Offensive defense: using deception against ransomware attacks

The trend of ransomware attacks that increased greatly during the year of COVID-19 continues to intensify. Moshe Ben Simon from Fortinet outlines the dangers and explains how cyber deception can be used to fight back

Moshe Ben Simon. Photo courtesy of Fortinet

By Moshe Ben Simon

Cybercriminals have worked during the last year to maximize their ability to exploit the COVID-19 pandemic in unprecedented ways and at scale. The rapid shift to remote work was an immediate opportunity for cybercriminals to target employees connecting to corporate resources from often poorly secured home networks and devices in a ransomware attack. This trend continues to spread in 2021, with recent ransomware attacks focused on extortion or stopping critical operations.

The most common ransomware attacks so far during this pandemic have all begun with social engineering. Properly conducted social engineering strategies, usually in the form of phishing or spear phishing strategies, can trick users into divulging critical information, from passwords to financial accounts to sensitive personal information. Today, social engineering is being combined with hacking techniques and malware distribution to power increasingly insidious attacks.

One outcome of using social engineering techniques against a remote workforce has been a surge in ransomware attacks, which rose sevenfold in the second half of 2020. The attack sequence starts by exploiting individuals' concerns about the pandemic, as well as other social events such as elections. Enterprises around the world have been reporting cyberattacks involving ransomware, and this is a trend that is expected to continue across all organization types.

In a typical ransomware attack, hackers use phishing or other means to introduce malware onto a victim's computer system that then spreads across the network. Once enough systems have been compromised, the hacker triggers the malware to encrypt all infected systems, rendering the files and data on those devices inaccessible to the organization. The hacker then attempts to extract a monetary payment from the organization in exchange for the key needed to decrypt the compromised files.

When a threat actor uses ransomware to withhold your data, the assumption is that you will pay virtually any price to regain control. And if you do not, the hacker will then put it up for sale on the darknet. However, we are also seeing a growing number of cases where a victim pays a ransom but never gets the decryption keys needed to restore their network. In even more brutal cases, the ransomware destroyed the network by wiping the disks of desktops and servers even though the victim had paid the ransom.

Addressing ransomware attacks with deception

Protecting your organization from a ransomware attack should involve things like keeping up-to-date backups of critical files off-network and scanning devices seeking network access for malware infection. But this is just the start. We should also understand how ransomware works, because once we understand what is happening there are effective ways to use its own techniques and tactics against itself.

Ransomware often uses sophisticated techniques and tactics to penetrate an organization and compromise an endpoint. But, at the end of the day, its primary goal is to encrypt your files. Rather than fighting against this process, you could surreptitiously redirect the ransomware to only encrypt fake files—files you intentionally created and placed on the network to entice would-be attackers. 

By trying to encrypt these fake files, those hackers would expose themselves and their intentions, as well as reveal the existence of their malware, before they could do any damage. In other words, an extremely powerful counterattack strategy is to deceive ransomware into running against a benign target of our choosing to trigger an alert and reveal its criminal intentions. We can achieve this using Cyber Deception technology.

Cyber deception allows organizations to rapidly create a fake network that automatically deploys attractive decoys and lures that are indistinguishable from the traffic and resources used in the legitimate network. This pseudo network is then seamlessly integrated with the existing IT/OT infrastructure to lure attackers into revealing themselves.

Deception technology doesn't install any agent on the endpoint, doesn't require any network change, and doesn't rely on any signature or anomaly engine. Of course, the question is, how does cyber deception technology find and mitigate ransomware? The answer is, we use the ransomware’s encryption activity against itself.

Cyber deception against ransomware attacks

Deception solutions start by setting up and deploying a fake network shared drive across every endpoint/server in your network. This pseudo network is hidden from legitimate users to avoid their clicking on decoy systems and generating false alerts.

This fake network drive also contains fake files and workflows that exist to expose an attacker and/or malicious ransomware.

This fake network drive is mapped to a network decoy that acts as a fake file server, complete with fake traffic and files.

Any worthwhile cyber deception tool should also integrate fully with your third-party security tools, such as your Firewall, Network Access Control, and Next-Gen AV, so that all identified malicious activity can be quickly mitigated.

Once ransomware compromises an endpoint and starts encrypting local and network drives, the decoy (the fake network file server) immediately detects the malicious activity and slows down the encryption process. At the same time, it leverages one of your existing security tools to automatically limit or prevent damage and to isolate the infected endpoint, protecting the rest of the network.
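The detection half of the decoy-share idea above, as an added example that is not Fortinet's or the article's own code: canary files are seeded into a directory standing in for the hidden decoy drive, fingerprinted, and then rescanned so that any modification, rename or high-entropy (encrypted-looking) overwrite of a lure raises an alert. The file names and the simulated encryptor behaviour in `demo()` are constructed for illustration.

```python
"""Honeyfile detector for a decoy share (added example, not Fortinet's code).
Flags canaries modified, removed/renamed or overwritten with high-entropy
bytes, plus any file unexpectedly dropped into the share. Names are constructed."""
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

CANARIES = ("Q3_payroll.xlsx", "passwords_backup.txt", "vpn_config.ovpn")  # constructed lure names

def seed_decoys(share: Path) -> dict:
    """Create the canaries; return {name: sha256} as the clean baseline."""
    share.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARIES:
        path = share / name
        path.write_bytes(f"DECOY {name} - do not open\n".encode() * 20)
        baseline[name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, far lower for ordinary documents."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_decoys(share: Path, baseline: dict, threshold: float = 7.0) -> dict:
    """Compare the share to the baseline; return {file: alert} (empty when clean)."""
    alerts = {}
    for name, digest in baseline.items():
        path = share / name
        if not path.exists():
            alerts[name] = {"event": "removed_or_renamed"}
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = shannon_entropy(data)
            alerts[name] = {"event": "modified", "entropy": round(ent, 2), "likely_encrypted": ent >= threshold}
    for path in share.iterdir():  # no legitimate user should ever write here
        if path.name not in baseline:
            alerts[path.name] = {"event": "unexpected_file"}
    return alerts

def demo() -> dict:
    """Constructed scenario: clean scan, then an encryptor touches two lures."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "decoy_share"
        baseline = seed_decoys(share)
        clean = scan_decoys(share, baseline)
        (share / "Q3_payroll.xlsx").write_bytes(os.urandom(4096))  # encrypted-looking overwrite
        (share / "vpn_config.ovpn").rename(share / "vpn_config.ovpn.locked")
        return {"clean": clean, "after": scan_decoys(share, baseline)}
```

In a deployment the alerts returned by `scan_decoys()` are what would be forwarded to the SIEM or NAC integration to isolate the writing host; the untouched `passwords_backup.txt` canary shows that the scan stays silent for lures nobody touched.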

Not only does cyber deception technology use ransomware’s own techniques and tactics against itself to trigger detection, but more importantly, it uncovers the attacker’s tactics, tools, and procedures (TTP) that led to its successful foothold in the network so those vulnerabilities can be mitigated at a security architecture level. Effective deception should provide contextual threat intelligence that can be used to trace how an attacker compromised the organization—such as through weak or stolen credentials or a vulnerable endpoint or server that allowed the ransomware to spread—so those gaps in protection can be closed.

Deception as part of a comprehensive security fabric to stop ransomware attacks

Deception technology should be fully integrated with NGFW, NAC, SIEM, Sandbox, SOAR, and EDR solutions to automate the mitigation response based on ransomware detection. By combining deception technology with a comprehensive security platform, organizations will be able to detect and respond to attacks, such as ransomware, long before they can achieve their malicious goals.


Moshe Ben Simon is Vice President of Product Management at Fortinet
