A new ransomware strain is showcasing the adaptability of threat actors. Nicknamed Bart, this new advanced attack downloads malware to end-user machines over HTTPS, but varies from predecessors like Dridex 220 and Locky Affid=3. The Bart ransomware doesn’t require connection to a command-and-control server to encrypt files.
Instead, it uses an intermediary loader to download both the ransomware and a ransom note directly to the endpoint. The Bart ransomware was expertly investigated and dissected by researchers at Proofpoint. (Bonus points for their Simpsons-inspired chalkboard).
According to Proofpoint, the Bart payload is delivered over HTTPS when a target clicks on a malicious attachment in an email. Threat actors are able to evade detection from perimeter security controls by encrypting the email and accompanying attachments.
For public email services (e.g., Gmail, Yahoo, etc.), this is achieved through SSL-based encryption. For enterprise-grade email clients (e.g., Microsoft Outlook), the attachments are often encrypted with the S/MIME-based standard. Proper SSL (Secure Sockets Layer) decryption and SSL inspection can properly monitor these specific attack vectors and allow perimeter security tools to take necessary actions.
If the phishing attempt is sent to a public email domain, the malicious attachment will likely evade detection by hiding behind SSL encryption.
With a proper SSL decryption solution in place — coupled with integrated third-party security controls — organizations are able to quickly decrypt, inspect and block malicious traffic. The remaining “good” traffic is then re-encrypted and sent on its way without hindering performance.
This helps organizations protect valuable data and assets, even when employees are accessing personal cloud-based email — and the potential for increased exposure to phishing attempts — that is encrypted.
In a more common enterprise scenario, a threat actor sends phishing attempts to a large number of corporate email addresses in hopes that a few end-users are fooled into clicking and executing dangerous files. Malware would then covertly download ransomware from a malicious site by hiding itself from corporate security systems behind SSL encryption.
The nefarious activity typically identified and blocked by a network forensics sensor or intrusion detection or prevention systems (IDS/IPS) can’t detect the attack without first decrypting the communications.
A proven SSL decryption solution will have authorized access to the certificate key and will have the ability to securely decrypt and re-encrypt network traffic for secure SSL inspection by the security infrastructure.
As mentioned, where Bart differs from previous ransomware variants is the lack of a command-and-control requirement. This makes executing a successful ransomware attack that much easier and quicker for threat actors.
Without the need to call back to a command-and-control server, there’s less of a chance of being discovered by security solutions like network behavior anomaly detection (NBAD) or next-generation firewall (NGFW) solutions.
Proper SSL decryption would either expose the attachment so that the initial payload would be stopped (assuming it’s not a zero-day vulnerability), or the outbound connection and subsequent download of the ransomware payload would be blocked.
For security-conscious organizations committed to proper and proactive cybersecurity, SSL decryption and SSL inspection is no longer a luxury. It’s a critical security requirement.
SSL-encrypted traffic is growing, rendering most security devices ineffective. According to a 2016 Ponemon Institute report, 80 percent of responding organizations were a victim of a cyber attack or malicious insider. Of those, 41 percent of the attacks used encryption to evade detection.
When evaluating SSL decryption solutions, consider: