NTX Use Case - Ransomware

The threat of ransomware and protecting your organization

In 2018, Europol declared ransomware as the single biggest malware threat to global organizations. Indeed, few threats have the ability to cause as much damage as quickly as ransomware does. Ransomware attacks work by extorting money from victims by making their data unavailable. These attacks can be particularly fast and damaging if the organization has not backed up their data. A single, absent-minded click on a phishing link can initiate a company-wide lock down.

Research from Databarracks revealed that nearly a third of UK organizations suffered a ransomware attack in 2018. What impact can ransomware have on your organization, and how can your business protect itself?

What is ransomware?

Though it may feel relatively modern, ransomware has been a threat to businesses and their infrastructure for over a decade. Ransomware falls into two categories: screen lockers and crypto-ransomware. The former used to be the most common: hackers would scare victims into paying by flashing up images which stated the victim had accessed illegal content, followed by a demand for payment. In recent years, crypto-ransomware has come to dominate. Payments and attackers are now kept anonymous, with hackers demanding payment via virtual currencies, and users are told that failure to pay will result in the permanent deletion of their data.

As ransomware has grown more sophisticated over the past couple of years, hackers are moving away from the “traditional” approach of sending out scattered phishing links and malicious attachments. Instead, ransomware attacks are often focused on specific, high-value targets, using tactics such as spreading via exploitation of the Remote Desktop Protocol (RDP), and the use of fileless malware techniques and “living off the land”, thereby avoiding traditional detection tools.

The impact of ransomware

Industries such as manufacturing, healthcare and the public sector often face a considerably higher risk of ransomware attacks, as cybercriminals believe they are more likely to be forced to pay. It’s near impossible to estimate the total amount of money lost to ransomware each year, as many organizations never report these incidents. However, there are a number of major cases that illustrate the financial damage that can be done. One wave of attacks on multiple US cities cost Baltimore at least $18m, caused an outage affecting hospitals, factories, airports and ATMs, and hit several cities across Florida simultaneously. In the UK, the WannaCry ransomware attack is said to have cost the NHS £92m in lost output and emergency IT support.

Whilst these are useful indicators of the financial impact ransomware attacks can have, they don’t paint the whole picture. On top of the ransom, which organizations may or may not choose to pay, they may face lost business, additional IT support costs, customer attrition, brand damage and even regulatory fines. In addition, GDPR regulators can impose financial penalties of up to €20m, or 4% of global annual turnover, if sensitive customer data is lost.

The role of DNS

There are various ways of minimizing the impact a ransomware attack can have, including network segregation, regular patching and multi-factor authentication. However, the increasing sophistication of targeted attacks still presents a challenge to CISOs. One way of improving ransomware insights and preventing attacks is via the DNS.

DNS traffic is vital to any business, constantly ferrying queries to and from servers to ensure employees and users are reaching websites and apps correctly and efficiently. The DNS plays a key role in the ransomware kill chain – for example, it is used during the reconnaissance phase of a targeted attack, when malicious emails are delivered, and when infected clients make queries to resolve command-and-control (C&C) hosts for ransomware downloads and other instructions.

The fact that DNS plays a part in ransomware makes it a crucial control plane for detecting and preventing attacks, as well as for quickly remediating them. Throughout an attack, the identifiable DNS requests provide an opportunity to intercept and identify malicious activity before it causes harm.
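The detection opportunity described above, as an added example that is not part of Nominet's page or product: a small analyser that runs over constructed resolver query logs, flags lookups of known C&C domains from a (made-up) threat feed, and, going slightly beyond the text, also flags unknown hostnames whose leftmost label looks machine-generated, a simple heuristic for the “unknown threat” case. The log format, domain names, addresses and thresholds are all assumptions made for this example.

```python
import math
import re
from collections import Counter

# Constructed resolver log sample: "<timestamp> <client-ip> <qtype> <qname>".
# Every address and domain name here is made up for this example.
SAMPLE_LOG = """\
2019-06-12T09:14:03Z 10.0.4.17 A intranet.example.com
2019-06-12T09:14:05Z 10.0.4.17 A update.example-cdn.net
2019-06-12T09:14:09Z 10.0.4.23 A payloadhost.example.net
2019-06-12T09:14:10Z 10.0.4.23 A kq7x2vz9pl4mwr8t.example.org
2019-06-12T09:14:12Z 10.0.4.23 A b3n8tq2yxm0v.example.org
2019-06-12T09:14:15Z 10.0.4.31 A mail.example.com
"""
# Constructed stand-in for a threat-intelligence feed of known C&C domains.
KNOWN_BAD = {"payloadhost.example.net"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(label):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(qname, known_bad=KNOWN_BAD, entropy_threshold=3.4, min_len=12):
    """Return a reason if the lookup looks like C&C activity, else None."""
    qname = qname.rstrip(".").lower()
    if qname in known_bad:
        return "known C&C domain"
    # Heuristic for unknown domains: a long, high-entropy leftmost label is
    # typical of machine-generated hostnames; thresholds are illustrative.
    label = qname.split(".")[0]
    if len(label) >= min_len and shannon_entropy(label) >= entropy_threshold:
        return "random-looking hostname (possible DGA)"
    return None

def detect(log_text):
    """Return (timestamp, client, qname, reason) for each suspicious query."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        reason = classify(qname)
        if reason:
            alerts.append((ts, client, qname, reason))
    return alerts
```

On the sample log, `detect(SAMPLE_LOG)` returns three alerts, all from client 10.0.4.23: one blocklist hit followed by two random-looking hostnames, which is the kind of clustering a DNS-based control plane lets an analyst act on early.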

How Nominet can help

NTX reduces risk on your network and eliminates threats before they cause harm. By analyzing network DNS traffic for both known and unknown threats, NTX removes threats from the network and identifies zero-day activity not seen by traditional methods of detection. This narrows the window in which malicious activity can compromise your network.