Dated references aside, this exploration of the efficacy of Ransomware is still relevant. Read the whole blog post for the ways we have been successful at preventing, blocking, and responding to Ransomware.
Original blog posted on 13 March 2018.
You can almost feel the tension when the word Ransomware comes up in discussions about Cybersecurity. It's easy to see why: WannaCry has infected over 400,000 machines, with some estimating financial losses at $4 Billion USD, roughly the estimated cost of Brexit for the UK. It's also more than just a news story - many people know of a company or individual that has had to deal with this issue directly. With so many organizations trying to cope with it, we at ActZero get numerous questions about how this malware works. In this post we're counting down the most prevalent reasons why Ransomware still works and how to avoid it - forewarned is forearmed!
5) Positive Reinforcement - Victims Do Pay: Think about it: if someone can anonymously generate hundreds of millions of dollars (thanks BitCoin!) from Crypto malware before the FBI/DOJ can catch them, then it can come as no surprise that a few copycat malware versions pop up daily as a result. At a security summit in 2015 an FBI agent even recommended paying the ransom because the malware was "that good". While you shouldn't lower your security standards to paying ransoms, you should be aware of the motivation driving many variants on your hard drives: high profitability for con-men.
4) You Can't Detect Encryption: It's an annoying fact, but the truth is that if a process is allowed to write files, it can encrypt them. Encryption is simply rewriting each file's contents into an unusable form, and to the operating system that looks like any other write. The key for a sensor is therefore either the behavior of the process (one process writing or rewriting a lot of files in a short time) or a signature of the process doing the writing. So, running traditional AV is fine if you keep it up-to-date, but detection based on behavior is more important.
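As an added illustration of the behavioral approach described above (this is example code, not ActZero's sensor), the detector below watches a stream of file-write events and flags a process that rewrites many files in a short window with high-entropy (random-looking) contents. The event format, the thresholds, and the sample telemetry are all assumptions constructed for the example.

```python
"""Behavioral detector for bulk encryption, run over per-process file-write events."""
import math
import random
from collections import defaultdict

WINDOW_SECONDS = 10      # sliding window over which writes are counted
WRITE_THRESHOLD = 20     # distinct files written within the window
ENTROPY_THRESHOLD = 7.0  # bits/byte; text is ~4-5, encrypted data is ~7.9


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect(events):
    """events: iterable of (timestamp, pid, path, first_bytes), sorted by time.
    Returns the set of pids whose write pattern matches bulk encryption."""
    recent = defaultdict(list)  # pid -> [(ts, path, entropy)] inside the window
    flagged = set()
    for ts, pid, path, head in events:
        window = recent[pid] + [(ts, path, shannon_entropy(head))]
        window = [w for w in window if ts - w[0] <= WINDOW_SECONDS]
        recent[pid] = window
        distinct_files = {w[1] for w in window}
        high_entropy = [w for w in window if w[2] >= ENTROPY_THRESHOLD]
        if len(distinct_files) >= WRITE_THRESHOLD and len(high_entropy) / len(window) > 0.8:
            flagged.add(pid)
    return flagged


def build_sample_events():
    """Constructed sample telemetry (not real data): a benign editor saving three
    documents, then one process rewriting 25 files on a mapped share with random bytes."""
    rng = random.Random(7)  # fixed seed so the example is deterministic
    text = b"Quarterly report: revenue up 3% on last year. " * 100
    events = [(t * 3.0, 1001, f"C:\\Users\\bob\\doc{t}.docx", text) for t in range(3)]
    for i in range(25):
        head = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((10.0 + i * 0.2, 4242, f"\\\\fileserver\\finance\\inv{i}.xlsx.locked", head))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    print("flagged pids:", detect(build_sample_events()))
```

The same two signals (write rate per process and entropy of what is written) are what an EDR sensor keys on when it blocks an unknown variant that no AV signature yet covers.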
3) It Deletes Your Backups: The first major operation of ransomware is to delete backups/shadow copies. These are local snapshots on Windows, typically maintained by scheduled incremental backups, and they are sometimes your only way out when hit with Ransomware that isn't blocked. By deleting your back-ups this Ransomware increases its efficacy - people end up forced to pay.
2) It Spreads Quickly: Most people imagine malware bouncing around through SMB like WannaCry, but more often the file shares mapped on the infected machine simply get encrypted, which spreads the damage to central shares. If you have a drive mapped by 50 users it only takes one to infect the whole central file system. The more users you have on your file-share system, the more opportunities there are for you to get hit.
1) It's Easy to Get In: Remote Access, Emails, Hyperlinks, Ads, JavaScript and even that pesky Zero-Day SMB vulnerability provided by the NSA are all ways we've seen Crypto Malware downloaded to machines and launched. In fact, some of you may remember reading a news story about a British security analyst who was credited with accidentally finding and stopping the WannaCry outbreak, only to be arrested later for working on separate malware that targeted bank accounts. For most organizations, this ease of entry means there is an almost uncountable number of possible entry points for Ransomware.
Here are a few ways ActZero's MDR service has been effective at preventing, blocking, and responding to Ransomware:
1) Security Hygiene: ActZero makes sure you have a backup, are up to date on AV, are up to date on patches, are running regular scans, and have anti-phishing mechanisms in place so that you are protected against Ransomware threats.
2) Endpoint Detection & Response: Because our service is able to decode and find Ransomware variants based on behavior, we are more effective than traditional AV at finding and remediating Ransomware threats.
3) Threat Intelligence: The Threat Intelligence portion of our service looks at your network's communications with botnets such as Avalanche. It also stops automated downloads of malware, and system probes designed to download viruses directly onto your network.
4) Incident Response: ActZero's MDR Service is designed to detect, 'Quarantine', 'Kill' and 'Delete' processes that are associated with Ransomware, giving you a better window in which to detect, analyze, and respond to threats faster.
For a detailed look at extortion and its evolution, check out this webinar. Or, for an even deeper dive on Ransomware, check out our white paper: The Rise of Ransomware-as-a-Service (RaaS).