Cisco Umbrella, combined with Cisco AMP for Endpoints, can help organizations prevent and contain ransomware attacks.

Ransomware attacks have reached epidemic proportions, and more evasive and destructive threats are on the horizon. In their 2016 Midyear Cybersecurity Report, Cisco’s Talos researchers predict that new modular strains of ransomware will be able to self-replicate, spread faster and quickly switch tactics to maximize efficiency. Because traditional security tools are helpless against ransomware, organizations need a new set of weapons to wage war against these attacks.

Most IT professionals understand the basics of a ransomware attack. By clicking on a malicious link, ad or attachment, or by inserting an infected thumb drive, a user launches a malware infection that uses strong encryption to “lock” all the files it can access. Unless detected and stopped, a ransomware attack can spread quickly throughout an organization, encrypting the files on the victim’s device and any network- or cloud-connected file shares.

In actuality, ransomware attacks occur in phases. The initial payload of the attack is not the ransomware itself but an exploit kit such as “Angler” or “Zeus.” The exploit kit analyzes the environment to determine which ransomware variant will be most effective, then initiates a callback to its command-and-control host to receive the private keys needed to encrypt the data.

“Antivirus software, intrusion prevention systems and other tools that rely upon known attack signatures cannot detect these exploits. In fact, the rise of ransomware is driving a shift away from signature-based solutions,” said Michael Hritz, Vendor Alliance Manager, ProSys.

“But by understanding the phases of a ransomware attack, it’s possible to greatly reduce the odds that the attack will be successful. The Cisco Umbrella cloud security platform is capable of recognizing malicious domains and blocking those connections. If the exploit does reach the device, Cisco AMP for Endpoints employs continuous analysis, sandboxing and other advanced capabilities to help identify and stop the threat.”

Blocking Connections

Cisco Umbrella uses the foundation of the Internet – the domain name system (DNS) – to protect against malware, botnets and phishing campaigns regardless of location or device. After all, hackers generally must rely upon the DNS to execute their attacks. When a user clicks on a malicious link in a phishing email, for example, the browser sends a DNS request to the website hosting the malware. In addition, the exploit kits used in ransomware attacks typically make DNS requests to their command-and-control systems.

Leveraging technology Cisco acquired through its purchase of OpenDNS in 2015, Umbrella uses big data analytics and statistical models to examine more than 80 billion DNS requests each day. Umbrella “learns” to identify Internet activities that point to cyberattacks, making it possible to discover and even predict the domains and IP addresses used by exploit kits and many ransomware variants.

“Umbrella is capable of blocking malicious traffic that travels over any port, protocol or application, including direct-to-IP connections,” Hritz said. “If a user clicks on a malicious link or is redirected from a compromised site, Umbrella prevents the browser from connecting to the malicious host and downloading the malware. And infected devices are prevented from phoning home to their command-and-control systems, so exploit kits are unable to launch their malicious tasks.

“Unlike HTTP proxies, which intercept all DNS requests, Umbrella selectively reroutes suspicious domains for further inspection to provide effective protection without impacting performance. And because it is highly effective at stopping command-and-control callbacks, it can stop the execution of a ransomware attack even if devices become infected.”

Umbrella Investigate enables security researchers to query Umbrella’s indexed and cross-referenced data using sophisticated analytics, real-time cyber intelligence scoring and threat classification. The data can also be integrated with SIEM and threat intelligence tools through a RESTful API.

Preventing Infections

Cisco AMP for Endpoints works in concert with Umbrella to protect against ransomware attacks at the device level. If a user downloads a malicious email attachment or inserts an infected thumb drive, AMP for Endpoints uses reputational and behavioral indicators as well as signatures to detect the exploit kit and prevent it from executing. It can also detect and block many ransomware variants.

“Because traditional signature-based solutions do not provide an effective defense against modern malware, organizations have begun layering additional products onto the endpoint to identify and respond to threats. However, this adds operational complexity,” said Hritz. “Cisco AMP for Endpoints is an end-to-end solution that provides simpler, more effective endpoint security. It is capable of blocking known and emerging threats in real time through a combination of traditional antivirus scanning, big data analytics, machine learning and other advanced techniques.”

Through continuous monitoring, AMP for Endpoints can also detect and rapidly respond to threats that are successful in evading its front-line defenses. It records all file activity to detect malicious behavior, and shares and correlates threat information in real time. Deep visibility and a detailed recorded history of malware behavior reduce detection times to minutes. Built-in sandboxing technology allows organizations to quarantine and analyze unknown files.

AMP for Endpoints also accelerates investigations through a simple cloud-based user interface that enables IT teams to search across all enterprise endpoints for indicators of compromise. Users can systemically respond to attacks across PCs, Macs, Linux and mobile devices, removing malware with just a few clicks.

Ransomware may be the biggest threat organizations face, but new tools are available to help organizations defend their systems. With the ability to disarm an attack at every phase, Cisco Umbrella and AMP for Endpoints are proving effective weapons in the war against ransomware.