Seven ways to detect ransomware beyond antivirus

Ransomware is a creative malware that infects systems and locks down data, preventing users from accessing it until a ransom is paid. It can affect individuals and businesses alike, but can become a critical threat for enterprises dealing with huge amounts of data.

Once you are infected with it your data is more or less lost, unless backups are available. In these types of threats, it is better to focus on prevention and detection mechanisms before it is too late. Due to the evolving threat situation in the Ransomware space, it is ineffective to have a signature oriented approach to detection. The new breed of security products need to be multi-pronged and should be able to look at multiple dimensions to protect an organization or individuals from such attack

1. Secure Network Shares
At a basic level, none of the shared folders should have read\write rights to “Everyone” in the group. Malware needs to propagate further to maintain stealth and persistence in the network. It will have to find a mechanism to copy files to the connected target machines. Ensuring shared folders do not have open ended permissions can prevent this from happening. Tools to warn you of such violations should be deployed.

2. Regular Analytics on Service Usage
If you are not using any services, then it is better to stop them. Unused services are often not monitored and tend to remain undetected. Malwares look for such gaps and use them to piggyback and maintain stealth. Tools to detect such unused services will enable you to make decisions on stopping such services.

3. Detect Internal C&C Accounts
Malwares create local accounts to conduct activities in a stealth mode. Once a malware gets hold of a local account, its activities become authorized and an antivirus may not be able to flag it. The solution is to run periodic discovery tools for user accounts across the systems and detect such Command & Control accounts.

4. Actively Detect Rogue Browser Plugins
A common entry point for Ransomware is through browsers. Most times malwares are pushed into a system through malicious plugins that get installed by users while browsing. Tools that can continuously scan browsers across network endpoints and force its removal is needed.

5. Applying Threat Intel on Outbound Connections
Firewall, IPS, WAF, NetFlow and Proxy are devices through which outbound traffic of your organization goes through. The need of the hour is to have a tool that can sift through this outbound data across these technologies. Such centralized monitoring tools of all outbound traffic combined with the ability of the tools to apply Threat Intelligence on malware sites, IP addresses, C&C and Botnet URLs to the outbound traffic  ..

6. Scan for Indicators of Compromise
There is usually a delay in anti-virus signatures of new malwares and variants. Till the signatures are established you are at a risk. Some Ransomware type of malware does not have fixed signatures. They keep changing their signatures to avoid detection. In such a situation, other Indicator of Compromises (IOCs) should be used for detecting malware. There is a need for IOC-based scans rather than signature-based scans.

7. Detect Drive by Downloads
The indicators of Drive by Download are available in Proxy, NetFlow and DNS logs. Tools that can analyse such logs to determine patterns or outliers indicating Drive by Download behaviour is needed.

Conclusion
Ransomware uses new paradigms of stealth which makes it difficult to detect. Combating Ransomware type of threats needs multi-dimensional approach that focuses on a number of factors as outlined above. So to fight such threats, you will need to enable yourselves with tools that provide a comprehensive solution across these multiple dimensions.