Ransomware is an increasingly popular tactic used to steal data and disrupt a system’s operations. Essentially, ransomware is malware that attackers use to infect a device, hijack the files on that device and lock them via encryption. These maliciously encrypted files can no longer be accessed by users and are held hostage by the attacker until a ransom is paid.
Ransomware can infect a single user and then spread throughout the entire organization, knocking computers offline and forcing employees to use pen and paper while IT and SOC teams scramble to mitigate the infection.
A user can be infected in a variety of ways, such as actively installing the ransomware (say, when it appears as an innocuous program), opening a malicious file in an email (a phishing attack) or surfing to a compromised website (a drive-by-download attack).
While in certain scenarios the victim has to actively click on the malicious program, in most cases the infection is seamless to the user. Ransomware that is triggered should be blocked from encrypting data and from spreading laterally through an organization. See how enSilo detected and blocked Scarab ransomware activity and stopped the file encryption.
Ransomware creators are getting more creative with their tactics. Organizations spend thousands of dollars on cybersecurity awareness and education for their employees, yet it only takes one employee and one click to trigger ransomware that can take down an entire organization.
3 ways ransomware can spread:
- Implementing the lateral movement capability on their own.
- Using other Trojans that are considered “Stealers” by design.
- Finding vulnerabilities that allow them to propagate.
See how enSilo blocked Bad Rabbit ransomware from spreading via SMB with its Exfiltration Prevention policy. enSilo also blocked the encryption of files with its Ransomware Prevention policy.
The ransom can range from hundreds of dollars to hundreds of thousands, depending on the type of file and victim. Usually, the extortionists set a deadline for paying up and when that deadline is not met, a new deadline is set and the ransom rate increases.
The most advanced attacks can crawl across organizational networks and traverse file shares looking for data. What they find, they encrypt. Confused users have perfectly functioning computer systems, but no data. Or at least no data they can read.
Some ransomware encrypts files, while other ransomware locks out the user. After ransomware is triggered, a file appears as a pop-up, often with a friendly message from the attacker explaining exactly how the user can regain access to their files – and how much it’s going to cost them. "Of course, there’s no guarantee that even if a victim pays the demanded amount they will actually get access to their files again, which makes dealing with ransomware somewhat of a tricky issue."
Ransomware is a threat for every organization and very few organizations fail to implement disaster recovery planning. “A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).”
The WannaCry and Petya ransomware attacks were the top ransomware attacks, causing complete business disruptions across an array of industries, including critical infrastructure. NGAV and AV security products failed to protect against these attacks because they lacked a post-infection layer of protection. In addition to protecting against WannaCry and Petya, post-infection protection guards against many unknown variants, because it can detect malicious outbound connections that may occur after a threat bypasses a pre-infection protection barrier such as NGAV or AV.