Every week we hear of several new high-profile ransomware incidents affecting hospitals, schools, businesses and government. It’s gotten so bad that cybersecurity agencies in the U.S. and Canada recently issued an alert about the growing number of ransomware attacks affecting health care organizations. Clearly ransomware attackers are winning. Why?
First, it’s important to understand that most (if not all) ransomware victims are running fully updated antivirus engines, and sometimes even anti-exploit and/or HIPS engines. The problem is that ransomware creators rapidly change the builds and versions of the malware used in their campaigns, which allows the code to repeatedly evade detection by traditional security measures.
To make matters worse, non-Windows variants have begun to emerge, notably on the Mac OS X and Linux platforms. These include the Encoder family which targets Linux-based web servers, and KeRanger which is based on the same code but has been recompiled to attack OS X targets.
The root of the ransomware problem lies in our reliance on signature-based detection techniques.
The methods attackers use to infect victims are well-known, very effective and difficult to eliminate no matter how much end-user education and patching organizations perform. These include spearphishing emails and silent drive-by downloads that use exploit kits to take advantage of system vulnerabilities. More recently, attackers have taken a network-based approach, as in the SamSam campaign, which targets vulnerable JBoss application servers using accessible pentesting tools. Once inside the network, the attackers collect credentials to install the actual payloads, and eventually get to the ransom stage.
