack.

At Cybereason, we have seen the number of ransomware attacks increasing, especially with modern day events. We even released the results of a honeypot recently, where we delved into multistage ransomware being used to steal credentials and establish persistence on the network. Both of these activities are fairly common, but it is interesting to see the bigger picture, especially considering this attack was targeted at critical infrastructure providers.

These attacks start with an infection. Attackers use different techniques to introduce malware into the organization, whether it is social engineering to get a user to open a malicious file or click on a malicious URL. In some cases, it is even a stray USB device with malicious code that has been plugged into the target machine.

Assuming the attacker was not prevented in the infection phase, once the victim opens the file, the ransomware starts to encrypt sensitive data immediately. The only way to access these files once they have been encrypted is to pay the ransom for the encryption key. Ransomware can also be run without being stored on disk, which is more evasive. These are known as fileless attacks, where code only runs in memory with familiar and signed tools like PowerShell or .NET.

Layers of Prevention

To protect your organization from a ransomware attack, it’s important to leverage multiple layers of prevention. At Cybereason, we use a multi-layered approach to get the maximum protection. The multi-layered approach gives you the ability to block ransomware across levels, which reduces the attack surface and the attackers options when it comes to ransomware.

  • Device Control: Device control and personal firewall capabilities prevent unfamiliar USB devices from accessing the machine and unsafe websites from being visited.
  • Phishing Protection: A strong phishing protection mechanism will be able to detect suspicious document behavior and prevent any malicious macros from running.
  • Fileless Protection: If a threat is able to gain initial access and start to run, a layer of fileless protection can recognize and analyze that activity, as well as the malicious use of PowerShell or .NET.
  • Exploit Protection: Exploit protection identifies when an attack is trying to exploit a vulnerability in the OS or to execute a zero-day and block it.
  • Anti-malware: Anti-malware capabilities detect known and unknown malware and block them once executed.

In 99% of cases, these prevention layers are enough. But as we know from red teaming, the attacker will always find a way to get into the organization with enough resources and effort. To defend against that, we created an additional layer into our solution: deception techniques. Deception techniques are designed to identify ransomware behavior and trick the attacker. Once identified, these techniques are able to stop encryption before legitimate sensitive data is harmed.

By combining all of these layers, we can create a stronger and more complete prevention stack that covers as many aspects of the attack as possible.

For a glimpse of what modern ransomware looks like and how they're evading legacy prevention solutions, check out our ransomware decoded whitepaper.

Download »

Noa Katsovich
About the Author

Noa Katsovich