Ransomware has become one of the most widespread and damaging threats that businesses and organisations face.
Since CryptoLocker first appeared in 2013, there has been an ever-increasing number of file-encrypting ransomware variants, commonly delivered as attachments to spam e-mail, downloaded from malicious pages through malvertising, or dropped by exploit kits onto vulnerable systems. The current wave of ransomware shares a common goal – to extort money from victims through intimidation.
The rise of ransomware can be attributed to its undeniable success: CryptoLocker earned an estimated $3m before it was taken down by authorities, and CryptoWall has been estimated to have accumulated over $325m in payments.
The damage of becoming a ransomware victim without effective safeguards and prevention strategies in place is considerable and, at times, potentially life threatening, as seen recently when a US-based hospital had its computer systems infected.
Like others before it, this infection started with a seemingly routine e-mail that contained a malicious attachment. Upon execution, all of the hospital's files, including patient data, were encrypted. In the end, the hospital was required to pay the $17,000 ransom in order to regain access.
Ransomware uses asymmetric encryption to hold a victim's information to ransom. Asymmetric (public-private) encryption generates a pair of keys that are used to encrypt and decrypt a file. The attacker generates a unique key pair for each victim, and the private key needed to decrypt the files is stored on the attacker's server.
Variants of the malware look for files with specific extensions to encrypt, including on network shares that are not mapped to a local drive. For example, the Locky variant looks for dozens of file types, such as:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
Any data stored in these files will be encrypted and unusable until the ransom is paid.
Over time, ransomware variants are becoming more sophisticated; the most notable new techniques include:
Common methods of preventing infection include filtering e-mails that contain malicious attachments and enforcing user permissions. While blocking known attacks prevents a high number of infections, it is not possible to block all variants; attackers are always one step ahead.
Given this limitation, it is essential to employ security solutions that are able, first, to detect ransomware when it lands and, second, to provide an effective method of defending against its malicious actions.
An effective way to detect a ransomware threat is through anomaly-based threat detection. Such a system will detect ransomware at three important stages:
By flagging such events and watching for these types of behaviour, it is possible to identify an infection and restrict the amount of damage it is able to do.
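As an added illustration (not code from the original article or from Cyberseer), here is a small anomaly-based check run over constructed file-activity events: it flags a process that rewrites many files of the types listed above within a short window and records any unmapped UNC network shares it reached. The event format, window length and threshold are assumptions.

```python
from collections import defaultdict, deque

# Subset of the Locky target extensions listed in the article.
TARGET_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".vmdk", ".bak", ".sql", ".key"}
WINDOW_SECS = 60   # assumed sliding window
THRESHOLD = 10     # assumed number of targeted-file modifications that trips an alert

def is_target(path):
    p = path.lower()
    return any(p.endswith(ext) for ext in TARGET_EXT)

def is_network_share(path):
    # UNC paths reach shares even when no drive letter is mapped to them.
    return path.startswith("\\\\")

def detect(events):
    """events: iterable of (ts_seconds, pid, process_name, op, path) tuples.
    Returns one alert dict per process that crosses the threshold."""
    recent = defaultdict(deque)   # pid -> timestamps of recent targeted writes
    shares = defaultdict(set)     # pid -> network share hosts touched
    alerts = {}
    for ts, pid, proc, op, path in events:
        if op not in ("write", "rename") or not is_target(path):
            continue
        window = recent[pid]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECS:
            window.popleft()
        if is_network_share(path):
            shares[pid].add(path.split("\\")[2])
        if len(window) >= THRESHOLD and pid not in alerts:
            alerts[pid] = {"pid": pid, "process": proc, "count": len(window),
                           "network_shares": sorted(shares[pid])}
    return list(alerts.values())

# Constructed sample: pid 100 is a user saving one spreadsheet; pid 4242
# rewrites twelve documents in 30 seconds, half of them on an unmapped share.
SAMPLE = [(1.0, 100, "excel.exe", "write", "C:\\Users\\amy\\budget.xlsx")]
SAMPLE += [(10 + i * 2.5, 4242, "unknown.exe", "rename",
            ("\\\\fileserver\\finance\\doc%d.docx" if i % 2
             else "C:\\Users\\amy\\doc%d.pdf") % i)
           for i in range(12)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```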
Integrating a reliable endpoint solution can stop a threat from ever executing.
An important first step is to move away from traditional solutions that rely only on whether a file is known good or has previously been flagged as bad. Modern solutions no longer rely on this approach to detecting ransomware. In addition to known good and known bad, they use an additional "unknown" category to detect advanced threats that have never been seen before and that bypass traditional tools.
An endpoint solution that runs as a kernel-level driver is able to monitor all the input and output of applications as they run. If suspicious behaviour is detected it can be blocked, stopping the malicious activity from occurring.
Another approach is the use of journaling or rollback features. If a file is unknown, it is only allowed limited processing, and monitoring and journaling features are activated:
When a known ransomware variant is downloaded, it is automatically quarantined and prevented from executing. When a variant that has not been seen before is executed, its actions are monitored. If the file is later flagged as bad, its effects can be reversed and encrypted files returned to their previous state.
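As an added example (not Cyberseer's or Webroot's implementation), the copy-on-first-write journal below snapshots a file before an unknown process modifies it and restores every touched file if that process is later flagged bad; the process id, file paths and snapshot store are assumptions.

```python
import os
import shutil
import tempfile

class Journal:
    """Copy-on-first-write journal keyed by the untrusted process's pid."""
    def __init__(self, store_dir):
        self.store = store_dir
        os.makedirs(store_dir, exist_ok=True)
        self.entries = {}   # pid -> {original path: snapshot path}

    def before_write(self, pid, path):
        """Call before an unknown process first modifies `path`."""
        per_pid = self.entries.setdefault(pid, {})
        if path in per_pid or not os.path.exists(path):
            return                      # already journaled, or a brand-new file
        snap = os.path.join(self.store, f"{pid}_{len(per_pid)}.snap")
        shutil.copy2(path, snap)
        per_pid[path] = snap

    def rollback(self, pid):
        """Process flagged bad: put every touched file back. Returns the count."""
        per_pid = self.entries.pop(pid, {})
        for path, snap in per_pid.items():
            shutil.copy2(snap, path)
        return len(per_pid)

    def commit(self, pid):
        """Process later classified good: discard its snapshots."""
        self.entries.pop(pid, None)

def demo():
    """Constructed scenario: unknown pid 4242 overwrites a document with an
    unreadable blob (standing in for ciphertext), is flagged, and is rolled back.
    Returns (content after tampering, content after rollback, files restored)."""
    work = tempfile.mkdtemp()
    doc = os.path.join(work, "report.docx")
    with open(doc, "w") as f:
        f.write("quarterly figures")
    journal = Journal(os.path.join(work, "journal"))
    journal.before_write(4242, doc)       # hook fires before the write lands
    with open(doc, "w") as f:
        f.write("UNREADABLE BLOB")
    tampered = open(doc).read()
    restored = journal.rollback(4242)     # detection later flags pid 4242 as bad
    return tampered, open(doc).read(), restored

if __name__ == "__main__":
    print(demo())
```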
Ransomware is growing in popularity because it can be indiscriminate. Any organisation, regardless of size, is a potential target, which is why attackers spread the malware by any means possible.
Fortunately, Cyberseer’s approach uses a combination of cutting edge technologies and human expertise to offer a truly intelligent and flexible defence that all organisations now require.
Cyberseer leads a new era of business endpoint security with Webroot SecureAnywhere Endpoint Protection, by enabling organisations to disrupt advanced attacks, deploy the best prevention strategies and shift the power back to security teams.
It shields businesses from infections on endpoints within the network and stops malware from around the globe the moment it is discovered. A cost-effective, cloud-based management solution running behavioural analysis on the endpoint, with unique journaling and rollback features, provides organisations with effective threat mitigation.