When ransomware hit the Horry County School District in South Carolina in February, the IT staff’s first warning of the disaster came from teachers who could no longer access their files. Days later, Hollywood Presbyterian Medical Center staff “noticed issues accessing the hospital’s computer network”—the organization’s only warning that it too had become a victim.
The incidents underscore that many companies and organizations are still unprepared to prevent, or even detect, ransomware infections before their data is held hostage by cyber-criminals. Ransomware resembles other malware in most respects, but its defining feature, encrypting the victim's data in place, does direct damage to business operations, which makes early detection imperative. Unfortunately for victims, the time between infection and impact tends to be much shorter with ransomware than with other forms of attack, such as data theft.
“The point of entry is not any different for ransomware, but the shot clock really starts pretty quickly,” Ed Cabrera, chief cyber-security officer, Trend Micro, told eWEEK. While other breaches revolve around exfiltrating data, which may never be used or which may have limited impact on the company, the payload of ransomware makes it fundamentally different. “Through all the stages of a traditional attack, you have a lot of chances to detect and respond. With ransomware, there are not a lot of steps—there is not a lot of time to react.”
Little surprise, then, that ransomware has become the security threat of 2016. In the first quarter of the year, the FBI estimated that more than $209 million had been lost to ransomware attacks, according to a CNN report. And attackers are ramping up their efforts: Trend Micro identified 50 new variants of ransomware in the first five months of 2016, up from 49 variants for all of 2015.
Seeing a market, security companies have added features to current products to allow their clients to better detect and more quickly block ransomware before it can encrypt important data. Illusive Networks, for example, has added ransomware-specific canaries, what it calls “deceptions,” to its product to signal when ransomware is attempting to encrypt files. While it may detect the ransomware after it has infected a system, such an approach can help incident responders shut down the attack before it gets far.
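The canary idea described above, as an added example (not Illusive Networks' product code): decoy files are planted in every directory, hashed, and rechecked later; an encryptor that walks the tree rewrites or renames the decoys before, or alongside, the real data. The decoy filename, the XOR-based stand-in for the encryptor and the temporary directory tree are all constructed for the demo.

```python
"""Canary ("deception") files that reveal an encryptor before it reaches real data.

Added example, not Illusive Networks' code. Assumes a decoy filename that sorts
before real documents so an encryptor walking a directory touches it early.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CANARY_NAME = "000_accounts_payable.xlsx"   # assumed name: sorts first, looks valuable


def _sha256(p):
    return hashlib.sha256(p.read_bytes()).hexdigest()


def plant_canaries(root):
    """Drop one decoy in every directory under root; return {path: sha256} baseline."""
    baseline = {}
    for dirpath, _dirs, _files in os.walk(root):
        decoy = Path(dirpath) / CANARY_NAME
        # Random filler keeps every decoy unique, so a dedup-aware encryptor cannot
        # recognise and skip them by content.
        decoy.write_bytes(b"DECOY - do not open\n" + os.urandom(512))
        baseline[str(decoy)] = _sha256(decoy)
    return baseline


def check_canaries(baseline):
    """Return (path, reason) for every decoy that was altered or removed.

    Both outcomes are alerts: renaming/deleting the original and rewriting it
    in place are the two ways encryptors leave a file behind.
    """
    alerts = []
    for path, digest in baseline.items():
        decoy = Path(path)
        if not decoy.exists():
            alerts.append((path, "missing: deleted or renamed"))
        elif _sha256(decoy) != digest:
            alerts.append((path, "rewritten: contents no longer match baseline"))
    return alerts


def _fake_encrypt(directory, key=0x5A):
    """Constructed stand-in for ransomware: XOR every file in `directory` and give
    it a new extension, which is the minimum an encryptor does to each file."""
    for f in Path(directory).iterdir():
        if f.is_file():
            data = bytes(b ^ key for b in f.read_bytes())
            f.with_name(f.name + ".locked").write_bytes(data)
            f.unlink()


def demo():
    """Build a throwaway tree, plant canaries, run a fake encryptor on one
    directory and return (canaries_planted, alerts_before, alerts_after)."""
    root = Path(tempfile.mkdtemp(prefix="canary-demo-"))
    try:
        for sub in ("finance", "hr", "eng"):
            (root / sub).mkdir()
            (root / sub / "real.docx").write_text("real content\n")
        baseline = plant_canaries(root)
        before = check_canaries(baseline)       # clean tree: no alerts
        _fake_encrypt(root / "finance")         # encryptor hits one directory
        after = check_canaries(baseline)
        return len(baseline), before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    n, before, after = demo()
    print(f"{n} canaries planted; alerts before: {before}; after: {after}")
```

A periodic rescan like `check_canaries` is enough to show the mechanism; a deployed monitor would subscribe to file-change notifications (inotify, ReadDirectoryChangesW) so the alert fires on the first touched decoy rather than at the next poll. Either way the alert arrives after the encryptor is already running, which is the caveat the article raises: the value of the canary is in cutting the time to response, not in preventing the infection.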
Focusing on how ransomware interacts with data is a popular approach.
Data-protection firm Varonis, whose products monitor servers and devices for changes to data as well as strange user behavior, has added specific patterns to its behavioral analytics that can detect the unwanted encryption committed by ransomware attacks. While a simple rule—such as determining that the renaming of 500 files in a minute is a sign of maliciousness—could detect much of today’s ransomware, it would be easy to circumvent in the future, so Varonis has added more in-depth rules, David Gibson, vice president of strategy and market development at Varonis, told eWEEK.
Solving Ransomware Presents Opportunity for Security Companies
“That is a basic alert, not really user-behavior analytics,” he said. “We are able to discern that something looks like an automated pattern. That is something that is a bit more future-proof when detecting something that is low and slow.”
Rather than focus on the data, other companies are focusing on how a user behaves and using analytics to discern whether the actions taken on a computer are those of a person or of a malicious program.
Exabeam, a company focused on user analytics, has found that a few tweaks to its system can easily pinpoint actions that are likely to be ransomware. The programs, much like other malware, change file names, systematically overwrite files, communicate with malicious domains, and take other actions indicative of an automated, malicious program, Barry Shteiman, director of threat research at Exabeam, told eWEEK.
“I have tracked 86 variants of ransomware,” he said. “I haven’t seen one where we didn’t see artifacts that were totally new.”
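Both approaches above come down to rules run over file-activity records: the Varonis threshold rule ("500 renames in a minute"), its rate-independent "automated pattern" successor, and the rename/overwrite artifacts Exabeam looks for. The following added example (not Varonis or Exabeam code) runs two such detectors over a constructed file-server audit log whose format, users and paths are all assumed for the demo: a burst rule, and an automation score that flags a renamer that appends one constant suffix to every file, fires at a near-constant interval and walks the tree in directory order, even when it is deliberately slow.

```python
"""Two ransomware detectors over a constructed file-server audit log.

Added example; not Varonis' or Exabeam's analytics. Assumed log format:
    <epoch_seconds>,<user>,<op>,<path>,<new_path>     (new_path empty unless RENAME)
"""
import statistics
from collections import Counter, namedtuple

Event = namedtuple("Event", "ts user op path new_path")
T0 = 1464771600.0   # 2016-06-01 09:00:00 UTC, constructed start of the log


def parse_log(lines):
    events = []
    for line in lines:
        ts, user, op, path, new_path = line.strip().split(",", 4)
        events.append(Event(float(ts), user, op, path, new_path))
    return events


def burst_rule(events, user, threshold=500, window=60.0):
    """The basic rule: at least `threshold` renames by `user` inside any
    `window`-second span. Returns (fired, peak_renames_in_window)."""
    times = sorted(e.ts for e in events if e.user == user and e.op == "RENAME")
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:       # slide the window start forward
            j += 1
        best = max(best, i - j + 1)
    return best >= threshold, best


def _suffix(old, new):
    """The string appended to a file name, or None if the rename is not a pure append."""
    return new[len(old):] if new.startswith(old) and len(new) > len(old) else None


def automation_score(events, user, min_events=10):
    """Rate-independent score in [0, 1] built from three signs of a script rather
    than a person: one constant suffix on every rename, near-constant spacing
    between renames, and files visited in directory order. Nothing here depends
    on how fast the renames happen, so a 'low and slow' encryptor still scores high."""
    ren = sorted((e for e in events if e.user == user and e.op == "RENAME"),
                 key=lambda e: e.ts)
    if len(ren) < min_events:
        return 0.0
    top, n = Counter(_suffix(e.path, e.new_path) for e in ren).most_common(1)[0]
    suffix_share = n / len(ren) if top else 0.0
    gaps = [b.ts - a.ts for a, b in zip(ren, ren[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0   # 0 when perfectly periodic
    regularity = max(0.0, 1.0 - cv)
    ordered = sum(a.path < b.path for a, b in zip(ren, ren[1:])) / (len(ren) - 1)
    return round((suffix_share + regularity + ordered) / 3, 3)


def build_sample_log():
    """Constructed audit log: alice edits normally, bob is a fast encryptor,
    carol is a slow one (one rename every 30 s, far below the burst threshold)."""
    alice = [   # (offset_s, old_path, new_path): irregular timing, no common suffix
        (95, "/share/docs/q2/draft.docx", "/share/docs/q2/final.docx"),
        (140, "/share/docs/hr/plan_v1.pptx", "/share/docs/hr/plan_v2.pptx"),
        (610, "/share/docs/eng/spec.md", "/share/docs/eng/spec-2016.md"),
        (615, "/share/docs/q2/old.txt", "/share/docs/archive/old.txt"),
        (900, "/share/docs/eng/notes.txt", "/share/docs/eng/meeting-notes.txt"),
        (1700, "/share/docs/hr/offer.docx", "/share/docs/hr/offer-signed.docx"),
        (1702, "/share/docs/q2/tmp.xlsx", "/share/docs/q2/budget-backup.xlsx"),
        (2500, "/share/docs/eng/a.py", "/share/docs/eng/main.py"),
        (3100, "/share/docs/q2/img1.png", "/share/docs/q2/chart.png"),
        (3590, "/share/docs/hr/x.docx", "/share/docs/hr/handbook.docx"),
    ]
    lines = [f"{T0 + off},alice,RENAME,{old},{new}" for off, old, new in alice]
    lines += [f"{T0 + 12},alice,WRITE,/share/docs/q2/budget.xlsx,",
              f"{T0 + 2510},alice,WRITE,/share/docs/eng/main.py,"]
    for i in range(600):        # bob: 600 renames in 40 seconds
        p = f"/share/docs/proj/file{i:04d}.docx"
        lines.append(f"{T0 + 4000 + i / 15},bob,RENAME,{p},{p}.locked")
    for i in range(120):        # carol: 120 renames, one every 30 s
        p = f"/share/docs/fin/ledger{i:03d}.xlsx"
        lines.append(f"{T0 + 5000 + 30 * i},carol,RENAME,{p},{p}.crypt")
    return lines


def run_detectors(lines=None):
    events = parse_log(lines or build_sample_log())
    return {u: {"burst": burst_rule(events, u), "automation": automation_score(events, u)}
            for u in ("alice", "bob", "carol")}


if __name__ == "__main__":
    for user, result in run_detectors().items():
        print(user, result)
```

The burst rule catches bob and misses carol; the automation score catches both and leaves alice alone. Real deployments also weight the write/rename ratio and the entropy of rewritten files, and must allow for legitimate automation (backup agents, migration scripts) that will score high on regularity but not on a constant appended suffix.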
Host-based security software, the form into which many traditional antivirus products have morphed, can still be relevant, but for the vendors that sell it most of the blocking happens before the endpoint is reached. Trend Micro, for example, stops 90 percent of ransomware attacks at the email gateway, another 9 percent through URL filtering and malicious-Website detection, and less than 1 percent through behavioral analytics, Trend Micro's Cabrera said.
Such a layered approach cannot be avoided, he said. Companies need to focus on better backups, detection of malicious communications and malware activity, and new analytic techniques.
“Arguably, there is no 100 percent solution,” Trend Micro’s Cabrera said. “In the end, that is why you need to be resilient. As your strategy, you need to protect all your assets, and speed up detection and speed up patching.”
Overall, companies should treat ransomware as a special case of traditional malware, he said. Improving the speed with which attacks are detected, and blocking attacks before they have a significant business impact, are both important.
While some security experts consider ransomware to be a more serious attack than run-of-the-mill malware, Varonis’ Gibson argued that the pain of ransomware is mainly short term. While he would not go so far as to consider such attacks a benefit, companies attacked with the malicious encryption programs are quickly given signs that their systems were vulnerable, which can help them figure out where more insidious attackers might go.
In the end, other insider threats, which Varonis specifically aims to defend against, can be much more damaging, he said.
“The one point that people are missing is that ransomware is the gentlest insider threat that there is,” he said. “Ransomware is the only insider threat that you know is there. The other ones are much more stealthy, and you will not catch them before they have completed stealing your data.”