Can't prevent ransomware? Combine "dynamic security defense" with "critical data backup"

2022.09.12
As ransomware attacks intensify, traditional security, backup and disaster recovery mechanisms are already stretched thin by emerging data security threats, and building a new generation of anti-ransomware data protection is urgent. The approach represented by Ruishu's "Dynamic Application Protection System Botgate" combined with its "Data Security Detection and Emergency Response System DDR" uses dynamic security + AI technology together with integrated storage technology to build a solid data security line for users across industries.

Recently, a 0-day vulnerability in a well-known Chinese financial software product appears to have been exploited for large-scale extortion. In a single day, more than 2,000 attacks by the same ransomware were confirmed, and the count was still rising. Affected enterprises were asked to pay 0.2 BTC (about RMB 28,000) to the attackers. Although the ransom is lower than that demanded by "traditional" ransomware, it is enough to disrupt the normal operation of the affected enterprises.

Such a large-scale ransomware attack sent shockwaves through the security industry and drew wide public attention. Since the "WannaCry" incident of 2017, public awareness of ransomware has risen sharply around the world, yet ransomware remains unavoidable and serious incidents continue to occur frequently.

Why is ransomware so hard to defend against? Can a ransomware attack be detected in advance? What should a business do if it suffers one? Starting from these questions, Ruishu Information analyzed the development trends, attack methods and response strategies of ransomware attacks.

Ransomware attacks intensify, showing five new trends

In recent years, ransomware attacks have swept the world; wherever there is Internet access, there is ransomware. With accelerating digitization, ransomware has become a principal threat to network security. Organized attackers no longer aim only at stealing core data: critical information infrastructure in healthcare, government, industrial manufacturing, finance, energy, communications and other sectors has become a new target, and the sphere of influence keeps expanding. At the same time, the intensity, frequency, scale and impact of global cyber offense-and-defense confrontations keep escalating.

After several years of evolution, today's ransomware attack methods are more mature, their targets are clearer, their modes are more varied, the attacks are more concealed and harder to prevent, and the damage grows by the day. As ransomware operations have become professionalized and team-based, five new trends have emerged.

• Trend 1: The supply chain becomes an important entry point for ransomware attacks

A single vulnerability in a widely used component can expose every program downstream in the supply chain, and when a supply chain attack is combined with ransomware, the ransom targets extend from the supplier to its entire customer base.

• Trend 2: Multiple extortion models lead to data leakage risks

Attackers not only encrypt data and extort the victim enterprise, but also steal the data and extort the enterprise a second time, maximizing their gains through double and multiple extortion.

• Trend 3: The new generation of ransomware attacks adopts low-and-slow (highly concealed, highly persistent) attack methods

Attackers encrypt data slowly while exfiltrating it, which makes the attack harder to notice and greatly increases the difficulty of both detecting the threat and recovering the data.

• Trend 4: The combination of ransomware and "mining" Trojans

Attackers deploy both in the course of a single attack. The victim's equipment is not only held to ransom but also used by the attackers for cryptocurrency mining, which raises power consumption, accelerates equipment aging and causes serious economic losses. Attackers also leave backdoors to steal confidential information, directly enabling or covertly fostering other forms of cybercrime.

• Trend 5: Ransomware spreads to web application vulnerabilities

As attack techniques iterate, attackers have begun to shift from system vulnerabilities to hunting application vulnerabilities, building advanced attack tools customized for specific applications; targeted exploitation of application vulnerabilities has become a new ransomware attack method.

The bottleneck of traditional technology highlights the urgent need for new ideas in anti-ransomware

To combat ransomware there are many anti-ransomware protection products and data backup products on the market. Even so, when a new type of ransomware attack appears, they still fail to protect enterprise data. So where do the existing protection technologies fall short?

According to Ruishu Information, the two biggest weaknesses of existing anti-ransomware technologies against new ransomware attacks are application vulnerabilities and response speed. These can be examined from the perspectives of application security and data recovery: the former serves as the means of detecting and responding to application attacks, the latter as the means of backing up data and restoring the business. Neither can remain stuck in traditional technical thinking, or it will be unable to keep up with escalating ransomware attacks.

• Traditional WAF

Application attack protection products represented by the traditional WAF rely on fixed rules and signature libraries. They cannot protect against ransomware that uses automated attack techniques to conceal its malicious characteristics and constantly mutates, let alone against ransomware attacks that exploit 0-day vulnerabilities.

• Traditional disaster recovery system

Traditional backup systems perform full data backups on a regular schedule but cannot reliably tell whether the backup data is healthy, recoverable and complete. Once the original data is infected, the backup data is infected too and becomes unusable. Traditional disaster recovery systems are equally helpless: once the primary system is damaged by an infection, the damage is replicated synchronously to the backup system, and every disaster recovery copy ends up infected. At the same time, new ransomware attacks use a low-and-slow strategy in which the encrypted data spans multiple backup points, so operations staff struggle to identify a point in time from which clean data can be restored, which greatly increases the difficulty of recovery.

If, after a ransomware attack, an enterprise simply restores data from the disaster recovery system without verifying the integrity of the data content, the "dirty data" encrypted by the ransomware will disrupt normal system operation, cause secondary damage and further harm the company's reputation. In addition, traditional backup systems take a long time to restore data and cannot guarantee business continuity.

Backup of critical data is the 'last line of defense' against ransomware

When existing protection methods are not effective enough, are enterprises simply at the mercy of ransomware attackers?

In fact, anti-ransomware protection has to be considered from every angle: a data backup and disaster recovery plan; regular vulnerability inspection and timely security patching; regular rotation of login passwords; reducing Internet exposure; strengthening intrusion prevention and management at the network perimeter; and raising security awareness. All of these are necessary measures for a company facing the threat of ransomware.

An important difference between ransomware and other malware and attacks is that once ransomware strikes, data and systems are usually very hard to unlock. Therefore, beyond ransomware prevention and attack detection, anti-ransomware depends even more on emergency efficiency, and highly secure, high-quality data recovery has become the most critical last line of defense.

From a technical point of view, adopting innovative application security protection technology together with data backup technology gives enterprises a stronger anti-ransomware data defense line. At present, the combination of Ruishu's "Dynamic Application Protection System Botgate" and "Data Security Detection and Emergency Response System DDR" is a representative example of such innovative anti-ransomware technology.

(1) Botgate, a dynamic application protection system

Ruishu Botgate is widely known in the industry as a flagship new-generation WAF product. With "dynamic protection + AI" technology at its core, it uses dynamic encapsulation, dynamic verification, dynamic obfuscation, dynamic tokens and other innovative techniques to provide all-round active protection on the server side. While efficiently identifying known and unknown attacks, it also compensates for the inability of traditional WAFs and antivirus software to recognize unknown malware characteristics.

Because Ruishu Botgate does not rely on fixed rules and signatures, but on its "dynamic protection + AI" technology, it can identify 0-day attacks before the vulnerability is disclosed and intercept unknown 0-days in advance, effectively defending against ransomware attacks that exploit 0-day vulnerabilities. Against the webshell tooling that follows a 0-day outbreak, Ruishu Botgate can also block webshell access through its dynamic technology; however the webshell is upgraded, it is blocked, preventing attackers from implanting ransomware code through the webshell.

(2) Data security detection and emergency response system DDR

Once an enterprise application or system has been breached by ransomware, the key to anti-ransomware is quickly restoring the enterprise's core data and keeping the business running. The Ruishu DDR system is positioned as the enterprise's core data backup and rapid recovery of that backup data, the "last line of defense" against data extortion.

The new security situation calls for a data security foundation that preserves data in its original format. As a new-generation data security foundation, the Ruishu DDR system achieves the three goals of anti-ransomware data protection: health check-up, ransomware monitoring and rapid recovery.

• Goal 1: Health check-up, data risk management in advance

Inventorying data assets and uncovering hidden system risks is the first step in data security. Based on its "deep file content detection" technology, Ruishu DDR can efficiently identify the data types in the enterprise's core backup data and generate reports on data integrity, sensitive data distribution and permission audits, giving full visibility into the management and control status of core backup data assets. In addition, vulnerability detection and configuration verification mechanisms check for hidden system risks and protect the security of backup data assets.

• Goal 2: Ransomware monitoring, intelligent threat perception during the event

Based on its "offline intelligent in-depth detection engine", the Ruishu DDR system performs security detection on files damaged during an attack, identifies files encrypted by ransomware, finds clean and usable data, and helps the enterprise quickly restore its IT systems.

A traditional backup system does not check the quality of the backup data, so the backups may contain a large number of files damaged by ransomware, and the restored system still cannot be used normally. Ruishu DDR finds damaged or abnormal files and data during the backup process, identifies the files infected by ransomware and the time of infection, and helps security managers quickly remove the ransomware and harden the system.

This capability comes from Ruishu Information's file and database change tracking technology. By comparing changes in file name, file type, file size, file information entropy, file similarity and other indicators, it identifies files suspected of having been encrypted by ransomware. Security detection using information entropy + AI is Ruishu Information's distinctive technique, and the detection accuracy can reach 98% or more.

• Goal 3: Quick recovery, rapid response and restoration after the event

With a traditional backup system, merging the data takes time, the backup format must be converted back into the production data format, and data must be moved and copied before it can be restored, so restoration often takes days or even weeks. With the intelligent fast-recovery engine built by Ruishu, the Ruishu DDR system can automatically generate clean disk images that can be mounted directly, regardless of the volume of data, achieving minute-level data recovery and minimizing business interruption.

In addition, Ruishu DDR can also evaluate the damage caused by the attack, such as: Which data was attacked? How is the affected data distributed? Which users are affected? When did it happen? How much damage and impact was caused? Which version is the latest clean backup? This makes it possible to quickly restore damaged data with an up-to-date clean backup and automatically remove the ransomware note files generated by the ransomware.

With traditional data recovery solutions, once the production data is encrypted, the backup data is likely to be encrypted as well. The main advantages of Ruishu DDR are prevention of batch data damage, safe isolation of backup data, recovery in minutes, low interference with the production environment, and automatable, orchestrable operations, which together break through the bottleneck traditional disaster recovery systems hit when facing ransomware. Once infected, Ruishu DDR immediately analyzes the incremental backup data, finds the encrypted data, and restores the unencrypted data to the system. The data at risk of loss is limited to the current day's increment, and the encrypted portion has little impact on the enterprise's business continuity.
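The indicator comparison described under Goal 2 (file name, size, information entropy and similarity between successive backup versions) and the Goal 3 workflow of locating the encrypted data and picking a clean version to restore can be made concrete with a small snapshot-comparison script. The following is an added example written for this article; it is not Ruishu's DDR code, the thresholds are assumptions, and the four nightly backups are constructed sample data in which a "low and slow" attacker encrypts one file per night.

```python
import math
import random
from collections import Counter

# Thresholds are assumptions for this example, not values from the article.
ENTROPY_HIGH = 7.0      # bits per byte; encrypted or compressed data sits near 8.0
ENTROPY_JUMP = 1.0      # minimum rise between two snapshots to count as a jump
SIMILARITY_FLOOR = 0.5  # byte-histogram cosine similarity below this = unrelated content
SIZE_CHANGE = 0.25      # relative size change worth reporting as an indicator


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte stream in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def histogram_similarity(a: bytes, b: bytes) -> float:
    """Cosine similarity of two byte-frequency histograms: 1.0 for identical
    distributions, near 0 when one side is plaintext and the other ciphertext."""
    ha, hb = Counter(a), Counter(b)
    dot = sum(v * hb.get(k, 0) for k, v in ha.items())
    norm = math.sqrt(sum(v * v for v in ha.values())) * math.sqrt(sum(v * v for v in hb.values()))
    return dot / norm if norm else 0.0


def resolve(path, snapshot):
    """Locate a baseline file in a later snapshot, tolerating an appended extension
    ('ledger.csv' -> 'ledger.csv.locked'). Returns (actual name, content) or None."""
    if path in snapshot:
        return path, snapshot[path]
    for name, data in snapshot.items():
        if name.startswith(path + "."):
            return name, data
    return None


def compare(before, after):
    """Score one file's change between consecutive snapshots with the indicators the
    article lists: name, size, entropy, similarity. Returns (suspicious, reasons)."""
    (name_b, data_b), (name_a, data_a) = before, after
    reasons = []
    e_b, e_a = shannon_entropy(data_b), shannon_entropy(data_a)
    if e_a >= ENTROPY_HIGH and e_a - e_b >= ENTROPY_JUMP:
        reasons.append("entropy_jump")
    if histogram_similarity(data_b, data_a) < SIMILARITY_FLOOR:
        reasons.append("content_unrelated")
    if name_a != name_b:
        reasons.append("extension_appended")
    if data_b and abs(len(data_a) - len(data_b)) / len(data_b) > SIZE_CHANGE:
        reasons.append("size_change")
    # High entropy alone would also flag a legitimate .zip or .jpg, so require the
    # entropy jump to be corroborated by at least one other indicator.
    return ("entropy_jump" in reasons and len(reasons) >= 2), reasons


def scan(snapshots):
    """Walk snapshots oldest-first. For each baseline file report the first snapshot
    in which it looks encrypted and the last snapshot it can still be restored from."""
    report = {}
    for path in snapshots[0]:
        first_bad = None
        for i in range(1, len(snapshots)):
            prev, cur = resolve(path, snapshots[i - 1]), resolve(path, snapshots[i])
            if prev is None or cur is None:
                continue  # deleted files are a separate question and are not scored here
            if compare(prev, cur)[0]:
                first_bad = i
                break
        last_clean = len(snapshots) - 1 if first_bad is None else first_bad - 1
        report[path] = {"first_suspicious": first_bad, "last_clean": last_clean}
    return report


def latest_fully_clean_snapshot(report):
    """Newest snapshot in which no baseline file had yet been encrypted."""
    return min(v["last_clean"] for v in report.values())


# ---- constructed sample: four nightly backups, one file encrypted per night ----
_rng = random.Random(20220912)


def _text(line, repeats):
    return (line + "\n").encode() * repeats


def _ciphertext(n):
    """Stand-in for ransomware output: uniformly random bytes (entropy about 7.9 bits/byte)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


REPORT = _text("Q3 regional revenue report, figures in thousand RMB, draft", 40)
LEDGER = _text("2022-09-01,INV-1001,supplier-a,12500.00,paid", 40)
README = _text("Keep this directory under change control.", 20)
REPORT_V2 = REPORT + b"Appendix: regional totals\n"   # legitimate edit on night 1
LEDGER_ENC = _ciphertext(len(LEDGER))                 # ledger encrypted on night 2
REPORT_ENC = _ciphertext(len(REPORT_V2))              # report encrypted on night 3
SNAPSHOTS = [
    {"report.docx": REPORT, "ledger.csv": LEDGER, "readme.txt": README},
    {"report.docx": REPORT_V2, "ledger.csv": LEDGER, "readme.txt": README},
    {"report.docx": REPORT_V2, "ledger.csv.locked": LEDGER_ENC, "readme.txt": README},
    {"report.docx": REPORT_ENC, "ledger.csv.locked": LEDGER_ENC, "readme.txt": README},
]
```

Running `scan(SNAPSHOTS)` reports the ledger as first suspicious in snapshot 2 and the report in snapshot 3, while readme.txt is never flagged. The per-file `last_clean` values (1, 2 and 3 respectively) differ from the newest snapshot that is clean as a whole (1), which is exactly why a slow encryption spanning several backup points makes "the last good backup" ambiguous: restoring the whole system from one point discards a day of legitimate edits to the report, whereas restoring each file from its own last clean version keeps them. The two-indicator rule in `compare` is there because entropy alone cannot distinguish ransomware output from a newly added archive or image.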
