The Why and How of Ransomware

Written by

Ransomware is undeniably becoming one of the biggest threats facing businesses today. The last year or so has seen an incredible rise in the number of ransomware attacks; some reports have claimed that 40% of businesses have been hit in the last 12 months, encrypting files and data until a ransom is paid.

Fears over the rise and potential impact of ransomware have even caused Europol, the European Union law enforcement agency, to label it the, “leading cybercrime threat in Europe,” and point out that it is increasingly targeting sectors that will pay a higher ransom, rather than individuals who will only pay a smaller fee to unlock their files.

What’s more, companies certainly are paying out to regain access to their files. The FBI announced that in the first three months of 2016 $209 million was paid to cyber-criminals; at that rate it’s possible that 2016 as a whole will see over $1 billion paid out in ransomware attacks.

We are also seeing a trend emerge in terms of the types of organizations that are being targeted – public-facing organizations where data is the lifeblood: councils, hospitals, schools, for example.

So why now? What’s behind the rise of ransomware as a cyber-attack tool? Well, the short answer is it works. The figures above show that it’s an effective way of extracting financial gains from victims. Blocking access to vital data or files can cripple an organization and render it useless, so it’s not surprising that some pay up as soon as possible so they can get back to work. Can you imagine the potential damage if a hospital, for example, couldn’t access patient data?

So that leads to the next question – why is it so effective? There are a couple of things about ransomware that separate it from other pieces of malware we’ve seen. The first is that it’s polymorphic. This means it can change tiny little details about itself frequently, so that antivirus programs no longer pick it up; it appears as a brand new piece of malware each time it undergoes a little change.

The second is that all it needs to start encrypting user files is standard user privileges...the kind of privileges that the vast majority of workers in an organization will have. That means its barrier to entry, as it were, is very low.

So now we know a little more about why ransomware is becoming the attack vector of choice for cyber-criminals, let’s look at how it spreads across a business. What we’ve discovered so far is that generally ransomware arrives via a targeted phishing email. Once the attachment is opened the ransomware makes contact with its C&C server to generate and retrieve an encryption key. From there the ransomware begins its scan of the infected machine, looking for files. It then builds its inventory.

As well as building an inventory of files, it also scans for other machines on the network and, if it can, it grabs credentials. It then connects to those machines and infects them. Once this process is complete, the ransomware encrypts files and announces its arrival to unsuspecting users.

However, it doesn’t have to get this far. The key is where the defense lies. It’s difficult to stop ransomware at the perimeter, and while it’s easier at the point of the server callout, that can sometimes be too late to stop the damage. So that leaves the file level, and that has proven to be most effective in our lab tests, where we have so far examined 157,000 ransomware samples.

Using application control at the file level means whitelisting good, known and trusted applications and blacklisting anything that’s unknown, not trusted or known to be bad. In the middle you have greylisting, where applications you’re not sure about can run in restricted mode – with limited access to files and data, no internet access and no access to network shares or servers.

Taking this approach and combining it with tighter control over user privileges is the best way of combating ransomware. In our tests application greylisting and using least privilege proved to be 100% effective in stopping ransomware from encrypting files, rendering it useless.

What’s hot on Infosecurity Magazine?