As Q3 winds down, many organizations are still reeling from the global ransomware attacks that sent security experts and businesses scrambling. With some 400,000 machines in more than 150 countries impacted by WannaCry, and tens of thousands more hit by NotPetya just over a month later, it's no surprise that everyone is a little on edge.
While it might seem like the attacks came out of nowhere, they were actually products of burgeoning trends in malware development. And they've already influenced waves of subsequent attacks, each cleverly designed to bypass traditional firewall and antivirus defenses.
If we limit ourselves to addressing these attacks on a case-by-case basis we also limit ourselves to perpetually playing catch up. But by taking a step back and identifying the common behaviors these attacks rely on, we can position ourselves to be more proactive. Rather than reacting to each new attack as it unfolds, we can invest in solutions that anticipate how it is going to operate, and shift the odds of preemptively blocking it back in our favor.
Here are some of the dangerous malware trends and behaviors we've been identifying and blocking with Barkly in the wake of WannaCry and NotPetya.
1. Infections are happening without users clicking anything.
Attackers no longer have to rely solely on baiting end users into clicking malicious links or email attachments. Malware is now breaching organizations via remote execution exploits (such as EternalBlue) or via Remote Desktop Protocol (RDP) brute force attacks. As a result, they are bypassing user interaction altogether.
2. All it takes is one infected computer to compromise the entire network.
Once inside a network, more and more attacks are leveraging worm capabilities to propagate automatically. By using exploits or harvesting credentials and hijacking legitimate tools such as PsExec and the Windows Management Instrumentation Command-line (WMIC), attackers can rapidly spread infections from one computer to another, creating an organization-wide event.
3. Companies' built-in system tools are being used against them.
Rather than dropping malicious files onto disk, criminals are abusing legitimate tools like macros, PowerShell scripts, PsExec, and WMIC to execute their attacks. This "living off the land" approach helps attackers hide in plain sight—achieving execution, persistence, and lateral movement using otherwise valid applications. With no malicious file dropped, security that relies on identifying and blocking malicious files—such as anti-virus (AV) and next-generation AV solutions—is useless.
4. It's not just ransomware.
Ransomware has been dominating the malware landscape of late, but banking trojans like Emotet, TrickBot and QakBot have also started taking cues from WannaCry and NotPetya. Their goal isn't to encrypt or destroy files, though. Instead, they are adding worm capabilities to silently steal more credentials and drain more corporate bank accounts. Even other ransomware variants like Cerber and Spora have doubled down in this direction, stealing Bitcoin wallet files, collecting browser history and recording keystrokes in the hopes of further monetizing their attacks.
5. Malware is getting stickier, making cleanup more difficult than ever.
Picking up the pieces after an attack is becoming increasingly complex, time-consuming and expensive. With nearly half of ransomware attacks infecting at least 20 employees in an organization, it can be a massive effort to restore every machine and rid the network of every hidden trace of the malware. Recovery can take weeks or even months, in some cases costing tens of millions of dollars. Some malware (both WannaCry and QakBot, for example) even leaves behind backdoors and scheduled tasks that will run or reinstall themselves, so just when security teams think they've got things back in order, the chaos begins anew.
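The PsExec and WMIC lateral movement described in items 2 and 3, and the scheduled-task persistence in item 5, all leave traces in process-creation and service-install telemetry even when no malicious file is ever scanned. The following Python is an added example, not Barkly's product code: it runs a behaviour-based check over a few constructed Windows event records (the event IDs 4688 and 7045 and the PSEXESVC service name are real Windows conventions; the records themselves are invented).

```python
import re

# Constructed sample events (invented for this example, not real logs); the
# field names loosely follow Windows Security 4688 and System 7045 events.
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS12", "event_id": 4688, "new_process": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic /node:FS02 process call create "cmd.exe /c hostname"'},
    {"host": "WS12", "event_id": 4688, "new_process": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe"},
    {"host": "WS07", "event_id": 4688, "new_process": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

# Remote process creation through WMIC targets another host with /node:.
REMOTE_WMIC = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.IGNORECASE)
# schtasks /create registers a task that re-runs a payload after cleanup.
TASK_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def classify(event):
    """Return a behaviour label for one event, or None if nothing matched."""
    eid = event.get("event_id")
    if eid == 7045:
        # PsExec installs a transient service named PSEXESVC on the target.
        fields = (event.get("service_name", "") + event.get("image_path", "")).lower()
        return "lateral_movement:psexec_service_install" if "psexesvc" in fields else None
    if eid == 4688:
        cmd = event.get("command_line", "")
        if REMOTE_WMIC.search(cmd):
            return "lateral_movement:remote_wmic_process_create"
        if TASK_CREATE.search(cmd):
            return "persistence:scheduled_task_created"
    return None


def find_suspicious(events):
    """Return (host, label) pairs for every event that matched a behaviour."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev["host"], label))
    return findings


if __name__ == "__main__":
    for host, label in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Local, non-remote WMIC queries and ordinary process launches produce no finding, which is what keeps a check like this from drowning administrators in false positives.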
What to do: Prioritize prevention, not just recovery
With so much malicious activity, it's easy to see how some companies might assume attacks are inevitable and choose to focus on preparing for recovery. Having a plan for dealing with successful attacks and breaches is vital, but businesses also need to invest in the far more cost-effective mindset of "prevention first."
Prevention can come in many forms, and unfortunately these changes in attacks are designed to bypass many of them. With click-less attacks on the rise, for example, educating employees about suspicious links and attachments often has no bearing. And when attacks center around the abuse of legitimate system tools, whitelisting falls short as well. Preventative solutions built around file scanning aren't effective against file-less attacks, and because infections are spreading more rapidly and causing more damage than ever, waiting to respond to them until after the fact with Endpoint Detection and Response tools isn't an acceptable solution, either.
Ultimately, effective prevention against this new breed of attacks comes down to implementing strong endpoint security that is innovative enough to thwart them without bogging down administrators with false positives and overly complicated management. The key, then, is tailoring security solutions to identify malicious behaviors and processes—not just static artifacts like files—at the very outset of attempted attacks.
Malware will continue to evolve at an increasingly rapid pace. It's up to all of us to make sure we're adapting our defenses and developing innovative new approaches to stay one step ahead.
Mike Duffy is CEO and co-founder of Barkly, which specializes in endpoint protection.