Ransomware is today the number one cyber threat to businesses. Since cyberextortion first appeared in 1989 as “PC Cyborg,” it has grown, evolved, and come into widespread use among hackers—and in 2017 it has fully come of age. Hundreds of new variations have sprung up this year. Ransomware is a relatively brazen attack where a malware infection is used to seize data by encrypting it, and then payment is demanded for the decryption key. There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises.
It’s not always about the money though. Some ransomware is not designed primarily to make you pay up, but instead to disrupt operations or wipe data from computer systems.
The Role of DNS in Ransomware Attacks
DNS is the address book of the Internet, translating domain names such as www.google.com into machine-readable Internet Protocol (IP) addresses such as 74.125.20.106. Because DNS is required for almost all Internet connections, cybercriminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.
Most modern malware used in a ransomware attack uses DNS at one or more stages of the cyber kill chain. DNS may be used during the reconnaissance phase when the attack is targeted. It is used in the delivery phase, as potential victims unknowingly make DNS queries for the IP addresses involved in the attack, and in the email delivery process when the ransomware propagates via spam campaigns. Likewise, the exploitation phase may involve DNS queries when the victim’s system is compromised and infected. DNS is frequently used when an infected system checks in with the command and control (C&C) infrastructure. Given that DNS plays such an important role in the ransomware kill chain, it becomes a crucial control plane to prevent, identify, and detect such attacks and resolve them faster.
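To make the "DNS as a control plane" point concrete, here is an added example of the kind of detection logic a defender can run over resolver query logs; it is not code from the article or from Infoblox. It flags clients that generate many failed lookups (NXDOMAIN) for long, high-entropy domain names, a pattern associated with malware that generates C&C domains algorithmically. The log format (timestamp, client IP, queried name, response code), the sample log lines and the thresholds are all constructed assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): timestamp client qname rcode
SAMPLE_LOG = """\
2017-06-01T09:00:01 10.0.0.12 www.google.com NOERROR
2017-06-01T09:00:02 10.0.0.12 mail.example.com NOERROR
2017-06-01T09:00:03 10.0.0.15 xk3j9qzpl2m8vwt.com NXDOMAIN
2017-06-01T09:00:04 10.0.0.15 q7r2bn5mzy0wplc.com NXDOMAIN
2017-06-01T09:00:05 10.0.0.15 hg8t4kzxw1p9vjd.com NXDOMAIN
2017-06-01T09:00:06 10.0.0.15 m2vc7q9xlz4pkwr.com NOERROR
2017-06-01T09:00:07 10.0.0.12 cdn.example.com NOERROR
2017-06-01T09:00:08 10.0.0.15 zd5xq1lk8mpwvn3.com NXDOMAIN
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the label directly under the TLD (naive: ignores public suffixes)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(qname, min_len=12, min_entropy=3.5):
    """Heuristic: long, high-entropy registered label looks machine-generated."""
    label = second_level_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank/short lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, qname, rcode = fields[:4]
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def analyze(text, nx_ratio=0.5, min_dga_domains=3):
    """Per client: query count, NXDOMAIN count, distinct DGA-like names.

    A client is flagged when at least nx_ratio of its lookups failed and it
    asked for at least min_dga_domains distinct DGA-like names.
    """
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "dga_domains": set()})
    for rec in parse_log(text):
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        if is_dga_like(rec["qname"]):
            s["dga_domains"].add(rec["qname"].lower())

    flagged = {}
    for client, s in stats.items():
        ratio = s["nxdomain"] / s["total"]
        if ratio >= nx_ratio and len(s["dga_domains"]) >= min_dga_domains:
            flagged[client] = {
                "nxdomain_ratio": round(ratio, 2),
                "dga_domains": sorted(s["dga_domains"]),
            }
    return {"per_client": dict(stats), "flagged": flagged}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, info in report["flagged"].items():
        print(f"{client}: NXDOMAIN ratio {info['nxdomain_ratio']}, "
              f"{len(info['dga_domains'])} DGA-like names")
```

In practice the entropy/length heuristic is only one signal: a production pipeline would also compare names against a threat-intelligence feed or response policy zone, track newly observed domains, and look for fixed-interval query timing that suggests a C&C check-in, then block or sinkhole at the resolver rather than only alert.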
Organizations in the Middle East can stop Ransomware with the following 10 essentials:
About the author: Ashraf Sheet is Regional Director, Middle East and Africa at Infoblox, responsible for leading the strategic development of the business in the region and further accelerating the high growth rates that the company has been experiencing in recent years. Ashraf is a network and security expert in the Middle East and has held various progressive roles, including senior security consultant, leader for Managed Security services and head of Security Business Unit for local and multinational companies.