Protect against Ransomware
What is Ransomware
A ransomware attack is a malware based attack that encrypts victims files and folders and demands ransom to decrypt the files. The attack typically occurs when a user clicks a link in the email by mistake which triggers the malware to download and execute on the user’s machine. The malware starts encrypting the file and once encrypted the malware displays a message that the user machine is encrypted and it requests payment to decrypt the files. The attacker normally demands ransom in bitcoin or other crypto currencies for decryption.
Types of Ransomware
There are different types of Ransomware. Attacker choses the type of ransomware to implant based on the motive of the attack
Crypto Ransomware
This is the most common type of ransomware. Attacker encrypts the victims file and demands payment in crypto currency to decrypt the files. This attack is targeted against both individuals and businesses. It often uses ransomware as a service model to distribute the malware
Locker Ransomware
This is a type of an attack where the attacker locks the victimes device and demands ransom to unlock the device
Scareware
This is a type of malware which scares the victim that their machine is infected with a virus and demands payment to remove the virus infection and stay protected. Attackers often don’t infect the machine with virus but use it as a tactic to demand ransom.
Doxware / Leakware
This is a type of attack where the attackers threaten the victim that he will publicize sensitive personal information unless the ransom is paid. This attack is applicable to organizations as well where the attacker threatens to publicize companies sensitive information unless the ransom is paid.
Double Extortion
Double Extortion or multifaceted attack is a type of attack where the attacker infiltrates the organizations network; identifies the intellectual property and exfiltrates the it. Then attacker encrypts the data and demands organization to pay ransom threatening that the attacker will publicize the intellectual property if the ransom is not paid. If the ransom is not paid by the organization the attacker sells the data and publicizes the data in blogs and online forums.
Ransomware Attack Stages
Ransomware attack is a multistaged attack where the attacker performs multiple different steps to exploit the end machine and encrypt data. The ransomware attacks are typically run as campaigns where an attacker looks for potential victims through phishing emails with specific software vulnerabilities. Some ransomware attacks are more targeted towards a specific company or a group of companies with similar software vulnerabilities. Few ransomware attacks are also propagated as software supply chain attacks exploiting specific vulnerability in the software supply chain stack. Below is an example of typical ransomware flow
Reconnsiance
This is the 1st stage where an attacker tries to collect information like infrastructure, vulnerabilities that may exist etc. at potential victims and target companies. Attacker uses techniques like social engineering to gather information about the target victims
Initial attack
This is a phase where the attacker delivers the payload to the victims through phishing emails or other techniques. And the victim clicks on the link
Exploitation
This is a phase where the malware exploits the vulnerability on the victims machine and installs in the machine.
Command & Control communication
This is a stage where the malware contacts the command & control server to download the encryption keys to start the encryption process
Encryption & lateral movement
This is the stage when the attacker starts encrypting the victims machine and starts moving laterally inside the environment to encrypt other machines.
Demand Ransom
This is then stage when the attacker completes encryption of the machine, exfiltrate data and ask ransom from the victim for decryption and to return the data
Protect Google Cloud Resources against Ransomware
Below is a list of best practises and suggestions to protect Google Cloud Resources against Ransomware
- Keep all software up to date
- Use strong passwords & multi factor authentication
- Implement least privilege model for cloud services using IAM
- Disable all unwanted services and fine tune services to meet CIS benchmarks
- Protect software supply chain using software delivery shield
- Adopt Zero trust security like Beyondcorp
- Configure network segmentation and allow only required services through firewall
- Implement Next Generation Firewall
- Implement technologies like Endpoint Detection & Response
- Implement detection services like Google Cloud Chronicle, Security Command Center
- Harden the GKE clusters
- Automate infrastructure deployments using cloud build
Ransomware attacks are one of the biggest challenges organisations are facing today. They have to invest on the right the cybersecurity protection solutions and follow the best practise to stay protected against ransomware attacks.
