FAQ – Ransomware
Ransomware can infect a single user and then spread throughout the entire organization, knocking computers offline and forcing employees to use pen and paper while IT and SOC teams scramble to mitigate the infection.
A user can be infected in a variety of ways, such as actively installing the ransomware (say, when it appears to be an innocuous program), opening a malicious file attached to an email (a phishing attack) or browsing to a compromised website (a drive-by-download attack).
While in certain scenarios the victim had to be active and click on the malicious program, in most cases the infection is seamless to the user. Ransomware that is triggered should be blocked from encrypting data and from spreading laterally through an organization. See how enSilo detected and blocked Scarab ransomware activity and stopped the file encryption.
Ransomware creators are getting more creative with their tactics. Organizations spend thousands of dollars on cybersecurity awareness and education for their employees. It only takes one employee and one click to trigger a ransomware infection that can take down an entire organization.
- Implementing the lateral movement capability on their own.
- Using other Trojans that are considered “stealers” by design.
- Finding vulnerabilities that allow them to propagate.
NO, just see the FBI warning:
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The most advanced attacks can crawl across organizational networks and traverse file shares looking for data. What it finds, it encrypts. Confused users have perfectly functioning computer systems, but no data. Or at least no data they can read.
Ransomware is a threat to every organization, and very few organizations fail to implement disaster recovery planning. “A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).”
WannaCry and Petya were the top ransomware attacks, causing complete business disruption across an array of industries, including critical infrastructure. NGAV and AV security products failed to protect against these attacks because they lacked a post-infection layer of protection. Beyond WannaCry and Petya, post-infection protection also defends against many unknown variants, because it can detect the malicious outbound connections that occur after a pre-infection barrier such as NGAV or AV has been bypassed.
A variant of Petya ransomware was used in a second worldwide attack, again targeting Windows operating systems. To first responders this appeared to be a ransomware attack; it was later discovered that this Petya variant was paired with an NSA exploit and was in fact a wiper, later dubbed NotPetya.
There are many variants of ransomware, but the two most common types are crypto ransomware and locker ransomware. Crypto ransomware encrypts files or data so the user can no longer access them; well-known variants include CryptoLocker, which generated US $3 million before authorities took it down, and CryptoWall, which had generated $18m by June 2015. Locker ransomware instead locks the device itself so it cannot be accessed.
Encryption is the encoding of information in a format that is not legible to unauthorized parties. It is designed to protect the confidentiality of your files, and encrypting your files is generally a good thing. For example, an application like BitLocker (which has been part of Windows since Vista) uses an algorithm to convert the data on your drive to encrypted data, making it unreadable to everyone until the data is decrypted. You can also encrypt individual files. In either case a “key” is needed to decrypt the data.
How long encryption takes depends on which file extensions are present on the victim’s machine, and on how many files with those extensions exist.
The proliferation of ransomware is predicted to only get worse. According to McAfee Labs, there were twice as many ransomware samples in Q1 2015 as in any other quarter, and the FBI recently issued an alert on the uptick in ransomware (citing Cryptowall as “the most current and significant ransomware targeting US individuals and businesses”).
Essentially, pre-infection protection is used to manage cyber hygiene. Pre-infection protection such as NGAV and AV protects users from known, signature-based ransomware, from vulnerabilities for which a patch exists, and from malware that has been seen before.
Step 1: enSilo conducts retroactive review in real-time. It starts by seamlessly recording all OS activity.
Step 2: Only when there’s an attempt to take or modify data does enSilo freeze the action and retrieve all recorded activity.
Step 3: enSilo retroactively analyzes the retrieved history. This chain of OS activities provides conclusive evidence of whether you’re dealing with an actual threat.
Step 4: If it is a real threat, enSilo blocks the action in real-time, with absolutely no impact on the user’s machine.
Step 5: By tracing malicious activity back to its origin, enSilo can identify the root cause. If you choose to take action, you can also neutralize it.
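The five steps above describe a behavioural, post-infection approach: record OS activity, treat a data-modification burst as the only trigger, then review the recorded history to judge the threat and find its origin. The following is an added example written for this FAQ, not enSilo's code or a description of its internals. It replays a constructed activity trace (not real telemetry) and flags a process whose file writes look like encryption, using two signals that follow from the encryption answers above: encrypted output has almost no byte-frequency structure (Shannon entropy near 8 bits per byte), and many ransomware families append a new extension to each document. The process names, paths, the `.locked` suffix, the 198.51.100.23 address and all thresholds are assumptions chosen for illustration. A burst of ordinary, low-entropy saves from a second process is included to show that write rate alone does not raise an alert.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

HIGH_ENTROPY = 7.0       # bits/byte; encrypted or compressed content sits close to 8.0
WINDOW_SECONDS = 5.0     # look-back window for the write-rate trigger (assumed value)
MIN_WRITES = 5           # writes inside the window before the recorded history is reviewed
# Ordinary document extensions; a write to "report.docx.<something>" means one was appended.
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Ciphertext has no byte-frequency structure, so its entropy approaches 8 bits/byte."""
    return shannon_entropy(data) >= HIGH_ENTROPY


def gained_extension(path: str) -> bool:
    """True when a document name has had an extra extension appended, e.g. report.docx.locked."""
    suffixes = PureWindowsPath(path).suffixes
    return len(suffixes) >= 2 and suffixes[-2].lower() in DOC_EXTS


@dataclass
class Alert:
    pid: int
    origin: str                  # image path from the process's recorded PROCESS_START
    writes: int                  # writes in the window that triggered the review
    high_entropy_writes: int
    renamed_extensions: int
    outbound: list = field(default_factory=list)   # NET_CONNECT destinations seen before the trigger


def analyze_trace(events, window=WINDOW_SECONDS, min_writes=MIN_WRITES):
    """Replay `events` (time_s, pid, kind, detail, payload); alert once per ransomware-like process.

    Every event is recorded per process; a burst of FILE_WRITEs is the only trigger; the recorded
    history is then reviewed for content and file-name evidence and for the root cause.
    """
    history = defaultdict(list)          # pid -> all recorded events (the retroactive store)
    recent_writes = defaultdict(deque)   # pid -> FILE_WRITE events inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e[0]):
        t, pid, kind, detail, payload = ev
        history[pid].append(ev)
        if kind != "FILE_WRITE" or pid in alerted:
            continue
        q = recent_writes[pid]
        q.append(ev)
        while t - q[0][0] > window:
            q.popleft()
        if len(q) < min_writes:
            continue
        high = sum(1 for w in q if looks_encrypted(w[4]))
        renamed = sum(1 for w in q if gained_extension(w[3]))
        # Many writes alone are not evidence (backup jobs do that); require encrypted-looking
        # content or appended extensions on most of them before blocking would be justified.
        if high < 0.8 * len(q) and renamed < 0.8 * len(q):
            continue
        origin = next((h[3] for h in history[pid] if h[2] == "PROCESS_START"), "<unknown>")
        outbound = [h[3] for h in history[pid] if h[2] == "NET_CONNECT"]
        alerts.append(Alert(pid, origin, len(q), high, renamed, outbound))
        alerted.add(pid)
    return alerts


def opaque_blob(seed: str, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed, not real output)."""
    out = bytearray()
    for i in range(length // 32 + 1):
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
    return bytes(out[:length])


# Constructed sample trace, not real telemetry: pid 4242 is a downloaded executable that calls
# out and then overwrites documents with opaque content under appended names; pid 1337 is a
# user's editor saving ordinary text at a similar rate.
DOCS = r"C:\Users\alice\Documents"
SAMPLE_TRACE = [
    (0.0, 4242, "PROCESS_START", r"C:\Users\alice\Downloads\invoice_2019.pdf.exe", None),
    (0.4, 4242, "NET_CONNECT", "198.51.100.23:443", None),
] + [
    (1.0 + 0.2 * i, 4242, "FILE_WRITE", rf"{DOCS}\report{i}.docx.locked", opaque_blob(f"r{i}"))
    for i in range(6)
] + [
    (1.1 + 0.3 * i, 1337, "FILE_WRITE", rf"{DOCS}\notes\meeting{i}.txt",
     f"Meeting {i}: agenda, attendees, action items and follow-up dates.".encode())
    for i in range(6)
]

if __name__ == "__main__":
    for alert in analyze_trace(SAMPLE_TRACE):
        print(alert)
```

Running the script yields a single alert for pid 4242 after its fifth write, naming the downloaded executable as the origin and listing the outbound connection made before encryption began; the editor process never trips the rule because its writes are low-entropy and keep their original names. In a real deployment the payload would be the bytes observed at write time and the trace would come from a kernel-level recorder, but the review logic is the same.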
Post-infection protection is another layer of cybersecurity that protects the operating system from data exfiltration. Where pre-infection protection can only protect against known infections, post-infection protection protects an operating system from any malicious outbound connection.
To prevent ransomware from infecting your organization, invest in the best endpoint protection with an efficient endpoint security solution. The best ransomware protection provides two separate layers of endpoint protection. The first layer of defense is NGAV, or pre-infection protection, used essentially to clean up known security vulnerabilities and maintain better cyber hygiene. The second layer of defense operates post-infection, similar to an EDR but in real time. This post-infection layer protects an organization from the malicious outbound activity that usually occurs during a data breach, catches suspected malicious activity that bypassed the pre-infection layer, and is the last line of defense that lets a CISO sleep better at night.