ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Caught in the Act: Targeting Ransomware on the Wire

Caught in the Act:  Targeting Ransomware on the Wire

Clemens Kolbitsch
| Published: 11/20/2017 3:04 PM | Category: Security | Permalink | Email this Post | Comments (0)

Ransomware holds a tight grip on its victims and their most valuable data and is a global epidemic reaching all corners of the world.

The most commonly used infection vectors used by ransomware are email attachments, links in emails, compromised websites and malvertising. The first type, attacks via email attachments, can be intercepted by a security or gateway appliance before a user even receives the lure.

When an attack is using a website that security products have already identified as having been compromised or hosting malicious behavior, it can be blocked by looking at the domain or IP used in the link embedded in the email or the URL visited by a user. In practice, however, simple blacklisting approaches suffer from the relatively short lifespan of these drive-by landing pages.

To cope with this problem of blacklisting short-lived content, security solutions must find the attack “on the wire.” This means that the system either proactively probes for the content of a website or it waits until a real user is tricked into following the link to the exploit site and finds the attack in the live traffic.

A particularly effective way of addressing ransomware is finding suspicious modifications of web page content, such as the use of inline frames with hidden attributes or obfuscated JavaScript. When such an anomaly is found in a page in transit, a security product can block a user from accessing any additional content from that site. This prevents exploit-kit code from reaching and exploiting a user’s browser.

However, not all attacks make use of exploit kits; often, victims are simply tricked into downloading and running the ransomware payload. Thus, security technologies need to intercept these downloads and evaluate whether the file is safe to be opened by a user—typically by running the program inside a sandbox.

As ransomware evolves, it is imperative for enterprises to adopt solutions that intercept ransomware on the wire to protect their users from these emerging and ongoing attacks.

Read Clemens Kolbitsch’s recent Journal article:
Evasive Malware Tricks: How Malware Evades Detection by Sandboxes,” ISACA Journal, volume 6, 2017.


There are no comments yet for this post.