The word “ransomware” terrifies individuals and organisations alike. We look at how this threat works – and how to fight it!
The ransomware mood music isn’t good this year. As security publications and commentators tell us, ransomware is expected to dominate the malware arena in 2017.
More than ever, then, security partners need to offer sound, confident advice to end-users on both the nature of ransomware, and how to defend against it.
So look no further!
Ransomware: how it works
Ultimately, the aim of ransomware is to paralyse companies’ operations, usually by encrypting data, then demanding money to decrypt it and render it usable again.
For security partners and their customers, one of the challenges with ransomware is that it can enter the network through many different routes – malicious links or infected file attachments in emails, drive-by attacks triggered by a visit to an infected website or ad, botnets, USB drives, Yahoo Messenger images… the penetration potential is extremely high.
But to rub salt into it, ransomware also dodges many of the traditional anti-virus defences.
It disguises filenames and attributes and hides behind legitimate file extensions. And it often uses secure communications protocols like https and Tor, and encrypts its communications as it goes, obscuring the tell-tale server calls that would ordinarily betray its presence.
What this means is that most anti-virus protection is none the wiser to the threat – and so the latter finds its target, which is usually the most critical data the business holds. (Indeed, the notorious Cryptolocker ransomware, as this blog, from Bitdefender, explains, hunted out 70 different specific file extensions, precisely for this reason).
Ransomware: how to stop it
A threat that can infect via so many different channels, and hide its tracks whilst it’s doing it, clearly can’t be stopped by a single “silver bullet.”
It can only be stopped by layered protection that detects and blocks at all the levels at which ransomware can penetrate and spread.
Research carried out by Trend Micro has found that 99% of over 99 million ransomware attacks were found in malicious email or web links, so robust defence at the email and web gateway level, as well as at the endpoint and network levels, are a must.
Protecting email and web traffic from ransomware
Analysis is the key here; in the absence of the normal malware “cues” that signal a threat, security solutions have to look harder, deeper and wider for signs of the miscreants.
This means not just analysing links in the body of an email, for example, but also the links in the attachments that that email contains – as well as the attachments themselves.
It means scanning for zero-day and browser exploits, and other favoured ransomware entry points that are buried in applications (such as within Office 365 – 2 million threats discovered to date, according to Trend Micro!), rather than just in links or attachments.
And it means both being able to instantly compare links with a global database of known malicious URLs, and automatically rewrite links (as we discussed in this post) to divert them into a sandbox and analysis environment.
There, they can be triggered and inspected at no risk – even if they are not “known suspects.”
Protecting endpoints from ransomware
But what if the threat enters the network from an endpoint, like a PC – triggered, perhaps, by an infected document on a USB stick?
Actually, it’s at this level that some of the most useful indicators of ransomware behaviours – rapid encryption of multiple files, for example, or exploit kits that look for unpatched software vulnerabilities, as a prelude to sending ransomware through them – can be detected.
A security solution that can isolate the endpoint can stop the ransomware from spreading further via the network. And on that point…
Protecting networks from ransomware
The network itself must of course be protected.
But network traffic flows across myriad nodes, ports and protocols, so security mustbe capable of identifying ransomware and attacker behaviour in and across each of these sub-layers.
Here, too the sandbox analysis that we mentioned above is a powerful resource, mirroring the actual network environment so that the presence of typical ransomware behaviours can be accurately tracked and their effect (and therefore likely objective) revealed.
Ransomware immunisation: using the threat against itself
But one of the slickest anti-ransomware developments we’ve seen recently is a “vaccine”, which literally uses the ransomware’s own programming against it.
Ransomware typically prevents a machine it has already infected from playing host to any other infection that could interfere with the ransomware’s own endgame.
But this same feature, deployed on uninfected machines, effectively blocks the ransomware itself, as we have previously described in this post. So, does this mean ransomware is finally hoist by its own petard?
I wouldn’t bet on it. But by sharing knowledge about how ransomware works, how we can defeat it, and where businesses and security partners can go for more advice, we make every hostage that bit more difficult to take.
And that’s a ransomware result.