By: Ashraf Sheet, regional director, Middle East and Africa at Infoblox
Ransomware is today the number one cyber threat to businesses. Since cyberextortion first appeared in 1989 as “PC Cyborg,” it has grown, evolved, and come into widespread use among hackers—and in 2017 it has fully come of age. Hundreds of new variations have sprung up this year.
Ransomware is a relatively brazen attack where a malware infection is used to seize data by encrypting it, and then payment is demanded for the decryption key. There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises.
It’s not always about the money though. Some ransomware is not designed primarily to make you pay up, but instead to disrupt operations or wipe data from computer systems.
The Role of DNS in Ransomware Attacks
DNS is the address book of the Internet, translating domain names such as www.google.com into machine-readable Internet Protocol (IP) addresses such as 22.214.171.124.
Because DNS is required for almost all Internet connections, cybercriminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.
Most modern malware used in a ransomware attack, uses DNS at one or more stages of the cyber kill chain. DNS may be used during the reconnaissance phase when it is a targeted attack. It is used in the delivery phase as potential victims unknowingly make DNS queries for IP address involved in the attack.
It will also be used in the email delivery process when the ransomware propagates via spam campaigns. Likewise, the exploitation phase may involve DNS queries when the victim’s system is compromised and infected. DNS is frequently used when an infected system checks in with the command and control (C&C) infrastructure. Given that DNS plays such an important role in the ransomware kill chain, it becomes a crucial control plane to prevent, identify, and detect such attacks and resolve them faster.
Organizations can stop Ransomware with the following 10 essentials:
Watch your Back – Always backup your essential data.
Stay Current – Prioritize and apply the latest security updates and patches.
Segment for Safety – Limit spread of ransomware with network segmentation.
Get the Word Out – Train employees in safe email and Microsoft macros best practices.
Implement DNS Response Policy Zone (RPZ) – enforcement to prevent data exfiltration and block DNS communications with malicious sites and command and control servers.
Monitor DNS Requests – to identify suspicious DNS activity and to detect “kill switch” domains that can be used to disable some types of ransomware attacks (e.g., by redirecting requests to internal “sinkholes”).
Improve Visibility and Discovery – with tools that can detect unauthorized or compromised devices and virtual machines anywhere on your network so you can automatically block their access and ensure compliance.
Use Data from DNS, DHCP and IP Address Management – to gain valuable insights that help you see ransomware attacks in context so you can better understand risk and prioritize remediation.
Harness Threat Intelligence – consolidated, curated, and updated—to detect, prioritize, and anticipate evolving threats.
Integrate Security Response – to accelerate remediation by sharing threat data, malicious events, and context across entire security ecosystem including endpoint security, NAC, SIEM and other technologies.