Ransomware: Critical Infrastructure Is the New Hostage
Once again, ransomware strikes with impunity at critical national infrastructure within the United States, and the forensic analysis begins post-damage to discover yet another signature to publish and monetize.
Ransomware is one of the most paralyzing attacks on information technology (IT) systems and an imminent advanced threat for operational technology (OT) systems. It is extremely difficult to prevent such coordinated and sophisticated attacks that can cause disruption of essential services and significant financial costs to restore operational integrity. The best remediation strategy would be to perform regular data backups for full system restoration.
While this may work for hundreds of tightly managed enterprise servers, it will not scale for the thousands of emerging distributed multi-access edge computing (MEC) gateways or millions of loosely managed in-field (brownfield and greenfield) devices, such as surveillance cameras, controllers, sensors, and actuators. Ransomware delivery methods have become more sophisticated, and they are now prevalent across enterprise and consumer ecosystems.
Low-and-slow cyber subterfuge
Ransomware can land as a seemingly benign initial “egg” download and then traverse a complete lifecycle: network surveillance, lateral propagation, command-and-control communications, malicious beacons, file system (or data) encryption, and finally an extortion transaction. The modus operandi is a low-and-slow attack, without the massive movement of data over the network that might alert SOC operators.
What is being held hostage for the ransom payment is not the data, but the private key needed to decrypt the locked file system (or data). If you have a data backup, you can restore and recover the data without paying the ransom, but it consumes IT cycles to recover the assets, including purging the servers/devices and buying new servers/devices. If you don’t have backups, you pay the ransom. Further, after you pay the ransom, you need to verify the integrity of the recovered data for “residual” tamper evidence.
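The integrity check on recovered data that the paragraph above calls for, as an added example in Python that is not part of the original article: a keyed (HMAC) manifest of file digests is built before backup with a key kept off the protected host, and after restore the tree is diffed against it so altered, missing and unexpected files are reported; the directory layout, file names and key are constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile
def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, key):
    # Digest every file under root, then seal the table with an HMAC under an offline key
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_restore(root, manifest, key):
    # Check the manifest seal first; a manifest edited without the key is rejected outright
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {"manifest_tampered": True, "modified": [], "missing": [], "added": []}
    current = build_manifest(root, key)["entries"]
    recorded = manifest["entries"]
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }

def _write(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    # Constructed scenario: seal a small backup, then "restore" a tree with residual changes
    key = b"constructed-demo-key-store-offline"  # hypothetical key, never kept on the protected host
    with tempfile.TemporaryDirectory() as root:
        _write(root, "config.ini", b"mode=safe\n")
        _write(root, "sub/plc.bin", b"\x01\x02\x03")
        manifest = build_manifest(root, key)
        _write(root, "sub/plc.bin", b"\x01\x02\xff")   # one recorded file came back altered
        _write(root, "note.txt", b"unexpected\n")       # one file appeared that was never backed up
        restored = verify_restore(root, manifest, key)
        forged = dict(manifest, entries=dict(manifest["entries"], **{"note.txt": "00" * 32}))
        return restored, verify_restore(root, forged, key)["manifest_tampered"]
```

Because the seal is keyed, an attacker who can rewrite the restored files cannot also rewrite the manifest to match unless the key was left on the same host.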
Anatomy of a ransomware attack
Ransomware software generates a private-public cryptographic key pair, initiates a rendezvous with the attacker’s roaming server, encrypts the file system (data) with a protected symmetric encryption key, and beacons the private key required to recover (release) the encrypted (hostage) data out to the rendezvous server. The rendezvous server may vanish before the forensic sleuths arrive to investigate, and the attackers may rely on domain generation algorithms for future rendezvous. That the attack gets this far indicates inadequate network perimeter controls, lateral movement detection, and endpoint security controls for on-device monitoring.
Traditional threat intelligence based on reputation lists, regular expressions (Snort, Suricata, NIST SCAP, STIX/TAXII, etc.), or code (file) signing will not help detect such advanced, fast-acting, and constantly morphing attacks. This requires inline protection, at run time and in real time, for early detection of landed malware post intrusion (but before damage).
CISO/IT budgets typically focus on the traditional detection-based checklist of tools and methods – such as network intrusion detection systems, intrusion prevention systems, anomaly based deviation from baseline, anti-virus signatures, endpoint scan/harvest/inspect, and post-compromise forensic sciences to harvest signatures. With this multi-layer defense comfort zone, successful intrusions (true negatives) and system breaches will prevail in IT-managed ecosystems for many more years to come without a paradigm shift to deal with motivated hackers who innovate.
Targeting fear and corporate reputation
In OT, the consequences of a ransomware attack targeted at in-field devices will be catastrophic, because the attacker’s motive will not only be financial gain: the attack will also be designed to trigger public panic and damage brand reputation. The cybercrime syndicate’s motivation, ranging from social activism to extortion to playing digital Robin Hood, is amplified by the inability to trace the malware back to its developers for proportional retribution, and by the inability to track the ransom payment to its beneficiaries, since it is typically paid in cryptocurrencies. Ransomware is the weaponization of cryptography in an emerging wave of bitcoins, along with sophisticated open-source tools and methods to develop, distribute, evade detection by grammar- and sandbox-based techniques, and propagate laterally to high-value assets.
Cryptography is the Achilles’ heel of cybersecurity. To fight ransomware, one must “nip it in the bud” with supply chain provenance for trusted content delivery, and track-and-trace through the digital trust chain back to the developer, much like tracer rounds at night. Digital transformation requires digital trust in the supply chain for scalability and safety as connected (insecure) devices and (gullible) users proliferate on the Internet. On-device protection requires API firewalls and explicit trust anchors with platform-level attestation of measured state.