10 Takeaways from the SANS Webcast: Evasive Ransomware & Malware

September 20, 2021

The SANS webcast uncovers valuable new insights to help organizations combat the ever-growing number of cyber threats. 

In our latest webcast, Evasive Ransomware & Malware: How It Works & How to Prevent It, ex-IDF security researcher, pentester, and current Votiro CTO Aviv Grafi and SANS Analyst Jake Williams discussed the stealthy ways that ransomware and other evasive malware enter organizational networks. They covered new trends in delivery channels for ransomware attacks and highlighted tools and techniques that can be used to combat evasive malware.

Listen in to the full webcast here, or read on for the 10 key facts you need to know:

1. Employee Productivity Trumps Caution

Employees need to be able to do their jobs and, at many organizations, productivity trumps security. According to TechRadar, 90% of data breaches are caused by human error and Security Intelligence reports that 27% of employees in an organization fail phishing or social engineering attacks. Aviv says that he recognized this security gap from his days of doing penetration testing. He would take a weaponized document, make it look like a resume, email it to the HR department, and then watch the client’s open rate. The malicious document was opened almost 100% of the time. And if HR didn’t fall for it, he sent a bogus invoice to the Finance department. At some point, the scheme would work. He says, “It’s the tension between productivity and security that actually makes the bad guys successful because they know we cannot really stop being productive.”

2. Malware is Easy and Practically Free to Generate

There is a reason why an average of 10 million new malware threats are recorded each month. Jake stresses how easy and inexpensive it is to create and send an infinite number of weaponized documents, each with its own unique hash, each technically a new, zero-day threat. “While we on the defensive side have to do a lot of work to deal with the different variations of weaponized documents, the threat actor has very little work to do.” 

3. Malware has Become Big Business

Jake puts it plainly, “If you haven’t been living under a rock for the last few months, you know that ransomware is out of control.” He attributes this to its widespread availability due to hackers selling access to their malware to brokers. Malware has become a commodity. 


4. Sandboxes are Ineffective at Catching Malware

A sandbox is an isolated environment in which a file or program from an untrusted source can be executed and observed without touching production systems. Discussing the drawbacks of the sandbox, the security experts talk about latency. Users expect documents in seconds, and even the smallest delay caused by the sandbox has become unacceptable. Jake and Aviv also discuss how easy it is for malware to evade the sandbox. Simple Google searches can produce dozens of evasion techniques that hackers have used successfully.

5. Legitimate Features are Being Misused: The Macro Misfortune

VBA macros are a legitimate feature in Excel spreadsheets, and most companies are unwilling to simply disable them despite the risks they present for hiding malware. After all, macros are a feature, not a bug, and they are a feature that enterprise workflows depend on. Says Jake, a “huge majority of the weaponized documents that we see today use features, not vulnerabilities.” This requires new thinking and security innovations.

According to Aviv, the trick to dealing with macros is to look for the good and not for the bad. If you start to create a blacklist, there will be an endless list of files to block. But if we know what we DO want to allow, it will actually serve the business better. Instead of taking an “allow all, deny by exception” approach, take a zero-trust approach to files and the elements inside them.

6. Fear of File Formats

File formats are ridiculously complex, and as Jake explains, “complexity is the enemy of security.” For example, most people have no idea that a PDF can carry attachments. But hackers certainly do. Since no traditional security solution really inspects the attachments inside a PDF, the bad guys learned to use this evasive technique. And this is just one example.


7. Watch Out for Embedded Fonts

Embedded fonts may be one of the biggest threats out there, because font parsing and rendering run with the highest privileges within the operating system. A hacker can easily embed a new malicious font in a PDF or Office document, and the system will render that font by default. “This is the stuff that makes my skin crawl,” says Jake. From Vista on, there are almost no security mechanisms that prevent threat actors from embedding malicious fonts within your documents.
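A defender-side triage check covering takeaways 5, 6 and 7, added here as an example and not code from the webcast, from Votiro or from SANS: it flags the document elements the speakers single out (VBA macro projects, PDF file attachments, embedded fonts) and applies the “allow only what you know you want” policy Aviv describes, so anything not on an explicit allowlist is held back. The PDF check is a simplified byte-pattern scan on constructed samples (a real scanner must also decompress object streams), and all function names, marker sets and samples are my own assumptions.

```python
import io
import re
import zipfile

# Simplified markers for PDF elements beyond plain text and images. Constructed
# for this example; real PDFs may hide these inside compressed object streams.
PDF_MARKERS = {
    "embedded_file": re.compile(rb"/(?:EmbeddedFile|EmbeddedFiles|FileAttachment)\b"),
    "embedded_font": re.compile(rb"/FontFile[23]?\b"),
    "javascript": re.compile(rb"/(?:JS|JavaScript)\b"),
    "auto_action": re.compile(rb"/(?:OpenAction|AA|Launch)\b"),
}

def inspect_pdf(data: bytes) -> set:
    """Return the set of risky element kinds present in a PDF byte string."""
    return {name for name, rx in PDF_MARKERS.items() if rx.search(data)}

def inspect_ooxml(data: bytes) -> set:
    """Return risky element kinds in an OOXML (docx/xlsx/pptx) zip container."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        found.add("vba_macro")          # VBA project part (docm/xlsm/pptm)
    if any(n.startswith(("word/fonts/", "ppt/fonts/")) for n in names):
        found.add("embedded_font")      # embedded font parts
    return found

def inspect(data: bytes) -> set:
    if data.startswith(b"%PDF"):
        return inspect_pdf(data)
    if data.startswith(b"PK\x03\x04"):
        return inspect_ooxml(data)
    return {"unknown_format"}

def allowed(data: bytes, allowlist=frozenset()) -> bool:
    """Positive-selection policy: deliver only if every element found is allowed."""
    return inspect(data) <= allowlist

# Constructed samples: a bare PDF and one carrying an attachment plus a font.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
ATTACH_PDF = (b"%PDF-1.7\n5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n"
              b"endstream endobj\n6 0 obj << /FontFile2 7 0 R >> endobj\n%%EOF")

def make_ooxml(names) -> bytes:
    """Build a minimal constructed OOXML container with the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"")
    return buf.getvalue()
```

The same check can sit in front of an upload endpoint (takeaway 10), where files arrive from customers rather than by email.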

8. Unknown Emails from Known Senders

Hackers are getting their hands on the email lists of customers and other third-party business partners and sending emails with malicious attachments…from hacked trusted senders’ inboxes. So investing hundreds of hours in building awareness of phishing schemes doesn’t catch everything because, in fact, the user often DOES know the sender and may be expecting an email from them. Releasing an attachment because the user was expecting it is “like handing a toddler a hand grenade,” says Jake. Knowing this, leaving users to protect themselves from sophisticated social engineering attacks “represents a failure from a technical control standpoint.” 

9. Ransomware is the Downstream Effect of Commodity Malware

Jake says, “The vast majority of the ransomware intrusions start with some commodity malware deployment, typically some kind of banking Trojan. The operator realizes that he’s entered a domain and thinks, ‘We should sell that to one of these ransomware operators and they will go and encrypt the network.’ When somebody says, ‘I’m worried about the ransomware, not the commodity malware,’ I’m like, ‘That makes about as much sense as you saying, “I’m really worried about lung cancer. I’ll deal with my smoking problem down the road.”’” The security risks of malware and ransomware are inherently linked.


10. Cloud Docs Can Also Be a Threat

There is an uptick in companies that are developing their own cloud solutions. They want to join the digital transformation and allow their clients and employees to upload documents and collaborate via an online, responsive system. However, these companies need to ensure that the uploaded documents are safe, as even one compromised file presents a massive risk to the organization.

Learn More About Evasive Malware and Ransomware

Aviv rounds out the discussion by explaining how Votiro’s Positive Selection technology, the most advanced form of Content Disarm and Reconstruction technology, sanitizes every document that enters the organization via email, file sharing, collaboration platforms, or even client-facing applications. By ensuring that only safe content is delivered to the network, organizations effectively eliminate the possibility for threat actors to evade detection. Votiro’s technology allows users to click on anything they want anytime, while still ensuring the organization remains safe. To learn more about Votiro’s approach to cyber security, click here or contact us for more information.