Highly publicized ransomware attacks are never short of golden nuggets of wisdom for the cybersecurity industry.

They first teach us that attackers control the rules of the game once infiltration is complete. Second, large enterprises that use cloud-based technologies to store sensitive financial information continue to be at risk. Finally, there’s nothing much an organization can do besides restoring files using backups (when these remain available) in the event of a ransomware attack.

This last nugget seems to be the case for multiple victims, such as cloud-based billing service provider Billtrust. The business-to-business (B2B) payment vendor is reeling from the effects of a ransomware attack back in October, which disrupted its operations for four days. The company has since restored services and claimed to be working with law enforcement and a private security firm to investigate the data breach.

The Role of Threat Intelligence Platforms in Ransomware Prevention

While Billtrust did not disclose the specific ransomware strain that hit its network, some sources alleged that BitPaymer was responsible for the incident. Independently of the actual malware used, what’s common is for ransomware strands to be delivered as a secondary payload.

Usually, threat actors first conduct reconnaissance on a target’s network for vulnerabilities to exploit before sending the phishing email with the appropriate malicious attachment or download link—typically redirecting users to a website where the malicious script is hosted.

Scripts are often used to scan the target network for other vulnerabilities or brute-force their way into systems with weak passwords to obtain high-privilege credentials. More sophisticated malware applications spread laterally throughout a target network. Regardless of the means used, once hackers gain unauthorized access, they can manually install a ransomware into a connected computer.

In short, vulnerabilities play a massive role in the success of ransomware attacks. One way to stay ahead is by integrating a threat intelligence platform into organizations’ intrusion prevention systems (IPSs).

Our Investigative Tools: Threat Intelligence Platform

Threat Intelligence Platform can be used to assess a domain’s vulnerability based on its hosting configuration. With it, users can determine if their domains possess known vulnerabilities such as invalid Secure Sockets Layer (SSL) certificates or dangling records.

The platform provides color-coded ratings (i.e., green, blue, orange) for a particular website metric. Using Billtrust’s website (i.e., www.billtrust.com) as an example, you’ll see in TIP’s report that it has several warnings concerning its mail servers and SSL configuration.

The report also retrieved the following list of domains hosted on the same IP address:

We randomly picked a domain from the list, 11412.tradebig[.]com, and saw that it had multiple SSL vulnerabilities and an invalid SSL certificate:

Analyzing other domains on the list showed additional warnings including scripts opening to other websites (which may or may not be dangerous).

While we’re not claiming that any of these online properties are malicious, you may want to avoid associations with them as their vulnerabilities may backfire on you.

Some websites (not on the above list), however, do have recorded ties to malware such as “4sharedtrend[.]com”—do not visit or share—that has been flagged on Yandex Safe Browsing, a known malware-checker data feed:

* * *

All in all, ransomware applications are extremely difficult to decrypt even with advanced forensic tools. To avoid falling victim to them, infosec professionals can gain more in-depth visibility into their networks and the threat landscape in general.

Threat Intelligence Platform can aid them in monitoring sites connecting to new strains and protecting potentially vulnerable endpoints. Reports from the tool include a variety of data points like connected IP addresses and SSL certificates. What’s more, it may inform you about a host’s website content, WHOIS records, and mail and name servers.