Ransomware is among the most feared of the myriad cyber threats out there today, putting critical data at risk and costing some organizations tens of millions of dollars in damages and ransoms paid. However, according to security startup Lumu Technologies, ransomware doesn’t appear in a vacuum.
A ransomware infection is usually preceded by what Lumu Founder and CEO Ricardo Villadiego calls “precursor malware,” essentially malicious code that has been around for some time and lays the foundation for the upcoming full ransomware campaign . Find and fix this precursor malware and a company can stop the ransomware attack, the theory goes.
“The moment you see your network — and by network I mean the network that defined modern times, whatever you have on-site, whatever’s out there in the clouds, whatever you’re with your Remote users – if you see any assets from your network contacting an adversary infrastructure, eliminate that contact because that puts you in your zone of maximum resistance to attack,” Villadiego said The registry.
If an organization finds that its network is making contact with what appear to be command-and-control servers of malware such as Emotet, Phorpiex, SmokeLoader, Dridex, and TrickBot, closing those contacts immediately will “eliminate the catastrophic effect that is called the ransomware attack “, he said.
Lumu outlined the idea of the warning signs of an imminent ransomware attack in a short report – what the company calls an “index card.” – this month. In it, the startup outlines a vicious circle of ransomware.
Citing statistics from cybersecurity consultancy CyberEdge, Lumu said victims who pay the ransom are increasingly recovering their data, from 19.4 percent in 2018 to 71.6 percent last year. This has resulted in companies willing to pay the ransom — 38.7 percent in 2018, 57 percent now — despite recommendations and pleas from government and cybersecurity experts not to pay.
As more companies pay, threat groups are encouraged to launch ransomware attacks and invest more money in their efforts, the Lumu researchers wrote, adding that the result is more infections. Several US agencies – the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA – joined their counterparts in the UK and Australia in February Issuing a joint opinion which indicated that ransomware threats will increase around the world this year.
Combating the precursor malware when it occurs can reduce the incidence of ransomware, they say. Of the more than 2,000 companies Lumu monitors, every ransomware attack has been preceded and paved by other malware.
“When we look at the affected companies, there were many signs that occurred months — and in some cases more than three months — before the ransomware attack,” Villadiego said. “If you see a network contacting these precursors to ransomware, there are other malware that do less damage.”
The precursor malware will spread laterally across an organization’s network and devices, escalating access before a ransomware package is deployed, he said. Enterprise security professionals may see some type of activity and assume that their firewalls or Endpoint Detection and Response (EDR) software intercepted and protected it, even though only the precursor was caught. At the same time, an organization’s security operations could be swamped with unrelated alerts that they pay more attention to than those of the precursor malware, he said.
Meanwhile, the bad actors have months to launch a ransomware outbreak, the CEO said.
“What we are making clear to the organizations we protect is that your point of maximum resilience to attack is your point of lesser contact,” he said. “Whatever that infrastructure is, it will have maximum resilience to attack… My advice to security operators is to deal with small issues so you don’t have to deal with a catastrophic event of a ransomware attack. And what is a small problem? A small security concern is when your network starts making contact with these adversary infrastructures, which usually goes unnoticed and typically does not generate an event that compels operators to take action.”
The company identified the malware backend that was most frequently detected as a contact. Topping the list is Emotet, a banking Trojan that was first discovered in 2014 and later evolved into spamming and malware delivery services. Among the other malware were Phorpiex (a botnet first discovered in 2016 that later involved cryptojacking and ransomware distribution), SmokeLoader (a backdoor for malware delivery), Dridex (known for stealing banking credentials), and TrickBot (a banking Trojan).
Villadiego founded Lumu in 2018, based in Doral, Florida. The company, which raised $7.5 million in Series A funding a year ago and employs approximately 80 people, offers the Continuous Compromise Assessment model, which allows organizations to identify compromises in their systems in real time measure and automate countermeasures. The technology integrates with security tools that organizations are already using, providing insight into compromises and enabling organizations to target compromise searches.
Lumu evaluates and collects information on aspects such as DNS queries, network flows, access logs, firewalls and proxies, and correlates the data to determine if an asset is attempting to contact adversary infrastructure. With this information, organizations can end such contacts.
Enterprises spend millions of dollars on security products and Managed Security Services Providers (MSSPs), but often their security teams do not compromise.
“It’s hard to find something that we’re not looking for,” he said, adding that many assume their organization is safe. “That’s the wrong mindset, and the breaches that have occurred show that. A better course of action is to assume you’re compromised and let your network prove otherwise. Let the network prove it’s not you.” ®