Recently, a 0day vulnerability in a well-known domestic financial software product is suspected of having been used for large-scale ransomware attacks. In just one day, more than 2,000 attacks by the same ransomware were confirmed, and the number is still rising. Affected companies were asked to pay the attackers 0.2 BTC (about RMB 28,000). Although this ransom is lower than that demanded by "traditional" ransomware, it is enough to disrupt the normal operation of the affected companies. An attack on this scale instantly caused a stir in the security industry and attracted widespread public attention.

Since the "WannaCry" ransomware incident of 2017, countries around the world have greatly raised public awareness of ransomware, yet ransomware remains hard to prevent and notable ransomware incidents occur frequently. Why is ransomware so difficult to defend against? Can ransomware attacks be detected in advance? If a company is unfortunately hit by ransomware, how should it respond? Starting from these questions, Ruishu Information has analyzed in depth the development trends, attack methods, and response strategies of ransomware attacks.

Ransomware attacks are becoming more serious, showing five new trends

In recent years, ransomware attacks have swept the world. Wherever there is an Internet connection, there are ransomware attacks. As digitalization accelerates, ransomware has become the main threat to network security today. Organized hacker groups are no longer aiming only at stealing core data. Critical information infrastructure in industries such as healthcare, government, industrial manufacturing, finance, energy, and communications has become a new target, and the scope of impact is still expanding. At the same time, the intensity, frequency, scale, and impact of cyber attack and defense confrontations worldwide keep escalating.
After several years of evolution, ransomware attacks have become more sophisticated, with clearer targets and more varied modes of operation. They are more covert, harder to prevent, and more damaging. As ransomware operations have become professionalized and team-based, five new trends have emerged.

Trend 1: The supply chain becomes an important entry point for ransomware attacks

A single basic vulnerability can expose an entire supply chain to risk. When supply chain attacks and ransomware are combined, the harm is greater, and the ransom targets extend from suppliers to their customers.

Trend 2: Multiple extortion models create data leakage risks

Attackers not only encrypt data and extort the victim company; they also steal the data and extort the company again, maximizing their gains through double and multiple extortion models.

Trend 3: The new generation of ransomware attacks uses low and slow attack strategies

Attackers encrypt data slowly while exfiltrating it, making the attack more hidden and harder to notice, which greatly increases the difficulty of detecting the threat and recovering the data.

Trend 4: Ransomware combined with mining Trojans

Attackers deploy both at the same time. The victim company's equipment not only suffers the ransomware attack but is also used by the attackers for cryptocurrency mining. Beyond higher power consumption, accelerated equipment aging, and serious economic losses, attackers also leave backdoors to steal confidential information, directly triggering or indirectly breeding various cyber crimes.
Trend 5: Ransomware distribution channels shift to web application vulnerabilities

As attack techniques iterate and upgrade, attackers have begun to shift from hunting system vulnerabilities to hunting application vulnerabilities, building advanced attack tools customized for specific applications and carrying out targeted application-level attacks. This has become a new ransomware attack method.

Traditional technical bottlenecks highlight the urgent need for new anti-ransomware ideas

To fight ransomware, many anti-ransomware protection products and data backup products have appeared on the market. Even so, when new ransomware attack methods emerge, they still fail to protect enterprise data. So, where do existing protection technologies fall short? According to Ruishu Information, the two biggest weaknesses of existing anti-ransomware technology against new ransomware attacks are application vulnerabilities and response speed. These can be viewed from the perspectives of application security and data recovery: the former detects and responds to attacks on applications, the latter backs up data and restores business. Neither technology can remain at the traditional level, or it will be unable to keep up with escalating ransomware attacks.

Traditional WAF

Application protection products such as traditional WAFs rely on fixed rules and signature libraries. They cannot protect against ransomware that uses automated attack techniques to hide its malicious signatures and mutates constantly, and they are even less able to defend against ransomware attacks that exploit 0day vulnerabilities.

Traditional disaster recovery systems

Traditional backup systems perform regular full backups, but they cannot fully determine whether the backed-up data is healthy, recoverable, or complete.
Once the original data is infected, the backup data is infected too, rendering it unusable. Traditional disaster recovery systems likewise have no answer to ransomware: once the primary system is infected and damaged, the backup system replicates the data synchronously and every disaster recovery copy is infected as well. At the same time, new ransomware attacks use a low and slow strategy: the encrypted data spans multiple backup points, making it hard for operations staff to determine which point in time still holds clean data, which greatly increases the difficulty of recovery. If an enterprise simply restores from its disaster recovery system after a ransomware attack without verifying the integrity of the data content, the "dirty data" encrypted by the ransomware will affect the normal operation of the system, causing secondary damage and further harming the company's reputation. In addition, traditional backup systems take a long time to restore data and so cannot guarantee business continuity.

Backing up critical data is the "last line of defense" against ransomware

When existing protection measures are not effective enough, are enterprises simply at the mercy of ransomware attacks? In fact, anti-ransomware protection requires comprehensive measures: sound data backup and disaster recovery plans; regular vulnerability checks and timely security patching; regular password changes; reduced Internet exposure; stronger intrusion prevention and management at the network boundary; and better security awareness. All of these are necessary measures that companies must take in the face of ransomware threats.
An important difference between ransomware and other malware and attacks is that once a ransomware attack succeeds, the data and systems are usually difficult to unlock. Therefore, beyond prevention and attack detection, anti-ransomware depends even more on emergency response efficiency, high security, and high-quality data recovery, which becomes the most critical last line of defense. From a technical perspective, innovative application security protection technology combined with data backup technology can build a more solid anti-ransomware data defense line for enterprises. At present, Ruishu's combination of the "Dynamic Application Protection System Botgate" and the "Data Security Detection and Emergency Response System DDR" is a typical representative of such innovative anti-ransomware technology.

1. Dynamic Application Protection System Botgate

As a new-generation WAF flagship product, Ruishu Botgate is widely known in the industry. With "dynamic protection + AI" technology at its core, it provides all-round active protection from the user end to the server end through innovative techniques such as dynamic encapsulation, dynamic verification, dynamic obfuscation, and dynamic tokens. While efficiently identifying known and unknown attacks, it also makes up for the inability of traditional WAFs and antivirus software to recognize unknown malware signatures. Because Ruishu Botgate does not rely on fixed rules and signatures but on its "dynamic protection + AI" technology, it can identify 0day attacks before the vulnerability is disclosed, intercept unknown 0days in advance, and defend against ransomware attacks that exploit 0day vulnerabilities. For Webshell-based attacks following a 0day outbreak, Ruishu Botgate can also block access to the Webshell through its dynamic technology.
No matter how the Webshell is updated, a single mechanism defeats it and prevents attackers from planting ransomware code through the Webshell.

2. Data Security Detection and Emergency Response System DDR

Once an enterprise application or system is breached by ransomware, quickly recovering the enterprise's core data and keeping the business running are the keys to anti-ransomware. The Ruishu DDR system is positioned to back up enterprise core data and quickly restore it, serving as the "last line of defense" against data ransomware. Under the new security situation, a data security base that preserves data in its original format is needed. As a new-generation data security base, the Ruishu DDR system achieves the three goals of data anti-ransomware: health check, ransomware monitoring, and rapid recovery.

Goal 1: Health check and data risk management before the event

Inventorying data assets and investigating system risks are the first steps in ensuring data security. Based on its "deep file content detection" technology, DDR can efficiently identify the data types in an enterprise's core backup data and generate reports on data integrity, sensitive data distribution, and permission audits, giving full visibility into the management status of core backup data assets. In addition, vulnerability detection and configuration verification mechanisms check for system risks to protect the backup data assets.

Goal 2: Ransomware monitoring and intelligent threat perception during the event

Based on its "offline intelligent deep detection engine", the Ruishu DDR system can run security checks on files damaged during an attack, detect files encrypted by ransomware, locate clean and usable data, and help enterprises quickly restore their IT systems.
Traditional backup systems do not check the quality of backup data, so the backups may contain a large number of files damaged by the ransomware attack, and the restored system may still fail to work properly. Ruishu Information can find damaged or abnormal files or data during the backup process, identify the files infected by the ransomware and the time of infection, and assist security managers in quickly removing the ransomware and hardening the system. This technology derives from Ruishu Information's original file and database change tracking technology: by comparing changes in indicators such as file name, file type, file size, file information entropy, and file similarity, suspicious files encrypted by ransomware can be identified. Security detection using information entropy + AI is Ruishu Information's specialty, and the detection accuracy can reach 98%.

Goal 3: Rapid recovery, rapid response and recovery after the event

With traditional backup systems, data merging is time-consuming and requires converting the backup format into the production data format. Data must be moved and copied before recovery, and recovery often takes days or even weeks. Based on Ruishu's intelligent fast recovery engine, the DDR system can automatically generate a clean disk image that can be mounted directly, regardless of data volume, achieving recovery in minutes and minimizing business interruption. In addition, DDR can assess the damage caused by the attack: Which data was attacked? How is the affected data distributed? Which users were affected? When did it happen? How much damage and impact was caused? Which version is the latest clean backup? This allows the latest clean backup to quickly restore the damaged data and automatically remove the ransom note files generated by the ransomware.
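The indicator comparison described above (file name, type, size, information entropy and similarity tracked across backup points), together with the earlier problem of low and slow encryption spanning several backup time points, can be illustrated with a small snapshot comparison. The Python below is an added example written for this page; it is not Ruishu's DDR code. The entropy thresholds, the similarity floor, the rename heuristic and the four-day backup history are all constructed assumptions, chosen so that a plain document edit and an already high-entropy image are not flagged while in-place encryption and a renamed encrypted file are, and so that the latest clean backup can be named.

```python
"""Constructed example: track per-file indicators across backup snapshots to find
ransomware-encrypted files and name the latest clean backup (not vendor code)."""
import difflib
import math
import random
from dataclasses import dataclass, field

# Assumed thresholds (not from the article): encrypted or compressed bytes sit
# near 8 bits/byte, while plain documents and source code are typically 4 to 6.
ENTROPY_THRESHOLD = 7.0   # bits per byte the new version must reach
ENTROPY_JUMP = 1.5        # rise over the previous version required to flag
SIMILARITY_FLOOR = 0.3    # below this the new content shares little with the old


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def similarity(old: bytes, new: bytes) -> float:
    """Byte-level similarity ratio in [0, 1]; encryption drives it toward 0."""
    return difflib.SequenceMatcher(None, old, new, autojunk=False).ratio()


@dataclass
class Finding:
    path: str
    first_bad: int              # snapshot index where the file first looks encrypted
    last_clean: int             # latest snapshot index still holding a usable copy
    reasons: list = field(default_factory=list)


def _version_reasons(old: bytes, new: bytes) -> list:
    """Indicators that 'new' is an encrypted replacement of 'old' (empty if not)."""
    e_old, e_new = shannon_entropy(old), shannon_entropy(new)
    if not (e_new >= ENTROPY_THRESHOLD and e_new - e_old >= ENTROPY_JUMP):
        return []   # plain edit, or a file that was high-entropy all along (JPEG, zip)
    reasons = [f"entropy {e_old:.2f} -> {e_new:.2f} bits/byte"]
    if similarity(old, new) < SIMILARITY_FLOOR:
        reasons.append("content similarity below floor")
    if len(new) != len(old):
        reasons.append(f"size {len(old)} -> {len(new)}")
    return reasons


def analyze_snapshots(snapshots: list) -> list:
    """Walk consecutive snapshots (dicts of path -> bytes) and collect findings."""
    findings = {}
    for i in range(1, len(snapshots)):
        prev, cur = snapshots[i - 1], snapshots[i]
        for path, data in cur.items():
            if path in findings:
                continue   # already known bad; later snapshots inherit the encrypted copy
            if path in prev:
                reasons = _version_reasons(prev[path], data)
                if reasons:
                    findings[path] = Finding(path, i, i - 1, reasons)
            else:
                # Rename heuristic (assumption): "a.txt" vanished and "a.txt.locked"
                # appeared with high-entropy content, so treat it as the same file encrypted.
                origin = next((p for p in prev if path.startswith(p) and p not in cur), None)
                if origin is not None:
                    reasons = _version_reasons(prev[origin], data)
                    if reasons:
                        findings[origin] = Finding(origin, i, i - 1, reasons + [f"renamed to {path}"])
    return list(findings.values())


def latest_clean_backup(findings: list, n_snapshots: int) -> int:
    """Latest snapshot index that predates every detected encryption."""
    return min((f.last_clean for f in findings), default=n_snapshots - 1)


def build_demo_snapshots() -> list:
    """Constructed backup history: day 0 clean, day 1 a legitimate edit,
    day 2 ransomware encrypts two documents and drops a note, day 3 unchanged."""
    rng = random.Random(7)   # seeded so the example is reproducible
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    report = ("Q3 revenue summary. Sales up 4% quarter over quarter. " * 12).encode()
    notes = ("Meeting notes: follow up with vendor on the renewal terms.\n" * 10).encode()
    photo = noise(2048)      # stands in for a JPEG: high entropy in every snapshot, never flagged
    day0 = {"docs/report.txt": report, "docs/notes.txt": notes, "media/photo.jpg": photo}
    day1 = dict(day0, **{"docs/report.txt": report + b"Forecast revised upward.\n"})
    day2 = {"docs/report.txt": noise(len(day1["docs/report.txt"])),
            "docs/notes.txt.locked": noise(len(notes) + 16),
            "docs/HOW_TO_RECOVER.txt": b"Your files are encrypted. Contact us.\n",
            "media/photo.jpg": photo}
    day3 = dict(day2)
    return [day0, day1, day2, day3]


if __name__ == "__main__":
    snaps = build_demo_snapshots()
    found = analyze_snapshots(snaps)
    for f in found:
        print(f"{f.path}: first bad in snapshot {f.first_bad}, restore from {f.last_clean}; " + "; ".join(f.reasons))
    print("latest clean backup:", latest_clean_backup(found, len(snaps)))
```

The entropy jump is required before any other indicator counts, which is what keeps a photo or archive that was always near 8 bits/byte from being reported; the absolute threshold alone would flag it on every run. Size and similarity are recorded as supporting evidence, and the rename check is what ties an encrypted copy under a new extension back to its original so that a restore point can still be named for it.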
With traditional data recovery solutions, once production data is encrypted, the backup data is likely to be encrypted too. The biggest advantages of Ruishu DDR are that it prevents bulk data destruction, isolates backup data securely, restores in minutes, interferes little with the production environment, and supports automated, programmable operations, effectively breaking the bottleneck that traditional disaster recovery systems face under ransomware threats. Once infected by ransomware, Ruishu DDR can immediately analyze the incremental backup data, locate the encrypted data, and find the unencrypted data in the system for recovery. The worst-case data loss is limited to the encrypted portion of that day's incremental data, which has little impact on business continuity.

Conclusion

As ransomware attacks intensify, traditional security, backup and disaster recovery mechanisms are stretched to the limit by emerging data security threats, and building a new generation of data anti-ransomware mechanisms is urgent. Data anti-ransomware solutions such as Ruishu's "Dynamic Application Protection System Botgate" + "Data Security Detection and Emergency Response System DDR", based on innovative dynamic security + AI technology and integrated with storage technology, will build a solid security defense line for users across industries.