Ransomware is the most pervasive form of malware out there, as attackers have shifted their focus away from more traditional attacks, and the number of new strains of ransomware continues to grow exponentially.
Using ransomware, the criminal takes control of a user’s laptop and data and demands payment to give that control back, pricing the crime high enough that it is worth it to them but not so high that people will not pay.
Email is by far the most common way of delivering ransomware to computers and other devices, and as it evolves, ransomware will likely become more intelligent, employing encryption tools already present on the system so the actual malware is smaller and easier to transfer.
One recent strain of ransomware, called Ranscam, looks like ransomware and behaves like ransomware in that it demands money from the victim, but in this case it is not encrypting files but rather destroying them.
Upon making that one uneasy payment, the user gets nothing back. With attackers assembling some very cleverly crafted phishing and spear phishing emails to deliver their payload, users are clicking on attachments and links in high volume, which only fuels this type of attack.
Targeted or untargeted, it is simply a numbers game, and anyone’s money will do – individuals, small businesses and all the way up to the largest corporations – everyone is at risk.
With such a broad spectrum of targets, defending an organization from ransomware is best addressed by applying layers of security.
"You have to secure the network perimeter with a next generation firewall, and you have to have email security tools that identify malicious emails, viruses, scams, and malware," Darius Goodall, Barracuda’s director of security product marketing, said.
He explained organizations should also consider endpoint protection for mobile and remote workers who are not protected by firewalls and such.
"While email is by far the most common conveyor of ransomware, you should also protect other threat vectors and secure your web applications from attacks and install secure web gateways to stop the malware," he noted.
Finally, if all these defenses fail, businesses should always have business-level backup solutions.
"In short, ransomware requires different security measures depending on the situation or entity," Goodall said.
In addition, all the security measures Goodall listed should sit under a dynamic threat protection umbrella backed by a very diverse threat intelligence system – one that can detect new strains on the fly and take the appropriate action immediately to keep users’ information safe.
"Organizations struggle with ransomware primarily because employees click on links and after becoming infected, the systems are interconnected with the enterprise data stores," said Art Gilliland, CEO of secure infrastructure specialist Skyport Systems. "Neither of those two realities are easy to remedy."
He explained that, as is seen with phishing, a certain number of employees continue, despite extensive training, to behave in ways that create risk for the organization.
After infection, the connected nature of corporate networks makes the proliferation of malware difficult to stop, and the lack of lateral communication within an organization makes it difficult for that organization to identify an intrusion or stop its spread.
Todd O’Boyle, co-founder and CTO of IT security firm Percipient Networks, said in the near future hackers are going to need to adapt and, as a result, their tactics are going to change.
"Phishing messages will improve and become more sophisticated and difficult to spot," he warned. "There will be a rise in the use of exploit kits that are serving up malvertising in an attempt to trick people using other means."
O’Boyle noted attackers will also innovate in economics and become more conservative in terms of the price tag, lowering ransom prices to increase the likelihood that victims will pay up.
Dima Barboi, senior director of technologies and research and development at security specialist CyberArk, explained there’s no doubt that the number of attempted ransomware infections will continue to grow exponentially in the near future.
"Attackers will continue to leverage the polymorphic nature of malware, rapidly creating new, slightly morphed pieces of malware to attempt to stay ahead of blacklisting technologies and evade detection," he said.
Barboi noted recent research from CyberArk Labs found the combination of application greylisting and the removal of local administrator rights proved to be 100 percent effective in preventing ransomware from gaining the permissions necessary to access protected file types and complete the encryption process.
"This greylisting approach enables organizations to focus on protecting access to the target of malicious applications – the files – instead of solely relying on the ability to detect polymorphic malware, which is incredibly difficult to do in practice," he noted.