A little about Ransomware and DNS

January 21, 2020


By Kevin Prater, Kovarus, Practice Manager Collaboration / Network Edge

It’s become an all too familiar story in the news: “Data Breach Threatens Millions.” Compromised credit card and social security numbers, health information and other personal details, all exposed to the bad guys by a temporary lapse in security, exploited vulnerabilities, or simple bone-headedness. Each of these huge data breaches carries the same career-limiting ramifications and can cost organizations hundreds of millions of dollars, but are the hackers really the ones getting rich off these incidents? Maybe, maybe not. Much of that money is paid out in regulatory fines, legal fees, lost business through shaken customer confidence, and remediation costs.

Far more lucrative for the hackers, though, and the incidents we should really be concerned with, are the ones the media are not focusing on so much: the attacks that target enterprises, small businesses and individuals alike. We’re talking ransomware, the equal-opportunity attack. Even more concerning is the availability of these tools in malware kits and even malware-as-a-service offerings that enable the bad guys whether they have the technical skills or not.

Anatomy of an Attack

Ransomware is an extortion-like cyberattack where malicious software (malware) is used to infect a target system, search and catalog data, then encrypt it, holding it hostage until a ransom is paid. Here’s essentially what’s happening:

  • Infection — Yes, we know opening that unknown email or clicking that unknown link is a no-no, but you’d be surprised at the stuff that continues to get clicked and opened, even by intelligent people in the know. The sheer barrage of spam and malvertising seen everywhere today leads to the late-night, bleary-eyed CLICK.
  • Command and Control (C2) — Now that you’re infected, this little gem phones home to a C2 server to generate an encryption key to lock down your stuff!
  • Lockdown — All the while our new friend is quietly scanning your system, searching your local drives, removable drives, even network shares, and encrypting as many files as it can. It’s typically selective, though. It doesn’t want to risk rendering the system unstable, so that you can still make a prompt payment.
  • Ransom Note — Now that you’re all locked up, a notice will typically be displayed with instructions on how and where to pay the ransom and whether there are any timers before things start getting destroyed. The bad guys like to keep it anonymous, so they’ll likely want payment in cryptocurrency delivered somewhere on the dark web.

Now you, as the victim, have a decision to make. To pay or not to pay, that is the question. And what guarantee do you have that your corporate data, or the pictures of late aunt Millie, will be decrypted and released to you once you’ve paid? You guessed it: absolutely none. And if you do get it back, you’ve now helped fund the next round of malware variants, and who’s to say your data hasn’t been copied, altered, sold, or saved to extort you in the future? Oh boy.

Importance of DNS

A first line of defense just happens to be a tool we all use every single day: DNS. I don’t care how good you are with numbers, you’re hardly likely to remember the IP addresses of all the websites and network resources you access on a daily basis. Given this human limitation, we rely on the Domain Name System. Think of DNS as the white pages of the internet, providing a mapping from the well-known names we can remember to their corresponding IP addresses.

Just about everything uses DNS: servers, PCs, printers, Alexa, even your IP-enabled fridge. In fact, a typical user makes an average of 2000 DNS requests each and every day. Consider this example: browsing to www.cnn.com hits:

  • 26 Domains
  • 39 Hosts
  • 171 Objects
  • 557 Connections

(Chris Riviere, CSE CiscoLive)

When you browse to a website these days there’s a lot more going on than just loading a static web page. It’s pulling in third-party content, images, advertisements, etc., all of which need to live somewhere, so DNS is used to reach them.

And here’s a fun fact: a surprising 68 percent of organizations today don’t even monitor it.

First Line of Defense

So, in looking to address threats like ransomware and others, it makes sense to look at the DNS layer, because DNS requests precede all internet activity. Secure it and you gain much-needed visibility while quickly identifying malicious domains, allowing you to:

  • Block dangerous connections
  • Stop C2 callbacks and data exfiltration
  • Reduce security incidents and alerts by being proactive instead of reactive
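As an added example (not code from this post, nor from Cisco Umbrella), here is a small Python inspection of a constructed DNS query log that does, in miniature, what the two bullets above describe at the DNS layer: it flags a query whose registered domain is on a blocklist (a C2 callback) and flags query patterns that look like data exfiltration over DNS (a long, high-entropy leftmost label, or an unusual number of unique subdomains under one domain). The blocklist, the domain names, the log format and the thresholds are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed blocklist standing in for a threat-intelligence feed (hypothetical domain).
BLOCKLIST = {"c2-update.example"}

# Constructed DNS query log, one "client qname qtype" per line, as a resolver might export it.
SAMPLE_LOG = [
    "10.0.0.5 www.cnn.com A",
    "10.0.0.5 c2-update.example A",
    "10.0.0.7 4f3a9c1b7e2d8a6f0c5b3e9d1a7c2f8b4e6d0a9c3f1b5e7d.exfil.test TXT",
    "10.0.0.7 mail.kovarus.com MX",
] + [f"10.0.0.9 q{i}.tunnel.test A" for i in range(25)]

def entropy(label):
    """Shannon entropy of a DNS label in bits per character (max 4.0 for hex text)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); a real tool would consult the public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])

def inspect_dns_log(lines, max_unique_subdomains=20, entropy_threshold=3.5, long_label=40):
    """Return one (verdict, qname) per query. 'block': registered domain is blocklisted
    (C2 callback); 'suspect-tunnel': leftmost label is long and high-entropy, or one
    domain has received too many unique subdomains (typical of exfiltration over DNS);
    otherwise 'allow'."""
    findings = []
    subdomains_seen = defaultdict(set)
    for line in lines:
        _client, qname, _qtype = line.split()
        qname = qname.rstrip(".").lower()
        rdom = registered_domain(qname)
        if rdom in BLOCKLIST:
            findings.append(("block", qname))
            continue
        leftmost = qname.split(".")[0]
        subdomains_seen[rdom].add(leftmost)
        encoded = len(leftmost) >= long_label and entropy(leftmost) >= entropy_threshold
        if encoded or len(subdomains_seen[rdom]) > max_unique_subdomains:
            findings.append(("suspect-tunnel", qname))
        else:
            findings.append(("allow", qname))
    return findings

def verdict_counts(lines):
    """Tally verdicts; for SAMPLE_LOG: {'allow': 22, 'block': 1, 'suspect-tunnel': 6}."""
    return dict(Counter(v for v, _ in inspect_dns_log(lines)))

if __name__ == "__main__":
    for verdict, qname in inspect_dns_log(SAMPLE_LOG):
        if verdict != "allow":
            print(verdict, qname)
```

The first 20 queries under tunnel.test are allowed and only the 21st onward trip the unique-subdomain threshold, which is why a per-domain baseline matters more than any single query.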

And we can do that today with solutions like Cisco Umbrella. Umbrella is a cloud-based recursive DNS service providing global internet activity visibility, network security without adding latency, and consistent policy enforcement, ensuring that even off-net mobile users have some sort of protection.

With over 15 years of threat intelligence built in, you can quickly protect your entire enterprise and have an immediate impact: you’re simply sending your DNS requests to Cisco Umbrella. Of course, this is just one piece of a good defense-in-depth security strategy, but one that should not be discounted.

Let’s talk more! Connect with me on Webex Teams! You can find me at kprater@kovarus.com

