How to Counter Threat From Latest Ransomware ‘Bart’

Bart varies from its predecessors since it doesn’t require connection to a command-and-control server to encrypt files.

By Sanjai Gangadharan

India is already ranked among the top five countries in the world most vulnerable to ransomware attacks, according to a report by Kaspersky earlier this year. Ransomware, in simple terms, means forcing a victim to pay a ransom in order to regain access to their system. In 2016, ransomware is expected to become deadlier and more focused in its targeting. Of late, you may have heard of the emergence of gaming ransomware and of ransomware affecting mobile phones and even smart TVs. To add to this growing list, another new threat has arisen, nicknamed ‘Bart’.

This new ransomware strain showcases the adaptability of threat actors. Bart’s advanced attack downloads malware to end-user machines over HTTPS, but varies from its predecessors since it doesn’t require a connection to a command-and-control server to encrypt files. Instead, it uses an intermediary loader to download both the ransomware and a ransom note directly to the endpoint. Thankfully, through proper SSL decryption and inspection, this malware can be defeated and businesses can be secured via two methods.

Mitigation 1: Decrypting Email

The Bart payload is delivered over HTTPS when a target clicks on a malicious attachment in an email. Threat actors are able to evade detection by perimeter security controls by encrypting the email and its accompanying attachments. For public email services (e.g., Gmail, Yahoo, etc.), this is achieved through SSL-based encryption. For enterprise-grade email clients (e.g., Microsoft Outlook), the attachments are often encrypted with the S/MIME standard. Proper SSL decryption and inspection can help monitor these specific attack vectors and allow perimeter security tools to take the necessary actions.

  • Public Email
If the phishing attempt is sent to a public email domain, the malicious attachment will likely evade detection by hiding behind SSL encryption. With a proper SSL decryption solution in place — coupled with integrated third-party security controls — organizations are able to quickly decrypt, inspect and block malicious traffic. The remaining “good” traffic is then re-encrypted and sent on its way without hindering performance. This helps organizations protect valuable data and assets even when employees are accessing encrypted personal cloud-based email, with the increased exposure to phishing attempts that brings.
  • Corporate Email
In an enterprise scenario, a threat actor sends phishing attempts to a large number of corporate email addresses in the hope that a few end-users are fooled into clicking and executing dangerous files. The malware would then covertly download the ransomware from a malicious site, hiding itself from corporate security systems behind SSL encryption. The network forensics sensors and intrusion detection or prevention systems (IDS/IPS) that would typically identify and block this nefarious activity can’t detect the attack without first decrypting the communications. A proven SSL decryption solution will have authorized access to the certificate key and the ability to securely decrypt and re-encrypt network traffic for inspection by the security infrastructure.

Mitigation 2: Stop the Download

As mentioned, where Bart differs from previous ransomware variants is the lack of a command-and-control requirement. This makes executing a successful ransomware attack that much easier and quicker for threat actors. Without the need to call back to a command-and-control server, there is less chance of being discovered by security solutions like network behaviour anomaly detection (NBAD) or next-generation firewall (NGFW) solutions. Proper SSL decryption would either expose the attachment so that the initial payload is stopped (assuming it is not a zero-day vulnerability), or block the outbound connection and the subsequent download of the ransomware payload.

High-Performance SSL Decryption is Possible

For security-conscious organizations committed to proper and proactive cybersecurity, SSL decryption and inspection is no longer a luxury. It is a critical security requirement. SSL-encrypted traffic is growing, rendering most security devices ineffective against it. According to a 2016 Ponemon Institute report, 80 percent of responding organizations were the victim of a cyber-attack or malicious insider. Of those, 41 percent of the attacks used encryption to evade detection.
When evaluating SSL decryption solutions, there are some basic guidelines to go by:
  • Consider dynamic URL classification to define policies that allow specific traffic streams to bypass decryption
  • Allow proper URL filtering to deny access to specific URL categories or harmful sites
  • Use of advanced server load-balancing to offload decryption and improve performance
  • Traffic-steering to intelligently route traffic, optimize performance and reduce security appliance costs
  • Validated interoperability with existing solutions within the network
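To make the first two guidelines concrete, here is an added example (my own Python, not code from A10 Networks or from any product's API) of the per-connection policy an SSL inspection proxy applies: a constructed URL-category table stands in for a dynamic classification feed, privacy-sensitive categories bypass decryption, harmful categories are denied outright, everything else is decrypted and handed to inspection, and a small content check flags a decrypted download that carries an executable or script attachment. All host names, categories and the sample response are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Action(Enum):
    BYPASS = "bypass"    # forward still encrypted, uninspected (privacy/compliance)
    DECRYPT = "decrypt"  # terminate TLS, inspect in cleartext, re-encrypt to the server
    BLOCK = "block"      # deny the connection before any payload is fetched


# Constructed stand-in for a dynamic URL classification feed (hypothetical hosts).
CATEGORY_TABLE: Dict[str, str] = {
    "bank.example": "financial",
    "clinic.example": "health",
    "webmail.example": "webmail",
    "filedrop.example": "malicious",
}

BYPASS_CATEGORIES = {"financial", "health"}    # streams that must never be decrypted
BLOCK_CATEGORIES = {"malicious", "phishing"}   # URL filtering: deny these categories

# Attachment types that should not arrive as HTTPS downloads on user endpoints.
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".wsf")


def classify(host: str) -> str:
    """Look a host up in the category table, falling back to its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_TABLE:
            return CATEGORY_TABLE[candidate]
    return "uncategorized"


def decide(host: str) -> Action:
    """Per-connection policy: a block category wins over a bypass category,
    and anything else is decrypted for inspection by default."""
    category = classify(host)
    if category in BLOCK_CATEGORIES:
        return Action.BLOCK
    if category in BYPASS_CATEGORIES:
        return Action.BYPASS
    return Action.DECRYPT


@dataclass
class DecryptedResponse:
    """What the inspection tools see once the proxy has terminated TLS."""
    headers: Dict[str, str]
    body: bytes


def attachment_name(disposition: str) -> str:
    """Extract the filename from a Content-Disposition header value."""
    for part in disposition.split(";"):
        part = part.strip()
        if part.lower().startswith("filename="):
            return part[len("filename="):].strip().strip('"')
    return ""


def inspect(resp: DecryptedResponse) -> str:
    """Content check run only on DECRYPT flows; returns 'block' or 'allow'."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    name = attachment_name(headers.get("content-disposition", ""))
    # A download whose advertised filename is an executable or script type.
    if name.lower().endswith(RISKY_EXTENSIONS):
        return "block"
    # A Windows PE executable starts with the 'MZ' magic whatever the headers claim.
    if resp.body[:2] == b"MZ":
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a download fetched from a link in a webmail message.
    sample = DecryptedResponse(
        headers={"Content-Type": "application/octet-stream",
                 "Content-Disposition": 'attachment; filename="invoice.js"'},
        body=b"var a = 1;",
    )
    for host in ("bank.example", "filedrop.example", "mail.webmail.example"):
        print(host, "->", decide(host).value)
    print("inspection of sample download ->", inspect(sample))
```

The ordering in `decide` matters: a host in a denied category is blocked even if it would otherwise qualify for a decryption bypass, so a bypass list can never become a way around URL filtering. The inspection step only ever sees flows that were decrypted, which is the point of the guideline: the attachment check above is blind to a connection that was passed through encrypted.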
(The author is Regional Director, SAARC, A10 Networks)
