Hongke shares | how to solve blackmail software security vulnerabilities
2022-07-25 19:24:00 【Hongke network visualization and security】
In recent years the number and frequency of network attacks of all kinds have increased, and ransomware in particular has evolved rapidly. Five years ago ransomware was a fairly remote problem for most organizations; today ransomware attacks and intrusions occur every minute. Few executives now dismiss the threat this malware poses to their organizations, but not many know how to prevent a ransomware attack.

Typical ransomware attacks
More dangerous ransomware
The number of ransomware intrusions has grown in recent years, and the growth of ransomware as a criminal business has also driven a profound technical transformation.
Two developments stand out. On one side, today's third-generation ransomware has become a multi-layered threat that combines extortion with denial of access; on the other, malware developers keep improving the way ransomware is delivered and deployed. As a result, ransomware is becoming more dangerous and can often evade security controls entirely.
Perhaps the most worrying development is the shift away from file-based ransomware deployment.
Today the attack chain that delivers a payload often starts and ends in the runtime memory of the device. For most organizations this is an extremely exposed attack vector. Given this profound change in how such attacks are deployed, organizations need to re-evaluate whether their endpoint defenses are still effective.
How to defend against ransomware
01 The dilemma of ransomware defense
When defending against ransomware, security professionals usually rely on threat intelligence feeds to correlate and analyze information, evaluate their security controls, and prioritize risk-reducing actions.
Unfortunately there is a serious gap between the environment that threat intelligence sources monitor and the place where the attack actually happens. Because scanning solutions usually focus on static files and network behavior, the static indicators of compromise (IOCs) they provide often leave the security team one step behind the attacker. In practice this means most organizations have no defense covering a key threat vector: device memory.

Most security products struggle to cover this gap, and the reason is simple: scanning memory and processes at runtime slows everything down, and the way devices and servers are used rarely tolerates a facility that continuously scans device memory. So most security solutions scan a device only at the start and end of execution, and rely on detectable, recognizable signatures that the threat leaves behind, which their models are trained on. Modern ransomware uses in-memory attack chains that exploit exactly this weakness.
02 How memory attacks are carried out
Stage one:
The downloader is delivered to the victim's device. At this point any threat intelligence feed based on static IOCs is of little use: whether the lure is a malicious Excel document or a fileless delivery via remote code, a highly obfuscated attack will not appear in a threat intelligence feed until it has been analyzed and classified.
Stage two:
The loader deploys the threat. Through a runtime download or code injection it gains access to the device's runtime memory. By now the attack has completely escaped the monitoring of traditional endpoint defenses.
Stage three:
Payload deployment. The payload, for example a RAT or an in-memory reverse shell, also runs in the device's runtime memory. This means the attack is invisible and can only be detected statically after the damage is done. From here the threat can move laterally across the network, disable security controls, and deploy the ransomware. By the time the ransomware attack draws the defenders' attention, the game is over.

Ransomware attack chain
We observe that in-memory attack chains are often used to deploy attack tooling such as Cobalt Strike, or in-memory ransomware strains such as Conti. In attacks like these, shellcode space is typically allocated dynamically in device memory before API calls are used to fetch the malicious .dll.
Such threats are highly evasive and live mainly in device memory, so NGAV of any tier, and even the best EDR, cannot reliably detect and stop them. The security community must respond to this class of attack by upgrading threat intelligence and focusing on memory detection.
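To make "focusing on memory detection" concrete, here is an added example written for this page (it is not Morphisec's code and does not come from the original article). It parses a process memory map and flags the two artefacts the attack chain above leaves behind: a writable-and-executable region (the dynamically allocated shellcode buffer) and an executable region with no backing file (code that was never on disk). The input is a constructed sample in the Linux /proc/<pid>/maps format; the assumption that the same two checks carry over to Windows, where VirtualQueryEx reports MEM_PRIVATE regions with PAGE_EXECUTE_READWRITE, is mine, not the article's.

```python
"""Heuristic scan of a process memory map for in-memory loader artefacts.

Example written for this page (not Morphisec's code and not from the original
article). Input is the Linux /proc/<pid>/maps format; the sample below is a
constructed map, not a capture from a real infection.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One /proc/<pid>/maps record: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Kernel-provided executable mappings that are anonymous by design.
KERNEL_MAPPINGS = {"[vdso]", "[vsyscall]", "[vvar]"}


@dataclass
class Region:
    start: int
    end: int
    perms: str   # e.g. "rwxp"
    path: str    # "" for anonymous memory, "[heap]"/"[stack]" for pseudo-paths

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def file_backed(self) -> bool:
        return self.path.startswith("/")


def parse_maps(text: str) -> List[Region]:
    """Parse maps-format text into Region records; raise on a malformed line."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def suspicious_regions(regions: List[Region]) -> List[Tuple[Region, str]]:
    """Flag regions that a shellcode stager or reflective loader typically creates.

    Two signals, strongest first:
      1. writable AND executable: the classic RWX staging buffer for shellcode.
      2. executable but not file-backed: code that was never on disk
         (reflectively loaded DLL / injected stage), excluding kernel mappings.
    JIT engines (browsers, .NET, Java) legitimately produce both, so in
    production these findings need a per-application baseline, not a blanket alert.
    """
    findings = []
    for r in regions:
        if r.path in KERNEL_MAPPINGS:
            continue
        if r.executable and r.writable:
            findings.append((r, "writable+executable (RWX) mapping"))
        elif r.executable and not r.file_backed:
            findings.append((r, "executable mapping with no backing file"))
    return findings


def scan(text: str) -> List[Tuple[str, int, str]]:
    """Convenience wrapper: (start address as hex, size, reason) per finding."""
    return [(f"0x{r.start:x}", r.size, reason)
            for r, reason in suspicious_regions(parse_maps(text))]


# Constructed sample map: a python3 binary, a clean anonymous heap arena,
# an RWX staging buffer, an anonymous executable stage, the stack and vdso.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a21000 r--p 00000000 08:01 1311234 /usr/bin/python3
55d1c0a21000-55d1c0c40000 r-xp 00021000 08:01 1311234 /usr/bin/python3
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c200000-7f3a1c210000 rwxp 00000000 00:00 0
7f3a1c400000-7f3a1c450000 r-xp 00000000 00:00 0
7ffd5a9e0000-7ffd5aa01000 rw-p 00000000 00:00 0                          [stack]
7ffd5ab2c000-7ffd5ab2e000 r-xp 00000000 00:00 0                          [vdso]
"""

if __name__ == "__main__":
    for addr, size, reason in scan(SAMPLE_MAPS):
        print(f"{addr:>16}  {size:>8} bytes  {reason}")
    # To scan the running interpreter itself on Linux:
    # with open("/proc/self/maps") as fh: print(scan(fh.read()))
```

On the sample map only the RWX buffer and the anonymous executable stage are reported; the file-backed python3 text segment, the read-write heap arena, the stack and the vdso are not. The check is deliberately a heuristic: it answers the question the article raises (is there executable code in this process that never existed as a file?) rather than matching a signature, which is exactly what a static IOC feed cannot do.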
03 How to resist ransomware attacks
The answer to how to prevent ransomware attacks is Morphisec's Moving Target Defense (MTD) technology, which provides proactive, lightweight protection against zero-day and in-memory attacks.
· What is Moving Target Defense (MTD) technology?
Moving Target Defense (MTD) is an industry-leading solution against advanced attacks. It gives any organization facing in-memory attacks a low-impact, highly effective defense.
· How does Moving Target Defense (MTD) resist ransomware attacks?
1. By morphing device memory at runtime, MTD strengthens the enterprise's existing security stack to prevent and attribute fileless attacks whose intrusion would otherwise go undetected.
2. Customers typically layer MTD on top of their existing solutions, including AV and EDR, to create defense in depth. Pairing MTD with the operating system's native Windows Defender yields a very cost-effective security stack that can defeat advanced threats.
· Advantages of Morphisec's Moving Target Defense (MTD) technology
Unique in the security industry, Morphisec's MTD uses polymorphism to hide application and operating system targets from adversaries in unpredictable ways. This sharply reduces the attack surface and makes the targets impossible to find. It also deploys decoys that spoof and trap intruding threats without affecting availability. Morphisec's MTD relies on dynamic changes in memory to both prevent and expose hidden attackers.
