
Stopping Ransomware and Lateral-Movement thanks to Segmentation

If we have learned anything in recent years, it is that ransomware attacks are and will continue to be a threat. Ransomware attacks started as ‘drive-by’ operations that didn't specifically target an individual or a company, but nowadays they have evolved into a lucrative, professional business. In this article, we show you how to protect yourself effectively against them.


How did Ransomware come about?

Looking back to a few years ago, most ransomware attacks used malvertising as an initial vector, targeting pretty much anyone who would download these malicious ads. If the victims paid up, great! If not, it was also fine because there were always plenty of other fish in the sea. But this all changed in 2012 with Shamoon, a targeted Iranian cyber-attack on the Saudi company Aramco. Shamoon enabled the attackers to exfiltrate large amounts of information from Aramco. Once the exfiltration was done, the attackers used Shamoon to overwrite the master boot record on the compromised computers, rendering them unusable until they could be reinstalled. This caused significant downtime for the company and marked the real birth of ransomware.

How did Ransomware develop?

Of course, ransomware has evolved since then. Jumping forward to 2017, WannaCry and NotPetya were two devastating ransomware attacks that wreaked havoc on large corporations and government institutions, for example the shipping group MAERSK. What was particular about these attacks was not just that they mercilessly exposed how vulnerable the internet is, but also that they used zero-day vulnerabilities to move laterally between computers on the network, infecting every computer they encountered and rendering it completely unusable. These ransomware techniques were then adopted by crimeware groups, which up until then had mainly focused on using malware such as Zeus (and all its variants) to break into bank accounts and steal money.

In 2020, the COVID-19 pandemic was raging around the world and many people were forced to work from home, so ransomware attackers changed their modus operandi. They now targeted large companies by carrying out double extortion attacks. Not only did they break into the company, encrypt the files and hold them hostage, they also exfiltrated the data in advance and threatened to make the confidential data accessible to the public if the ransom was not paid.

So how can the ransomware threat be tackled?

This new era of ransomware attacks sheds light on a problem whose solution is long overdue: lateral movement. For attackers to exfiltrate all this data, they need to know where it is located on the network. To do this, they need to map the network and know it just as well as (if not better than) the people who originally built it. This requires attackers to move laterally from one computer or server to another, often using different login details, which they have in turn stolen from various computers in the network.

Many security solution providers have tried to resolve this problem, for instance with DLP solutions, EDRs and EPPs. However, lateral movement is extremely difficult to stop, because attackers use the properties of a network against itself. They inventively use administrator credentials and legitimate management tools such as Microsoft's own PsExec, Remote Desktop or even WMI, moving from computer to computer in order to steal data and later encrypt the network and start the blackmail operation. Preventing lateral movement by monitoring with EDR/EPP solutions only works to a limited extent.

Stopping lateral movement by segmentation

However, there is one solution that is much easier to implement than you might imagine, namely network segmentation. Segmentation is often forgotten about, even ignored altogether because many people think that it is (too) complex to implement it. This leads to networks being “flat”, which means that all endpoints or servers can communicate with each other with no restrictions at all. But please don't misunderstand – network segmentation is no alternative to virus protection or an EDR platform, it is an extra way of reducing – if not completely eliminating – the risk of large-scale attacks based on lateral movement within companies.

Until recently, segmenting a network meant placing different resources on different subnets, with a firewall in the middle. This made granularity impossible, managing the network was made much more difficult and it required administrators to manage the complex firewall configurations along with the administration of IP address assignments in different subnets. In turn, this made it much more difficult for IT staff to design and scale up the network. At the same time, incorrect configurations were liable to lead to either a security risk or network failure (and in some cases, both!). All this meant that many networks remained completely flat and unsegmented.

Segmentation to slow down ransomware

In a recently published White House memo discussing the rise of ransomware attacks, the frequently overlooked importance of network segmentation was emphasised alongside traditional precautions and recommendations like patching, two-factor authentication and updated security products.

However, network segmentation does not just help reduce risk in some cases, it also significantly lessens the risk of a double blackmail attack if it is implemented properly, because a ransomware attack's “explosion radius” is contained and kept to a minimum. Even if the antivirus programmes and EDRs could not prevent ransomware from being executed, correct segmentation keeps the damage within bounds. It also prevents attackers from moving laterally through the network, stealing even more data and encrypting even more computers.
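To make the "explosion radius" argument concrete, here is an added illustration that is not from the article or from Guardicore: a small reachability model of a constructed estate (hostnames, roles and the allow-list are assumptions) in which an attacker holding admin credentials hops between hosts over the management ports the article names (SMB/PsExec 445, RDP 3389, WMI 135). The same breadth-first search is run once under a flat "allow everything" policy and once under a segmented allow-list, and the size of the reachable set is the blast radius.

```python
from collections import deque

# Constructed example estate: hostnames and roles are made up for illustration.
HOSTS = {
    "ws-01": "workstation", "ws-02": "workstation", "ws-03": "workstation",
    "jump-01": "jumphost", "fs-01": "fileserver", "dc-01": "domaincontroller",
}
# Ports used as lateral-movement vehicles in this model (assumed mapping):
# SMB/PsExec 445, RDP 3389, WMI/DCOM 135.
LATERAL_PORTS = {445, 3389, 135}

def flat_policy(src_role, dst_role, port):
    """Flat network: every endpoint can reach every other on every port."""
    return True

def segmented_policy(src_role, dst_role, port):
    """Assumed allow-list: lateral-movement ports are denied except for the
    named business flows; everything else is left open in this model."""
    if port not in LATERAL_PORTS:
        return True
    allowed = {
        ("workstation", "fileserver", 445),        # users map file shares
        ("workstation", "domaincontroller", 445),  # group policy / SYSVOL
        ("jumphost", "fileserver", 3389),          # admin RDP via jump host only
        ("jumphost", "domaincontroller", 3389),
    }
    return (src_role, dst_role, port) in allowed

def blast_radius(start, policy):
    """Hosts an attacker with valid admin credentials could reach from `start`
    by repeatedly hopping over any permitted lateral-movement port."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst in HOSTS:
            if dst in seen:
                continue
            if any(policy(HOSTS[cur], HOSTS[dst], p) for p in LATERAL_PORTS):
                seen.add(dst)
                queue.append(dst)
    return seen

if __name__ == "__main__":
    for name, pol in (("flat", flat_policy), ("segmented", segmented_policy)):
        reach = blast_radius("ws-01", pol)
        print(f"{name:9s} from ws-01: {len(reach)}/{len(HOSTS)} hosts -> {sorted(reach)}")
```

Note that the segmented run still reaches the file server and domain controller, because those flows are business-necessary; segmentation shrinks the radius (no workstation-to-workstation or workstation-to-RDP hops) rather than eliminating it, which is exactly why it complements rather than replaces endpoint protection.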

Guardicore slows down lateral movement and stops ransomware attacks

In hybrid IT environments, preventing ransomware attacks and lateral movement is a real challenge. Our recommendation is Guardicore Centra. Guardicore's solution enables you to achieve the segmentation and visibility you need across your infrastructure and to protect systems through real-time detection of security breaches. Guardicore provides you with a cost-effective way of achieving permanent, consistent security based on software-based segmentation, whatever the application or the IT environment. The strength of reducing ransomware risk by using an appropriate segmentation policy lies in its simplicity.

We would be pleased to show you Guardicore's capabilities in detail and provide you with assistance with all your cyber security needs. Do you have any questions?
Contact us!


About the author: Reinhold Zurfluh, Head of Marketing and member of the management team, InfoGuard AG

