How to prevent ransomware attacks with a zero-trust security model

Photo by Michael Geiger on Unsplash

Before jumping directly into this topic let’s discuss a little bit about ‘what are ransomware attacks and how they work?’.

Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses for businesses and governmental organizations.

In most cases, ransomware doesn’t harm the device it infects. Its main goal is to encrypt files on it and get money for their decryption, not to actually harm the device or data. Even the type of ransomware that locks the screen leaves the underlying system unharmed. But of course, there still are a lot of exceptions.

Different Types of Ransomware

CryptoLocker

CryptoLocker botnet is one of the oldest forms of cyber attacks which has been around for the past two decades. The CryptoLocker ransomware came into existence in 2013 when hackers used the original CryptoLocker botnet approach in ransomware.

CryptoLocker is the most destructive form of ransomware since it uses strong encryption algorithms. It is often impossible to decrypt (restore) the Crypto ransomware-infected computer and files without paying the ransom.

WannaCry

WannaCry is the most widely known ransomware variant across the globe. The WannaCry has infected nearly 125,000 organizations in over 150 countries. Some of the alternative names given to the WannaCry ransomware are WCry or WanaCrypt0r.

Bad Rabbit

Bad Rabbit is another strain of ransomware which has infected organizations across Russia and Eastern Europe. It usually spreads through a fake Adobe Flash update on compromised websites.

Cerber

Cerber is another ransomware variant which targets cloud-based Office 365 users. Millions of Office 365 users have fallen prey to an elaborate phishing campaign carried out by the Cerber ransomware.

Crysis

Crysis is a special type of ransomware which encrypts files on fixed drives, removable drives, and network drives. It spreads through malicious email attachments with double-file extension. It uses strong encryption algorithms making it difficult to decrypt within a fair amount of time.

CryptoWall

CryptoWall is an advanced form of CryptoLocker ransomware. It came into existence since early 2014 after the downfall of the original CryptoLocker variant. Today, there are multiple variants of CryptoWall in existence. It includes CryptoDefense, CryptoBit, CryptoWall 2.0, and CryptoWall 3.0.

GoldenEye

GoldenEye is similar to the infamous Petya ransomware. It spreads through a massive social engineering campaign that targets human resources departments. When a user downloads a GoldenEye-infected file, it silently launches a macro which encrypts files on the victim’s computer.

Jigsaw

Jigsaw is one of the most destructive types of ransomware which encrypts and progressively deletes the encrypted files until a ransom is paid. It starts deleting the files one after the other on an hourly basis until the 72-hour mark- when all the remaining files are deleted.

Locky

Locky is another ransomware variant which is designed to lock the victim’s computer and prevent them from using it until a ransom is paid. It usually spread through seemingly benign email message disguised as an invoice.

When a user opens the email attachment, the invoice gets deleted automatically, and the victim is directed to enable macros to read the document. When the victim enables macros, Locky begins encrypting multiple file types using AES encryption.

What is Zero-trust security model

Zero trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. Traditional IT network security is based on the castle-and-moat concept.

Zero trust is based on four principles:

  • Least privilege access with all entities (users, devices, and workloads) being authenticated before granting access and continually re-authenticated and re-authorized based on context
  • Micro segmentation at the application level without network segmentation
  • Applications and network remain invisible to the open internet
  • The internet becomes the new transport network via encrypted microtunnels

Designing for zero trust requires security and IT teams to focus on business concepts: What are we trying to protect? From whom? Recognize that a zero trust architecture underpins the entire security solution; technologies and processes are layered on top of the strategy, not the other way around.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
0xhavoc

0xhavoc

Cybersecurity Researcher | Penetration Tester