In late 2014 my company predicted that ransomware attacks would shift from consumers to businesses to extort larger ransoms for unlocking encrypted files. Unfortunately, this prediction has come true.
Recent data from the FBI's Internet Crime Complaint Center (IC3) shows that ransomware continues to spread and is infecting devices around the globe. IC3 identified CryptoWall as the most significant ransomware threat targeting U.S. individuals and businesses.
CryptoWall and its variants have been used to target U.S. victims since April 2014. The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers. Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. In October 2015, experts estimated that the group behind CryptoWall attacks caused $325 million in damages after infecting hundreds of thousands of computers across the world.
These financial fraud schemes are usually very successful and have a significant impact on victims. The problem begins when a victim clicks on an infected advertisement, email, or attachment, or visits an infected website. Once a victim's device is infected with ransomware, the victim's files become encrypted. In most cases, once the victim pays the ransom fee, they regain access to the encrypted files.
Ransomware is not just lucrative for criminals, but also relatively easy to carry out. The advent of Bitcoin has transformed ransomware into a money-making machine anyone can use. Most criminals demand payment in Bitcoin, according to the FBI. Criminals prefer Bitcoin because it is easy to use, fast, publicly available, decentralized, and provides strong anonymity.
Attacks Growing in Sophistication
Ransomware has become a cash cow for cybercriminals. As a result, they are investing in better attack techniques to evade detection by the more advanced security systems in place at enterprises. A few weeks ago reports emerged about victims being attacked by a new ransomware variant called XRTN. Unlike traditional approaches, XRTN uses a “pure” batch script as its payload delivery mechanism. This makes it even easier for the malware to bypass anti-virus (AV) solutions.
Until now, binary files were the most common method for delivering ransomware payloads. This made it possible to develop static AV or IOC-based signatures aimed at detecting "known malicious files". Scripts, on the other hand, contain text-based commands that appear benign to AV tools. In addition, arbitrary obfuscation of scripts further complicates things for an AV tool, making it harder to generate effective signatures without introducing multiple false positives.
3 Ways Companies Can Protect Themselves
1. Employee training
Clearly, the best defense against ransomware is to deny criminals access to your systems and, ultimately, your data. If they can't access your systems, they can't hold your data hostage. The simplest way to avoid these attacks is to educate employees about ransomware and the techniques criminals use to launch attacks, such as phishing emails or distribution through social media channels.
Some common spear phishing tactics used to deliver ransomware are:
- Spoofing law enforcement agencies through emails that claim you downloaded illegal content and demand you pay a fine for the violation
- Sending a message that says your Windows program is bogus and requires a legitimate version
- Sending a message that your security software is out of date or not working
2. Maintain up-to-date backups
If your enterprise follows a strict routine of frequent backups, you will be better prepared to respond to ransomware attacks. Oftentimes, even after a ransom is paid, the criminal will permanently delete files. Having a consistent set of backups allows systems to be restored to the last known good backup.
3. Consider new endpoint protection approaches
To fully protect endpoints against increasingly sophisticated threats, organizations need advanced endpoint protection that goes beyond the capabilities of AV and sandboxing products. New approaches combine dynamic real-time endpoint activity monitoring with behavioral analysis to pinpoint malicious behaviors and block threats like ransomware before they can execute (and encrypt files).
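The behavioral approach contrasted above with signature-based AV can be illustrated with a small detector that ignores what the payload looks like (binary or obfuscated batch script) and looks only at what a process does to files. The following is an added example, not code from the original post or any product; the thresholds, the process IDs, the file paths and the `.locked` suffix are all constructed for illustration. It flags a process that writes high-entropy (ciphertext-like) content to many distinct files within a short window, which is the observable effect of file encryption regardless of how the payload was delivered.

```python
import math
import random
from collections import defaultdict

WINDOW_S = 10       # sliding window length in seconds (assumed threshold)
MIN_FILES = 20      # distinct files written inside the window (assumed threshold)
ENTROPY_BITS = 7.0  # per-byte Shannon entropy; ciphertext approaches 8.0, text is ~4-5

def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_mass_encryption(events):
    """events: iterable of (timestamp_s, pid, path, bytes_written).
    Returns the set of pids that, within any WINDOW_S span, wrote to at least
    MIN_FILES distinct files where >= 80% of the writes were ciphertext-like."""
    by_pid = defaultdict(list)
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        by_pid[pid].append((ts, path, shannon_entropy(data) >= ENTROPY_BITS))
    flagged = set()
    for pid, rows in by_pid.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW_S:
                start += 1  # slide the window forward
            window = rows[start:end + 1]
            files = {path for _, path, _ in window}
            high = sum(1 for _, _, is_high in window if is_high)
            if len(files) >= MIN_FILES and high / len(window) >= 0.8:
                flagged.add(pid)
                break
    return flagged

# Constructed sample events: pid 100 edits three text notes; pid 200 overwrites
# 25 documents with random bytes in five seconds, as an encryptor would.
_rng = random.Random(0)
def _ciphertext(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))

SAMPLE_EVENTS = (
    [(i, 100, f"/home/alice/notes{i}.txt", b"quarterly report draft " * 40) for i in range(3)]
    + [(1000 + i * 0.2, 200, f"/home/alice/docs/file{i}.docx.locked", _ciphertext(1024)) for i in range(25)]
)

if __name__ == "__main__":
    print("suspicious pids:", flag_mass_encryption(SAMPLE_EVENTS))
```

Real endpoint telemetry would feed file-write events from a driver or audit log into `flag_mass_encryption` instead of the constructed list, and the thresholds would be tuned against normal activity such as backup jobs and compilers to keep false positives down.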
Ideally, endpoint protection should incorporate prediction, prevention, detection, and remediation. Working together with forensics, these four capabilities deliver the strongest possible defense against both known and zero-day attacks in real-time, including the most virulent forms of ransomware.