Recent cybersecurity research reveals ransomware that actually mimics other processes on your operating system. Coined “Process Doppelganging”, this new ransom attack uses fileless code injection to evade being detected on most business networks.
Even when your IT Support are actively monitoring your network for suspicious activity, this type of attack may go undetected until it’s too late. [Note: even though there are current attacks that are harder to detect, consistent network monitoring is critical to your network security.]
Essentially, these new fileless attacks mimic specific processes on your operating system—including Windows 10—that go undetected by most IT professionals.
Process Doppelganging works by mimicking legitimate processes on your system. These new ransomware variants replace the memory of a legitimate process with malicious code, tricking your operating system’s process monitoring tools and antivirus into believing that the malicious process is a legitimate one that should be running in the background on your machine.
While Process Doppelganging has been known for over a year, cybercriminals are only now starting to use it to bypass security systems and routine network monitoring in recent ransomware infecting the US.
What’s particularly interesting about recent Doppelganging attacks? They are not targeted at specific countries (sadly, the US is a prime target).
What happens when your network is infected?
Just like other ransomware attacks—including some that have shut down businesses (and even cities) for days to weeks—recent Doppelganging attacks encrypt the contents of every file with a hard-to-crack AES-256-ECB encryption algorithm and leave a note demanding payment for the key.
The most recent attacks hitting businesses have a ransom note appearing on the Windows login screen instead of the more common text file on the Desktop. This ransomware even clears event logs on your computer to circumvent any forensic analysis (so no one will be the wiser as to how the virus got on the computer).
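Because the log-clearing step described above is itself noisy, it is one of the few reliable signals a defender keeps. The following is an added example (not code from the original post) that scans exported Windows event records for the clear-log events the Eventlog service writes (1102 in Security, 104 in System); the dict-per-event input format and the sample records are assumed and constructed for the demo.

```python
"""Flag Windows event-log clearing in exported event records.

Added example for this article; not code from the original post. The input
format (one dict per event with Channel, EventID, Provider, Time, Computer)
is assumed to be what an .evtx-to-JSON export produces; SAMPLE is constructed.
"""

# Event IDs written by the Microsoft-Windows-Eventlog provider when a log is cleared.
CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System log cleared",
}

def find_log_clears(records):
    """Return one alert per clear event. 'first_in_channel' is True when no
    surviving record precedes the clear in that channel, meaning everything
    earlier (including how the host was compromised) is gone."""
    by_channel = {}
    for r in records:
        by_channel.setdefault(r["Channel"], []).append(r)
    alerts = []
    for channel, evts in by_channel.items():
        evts.sort(key=lambda r: r["Time"])  # ISO-8601 strings sort correctly
        for idx, r in enumerate(evts):
            label = CLEAR_EVENTS.get((channel, r["EventID"]))
            if label is None or r["Provider"] != "Microsoft-Windows-Eventlog":
                continue
            alerts.append({
                "computer": r["Computer"],
                "channel": channel,
                "time": r["Time"],
                "summary": label,
                "first_in_channel": idx == 0,
                "cleared_by": r.get("SubjectUserName", "unknown"),
            })
    return alerts

# Constructed sample: the Security log's earliest surviving record is the clear
# event itself; the System log still has a normal event before its clear.
SAMPLE = [
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog",
     "Time": "2018-05-10T02:14:07Z", "Computer": "WS-017", "SubjectUserName": "jdoe"},
    {"Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing",
     "Time": "2018-05-10T02:14:09Z", "Computer": "WS-017"},
    {"Channel": "System", "EventID": 7036, "Provider": "Service Control Manager",
     "Time": "2018-05-10T01:59:00Z", "Computer": "WS-017"},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
     "Time": "2018-05-10T02:14:08Z", "Computer": "WS-017", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for alert in find_log_clears(SAMPLE):
        print(alert)
```

Forwarding these events to a central log server before they can be cleared locally is what makes the check useful after the fact.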
Although cybersecurity experts are still unsure how exactly these recent ransomware variants get onto computers, most experts suspect that the same old culprits are to blame for these latest cyber events. Here are the common ways ransomware enters a network (and some advice on how to avoid becoming the next victim):
Phishing— cybercriminals continue to target your users, fooling them into clicking on links and opening attachments that contain malicious code. These emails are getting so good that they are deceivingly similar to VIP emails, spoofing email addresses (i.e., making sender addresses appear very similar to the actual address) and sending emails that seem increasingly believable.
Your IT Support should be monitoring your email, making sure that email is being effectively filtered (to remove phishing emails from received emails) and training your users to recognize scams.
Malvertising— in addition to phishing emails, many criminals are breaking into business networks when users click on advertisements linked to malicious websites. Thinking they’re clicking on legitimate Facebook or Google AdWords advertisements, some users are infecting their places of business by clicking on ad links that actually redirect to compromised websites.
IT Support should focus on minimizing the risk of malvertising by limiting the types of websites permissible on your business network. Limiting access to the web at work helps ensure that questionable and malicious websites do not end up risking your business security and continuity.
Third-party apps and programs—some users opt to solve their own tech problems because they either mistrust or have experienced poor service from IT Support. Part of resolving their own problems involves downloading apps from untrustworthy websites, which can mean installing software that contains malware or even ransomware.
IT Support teams should be proactively helping users figure out what they need on their computers and aid them in downloading and setting up software on their machines.
Unpatched networks—while we all expect our networks to be maintained and running securely, the cold hard truth is that many business networks are left with many holes even when IT assures you everything is okay.
IT Support should proactively plan, apply and test patches routinely to ensure your network is not vulnerable to attacks like Doppelganging.
Unloved computer systems—in addition to unpatched networks, many businesses assume that cutting a few corners—running legacy or outdated software—won’t hurt business. The problem with this approach is that, long term, using old systems may lead to extended downtime or security vulnerabilities (subsequently jeopardizing your network long term).
IT Support should be monitoring your systems and proactively making strategic recommendations to your leadership to keep your network secure and healthy.
No backups—while most IT departments will say that your data is backed up, most IT support teams DO NOT test your backups. If infected with ransomware, your only choice for recovery will be paying a ransom and crossing your fingers that everything gets recovered.
IT Support should proactively back up your data and test those backups to make sure your network data is always at their fingertips if it is needed.
Are you certain your business is safe against ransomware? Will your IT Support be able to detect and mitigate an attack? Do you have all the tools needed to get back up and running quickly? Contact Us TODAY for a free network security assessment!