
Stopping Ransomware and Lateral Movement with Segmentation

Written by Amit Serper

June 16, 2021

Amit recently served as the vice president of research at Guardicore, and is now the director of security research at Akamai.

Revealing Guardicore Reveal

If there’s something that we all learned during the last decade, it’s that ransomware attacks are a thing, and they are here to stay.

While ransomware attacks started as drive-by attacks that did not target a person or an organization specifically, today they have evolved into a lucrative business requiring planning, income management and hands-on hacking knowledge.

How did Ransomware get started?

If we look back to just a few years ago, most ransomware attacks were using malvertising as their initial penetration vector, targeting pretty much anyone who would load these malicious ads, be it ‘Bob from accounting’ in a large corporation or someone’s grandmother trying to read her emails. Ransomware did not really distinguish between who it was targeting; it targeted everyone. If these victims paid, great, and if they didn’t, that was fine too, because there were plenty of other fish in the sea.

However, this all changed in 2012 with Shamoon, a targeted Iranian cyberattack against the Saudi Aramco corporation. Shamoon allowed the attackers to exfiltrate large quantities of information out of Aramco, and once the exfiltration was done, the attackers used Shamoon to overwrite the Master Boot Record on the attacked machines, rendering them useless until they were reinstalled. This caused a substantial amount of downtime for the company.

How did Ransomware evolve?

Fast forward to 2017. WannaCry and NotPetya, two devastating ransomware attacks, wreaked havoc on large corporations and government entities. The unique thing about these attacks, other than showing how fragile the internet is, was that they used 0-day vulnerabilities to move laterally between computers on the network in a virulent way, infecting every machine they encountered and rendering it completely useless. A lot was written about NotPetya and WannaCry, but we know today that the motives behind these attacks were those of a nation-state adversary.

These ransomware techniques then started being used by crimeware groups, which until that point were mostly focused on using malware like Zeus (and all of its variants) to breach people’s bank accounts and siphon money. This was often a long, complicated, and risky operation, especially when it came to actually receiving the money. Until recently, the prevailing belief was that it was easier to target only large corporations and blackmail them into sending large amounts of money in bitcoin, which made ransomware more of a corporate threat that CISOs need to worry about, but not necessarily unsuspecting private citizens.

Now jump to 2020. While the COVID-19 pandemic rages on around the world and most people are forced into working from home, completely changing threat models, risk factors and network architectures on very short notice, the world started seeing ransomware operators change their modus operandi. They were now targeting large companies with a double extortion attack, where the attackers not only breach the organization, encrypt the files and hold them hostage, but also exfiltrate that highly valuable data to themselves first, threatening to make it publicly available if the ransom is not paid.

So how do we combat the ransomware threat?

This new age of ransomware attacks shines a light on a problem whose solution is long overdue: lateral movement.

In order for the attackers to exfiltrate all of that data, they have to know where it is on the network, and in order to know that, they have to map the network and know it just as well as (if not better than) the people who originally built it. This requires the attackers to “move laterally” from one machine or server to another, often using different credentials stolen from various machines across the network.

Many security vendors have tried to solve this problem, and some succeeded more than others. The security market has seen new types of products emerge over the years to prevent this very problem, from DLP solutions to EDRs and EPPs. They have all tried, but with only partial success in solving the problem of lateral movement.

Solving lateral movement is hard – attackers are using the features of a network against itself.

They will use administrator credentials and various legitimate administrative tools (such as Microsoft’s own PsExec or Remote Desktop, or even WMI), moving from machine to machine and executing malicious commands and payloads in order to steal data, later encrypt the network, and start the extortion operation. Many organizations are investing resources in trying to put a band-aid on this problem by heavily monitoring various resources using EDR/EPP products that weren’t meant to be used for that purpose, with only partial success in mitigating or even lowering the risk of a ransomware attack.

Halting lateral movement with segmentation

However, there is a solution and it’s much simpler to implement than you may think – network segmentation. Segmentation is something that’s often forgotten or even ignored altogether since it’s believed to be hard to implement, and requires careful attention to network engineering and asset management. Because of this, network segmentation is often disregarded, which leaves networks “flat,” meaning every endpoint or server can talk to each other without any restriction.

Up until recently, segmenting a network meant putting different assets in different subnets with a firewall in the middle. This didn’t allow any granularity, made managing the network significantly harder, and required administrators to manage complex firewall configurations along with IP address allocations on different subnets. That in turn made designing and scaling the network much harder for the IT staff, while incorrect configurations could lead to either a security risk or a network failure (and in some cases, even both!). This, again, caused IT staff to not put an emphasis on segmentation and to put much more trust in execution prevention products, while leaving the network completely flat and unsegmented.
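To make the difference concrete, here is an added example (not code from the original post, nor from Guardicore or Akamai): a small Python model in which an attacker holding admin credentials on one host can hop to any host the policy lets it reach over the ports used by the admin tools named above (SMB for PsExec, RDP, RPC for WMI). The inventory, role labels and allow-list are constructed assumptions; the point is that a label-based default-deny policy confines the same compromised workstation that a flat network lets roam everywhere.

```python
from collections import deque

# Ports used by the legitimate admin tools the post names:
# SMB (PsExec), RDP (Remote Desktop), RPC endpoint mapper (WMI).
ADMIN_PORTS = {445, 3389, 135}

# Constructed inventory (assumption): hostname -> role label.
ASSETS = {
    "ws-01": "workstation", "ws-02": "workstation", "ws-03": "workstation",
    "jump-01": "admin-jumphost",
    "app-01": "app-server", "app-02": "app-server",
    "db-01": "database",
}

# Label-based allow-list of (source label, destination label, port).
# Anything not listed is denied, which is what makes the network segmented.
SEGMENTED_POLICY = {
    ("admin-jumphost", "workstation", 3389),
    ("admin-jumphost", "app-server", 3389),
    ("admin-jumphost", "database", 3389),
    ("workstation", "app-server", 443),   # users reach the app normally
    ("app-server", "database", 5432),     # the app talks to its database
}

def flat_policy():
    """A 'flat' network: every role may reach every other role on every port."""
    labels = set(ASSETS.values())
    ports = ADMIN_PORTS | {443, 5432}
    return {(s, d, p) for s in labels for d in labels for p in ports}

def allowed(policy, src, dst, port):
    """Is a flow from host src to host dst on this port permitted?"""
    return (ASSETS[src], ASSETS[dst], port) in policy

def lateral_reach(policy, start):
    """Hosts an attacker holding admin credentials on `start` can reach,
    transitively, using only the admin protocols (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for host in ASSETS:
            if host in seen:
                continue
            if any(allowed(policy, cur, host, p) for p in ADMIN_PORTS):
                seen.add(host)
                queue.append(host)
    seen.discard(start)
    return sorted(seen)

if __name__ == "__main__":
    print("flat network, from ws-01:   ", lateral_reach(flat_policy(), "ws-01"))
    print("segmented, from ws-01:      ", lateral_reach(SEGMENTED_POLICY, "ws-01"))
    print("segmented, from jump host:  ", lateral_reach(SEGMENTED_POLICY, "jump-01"))
```

The output shows that the compromised workstation reaches every other host on the flat network but nothing on the segmented one, while the jump host keeps its legitimate RDP access; the same check can be run against a proposed policy before it is deployed.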
