Solving Ransomware Presents Opportunity for Security Companies
"That is a basic alert, not really user-behavior analytics," he said. "We are able to discern that something looks like an automated pattern. That is something that is a bit more future-proof when detecting something that is low and slow." Rather than focus on the data, other companies are focusing on how a user behaves and using analytics to discern whether the actions taken on a computer are a user or a malicious program. Exabeam, a company focused on user analytics, has found that a few tweaks to its system can easily pinpoint actions that are likely to be ransomware. The programs, much like other malware, change file names, systematically overwrite files, communicate with malicious domains, and take other actions indicative of an automated, malicious program, Barry Shteiman, director of threat research at Exabeam, told eWEEK. "I have tracked 86 variants of ransomware," he said. "I haven’t seen one where we didn’t see artifacts that were totally new."Such a layered approach cannot be avoided, he said. Companies need to focus on better backups, detection of malicious communications and malware activity, and new analytic techniques. "Arguably, there is no 100 percent solution," Trend Micro's Cabrera said. "In the end, that is why you need to be resilient. As your strategy, you need to protect all your assets, and speed up detection and speed up patching." Overall, companies should treat ransomware as a special case of traditional malware, he said. Improving the speed in which attacks are detected, and blocking the attacks before they have a significant business impact, are both important. While some security experts consider ransomware to be a more serious attack than run-of-the-mill malware, Varonis' Gibson argued that the pain of ransomware is mainly short term. While he would not go so far as to consider such attacks a benefit, companies attacked with the malicious encryption programs are quickly given signs that their systems were vulnerable, which can help them figure out where more insidious attackers might go. In the end, other insider threats, which Varonis specifically aims to defend against, can be much more damaging, he said. "The one point that people are missing is that ransomware is the gentlest insider threat that there is," he said. "Ransomware is the only insider threat that you know is there. The other ones are much more stealthy, and you will not catch them before they have completed stealing your data."
Host-based security software—the approach into which many traditional antivirus companies have morphed—can still be relevant. Trend Micro, for example, stops 90 percent of ransomware attacks at the email gateway, another 9 percent through URL filtering and malicious Website detection, and less than 1 percent of attacks through behavioral analytics, Trend Micro's Cabrera said.