Ransomware: Understanding the threat and blocking lateral movement

May 12, 2021

A guest blog by ITHealth partner, Osirium – Author: Andy Harris, Chief Technology Officer


For years, ransomware has been a serious problem: it starts in user space and migrates across the infrastructure until an organisation can no longer function. Ransomware is targeted at user workstations and often uses social engineering to get the user to launch it. System and network administrators and developers are targeted through tampered (trojanised) utilities.

All of this makes the various perimeters in your infrastructure very hard to defend. You will need to rely on full coverage of up-to-date anti-malware on ALL systems that access your infrastructure – that means not only your staff, but also your contractors, vendors, auditors and any other third party granted access.

It’s really an over-generalisation, but there are three ‘bands’ of ransomware:

  • User space: typically end-user workstations and laptops. This ransomware often needs no special privileges; it immediately encrypts the files the user normally sees and asks for the ransom once documents and images are encrypted. It continues to encrypt while the demand banner is displayed.
  • System space: the shared IT systems, services and data that are key to business operations. This variety uses the underlying file system or device drivers to encrypt local files, then infects files and migrates onto user shares. It continues to serve files to users for weeks, so that both the encryption and the infection are well embedded in the backup cycle. Once the trigger day has passed, the demand banner is shown on all infected systems, and systems restored from an infected backup immediately show it too.
  • Pop-up nuisance: this merely pops up a banner over the entire screen demanding a bitcoin ransom. In reality it has done nothing to the file system; it is mostly designed to fool home users and harvest a little bitcoin.

It is the ‘system’ style of ransomware that is the most dangerous. It is mostly built from online toolkits and can be adapted to target specific organisations.

Once running, ransomware seeks to infect and encrypt every file it can reach, so its initial spread is limited to whatever ‘patient zero’ can access. Ransomware seeks out network file shares, which means other users can pick up the infection from those shares, and that is what causes the spread.

There are two important factors here. First, if ‘patient zero’ has administrator rights, they can access far more than a regular user. Second, time: ransomware generally has a delay so that other users can get infected before the demand appears, increasing the reach of the attack.

Ransomware is a specific type of malware, so anti-malware tools are the first line of defence. However, every organisation should recognise that 100% coverage of all workstations is impossible and that new variants always appear that elude anti-malware. The second line of defence is therefore vital.

In cybersecurity we first need to know which data assets are most important to the organisation, and which would stop the company operating if lost. These drive our backup policy, bearing in mind that we may be backing up assets already polluted with ransomware (I recently wrote about the challenges of protecting backups and backup systems). Knowledge of the critical assets also drives our file-sharing and permissions policy: critical systems should never use the same file shares as the general user base.

Pure data cannot be infected. Ransomware tends to arrive in active containers, for example documents and spreadsheets; once the user opens the container, the application reading the document executes the ransomware. Obviously, the impact of running applications with unnecessary admin rights is greater. Right now, far too many people have local admin rights because they are working from home. Osirium’s Privileged Endpoint Management (PEM) product controls which applications can run with local admin rights: if it cannot run, it cannot infect.
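The ‘active container’ point above is the one a mail gateway or file-drop scanner has to act on: decide from the bytes of the document whether it carries executable content, not from its extension. The following is an added example written for this post, not Osirium’s code. It classifies Office documents by content (an OOXML package carrying a VBA project part or content type, a legacy OLE compound file, or neither) and turns that into a triage decision. All sample files are constructed in memory, the `vbaProject.bin` body is a placeholder, and the decision table is an assumed policy.

```python
"""Content-based triage of inbound Office documents (added example, not Osirium's code)."""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsm/...) is a zip package
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_document(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other', judged from bytes only."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live inside OLE streams, which this
        # example does not parse, so it is flagged for inspection instead.
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A VBA project part anywhere in the package means active code.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Also honour the package's content-type registry, in case the part was renamed.
            for n in names:
                if n.lower() == "[content_types].xml":
                    if VBA_CONTENT_TYPE in zf.read(n).decode("utf-8", "replace"):
                        return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"


# Assumed policy: macro-bearing packages are quarantined, unparsed formats inspected.
DECISION = {"ooxml-macro": "quarantine", "ole-legacy": "inspect",
            "ooxml-clean": "allow", "other": "inspect"}


def triage(files):
    """Map filename -> decision, ignoring the extension entirely."""
    return {name: DECISION[classify_document(data)] for name, data in files.items()}


def _build_ooxml(parts):
    """Build a minimal OOXML-style zip package from a {part name: body} dict (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CT_PLAIN = ('<Types><Override PartName="/word/document.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
CT_MACRO = CT_PLAIN.replace(
    "</Types>", f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/></Types>')

# Constructed samples. 'invoice.docx' has a harmless-looking extension but its
# package carries a VBA project; the classifier decides from content, not name.
SAMPLE_FILES = {
    "report.docx": _build_ooxml({"[Content_Types].xml": CT_PLAIN, "word/document.xml": "<w:document/>"}),
    "invoice.docx": _build_ooxml({"[Content_Types].xml": CT_MACRO, "word/document.xml": "<w:document/>",
                                  "word/vbaProject.bin": b"\x00" * 32}),   # placeholder VBA part
    "old-memo.doc": OLE_MAGIC + b"\x00" * 64,
    "notes.txt": b"plain text, not a container",
}

if __name__ == "__main__":
    for name, decision in triage(SAMPLE_FILES).items():
        print(f"{name:14} {classify_document(SAMPLE_FILES[name]):12} -> {decision}")
```

The two checks inside the package are deliberately redundant: the part-name test catches the common case, while the content-type test catches a package whose VBA part has been given an unusual name. A legacy OLE file is routed to inspection rather than parsed, because deciding whether a compound file carries macros needs a proper OLE stream parser.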

Ransomware needs file access or file transfer to spread, so unnecessary drive mappings to critical systems are clearly troublesome. This is where Privileged Access Management (PAM) provides the administrative access required, controls any file transfers needed and, moreover, leaves no file share mappings in place after administrative sessions. Osirium’s PAM works by proxying the RDP protocol and injecting the privileged credentials, so an admin can use a non-privileged account to access a Windows system at a privileged level. There is no direct connection between the admin and the administered system, and the PAM product can control any file shares required.
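The spread mechanism described in the last few paragraphs (patient zero writes to the shares it can reach, other hosts pick the infection up from those shares, admin rights and drive mappings widen the reach, and a share used by both general users and a critical system lets the infection cross over) can be turned into a quick blast-radius calculation over an access inventory. The following is an added example written for this post, not Osirium’s code; every host, account and share name is constructed sample data, and the model assumes that any host opening files from an infected share becomes infected.

```python
"""Blast-radius model for share-borne ransomware spread (added example, not Osirium's code)."""
from collections import deque

# Constructed: the account that opens files on each host.
HOST_USER = {
    "ws-alice": "alice", "ws-bob": "bob", "ws-carol": "carol", "ws-dave": "dave",
    "srv-erp": "svc-erp", "srv-sql": "svc-sql", "srv-backup": "svc-backup",
}
CRITICAL_HOSTS = {"srv-erp", "srv-sql", "srv-backup"}

# Constructed: shares each account can write to. 'dave-admin' is what dave's
# workstation can reach when he is a local admin with an extra drive mapping.
SHARE_ACCESS = {
    "alice": {r"\\fs1\dept"},
    "bob": {r"\\fs1\dept", r"\\fs1\finance"},
    "carol": {r"\\fs1\finance"},
    "dave": {r"\\fs1\dept"},
    "dave-admin": {r"\\fs1\dept", r"\\fs2\sqlbackups"},
    "svc-erp": {r"\\fs1\finance"},
    "svc-sql": {r"\\fs2\sqlbackups"},
    "svc-backup": {r"\\fs2\sqlbackups"},
}

# Constructed: hosts that open files from each share.
SHARE_CONSUMERS = {
    r"\\fs1\dept": {"ws-alice", "ws-bob", "ws-dave"},
    r"\\fs1\finance": {"ws-bob", "ws-carol", "srv-erp"},
    r"\\fs2\sqlbackups": {"srv-sql", "srv-backup"},
}


def blast_radius(patient_zero, host_user, share_access=SHARE_ACCESS,
                 share_consumers=SHARE_CONSUMERS):
    """Hosts reachable from patient_zero: an infected host writes the payload to
    every share its account can reach, and every host that opens files from that
    share becomes infected in turn (breadth-first over the host/share graph)."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for share in share_access.get(host_user[host], ()):
            for consumer in share_consumers.get(share, ()):
                if consumer not in infected:
                    infected.add(consumer)
                    queue.append(consumer)
    return infected


def critical_reached(infected, critical=CRITICAL_HOSTS):
    """Critical hosts inside the blast radius, sorted for stable reporting."""
    return sorted(infected & critical)


def mixed_use_shares(share_consumers=SHARE_CONSUMERS, critical=CRITICAL_HOSTS):
    """Shares consumed by both a critical host and a non-critical host: the
    'critical systems on the same share as the general user base' violation."""
    return sorted(s for s, hosts in share_consumers.items()
                  if hosts & critical and hosts - critical)


def scenario_regular_user():
    """Patient zero is dave's workstation with ordinary user access."""
    return blast_radius("ws-dave", HOST_USER)


def scenario_local_admin():
    """Same patient zero, but running as a local admin with the extra mapping."""
    users = dict(HOST_USER, **{"ws-dave": "dave-admin"})
    return blast_radius("ws-dave", users)


def scenario_segregated_shares():
    """Regular user again, after moving the critical ERP server off the user share."""
    consumers = {s: set(h) for s, h in SHARE_CONSUMERS.items()}
    consumers[r"\\fs1\finance"].discard("srv-erp")
    return blast_radius("ws-dave", HOST_USER, share_consumers=consumers)


if __name__ == "__main__":
    for name, fn in [("regular user", scenario_regular_user),
                     ("local admin", scenario_local_admin),
                     ("segregated shares", scenario_segregated_shares)]:
        hit = fn()
        print(f"{name:18} {len(hit)} hosts infected, critical reached: {critical_reached(hit)}")
    print("mixed-use shares:", mixed_use_shares())
```

In this inventory the regular-user case already reaches the ERP server, because the finance share is opened by both an end-user workstation and a critical system; the local-admin case additionally reaches the SQL and backup servers through the extra mapping; and taking the ERP server off the user share keeps the infection entirely within workstations. The same walk run over a real share inventory (exported share ACLs plus the hosts that mount each share) is a cheap way to find where a drive mapping or a mixed-use share would let a workstation infection cross into critical systems.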

Using automation as an insulating layer between users and critical systems is by far the safest long-term protection. With Osirium Automation (available standalone or as part of the Osirium PAM solution), processes become a series of tasks run on a secure appliance on the requesting user’s behalf, which is the best separation you can get.

The combination of PEM, PAM and Automation from Osirium creates a series of security cells around your systems that help prevent lateral movement of ransomware from the user’s workstations to your more critical systems.

If you’d like to know more about how Osirium Privileged Access Security can help protect your business from ransomware, please get in touch.
