Ransomware FAQ

What is ransomware?
Ransomware is an increasingly popular tactic used to steal data and disrupt a system's operations. Essentially, ransomware is malware that attackers use to infect a device, hijack the files on that device and lock them via encryption. The maliciously encrypted files can no longer be accessed by their users and are held hostage by the attacker until a ransom is paid.
Who does ransomware affect?

Ransomware can infect a single user and then spread throughout the entire organization, knocking computers offline and forcing employees to fall back on pen and paper while IT and SOC teams scramble to contain the infection.

How is a user affected?

A user can be infected in a variety of ways, such as actively installing the ransomware (say, when it appears to be an innocuous program), opening a malicious file attached to an email (a phishing attack) or browsing to a compromised website (a drive-by download attack).

What triggers ransomware?

While in certain scenarios the victim had to take an action and click on the malicious program, in most cases the infection is seamless to the user. Ransomware that has been triggered should be blocked from encrypting data and from spreading laterally through the organization. See how enSilo detected and blocked Scarab ransomware activity and stopped the file encryption.

How do I recognize ransomware?

Ransomware creators are getting more creative with their tactics. Organizations spend thousands of dollars on cybersecurity awareness and education for their employees, yet it only takes one employee and one click to trigger ransomware that can take down an entire organization.

How can ransomware spread and infect my entire organization?
3 ways ransomware can spread:
  1. Implementing lateral movement capability of its own.
  2. Using other Trojans that are "stealers" by design.
  3. Exploiting vulnerabilities that allow it to propagate.
See how enSilo blocked Bad Rabbit ransomware from spreading via SMB with enSilo's Exfiltration Prevention policy, and blocked its ability to encrypt files with enSilo's Ransomware Prevention policy.
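The SMB spread described above leaves a recognizable trace in connection logs: one workstation opening port 445 sessions to many peers in a short burst. The following is an added illustration (not enSilo's code) that flags such fan-out in a constructed, hypothetical log format of "timestamp src_ip dst_ip dst_port":

```python
"""Detect lateral-movement fan-out over SMB (TCP 445) in recorded connection
logs. Added illustration with a constructed log format, not enSilo's code."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2017-10-24T10:00:01 10.0.1.15 10.0.1.5 445
2017-10-24T10:00:02 10.0.1.15 10.0.1.6 445
2017-10-24T10:00:02 10.0.1.15 10.0.1.7 445
2017-10-24T10:00:03 10.0.1.15 10.0.1.8 445
2017-10-24T10:00:03 10.0.1.15 10.0.1.9 445
2017-10-24T10:00:04 10.0.1.15 10.0.1.10 445
2017-10-24T10:00:05 10.0.1.22 10.0.1.5 445
2017-10-24T10:00:06 10.0.1.22 10.0.2.40 443
2017-10-24T10:00:07 10.0.1.30 10.0.1.5 445
"""

def parse_log(text):
    """Return a list of (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def smb_fanout(events, threshold=5, window_s=60):
    """Flag sources that opened SMB sessions to at least `threshold` distinct
    peers within `window_s` seconds. A workstation normally talks SMB to a few
    file servers; a worm sweeping the subnet talks to many in a short burst."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t, _dst) in enumerate(conns):
            recent = {d for u, d in conns[: i + 1] if (t - u).total_seconds() <= window_s}
            if len(recent) >= threshold and len(recent) > len(flagged.get(src, ())):
                flagged[src] = recent   # keep the largest peer set seen in a window
    return flagged

if __name__ == "__main__":
    for host, peers in smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {host} opened SMB to {len(peers)} hosts within 60s: {sorted(peers)}")
```

Tune `threshold` to the number of file servers a normal workstation talks to; the two hosts that each contact a single server are not flagged.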
How much is the demanded amount from a ransomware attacker?
The ransom can range from hundreds of dollars to hundreds of thousands, depending on the type of file and victim. Usually, the extortionists set a deadline for paying up and when that deadline is not met, a new deadline is set and the ransom rate increases.
Can I still work on my computer if a ransomware is triggered?

The most advanced attacks can crawl across organizational networks and traverse file shares looking for data. What it finds, it encrypts. Confused users have perfectly functioning computer systems, but no data. Or at least no data they can read.

What happens if I accidentally click on a ransomware file?
Some ransomware encrypts files, while other variants lock the user out of the device. After the ransomware is triggered, a pop-up appears, often containing a "friendly" message from the attacker explaining exactly how the user can regain access to their files – and how much it is going to cost them. "Of course, there's no guarantee that even if a victim pays the demanded amount they will actually get access to their files again, which makes dealing with ransomware somewhat of a tricky issue."
How severe is the ransomware threat to organizations?

Ransomware is a threat to every organization, and very few organizations fail to implement disaster recovery planning. "A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015)."

How to prevent ransomware attacks?

The WannaCry and Petya ransomware attacks were the top ransomware attacks causing complete business disruption across an array of industries, including critical infrastructure. NGAV and AV security products failed to protect against these attacks because they lack a post-infection layer of protection. Beyond protecting against WannaCry and Petya, post-infection protection also covers many unknown variants, because it can detect any malicious outbound connection that occurs after a pre-infection barrier such as NGAV or AV has been bypassed.

What is Wanna Cry ransomware?
WannaCry was a worldwide cyber attack targeting computers running outdated Windows operating systems. WannaCry completely disrupted business production for many industries because their security tooling was unable to protect systems from ransomware that used the NSA exploit EternalBlue.
What is Petya ransomware?

A variant of Petya ransomware was used in a second worldwide attack, also targeting Windows operating systems. The attack was initially framed as ransomware by first responders, who later discovered that this Petya variant was paired with an NSA exploit and was in fact a wiper, subsequently dubbed NotPetya.

What are common types of ransomware?

Although there are many variants of ransomware, the two most common types are:
  1. Crypto ransomware, which encrypts files or data to prevent the user from accessing them. It has evolved into well-known variants such as CryptoLocker, which generated US $3 million before authorities took it down, and CryptoWall, which had generated $18 million by June 2015.
  2. Locker ransomware, which locks the device so that it cannot be accessed.

What is encryption?

Encryption is encoding information in a format that is not legible to unauthorized parties. It is designed to protect the confidentiality of your files, and encrypting your files is generally a good thing. For example, an application like BitLocker (which has been part of Windows since Vista) uses an algorithm to convert the data on your drive into encrypted data, making it unreadable to everyone until the data is decrypted. You can also encrypt individual files. In either case a "key" is used to decrypt the data.

How long does it take for a ransomware to encrypt my files?

Encryption time depends on which file extensions the ransomware targets and are present on the victim's machine, as well as how many files with those extensions exist.

Are organizations required by law to report a ransomware infection?
According to the Ransomware Fact Sheet, "under the newly released guidance from the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR), ransomware is now considered a data breach. Healthcare organizations are required by law to report ransomware attacks. In fact, in the 2015 reported cases of ransomware, victims paid a total of $18 million. HHS has developed guidance to help covered entities and business associates better understand and respond to the threat of ransomware."
Can the FBI help me retrieve my files?

The proliferation of ransomware is predicted to only get worse. According to McAfee Labs, there were twice as many ransomware samples in Q1 2015 as in any other quarter, and the FBI recently issued an alert on the uptick of ransomware (citing CryptoWall as "the most current and significant ransomware targeting US individuals and businesses").

How can I prevent ransomware pre-infection?

Essentially, pre-infection protection is used to maintain cyber hygiene. Pre-infection protection such as NGAV and AV protects users from known, signature-based ransomware, from vulnerabilities for which a patch exists, and from malware that has been seen before.

How can I protect my computer utilizing automated post-infection protection in real-time?

Step 1: enSilo conducts retroactive review in real time. It starts by seamlessly recording all OS activity.

Step 2: Only when there is an attempt to take or modify data does enSilo freeze the action and retrieve all recorded activity.

Step 3: enSilo retroactively analyzes the retrieved history. This chain of OS activities provides conclusive evidence of whether you are dealing with an actual threat.

Step 4: If it is a real threat, enSilo blocks the action in real time, with no impact on the user's machine.

Step 5: By tracing the malicious activity back to its origin, enSilo can identify the root cause. If you choose to take action, you can also neutralize it.
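The five steps above, as an added illustration that is not enSilo's implementation: a hypothetical recorder keeps process and file events, and on every data-modifying event it freezes, walks the process ancestry back to its origin, and blocks when a process spawned under a user-facing application shows the encrypt-and-replace pattern (new file written, original deleted) on several files. The event format and process names are constructed.

```python
"""Retroactive analysis of recorded OS activity when a process tries to modify
data. Added illustration with a hypothetical event format, not enSilo's code."""
from collections import defaultdict
# Constructed events: ("proc", pid, ppid, image) or ("file", pid, op, path)
EVENTS = [
    ("proc", 1, 0, "explorer.exe"),
    ("proc", 2, 1, "outlook.exe"),
    ("proc", 3, 2, "winword.exe"),    # attachment opened from mail
    ("proc", 4, 3, "invoice.exe"),    # dropped and launched by the document
    ("file", 4, "write", r"C:\Users\a\Docs\q1.xlsx.locked"),
    ("file", 4, "delete", r"C:\Users\a\Docs\q1.xlsx"),
    ("file", 4, "write", r"C:\Users\a\Docs\plan.docx.locked"),
    ("file", 4, "delete", r"C:\Users\a\Docs\plan.docx"),
    ("proc", 5, 1, "winword.exe"),    # user editing a document normally
    ("file", 5, "write", r"C:\Users\a\Docs\notes.docx"),
]
USER_FACING = {"outlook.exe", "winword.exe", "chrome.exe"}  # phishing/drive-by entry points

class Recorder:
    """Step 1: record all activity; steps 3-5: analyze one pid's history on demand."""
    def __init__(self):
        self.parent, self.image, self.files = {}, {}, defaultdict(list)
    def record(self, ev):
        if ev[0] == "proc":
            self.parent[ev[1]], self.image[ev[1]] = ev[2], ev[3]
        else:
            self.files[ev[1]].append(ev[2:])          # (op, path)
    def ancestry(self, pid):
        chain = []
        while pid in self.image:
            chain.append(self.image[pid])
            pid = self.parent[pid]
        return chain[::-1]                            # root cause first
    def analyze(self, pid, min_victims=2):
        """Block on suspicious origin plus encrypt-and-replace on several files."""
        chain = self.ancestry(pid)
        written = {p for op, p in self.files[pid] if op == "write"}
        replaced = [p for op, p in self.files[pid] if op == "delete"
                    and any(w != p and w.startswith(p) for w in written)]
        suspicious_origin = any(img in USER_FACING for img in chain[:-1])
        block = suspicious_origin and len(replaced) >= min_victims
        return {"block": block, "root_cause": chain, "victims": sorted(replaced)}

def run(events=EVENTS):
    rec, verdicts = Recorder(), {}          # step 2: freeze and review on each data change
    for ev in events:
        rec.record(ev)
        if ev[0] == "file" and ev[2] in ("write", "delete"):
            verdicts[ev[1]] = rec.analyze(ev[1])
    return verdicts
```

Running `run()` yields a block verdict for pid 4 with the full chain explorer.exe > outlook.exe > winword.exe > invoice.exe as the root cause, while the user's own Word session (pid 5) is left alone.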

Pre-infection protection vs. post-infection protection?

Post-infection protection is an additional layer of cybersecurity that protects the operating system from exfiltration. Pre-infection protection can protect against known infections; post-infection protection protects the operating system from any malicious outbound connection.

How is Ransomware evolving?
In the past couple of years, we have seen ransomware growing from a nickel & dime operation targeting individual computers to a multimillion-dollar criminal operation targeting organizations that can afford to pay enterprise-level payments.
Can Ransomware bypass AV and NGAV pre-infection defenses?
Antivirus and NGAV solutions are simply not enough. Traditional antivirus was designed and built before the ransomware epidemic. NGAV claims to defeat ransomware "better" than AV, but "the bad guys are still iterating far faster than the antivirus companies can keep up, next-generation or not."
What is Ransomware as a Service?
My organization has backup data, we should be ok. Right?
Due to the cost of backing up files, most organizations don't include their most important documents in their backups, and keeping the most up-to-date version backed up is impossible.
If my organization has already been hit with ransomware; Can we get hit again?
Ransomware exploits human and technical weaknesses to gain access to an organization's technical infrastructure in order to deny the organization access to its own data by encrypting that data, HHS stated. Chances are that if an organization has been hit with ransomware once, the infections will only increase unless the organization deploys a solution with post-infection protection.
What is the best defense against ransomware?

To prevent ransomware infections, invest in the best endpoint protection with an efficient endpoint security solution. The best ransomware protection provides two separate layers of endpoint protection. The first layer of defense is NGAV, or pre-infection protection, essentially used to clean up known security vulnerabilities and maintain better cyber hygiene. The second layer of defense operates post infection, similar to an EDR but in real time. This post-infection layer protects an organization from the malicious outbound activity that usually occurs during a data breach. It covers any suspected malicious activity that bypassed the pre-infection layer and is the last line of defense that allows a CISO to sleep better at night.