Carolyn Crandall, CMO
In the ‘30s, bank robber Willie Sutton was asked why he robbed banks. “That’s where the money is” was his well-known response. The reply could just as well apply to the cybercriminals using ransomware today.
While Mr. Sutton was left on his own by fellow criminals to pursue banks, not so for today’s information society. Three months ago researchers uncovered a dark web site called The Hall of Ransom. Accessible through the Tor network, the underground site boasts a line-up of ransomware-related goods and services sold for hefty prices.
So it shouldn’t come as a surprise that while the estimates vary, according to a recent report by NBC News, ransomware netted over $325 million in 2015, and has already made over $200 million in the first half of 2016. That’s some serious motivation.
In fact, according to Trend Micro, ransomware development and infections have been so rampant that they have become a common occurrence. Over 50 new ransomware families have already been seen within the first five months of 2016 alone, a big leap from the figures seen in 2014 and 2015 combined. The most alarming fact is that the threat is still growing, both in number and in effectiveness.
Some progress is being made. Last week, as reported in ZDNet, victims of the Wildfire ransomware gained a way to get their encrypted files back without paying hackers for the privilege, after the No More Ransom initiative released a free decryption tool.
No More Ransom runs a web portal that provides keys for unlocking files encrypted by various strains of ransomware, including Shade, Coinvault, Rannoh, Rakhn and, most recently, Wildfire. Aimed at helping ransomware victims retrieve their data, No More Ransom is a collaborative project between Europol, local law enforcement authorities, Intel Security, and Kaspersky Lab. This can be a great “Hail Mary”, but I would caution that even with this resource there is no guarantee of restoration once you are infected, and it certainly does not avoid the disruption of business during the remediation efforts that follow these attacks. This also won’t help with the new forms of ransomware that threaten to publicly release the data if not paid.
Interesting note: researchers suggest that the malicious code in Wildfire, which contains instructions not to infect Russian-speaking countries, points to Wildfire operating as part of a ransomware-as-a-service franchise, with software likely leased out by developers in Eastern Europe. The ease of setting up a ransomware operation suggests there will be no slowdown in this form of attack any time soon.
With the various flavors of ransomware, it seems there is potential to affect everyone. While the most notorious incidents are with larger companies, large businesses and organizations aren’t the only ones being targeted. Stories in the Wall Street Journal and New York Times have reported on cases of small businesses having their files held hostage too.
So no matter what the size of your company, you should be concerned and educated. Education starts with being aware that most ransomware is activated by phishing directed at your employees, who are often the weakest link in your IT security posture. It is more critical than ever to help users understand the consequences of their actions and learn how to combat cybercrime attacks. Some of the best ideas to help with employee education I’ve seen come from security and IT pros in the blog Social Engineering Attacks: Common Techniques & How to Prevent an Attack by Nate Lord in the Digital Guardian. It’s worth a quick read.
While training employees is critical, there is still an absolute need to protect yourself with the best possible security solutions. You should certainly deploy firewalls and security appliances that filter out malware before it penetrates the network, spam blockers and filters to separate out phishing attempts in user email, and fast, automated methods for determining whether questionable emails are malicious. That said, the standard should be that you can’t afford to have even one ransomware attack get through these perimeter defenses. Yet based on the breaches and infections we have seen during the past two years alone, there is a track record showing that even the best security defense can and will fail. All the training in the world isn’t necessarily going to assure that none of your employees makes that one little “click”, and then it’s game over.
Or is it? As we’ve said in earlier blogs, deception technology provides early detection for advanced threats and for ransomware that has managed to get into your network. Consider these five fundamental reasons, which we have mentioned before, why organizations are deploying deception to detect and protect against ransomware.
- Efficient Detection: A ransomware attack will look to infect networked drives in order to encrypt and/or erase them. Deception creates decoy drives seeded with lures; as soon as an attacker attempts to infect a deception drive, an alert is raised with information on the infected end-point. Automatic quarantining can also help prevent the attack from propagating from that infected system.
- Detects New and Unknown Ransomware: Deception does not rely on known signatures or attack patterns to detect inside-the-network threats. Deception instead uses a blend of deception lures (fake credentials, ransomware lures, files, etc.), decoys, and engagement servers to deceive an attacker into engaging. Once the attacker touches a deception system, there is no turning back. We immediately have their information and, through our analysis engine, can immediately create the signatures for prevention systems to block, quarantine, and remediate against the attack.
- Phishing Analysis: Attivo technology advocates early visibility as an integral part of attack detection. As part of the ThreatDefend end-point suite, which provides credential and ransomware lures, organizations can also install an email plug-in so that users can directly submit suspicious emails for evaluation. The Attivo analysis engine will analyze each email for malicious links and downloads and will create a summary report, saving organizations hours of time and energy in preventing a phishing attack’s success.
- Lateral Movement Detection: Many variants of today’s malware move low and slow across the network or use sleeper or time-triggered tactics to evade detection and sandbox technology. This can make it very difficult to understand the magnitude of an alert; in addition, sandbox technology is not inherently designed for long-term analysis, so a cleverly timed attack plan can easily work around a sandbox’s limitations. Deception is different, since it is designed to detect and analyze lateral movement inside the network. Whether the attack is directly detected through decoys or deception lures, or the SOC team feeds information into the system for analysis that is not time-bound, the BOTsink platform provides efficient and prompt detection of threats before they have time to mount their attacks.
- Efficiency of Incident Response: A customer recently shared a story of a malware infection that was identified by their team. This malware had bypassed their anti-virus systems, and every time they thought they had the attack contained, it resurfaced in a different place. In parallel, an incident response team was brought in and the Attivo deception platform was activated. Long story short, before the incident response team’s flight had even landed, the Attivo BOTsink had produced a full forensic analysis of the attack, and with this information the SOC team was able to limit the infections to around 60 systems and to put blocking and quarantining in place to protect against the various mutations of this malware. During the BOTsink attack analysis, the malware morphed multiple times and used multiple C&C addresses, which they had not been able to discover with their sandbox or other detection methods.
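The first point above, decoy files that no legitimate process should ever touch, so that any change to them is itself the alert, can be illustrated with a small canary-file monitor. This is an added example, not Attivo code; the decoy names, share path and alert format are assumptions, and the tamper routine is a constructed stand-in used only to exercise the detector.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names: attractive to ransomware, never opened by real users.
CANARY_NAMES = ["~$budget_2016.xlsx", "passwords_backup.docx", "zz_archive.pdf"]

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_canaries(share: Path, names=CANARY_NAMES) -> dict:
    """Create decoy files on a share; return the baseline {path: sha256}."""
    share.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in names:
        p = share / name
        p.write_bytes(f"canary {name}\n".encode() * 64)  # constructed filler
        baseline[str(p)] = _digest(p)
    return baseline

def check_canaries(baseline: dict) -> list:
    """Return one alert per canary that changed (encrypted in place) or
    vanished (encrypt-and-rename, deletion). Decoys have no legitimate
    readers or writers, so any difference from the baseline is an alert."""
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            alerts.append({"path": path_str, "event": "missing"})
        elif _digest(p) != expected:
            alerts.append({"path": path_str, "event": "modified"})
    return alerts

def simulate_tamper(path: Path, rename: bool) -> None:
    """Constructed stand-in for a ransomware write: overwrite, optionally rename."""
    path.write_bytes(b"\x00" * 32)
    if rename:
        path.rename(path.parent / (path.name + ".locked"))

def run_demo() -> list:
    """Plant canaries in a temporary share, tamper with two, return the alerts."""
    share = Path(tempfile.mkdtemp()) / "finance"
    baseline = plant_canaries(share)
    assert check_canaries(baseline) == []  # clean baseline raises nothing
    simulate_tamper(share / CANARY_NAMES[0], rename=False)
    simulate_tamper(share / CANARY_NAMES[1], rename=True)
    return check_canaries(baseline)
```

Calling run_demo() returns two alerts, one "modified" for the in-place overwrite and one "missing" for the renamed file; in practice the check would run on a schedule or from a filesystem watcher, and an alert would trigger quarantine of the host that holds the write handle.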
Finally, while no one is certain how long ransomware attacks will continue, if Willie were alive he’d probably tell us “as long as there’s money in it”. And with that in mind, it makes a world of sense to go on the offense and set traps for these attackers, rather than waiting for the ransom note to reveal their presence and praying that you will get your data back.