The Last Key on The Ring - Server Solutions to Ransomware

This entry is the last part of a four-part blog series discussing the different techniques ransomware uses to affect users and organizations. These techniques show that the best way to mitigate the risks brought about by this threat is to implement multiple layers of protection in different aspects of an enterprise network: from the gateway, to endpoints, to networks, and servers.

Our midyear security roundup noted how more than half of the files types encrypted by ransomware were directly related to enterprises – database files, SQL files, and web pages on servers were some of the file types that were most commonly targeted.

These all reside on servers; for enterprises, ransomware on servers is a potent threat that needs to be dealt with. We will take a look at how ransomware has evolved to affect servers and what solutions currently exist to tackle this particular problem.

Affected via endpoints

In addition to being targeted directly, servers are frequently affected via ransomware indirectly as well, via the actions of ransomware on endpoints within the same network. File shares are a common way that this can happen; it is now commonplace for ransomware families to explicitly search for available network shares. Depending on the behavior of the ransomware, this may end up affecting the server more directly in the end.

Targeted by exploits

Beyond file shares, however, servers are at risk of being attacked directly. The usual attack vectors used by ransomware (such as phishing campaigns and malvertising) are not applicable. Instead, servers are subject to direct attacks via vulnerabilities.

Recent SAMSAM ransomware attacks that hit hospitals serve as a good example of how servers can become ransomware targets. In these incidents, vulnerabilities in JBoss (a Java-based web application server) were used to gain access to the servers within an organization. Webshells were added to these servers, allowing attackers to take control of these systems remotely.

From then on, files on the server itself would be targeted for encryption; alternately an attacker could try to laterally move within the affected network to try and seek other lucrative ransomware targets. The result is the same: files are encrypted and held for ransom by the attacker.

Attacking servers requires more time and effort than the more commonplace ransomware threats that hit individual systems, but the payoff is generally higher. For example, when the Hollywood Presbyterian Medical Center (located in Los Angeles, California) was hit by ransomware in February 2016, the hospital ended up paying 40 BTC in ransom. This was approximately US$ 17,000 at the time.

Brute-force attacks

Vulnerable applications aren't the only threat to organizations and their servers. Recently, it was reported that the FAIRWARE malware family gained access to servers via brute-force attacks. This attack primarily targeted web servers, and asked for 2 BTC in ransom.

FAIRWARE isn't alone in carrying out brute force attacks. The Crysis ransomware family attempted to brute-force systems that had their Remote Desktop Protocol (RDP) ports open to the Internet. This could include both ordinary desktops and servers. An attacker would be able to gain access to the network via this brute-forced machine, opening the door to further attacks.

These attacks can be mitigated by security solutions detecting suspicious activity on the network (a feature that is part of Deep Security, as we will discuss later), as well as proper application of best practices. The use of non-default passwords and disallowing logins from remote networks can also help mitigate this threat.

Similarities to targeted attacks

The similarities of a sophisticated ransomware attack targeting servers should be apparent: access is gained to the organization via some means, then this access is used to gain further information about the target. Once a suitable target is chosen, the appropriate action is taken: for targeted attacks, this is theft; for ransomware, encryption.

This suggests that some of the solutions aimed at targeted attacks may be effective for dealing with ransomware as well. One solution that may be particularly effective is a proper patch management strategy.

Lagging Behind in the Patching Game

Any business knows it's a tricky balance act between protecting the enterprise environment while maintaining business operations. IT administrators face the seemingly impossible task of supporting daily operations and creating uptime of critical services, while securing the network perimeter. When a new patch has been released by security vendors, they will first need to test it before deploying it in the actual systems. Therefore, very often patching lands on the backburner - it requires restarting mission-critical systems and servers, which can put a burden on overall productivity and cause business interruptions. Of course, reluctance in quick patching, creates a critical window of exposure to enterprises.

To address these challenges, virtual patching has become available. Even if enterprises don’t immediately apply the related patches, their vulnerable servers are protected against crypto-ransomware. This solution technology permits IT administrators to protect vulnerable servers and endpoints without downtime and additional operational costs.

Server Solutions

There is of course no silver bullet when it comes to ransomware. A multi-tier defense architecture is the most fool-proof way to tackle the ransomware threat and provide adequate risk mitigation. These steps include email and web protection, endpoint protection, a network solution and protection for your servers.

Trend Micro™ Deep Security™ is the prime solution to handle the risks for servers created by ransomware, whether physical, virtual or in the cloud. It performs this protection with 3 specific functions:

– Suspicious Activity Detection and Prevention: If ransomware attempts to gain a foothold in a data centre (e.g. via compromised user account credentials connecting to a file or web server), Deep Security can detect suspicious network activity and prevent it from continuing, while also alerting that there is an issue.

– Vulnerability Shielding: This protects servers and applications from ransomware attacks by shielding them from exploits of known software vulnerabilities, 'virtually patching' them until a patch or fix can be applied.

– Lateral Movement Detection: If ransomware should get into the data centre, Deep Security can also help to minimize the impact by detecting and blocking it from spreading to more servers.

As pointed out before, patch management is a crucial measure when faced with malware that exploits vulnerabilities. Trend Micro Deep Security has a virtual patching feature with intrusion detection and prevention technologies. This comprehensive solution can protect organizations and enterprises from exploits and other related malware payload. Since threats and attacks using vulnerabilities are prevalent in today's computing landscape, virtual patching is becoming an absolute baseline necessity - similar to what anti-virus and firewalls used to be.