Can ransomware spread through WiFi?
Can ransomware spread through WiFi? Yes, it’s possible.
Citing Wikipedia: “Ransomware is a type of malware that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid.
Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a malicious attachment, embedded link in a phishing email, or a vulnerability in a network service.”
Since 2020, ransomware attacks are growing day by day. This type of malware has become one of the first threats in the cybersecurity landscape of several industries. Several reports have shown how MSPs, ISPs, and SPs remain prime targets for those attacks. The reason is simple: their business model serves many SMBs, medium and large enterprises.
In its last report about network security, Cybersecurity Ventures has estimated that “every 2 seconds, a ransomware attack occurs. The expected global damage costs by 2031 will be around $265 billion”
It is easy to understand how the growth of damage occurs in parallel with the growth of downtime, caused by increasingly sophisticated ransomware.
Average duration of downtime after a ransomware attack from 1st quarter 2020 to 3rd quarter 2021.
The threat of ransomware is not always related to software download or email phishing. The increase of global network traffic and the economical interests of hacking groups during post-Covid19 have multiplied the types and quantity of attacks against business networks. There are ransomware categories, such as Emotet, that operate as worms bypassing the weakest passwords and infecting multiple contiguous wireless networks. There are ransomware categories, such as Chameleon, that replace the firmware of an existing AP and masquerade the outward-facing credentials.
It’s basically impossible to defend WiFi networks from every type of ransomware. The correct approach that MSPs, ISPs, and SPs should have in this complex scenario of malware threats is to adopt the best defense technologies against ransomware in relation to Wi-Fi.
What is the best defense for business networks against ransomware in relation to Wi-Fi?
Tanaza suggests Configuring RADIUS Authentication + NAS ID with WPA-Enterprise.
For instance, let’s analyze the behavior of the ransomware Chameleon to understand the approach used by Tanaza to fight ransomware attacks.
The goal of this ransomware is data theft, device malfunctions at the OSI layer 2, and the lock of lists of files or entire systems for ransom reasons when integrated with worms.
The first malicious portion of the code of this ransomware executes a deep network scan to discover possible susceptibilities into the access points. Scanned vulnerabilities include weak passwords, outdated firmware, and unsafe encryption protocols of the Wi-Fi device (as WEP, WPA, WPA+TPKI, WPA + TKIP/AES, WPA + AES). When the ransomware finds access points with easy to crack passwords (appealing for dictionary attacks) or unsafe network protocols, the ransomware can bypass the security protocols and the administrative interface of the access point.
At that moment, Chameleon identifies and stores AP system settings, replacing the original firmware with a virus-loaded and reloading the new malicious AP settings.
The activity of malware is unstoppable. The propagation of ransomware would continue despite upgrades to security methods, such as deep packet inspection or the change of security protocols in a second moment. The malware could infect other nodes. The propagation would continue near weak networks on an infinite loop.
Threat prevention against WiFi ransomware is the best cure
The configuration of the RADIUS Authentication server + NAS ID with WPA-Enterprise represents a triple level of security for MSPs, ISPs, and SPs.
When a user tries to authenticate to the network, he fills the fields with a username and password to execute the login. The device creates an Access-Request message and sends it to the preconfigured RADIUS server. In this message, there are the encrypted credentials. The Radius server will confront the received login credentials with the data on an internal database to establish if the client is known.
If the device is a client known to the RADIUS server and the shared secret is correct, the server looks at the authentication method requested in the Access-Request message. If not, the RADIUS sends an Access-Reject message that shows authentication failure. The RADIUS communication ends and the client is denied access.
At this level, the MSPs, ISPs, and SPs network have solid protection standards because, during the network scan by malware to find AP susceptibilities, the ransomware should crack the WPA Enterprise AES-CCMP protocols (bypassing robust cryptography techniques: “counter mode” and “CBC-MAC”) and intercept the Access-Request message, falsing it with the list of credentials into the database.
What is WPA Enterprise?
WPA Enterprise is one of the safest WiFi security methods for network protection. The protocol was specifically designed for the network defense of business organizations. The encryption method used by this security protocol is AES-CCMP: it encrypts data transmitted over the air.
What is RADIUS Authentication?
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
And if the authentication fails on the primary server?
Tanaza has enabled a secondary server feature. As for the first one, it’s possible to configure IP addresses or hostnames, ports, and shared secrets (password, passphrase, or a number).
How to configure radius server for wireless authentication?
For best performance and network security, Tanaza suggests having the RADIUS server and gateway access points located within the same layer-2 broadcast domain to avoid firewall, routing, or authentication delays. Another interesting feature that MSPs, ISPs, and SPs can use as a security method, it’s to set the NAS ID.
NAS ID – Network access server identifier
NAS ID is the further protection technology developed by Tanaza to protect networks from ransomware. NAS ID is textual code that enables the RADIUS server to choose the policy for that specific request. The NAS-ID is sent to the RADIUS server by the centralized platform through an authentication request to classify clients into different groups and subgroups. This enables the RADIUS server to send a customized authentication response.
Network segmentation security through SSH access of APs
Above, we have analyzed how Radius Server Authentication and WPA security protocol are solid protection against ransomware for SSIDs security.
Tanaza offers another level of protection at the AP level: SSH access.
SSH protection provides IT and information security professionals with a solid mechanism to manage clients remotely. Rather than requiring password authentication to initialize a connection between an SSH client and server, SSH authenticates the access point themselves.
Operators can enable SSH access on different granularities of the segmented network:
– for each single access point;
– for the entire network through the feature network-wide configuration.
Remember for a second the aforementioned ransomware Chameleon and its malicious action of network scanning to find APs susceptibilities in order to replace the original firmware. The SSH encryption protocol is a further robust shield to avoid AP intrusions and firmware modifications. When SSH is enabled, the access point is protected by the highest compliance requirements related to SSH keys.