When ransomware hit the Horry County School District in South Carolina in February, the IT staff's first warning of the disaster came from teachers who could no longer access their files. Days later, Hollywood Presbyterian Medical Center staff "noticed issues accessing the hospital’s computer network"—the organization's only warning that it too had become a victim.
The incidents underscore the fact that many companies and organizations are still unprepared to prevent, or at least detect, ransomware infections before their data is held hostage by cyber-criminals. Ransomware resembles much other malware in how it arrives, but its defining feature, the ability to encrypt data, can cause significant damage to business operations, which makes early detection imperative. Unfortunately for victims, the time between infection and impact tends to be much shorter with ransomware than with other forms of attack, such as data theft.
"The point of entry is not any different for ransomware, but the shot clock really starts pretty quickly," Ed Cabrera, chief cyber-security officer, Trend Micro, told eWEEK. While other breaches revolve around exfiltrating data, which may never be used or which may have limited impact on the company, the payload of ransomware makes it fundamentally different. "Through all the stages of a traditional attack, you have a lot of chances to detect and respond. With ransomware, there are not a lot of steps—there is not a lot of time to react."
Little surprise, then, that ransomware has become the security threat of 2016. In the first quarter of the year, more than $209 million was lost to ransomware attacks, according to an FBI estimate cited in a CNN report. And attackers are ramping up their efforts: Trend Micro identified 50 new ransomware variants in the first five months of 2016, up from 49 for all of 2015.
Seeing a market, security companies have added features to their products to help clients detect and block ransomware before it can encrypt important data. Illusive Networks, for example, has added ransomware-specific canaries, which it calls "deceptions," to its product to signal when ransomware attempts to encrypt files. Although such an approach detects the ransomware only after it has infected a system, it can help incident responders shut down the attack before it gets far.
Focusing on how ransomware interacts with data is a popular approach.
Data-protection firm Varonis, whose products monitor servers and devices for changes to data as well as strange user behavior, has added specific patterns to its behavioral analytics that can detect the unwanted encryption committed by ransomware attacks. While a simple rule—such as determining that the renaming of 500 files in a minute is a sign of maliciousness—could detect much of today's ransomware, it would be easy to circumvent in the future, so Varonis has added more in-depth rules, David Gibson, vice president of strategy and market development at Varonis, told eWEEK.
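To make the two detection ideas in this article concrete, the canary ("deception") files described for Illusive Networks and the rename-rate behavioral rule described for Varonis, here is an added illustration in Python. It is not code from either vendor or from eWEEK: the `FileEvent` shape, the rule names, the thresholds (500 renames per minute for the simple rule, 50 extension-changing renames per minute for the stricter one) and the sample events are all constructed here for the example. It feeds a stream of file-activity events through a sliding-window detector and reports which rules each user tripped.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                       # event time in seconds
    user: str                       # principal that performed the operation
    op: str                         # "read", "write" or "rename"
    path: str                       # affected file
    new_path: Optional[str] = None  # destination path for renames


def _norm(path: str) -> str:
    """Normalize share paths so canary matching is slash- and case-insensitive."""
    return path.replace("\\", "/").lower()


class RansomwareDetector:
    """Stateful detector fed one file event at a time.

    Rules (thresholds are hypothetical tuning values, not vendor defaults):
      canary          - a write or rename touches a decoy file nobody should use
      rename_rate     - >= simple_threshold renames by one user within window_s
      ext_change_rate - >= strict_threshold renames that change the extension
                        within window_s (bulk same-extension renames don't count)
    """

    def __init__(self, canary_paths: Iterable[str], window_s: float = 60.0,
                 simple_threshold: int = 500, strict_threshold: int = 50):
        self.canaries = {_norm(p) for p in canary_paths}
        self.window_s = window_s
        self.simple_threshold = simple_threshold
        self.strict_threshold = strict_threshold
        self._renames: Dict[str, deque] = defaultdict(deque)      # per-user rename times
        self._ext_changes: Dict[str, deque] = defaultdict(deque)  # per-user ext-change times

    def _push(self, window: deque, ts: float) -> int:
        """Append ts, drop entries older than window_s, return the current count."""
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        return len(window)

    def process(self, ev: FileEvent) -> List[str]:
        """Return the names of the rules this single event triggers."""
        fired: List[str] = []
        if ev.op in ("write", "rename"):
            touched = {_norm(ev.path), _norm(ev.new_path or "")}
            if touched & self.canaries:
                fired.append("canary")
        if ev.op == "rename" and ev.new_path:
            if self._push(self._renames[ev.user], ev.ts) >= self.simple_threshold:
                fired.append("rename_rate")
            old_ext = os.path.splitext(ev.path)[1].lower()
            new_ext = os.path.splitext(ev.new_path)[1].lower()
            if old_ext != new_ext:
                if self._push(self._ext_changes[ev.user], ev.ts) >= self.strict_threshold:
                    fired.append("ext_change_rate")
        return fired


def run(events: Iterable[FileEvent], detector: RansomwareDetector) -> Dict[str, List[str]]:
    """Feed events in timestamp order; map each user to the sorted rules they tripped."""
    hits: Dict[str, set] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in detector.process(ev):
            hits[ev.user].add(rule)
    return {user: sorted(rules) for user, rules in hits.items()}


# Constructed sample data for the example; not real telemetry or real share names.
CANARY_FILES = ["//fs01/finance/_zz_do_not_open.xlsx", "//fs01/hr/~salaries_canary.docx"]


def sample_events() -> List[FileEvent]:
    evs: List[FileEvent] = []
    # alice: ordinary work, 20 same-extension renames spread over 10 minutes
    for i in range(20):
        evs.append(FileEvent(ts=i * 30.0, user="alice", op="rename",
                             path=f"//fs01/finance/draft{i}.docx",
                             new_path=f"//fs01/finance/final{i}.docx"))
    # bob: a backup script appending .bak to 30 files in a minute (below both thresholds)
    for i in range(30):
        evs.append(FileEvent(ts=2000 + i * 2.0, user="bob", op="rename",
                             path=f"//fs01/it/cfg{i}.ini", new_path=f"//fs01/it/cfg{i}.ini.bak"))
    # jdoe: infected host renaming 600 files to .locked in 30 s, then touching a canary
    for i in range(600):
        evs.append(FileEvent(ts=1000 + i * 0.05, user="jdoe", op="rename",
                             path=f"//fs01/finance/q{i}.xlsx",
                             new_path=f"//fs01/finance/q{i}.xlsx.locked"))
    evs.append(FileEvent(ts=1031.0, user="jdoe", op="write",
                         path="//fs01/finance/_zz_do_not_open.xlsx"))
    return evs


if __name__ == "__main__":
    print(run(sample_events(), RansomwareDetector(CANARY_FILES)))
```

The three rules fail in different ways, which is the point of layering them. The raw rename-rate rule is the easy one to evade: a variant that encrypts in place without renaming, or that throttles itself below the threshold, never trips it. Keying the stricter rule on extension changes lowers the threshold that can be used without flagging ordinary bulk renames, but it still depends on the malware renaming files. The canary rule has no rate at all, so a slow or in-place encryptor that sweeps a whole directory tree still hits it, at the cost of detecting only after some real files may already have been encrypted. The example assumes events carry a reliable timestamp and user attribution, which in practice comes from file-server audit logs or an endpoint agent rather than from the files themselves.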