Like the Pandemic’s Asymptomatic, Dormant Ransomware Poses Security Challenges

Over the past year, the global pandemic has taught the cybersecurity industry a lot about the spread of infection: how to control it, how to mitigate against it, and (sometimes) how to detect it. But more often than not, in both humans and cybersecurity, detection only happens because of indicators.

What remains a mystery, and consequently a great challenge for medical professionals and cybersecurity teams alike, is how to detect infection among asymptomatic humans and devices. Let's imagine that through some backdoor, or even through a phishing attack, ransomware gains access to a network. What's widely believed about ransomware is that once a device is infected, its files are locked up, encrypted until the ransom is paid. So how does ransomware go undetected for months or even years before being activated? Defenders have to start thinking of some ransomware the way doctors think of the asymptomatic.

The Unknowing Victim

Arguably, it’s the asymptomatic that have caused the greatest pain points when it comes to containing the spread of the virus. People feel fine, thus they go about their days taking fewer precautions. Unbeknownst to them and their unsuspecting victims, the asymptomatic are actually spreading the virus. Sure, if they were tested, they’d have confirmation of their status, but why would someone with no symptoms be tested in the first place? The same is true with corporate supply chains. Like unsuspecting patients, they have no symptoms at all. This puts every one of their business connections at risk of infection.

Security teams need to recognize that many ransomware victims are asymptomatic. At Prevailion, we routinely detect active corporate compromises by ransomware that have remained in stealth mode for weeks or months.


Multiple types of ransomware remain active in this healthcare organization, but have yet to launch an encryption attack. (Source: APEX)

Because most people assume that encryption follows immediately after a ransomware infection, they don't suspect that they've been exposed to a ransomware attack. They have been hit, but by ransomware that has not yet encrypted anything. That is why dormant ransomware on a network poses major security challenges.

Lying in Wait

Just as a person can contract COVID but display no symptoms, the reality is that encryption doesn't always follow an attack, for a variety of reasons. For instance, ransomware often serves as a dual-purpose weapon, such as backdooring networks or harvesting information. Attackers also commonly wait to deploy the encryption stage of the attack until they have been able to spread the infection as far as possible across the network. Certain types of ransomware, like Locker, are deliberately stealthy. And in some cases, like UNC1878, the hackers simply compromise more targets than they can handle, and as a result the ransomware remains in place but in a dormant state, waiting to be activated at some future date. Regardless of the reason, when there is no sign of an incident, there is no response, no quarantining of infected devices, no forensics, no discovery.

That's logical, but dangerous. Imagine the already overwhelmed security team drowning in noise, simply trying to winnow out the true positives in a sea of false alerts. Yet with some ransomware, there may not be much indication of an attack at all. Why would an unknowing victim take precautions to stop the spread?

Stopping the virus in its tracks, though, is the only way to prevent the ransomware from reaching as many machines as it can. That can't be done on a whim. Detecting asymptomatic attacks requires the real-time visibility delivered on our platform, so that organizations can detect even the most deliberately stealthy ransomware that lies in wait until it has access to as many machines as it can.


Copyright 2021 Prevailion, Inc. All rights reserved.
