Ransomware attacks have become a significant concern for organizations worldwide, with the frequency and success of these attacks continuing to rise. Ransomware attacks can have devastating consequences for businesses, including costly downtime, data theft, and reputational damage. The average downtime and recovery time after a ransomware attack is 22 days, with a conservative estimate of the cost of downtime being $43.2 million.
Typically, in ransomware attacks, cybercriminals gain access to a company’s data and use encryption to prevent users from accessing that data until a ransom is paid. As these types of attacks became widespread, organizations started to have robust backups so that they could recover their data in case of a ransomware attack and would not have to pay the ransom. To increase the pressure on victims to pay the ransom, cybercriminals then started to resort to double extortion ransomware, where the attackers not only encrypt sensitive data but also steal the data and threaten to publish it on the dark web if the ransom is not paid. Preventing the leakage of sensitive information is critical for companies as such data leaks can result in fines, loss of brand reputation, and lost customers.
Use of DNS by Ransomware for Command and Control (C2) Communications
Once ransomware has infiltrated a company’s network and begins executing, it utilizes Command and Control (C2) communications to download the encryption key to the end host and encrypt the files. This C2 happens over DNS. DNS C2 is a technique used by cybercriminals to communicate with malware that has infected a target system. Also called beaconing, the malware periodically sends DNS queries to the attacker’s server to check for new commands. This communication is crucial for controlling the malware and executing malicious activities. Cybercriminals use DNS for C2 because
- it is a ubiquitous and essential service in network communications. By embedding commands within DNS queries and responses, attackers can communicate with malware without raising suspicion.
- it provides a level of stealth. Since DNS traffic is usually allowed through firewalls and other security devices, it can be used to hide malicious activities. Attackers can encode commands in DNS queries and responses, making it difficult for security tools to detect and block these communications
Use of DNS by Ransomware for Data Exfiltration
In addition to using DNS to relay commands/data out of the organization, ransomware attacks, especially ones that are double extortion, as defined at the beginning of this blog, get hold of sensitive data, such as credit card data, and send this data out in DNS queries. These queries are sent to a malicious DNS server controlled by the attacker. The server decodes the data from the queries and stores it. Data exfiltration over DNS is a sophisticated technique that allows attackers to covertly transfer sensitive data out of an organization by leveraging the DNS protocol. By embedding data in DNS queries, or in other words creating a tunnel over DNS to transfer data, attackers can bypass traditional data loss prevention (DLP) tools that might block other avenues of data theft.
Proactive Blocking of Ransomware Domains Using DNS Threat Intel
The most effective way to deal with Ransomware is to prevent users from accessing ransomware domains in the first place. Phishing, one of the most used delivery methods for ransomware, lure users to domains owned by threat actors. Proactive identification of such domains, even before they are weaponized, is something that DNS threat intel excels at, because it can identify when domains are registered for future malicious purposes and block them, on an average of 63 days ahead of attacks.
Detecting C2 and Data Exfiltration Using DNS Threat Intel and DNS Behavior Monitoring
By monitoring DNS traffic and using DNS threat intelligence, organizations can block the C2 communications, preventing the encryption key download and the eventual encryption of data. Blocking C2 at DNS ensures that the session is not even established with the attacker-controlled server, providing mitigation at the earliest possible opportunity.
Detecting data exfiltration over DNS involves monitoring an organization’s DNS traffic in real time for unusual patterns, such as high-frequency queries to uncommon domains or queries with high entropy in their names. This behavior-based analysis can identify data exfiltration to domains even if those domains are not yet categorized as malicious in threat feeds. It is important that all DNS record types are examined (e.g.: A, AAAA, CNAME, MX, NS, SOA, TXT, etc.) because malware could use any or multiple of these record types to avoid detection by standard security tools.
Summary
Proactive protection against ransomware is extremely important because once ransomware lands, organizations have only about an hour to detect, investigate and remediate to avoid a broader scale incident. Hence it is extremely critical to identify and stop C2 before the ransomware gets activated and propagates.
Infoblox Threat Defense uses a combination of unique DNS threat intelligence and behavioral analysis, to disrupt and minimize the damage caused by ransomware attacks, while delivering precise protection with 0.0002% false positive rate. Learn more here.
Sign up for a Free Security Workshop
To learn more about all the ways threat actors can abuse DNS, and how you can stay protected, sign up for a free security workshop here.
Sources:
https://ransomware.org/blog/how-downtime-drives-up-the-cost-of-a-ransomware-attack/
