Stopping Ransomware and Lateral Movement with Segmentation

If there’s something that we all learned during the last decade, it’s that ransomware attacks are a thing – and they are here to stay.

While ransomware attacks started as drive-by attacks that did not target a specific person or organization, today ransomware has evolved into a lucrative business requiring planning, income management and hands-on hacking knowledge.

How did Ransomware get started?

If we look back to just a few years ago, most ransomware attacks used malvertising as their initial penetration vector, targeting pretty much anyone who would load these malicious ads, be it ‘Bob from accounting’ in a large corporation or someone’s grandmother trying to read her emails. Ransomware did not really distinguish between who it was targeting – it targeted everyone. If these victims paid, great, and if they didn’t, it was fine because there were plenty of other fish in the sea.

However, this all changed in 2012 with Shamoon, a targeted Iranian cyberattack against the Saudi Aramco corporation. Shamoon allowed the attackers to exfiltrate large quantities of information out of Aramco, and once the exfiltration was done, the attackers used Shamoon to overwrite the Master Boot Record on the attacked machines, rendering them useless until they were reinstalled. This caused a substantial amount of downtime for the company.

How did Ransomware evolve?

Fast forward to 2017. WannaCry and NotPetya, two devastating ransomware attacks, wreaked havoc on large corporations and government entities. The most notable were the British NHS and shipping conglomerate Maersk, which were completely knocked offline by WannaCry and NotPetya respectively. The unique thing about these attacks, other than showing how fragile the internet is, was that they used 0-day vulnerabilities to move laterally between computers on the network in a virulent way, infecting every machine they encountered and rendering it completely useless. A lot was written about NotPetya and WannaCry, but we know today that the motives behind these attacks were related to cyberattacks initiated by a nation-state adversary.

These ransomware attacks then started being used by crimeware groups, which until that point were mostly focused on using malware like Zeus (and all of its variants) to breach people’s bank accounts to syphon money. This was often a long, complicated, and risky operation – especially when it came to actually receiving the money. Until now, the prevailing belief was just that it could be easier to target only large corporations and blackmail them into sending large amounts of money in bitcoin, which made ransomware more of a corporate threat that CISOs need to worry about, but not necessarily unsuspecting private citizens.

Now jump to 2020. While the COVID-19 pandemic raged on around the world and most people were forced into working from home, completely changing threat models, risk factors and network architectures on very short notice, the world started seeing ransomware attack operators change their modus operandi. They were now targeting large companies with double extortion attacks, in which the attackers not only breach the organization, encrypt the files and hold them hostage, but also exfiltrate that highly valuable data and threaten to make it publicly available if the ransom is not paid.

So how do we combat the ransomware threat?

This new age of ransomware attacks shines a light on a problem whose solution is long overdue: lateral movement.

In order for the attackers to exfiltrate all of that data, they have to know where it is on the network, and in order to know that, they have to map the network and know it just as well as (if not better than) the people who originally built it. This requires the attackers to “move laterally” from one machine/server to another, often using different credentials stolen from various machines across the network.

Many security vendors tried to solve this problem, and some succeeded more than others. The security market has seen new types of products emerge over the years to prevent this very problem – from DLP solutions to EDRs and EPPs – and they have all tried, but with only very partial success in solving the problem of lateral movement.

Solving lateral movement is hard – attackers are using the features of a network against itself.

They will use administrator credentials and various legitimate administrative tools (such as Microsoft’s own PsExec or Remote Desktop, or even WMI) to move from machine to machine, executing malicious commands and payloads in order to steal data and later encrypt the network and start the extortion operation. Many organizations are investing resources in trying to put a band-aid on this problem by over-monitoring various resources with EDR/EPP products that weren’t meant to be used for that purpose, which results in only partial success in mitigating or even lowering the risk of a ransomware attack.

Halting lateral movement with segmentation

However, there is a solution and it’s much simpler to implement than you may think – network segmentation. Segmentation is something that’s often forgotten or even ignored altogether since it’s believed to be hard to implement, and requires careful attention to network engineering and asset management. Because of this, network segmentation is often disregarded, which leaves networks “flat,” meaning every endpoint or server can talk to every other one without any restriction.

Up until recently, segmenting a network meant putting different assets in different subnets with a firewall in the middle. This didn’t allow any granularity and made managing the network significantly harder. Administrators had to manage complex firewall configurations along with IP address allocations on different subnets, which made designing and scaling the network much harder for the IT staff, while incorrect configurations could lead to either a security risk or a network failure (and in some cases, even to both!). This, again, caused IT staff to not put an emphasis on segmentation and to put much more trust in execution prevention products while leaving the network completely flat and unsegmented.

Executive Order promotes segmentation for slowing ransomware

In a recent U.S. White House memo discussing the growth of ransomware attacks, the often-overlooked importance of network segmentation was highlighted, alongside more traditional precautions and recommendations such as patching, 2FA and updated security products.

Network segmentation helps not only to mitigate the risk in some cases, but also to significantly lower the risk of a double extortion attack if implemented properly, by containing and minimizing the “blast radius” of a ransomware attack. Even if the antiviruses and EDRs failed to prevent the ransomware from executing, proper segmentation will keep that damage contained and won’t allow the attackers to move laterally across the network, stealing more data and encrypting more machines.

The granularity of segmenting a network with Guardicore’s unique software approach allows you to create “network silos” between servers, applications, different operating systems, cloud instances and so on. The strength of lowering ransomware risk by using a proper segmentation policy comes from its simplicity – a bit can either travel on the wire (or a vSwitch) to a different machine (or a VM/container) or it can be blocked. Blocking it renders the attackers’ attempt to reach more resources on the network useless, giving the blue team more time to respond to the attack and update the key stakeholders in the organization so they can make informed decisions about the damage of said attack.

Network segmentation is not an alternative to an antivirus or an EDR platform. It is a supplemental approach that has proven to significantly reduce, if not completely eliminate, the risk of large-scale lateral-movement-based attacks across organizations.
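
To make the “blast radius” idea concrete, here is an added example (not part of the original post and not Guardicore’s product or policy format) that compares a flat network with a default-deny, label-based allow-list and computes which hosts an intruder could reach over the admin protocols named above. The host names, segment labels and rules are constructed for illustration, and the model assumes the worst case that working credentials exist for every host reached.

```python
from collections import deque

# Constructed inventory (hypothetical hosts): host -> segment label.
HOSTS = {
    "ws-bob": "workstations", "ws-alice": "workstations",
    "jump-01": "admin", "app-01": "app", "app-02": "app",
    "db-01": "database", "fs-01": "fileserver", "bkp-01": "backup",
}

# Ports used by the admin tools the article names: SMB (PsExec), RDP, RPC (WMI).
ADMIN_PORTS = frozenset({445, 3389, 135})

# Constructed allow-list: (source segment, destination segment, port).
# Anything not listed is denied, including traffic inside a segment.
SEGMENTED = {
    ("workstations", "app", 443),
    ("workstations", "fileserver", 445),
    ("app", "database", 5432),
    ("backup", "fileserver", 445),
    ("admin", "app", 3389), ("admin", "database", 3389),
    ("admin", "fileserver", 3389), ("admin", "backup", 3389),
}

def allowed(policy, src, dst, port):
    """policy=None models a flat network where every flow is permitted."""
    if policy is None:
        return True
    return (HOSTS[src], HOSTS[dst], port) in policy

def blast_radius(policy, start, ports=ADMIN_PORTS):
    """Hosts reachable from `start` by chaining flows on `ports` (worst case:
    the intruder holds working credentials for every host reached)."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in seen and any(allowed(policy, src, dst, p) for p in ports):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def admin_port_rules(policy):
    """Allow rules that still carry an admin protocol: the ones to review first."""
    return sorted(rule for rule in policy if rule[2] in ADMIN_PORTS)

if __name__ == "__main__":
    for name, policy in (("flat", None), ("segmented", SEGMENTED)):
        for start in ("ws-bob", "jump-01"):
            print(name, start, sorted(blast_radius(policy, start)))
```

In this constructed policy a compromised workstation can still reach the file server over SMB, which is why the rules returned by admin_port_rules are the ones worth tightening or monitoring first.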


This blog was shared by Guardicore and written by Amit Serper.