Shift your ransomware security posture from defense to offense

This post discusses ransomware: what it is, how a ransomware attack unfolds, and how zero trust architectures can stop a ransomware attack from disabling a business.

Ransomware overview

Ransomware is not new, but it is now more costly than ever. In fact, ransomware is simply a form of malware. There are many types of malware, and different malware is designed to perform different negative functions. In the case of ransomware, the goal is to encrypt business data and hold that data hostage until the owner of the data pays a ransom. For example, ransomware can encrypt all the files on a business server. All of the business systems and processes which need the data in the encrypted files can’t use the data (because the data is now encrypted with keys which the systems do not have). The data is effectively gone.

If the ransomware finds and encrypts enough critical data, then a business may not be able to operate until it can decrypt and restore the data. That is the goal of every ransomware attack – it seeks to find and encrypt a valuable set of business data such that the business is forced to pay a ransom to get the decryption keys to unlock the data.

Modern businesses no longer just use software – modern businesses are software. All software depends on data. This is why ransomware is more dangerous and costly than ever. How much money per day would your business lose if operations ceased completely? How many customers would you lose?

Is it worth paying a ransom to recover your data? The math is simple: compare the cost to your business (including lost customers) over the number of days it would take you to recover the data on your own against the cost of paying the ransom to ‘instantly’ decrypt your business-critical data. The big ‘if’ in that calculation is whether you can recover the data from backups at all, and for most companies that is a big ‘if’. This is why Colonial Pipeline and JBS paid millions of dollars in ransom, and why victims of the Kaseya ransomware attack are reportedly being shaken down for $70 million in ransom.

How ransomware works

All ransomware follows a similar operational pattern with four key stages as follows:

1. Land
Get on to a computer. Unfortunately, there are a zillion methods to do this. It is almost impossible to prevent them all, although zero trust architectures can ‘remove’ some of the targets. Recently, ransomware actors have leveraged new zero-day vulnerabilities (vulnerabilities discovered and used by attackers before defenders, including your anti-malware vendor, know about them) in devices such as firewalls, VPN concentrators, SD-WAN devices, WAN management software and MSP management software. Ransomware also targets users directly, by compromising their passwords or by using phishing and social engineering to bait them into downloading malicious files that launch the malware.

2. Expand
Once the ransomware malware lands, it ‘calls home’ – contacts a server operated by the ransomware bad actor to expand its capability by loading more bad software on the infected computer. The initial software is usually a thin loader app designed to be undetectable because it is usually easier to initially infect a machine using small snippets of code.

Now, in its expanded state, the ransomware has more capabilities by which to continue its seek and destroy mission. If the ransomware can be prevented from calling home, and zero trust architectures do indeed mitigate this threat, then the ransomware cannot expand – it remains frozen in its less dangerous loader app shell – doing nothing. With zero trust active, the ransomware loader app cannot access a dial tone to phone home!

3. Multiply
If the ransomware successfully expands its footprint on the compromised device, then the ransomware malware starts exploring the WAN – finding other personal computers and servers on the WAN to spread itself to. Unfortunately, business WANs are inherently vulnerable to ransomware propagation and other cyberattacks, because navigation across the WAN is wide open and accessible, so the ransomware can quickly multiply itself.

This multiplication is critical because the ransomware needs to find enough valuable data to halt the business’s operations – and it is rare that all of that data is on, or accessible from, the first infected machine. This is often the ransomware step which zero trust network architectures are the most effective at mitigating.

4. Destroy
In ransomware terms, destroying a business means encrypting valuable data – the data the business depends on – so that it is useless to the systems which need it, and taking copies of that data. With enough data from enough computers and servers, ransomware will bring the business to its knees.

Copies of business data can be used as another ransom – one ransom for the decryption keys and a second ransom by which the ransomware attacker promises not to share the data on the dark web or expose it publicly. Ransomware can potentially, and often does, create new side doors and back entrance doors for future use. Bad actors now understand the value of a recurring revenue stream!

The best defense for the destroy phase is proper application, data, and system backups, together with the business processes that ensure those backups are accessible at a moment’s notice, ALWAYS up to date and therefore usable. This is easier said than done. Data replication and protection is a complex area in and of itself, and for the many organizations that are under-prepared, a ransomware payment is often the only way to recover locked data.

How NetFoundry Zero Trust Network Access (ZTNA) prevents the spread of ransomware and other malware

The land and destroy steps are difficult to prevent with any set of systems and technologies. Bad actors have become extremely proficient at perfecting exploits that breach corporate networks, i.e. at the “Land” step.

That said, zero trust architectures can greatly minimize the risks and impacts of the expand and multiply steps. Specifically, zero trust network access (ZTNA) can help mitigate the expansion and multiplication of ransomware. This is absolutely critical because ransomware cannot generally ‘break’ a business unless it can expand and multiply to capture highly valuable business data.

NetFoundry zero trust is designed to isolate and contain ransomware. Deploying ZTNA within an overall zero trust architecture provides five important ransomware defense pillars. If you are using a non-NetFoundry ZTNA solution, then make sure your MSP, ISV, SaaS or solution provider is defending you against ransomware via each of these pillars. The pillars serve as security layers which work together to fight and prevent ransomware and other attacks. Below, we discuss both the general ZTNA pillars and the NetFoundry implementations of them.

ZTNA pillar one: Secure identity

Business WANs lose the cybersecurity game before they even start playing because they rely on weak identities such as IP addresses. IPs are a substitute for secure identity like a newspaper is a substitute for an umbrella. Unfortunately, business WANs don’t have a better option.

The NetFoundry platform provides secure identity, as a turnkey service, embedded within NetFoundry’s ZTNA solution. NetFoundry bootstraps a secure trust environment (details here) with each application or endpoint. Each app or endpoint then uses a bi-directional, private key authenticated identity which the NetFoundry platform leverages for secure identity-based networking.

The business doesn’t need to build and manage another PKI infrastructure. NetFoundry provides this key infrastructure as-a-service in the platform. The business simply manages its network solution, via NetFoundry APIs or web console. Ransomware, because it doesn’t have the secure identity and proper authentication and authorization (as described below), can’t spread across a NetFoundry zero trust network.

ZTNA pillar two: authenticate before connect

Applications, endpoints, and users in NetFoundry zero trust networks can connect only after they have been authenticated with NetFoundry edge controllers. The controllers are hosted and managed by NetFoundry as part of the zero trust platform, delivered as-a-service, and they authenticate against the public key cryptography-secured identities described above. There is no NetFoundry network data plane without this authentication.

In a NetFoundry zero trust architecture, ransomware can’t phone home, can’t augment itself (download additional ransomware functionality) and can’t spread across the business WAN. No dial tone = no phone home!

This also means the business, and the ISVs, MSPs, solution providers and SaaS providers serving the business, do not need to be open to the Internet. The need to “protect” inbound ports with firewalls and VPNs is rendered moot (yes, the same firewalls and VPNs that ransomware is using today as network insertion points).

Instead, the business and its providers still use Internet access, but only open outbound connections to the private NetFoundry Fabric Routers (described below), and accept only authenticated traffic over those connections. The NetFoundry Fabric and Edge components drop any session which is not properly authenticated, protecting both the business and its service providers.

ZTNA pillar three: least privileged access microsegmentation

Even a securely authenticated, NetFoundry ZTNA-powered app or endpoint cannot access the WAN. A full NetFoundry zero trust solution essentially eliminates the WAN. The app or endpoint only has access to the specific services (controlled via policies) it needs. Working in conjunction with secure identity and secure authentication, this least privileged access (LPA) microsegmentation means that any ransomware is stranded and isolated on an island.

Ransomware, or any unauthorized code, can’t reach out to other servers to download more capabilities including the capabilities to decrypt and steal data, as well as capabilities to reach out across the WAN. The ransomware can’t probe the WAN and discover new victims. The ransomware can’t spread.

Secure identity with authentication and LPA microsegmentation is critical for SaaS providers, MSPs, solution providers and ISVs who serve business customers. As a provider, you want app level microsegmentation. With NetFoundry you have the ability to embed zero trust in your solution(s) so that ransomware can’t use your solution as a conduit to take down the businesses you are serving. With NetFoundry’s unique, agentless, app-embedded ZTNA, you can tell your business customers that you are ensuring ransomware will not use your solution as a distribution channel.
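The three pillars above (an enrolled, key-based identity; authentication before any connection; a policy that names only the services the identity needs) can be seen working together in the following model. It is an added example written for this post, not NetFoundry's code or SDK: a toy controller hands out a single-use challenge, verifies the Ed25519 signature over it against the enrolled public key before it will even look at a dial request, and then permits the dial only if the identity's policy lists that service. The identity names, the `erp-db` and `fileserver` services, the `c2-relay` destination and the unenrolled "loader" are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Controller is a simplified model (constructed for this example) of a ZTNA
// controller: it holds the public keys of enrolled identities, issues
// single-use challenges, and maps each identity to the services it may dial.
type Controller struct {
	enrolled map[string]ed25519.PublicKey // identity name -> enrolled public key
	policies map[string][]string          // identity name -> services it may dial
	issued   map[string]bool              // outstanding challenge nonces (hex)
}

func NewController() *Controller {
	return &Controller{
		enrolled: map[string]ed25519.PublicKey{},
		policies: map[string][]string{},
		issued:   map[string]bool{},
	}
}

// Enroll registers an identity's public key and its service policy. This stands
// in for the one-time trust bootstrap of pillar one.
func (c *Controller) Enroll(name string, pub ed25519.PublicKey, services ...string) {
	c.enrolled[name] = pub
	c.policies[name] = services
}

// Challenge issues a fresh random nonce that the endpoint must sign.
func (c *Controller) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.issued[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Authenticate (pillar two) checks that the nonce was issued by this controller
// and not yet consumed, and that the signature verifies under the enrolled key.
func (c *Controller) Authenticate(name string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !c.issued[key] {
		return errors.New("challenge not issued or already consumed")
	}
	delete(c.issued, key) // single use: a captured signature cannot be replayed
	pub, ok := c.enrolled[name]
	if !ok {
		return errors.New("unknown identity")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not verify under enrolled key")
	}
	return nil
}

// Dial authenticates first and only then consults the identity's policy
// (pillar three). There is no data plane unless both checks pass.
func (c *Controller) Dial(name string, nonce, sig []byte, service string) error {
	if err := c.Authenticate(name, nonce, sig); err != nil {
		return fmt.Errorf("authenticate before connect: %w", err)
	}
	for _, allowed := range c.policies[name] {
		if allowed == service {
			return nil
		}
	}
	return fmt.Errorf("identity %q has no policy for service %q", name, service)
}

// Scenario runs four constructed dials and reports which were allowed.
func Scenario() (map[string]bool, error) {
	ctrl := NewController()
	appPub, appPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ctrl.Enroll("erp-app", appPub, "erp-db") // erp-app may reach only erp-db

	// A loader that landed on the host has a key of its own but was never enrolled.
	_, loaderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	steps := []struct {
		label, name string
		priv        ed25519.PrivateKey
		service     string
	}{
		{"erp-app->erp-db", "erp-app", appPriv, "erp-db"},              // allowed
		{"erp-app->fileserver", "erp-app", appPriv, "fileserver"},      // denied: not in policy
		{"loader->c2-relay", "loader", loaderPriv, "c2-relay"},         // denied: unknown identity
		{"loader-as-erp-app->erp-db", "erp-app", loaderPriv, "erp-db"}, // denied: wrong key
	}
	results := map[string]bool{}
	for _, s := range steps {
		nonce, err := ctrl.Challenge()
		if err != nil {
			return nil, err
		}
		results[s.label] = ctrl.Dial(s.name, nonce, ed25519.Sign(s.priv, nonce), s.service) == nil
	}
	return results, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for label, allowed := range results {
		fmt.Printf("%-28s allowed=%v\n", label, allowed)
	}
}
```

The order of checks is the point: the controller never evaluates a policy for a caller that has not proven possession of an enrolled private key, so the loader's phone-home attempt and its attempt to borrow the app's name both fail before any service lookup, and the legitimate app is still confined to the one service its policy names.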

ZTNA pillar four: Integrated posture check and endpoint security

Ransomware looks for the weakest targets. For example, endpoints without proper endpoint security, or with the security disabled – a common situation in IoT scenarios which become target entrance points into networks. The NetFoundry endpoint software checks endpoint attributes such as the OS version, patch status, domain membership and running processes (e.g. is the antimalware process running) to ensure the app or endpoint is in compliance with your organization’s policies.

If the endpoint is not in compliance, then NetFoundry can cut off the network access. Similarly, NetFoundry has integrations with industry leading endpoint security software such as Microsoft Intune, such that if the endpoint security software tells NetFoundry that there is a problem then NetFoundry can cut off network access.

NetFoundry SDKs (fully open sourced) enable ISVs, SaaS providers, MSPs and solution providers to use the same posture check and endpoint security solution. From an enterprise perspective, this means that even if your providers are on “unmanaged endpoints” (endpoints which are not managed by the enterprise), then the NetFoundry zero trust solution can be extended to them.
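The posture check described in this pillar amounts to evaluating a set of endpoint attributes against an organisation's policy and reporting every reason for non-compliance, so access can be cut off. The following is an added example written for this post and is not NetFoundry's endpoint software: it checks OS version, patch age, domain membership and required running processes, and it models the "endpoint security software reports a problem" integration as a single boolean signal (`EDRHealthy`), which is a simplification. The policy values, the managed laptop and the IoT gateway are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Posture holds the endpoint attributes the text says are checked. EDRHealthy
// stands in for the signal an endpoint security integration would deliver; it
// is a simplification constructed for this example.
type Posture struct {
	OSVersion    string
	LastPatched  time.Time
	DomainJoined bool
	Processes    []string
	EDRHealthy   bool
}

// PosturePolicy is what the organisation requires before access is granted.
type PosturePolicy struct {
	MinOSVersion      string
	MaxPatchAge       time.Duration
	RequireDomain     bool
	RequiredProcesses []string
}

// versionLess reports whether dotted version a is older than b, comparing
// numerically per component so "10.0.19041" < "10.0.19045" and "10.0" < "10.0.1".
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Evaluate returns whether the endpoint is compliant and every reason it is
// not, so an operator sees all failures rather than only the first one.
func Evaluate(p Posture, pol PosturePolicy, now time.Time) (bool, []string) {
	var reasons []string
	if versionLess(p.OSVersion, pol.MinOSVersion) {
		reasons = append(reasons, fmt.Sprintf("OS %s older than required %s", p.OSVersion, pol.MinOSVersion))
	}
	if age := now.Sub(p.LastPatched); age > pol.MaxPatchAge {
		reasons = append(reasons, fmt.Sprintf("last patched %s ago, limit %s", age.Round(time.Hour), pol.MaxPatchAge))
	}
	if pol.RequireDomain && !p.DomainJoined {
		reasons = append(reasons, "not domain joined")
	}
	running := map[string]bool{}
	for _, proc := range p.Processes {
		running[strings.ToLower(proc)] = true // process names compared case-insensitively
	}
	for _, req := range pol.RequiredProcesses {
		if !running[strings.ToLower(req)] {
			reasons = append(reasons, "required process not running: "+req)
		}
	}
	if !p.EDRHealthy {
		reasons = append(reasons, "endpoint security integration reports a problem")
	}
	return len(reasons) == 0, reasons
}

// Scenario evaluates a managed laptop and an IoT gateway (both constructed)
// against one policy and returns the non-compliance reasons per endpoint.
func Scenario() map[string][]string {
	now := time.Date(2021, 7, 15, 12, 0, 0, 0, time.UTC)
	policy := PosturePolicy{
		MinOSVersion:      "10.0.19043",
		MaxPatchAge:       30 * 24 * time.Hour,
		RequireDomain:     true,
		RequiredProcesses: []string{"MsMpEng.exe"}, // Microsoft Defender antimalware service
	}
	endpoints := map[string]Posture{
		"laptop":      {OSVersion: "10.0.19043", LastPatched: now.Add(-5 * 24 * time.Hour), DomainJoined: true, Processes: []string{"explorer.exe", "msmpeng.exe"}, EDRHealthy: true},
		"iot-gateway": {OSVersion: "10.0.17763", LastPatched: now.Add(-200 * 24 * time.Hour), DomainJoined: false, Processes: []string{"sshd"}, EDRHealthy: false},
	}
	out := map[string][]string{}
	for name, p := range endpoints {
		_, reasons := Evaluate(p, policy, now)
		out[name] = reasons
	}
	return out
}

func main() {
	for name, reasons := range Scenario() {
		fmt.Printf("%s: compliant=%v reasons=%v\n", name, len(reasons) == 0, reasons)
	}
}
```

Returning all reasons, rather than stopping at the first failure, is a deliberate choice: a device that is quarantined because its antimalware process is missing, its patches are stale and it has left the domain is a different operational problem from one that merely missed a patch window, and the network decision (cut off access) is the same in both cases while the remediation is not.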

ZTNA pillar five: NetFoundry Fabric

The first four layers of NetFoundry’s zero trust network access solution are augmented by layer five, the NetFoundry Fabric. The Fabric takes networking off the Internet, while still leveraging Internet access.

NetFoundry Fabric Routers reject all inbound traffic from the Internet, and any traffic which is not properly identified, authenticated, and authorized. Malware, ransomware, port scanning, DDoS, botnets, and any non-authorized code are all blocked. This enables both app providers and organizations to eliminate reactive infrastructure complexity, such as VPNs or firewalls (or at least to reduce complex firewall policies to one rule which does not need to be constantly updated: permit only outbound connections to the private NetFoundry Fabric Routers).

Endpoints open outbound-only sessions to their private overlay network to connect to NetFoundry Fabric Routers. This reduces the attack surface: firewalls and VPN concentrators no longer need public, Internet-facing IP addresses (which ransomware attacks relentlessly and successfully), and there is no longer a need to reactively deal with attacks from the Internet against those public IP interfaces.

The Fabric Routers are also authenticated with public key cryptography, and are built to be disposable, storing no data of interest. This means that the Routers can be constantly replaced, creating an ephemeral, moving target for attacks. All NetFoundry inter-element communication is encrypted, which is a further blocker for ransomware and other malware.

Summary: ransomware and zero trust architectures

Ransomware is a form of malware which can cripple modern businesses by essentially destroying (encrypting) the data which the business needs to operate. No viable solution is 100% impervious to ransomware and security threats.

ZTNA can prevent ransomware loaders from expanding and multiplying across the business WAN to become destructive. A business is best positioned to defend against ransomware with a zero trust architecture and a proper backup architecture. NetFoundry’s ZTNA solution takes five pillar approaches to isolating and segmenting ransomware, delivering each function (identity, authentication, authorization, least privileged access, microsegmentation, private SDN fabric) as part of a zero trust as a service solution.

SaaS providers, ISVs, MSPs and solution providers can immediately use the NetFoundry platform to protect the businesses they are serving today – ensuring their services are not turned into ransomware conduits.

Zero trust and Zero Trust Network Access change the ransomware game. The good actors can now strike back! With NetFoundry zero trust architectures, you can shift your security posture from defense to offense.


Additional Resources

Web: How Zero Trust Can Stop the Spread of Ransomware

Web: How Embedded ZTNA can Enhance Cybersecurity

NetFoundry Blog: https://netfoundry.io/about/blog/

Twitter: @NetFoundry

LinkedIn: https://www.linkedin.com/company/netfoundry/
