August 2, 2016 | CyberArk Labs | Lauren Horaist
Reports of ransomware attacks continue to escalate, as we’ve explored in recent posts. The FBI reported that cyber criminals used ransomware to extort $209 million from enterprise organizations in the first three months of 2016 alone. This form of malware – designed to infect machines, encrypt as many files as possible and hold the decryption key for ransom until the victim submits the required payment – has skyrocketed in popularity in recent months for two key reasons:
- Many organizations fail to practice good hygiene when it comes to backup and recovery.
- Many organizations still rely on traditional anti-virus solutions, which are often not effective in blocking ransomware.
As part of an ongoing investigation, our CyberArk Labs team has tested more than 23,000 pieces of real-world ransomware to learn more about how it works and to identify alternative methods for mitigating the threat. As a result, they have identified a common prevention denominator across all tested ransomware instances to-date. This revelation, along with actionable recommendations for combatting ransomware attacks, can be found in the just-published report: “Analyzing Ransomware and Potential Mitigation Strategies.”
Five high-level findings detailed in the report:
- Ransomware is Evolving by the Hour: Unlike traditional malware, which is frequently reused across a wide range of targets, ransomware strains are typically mutated for each new victim. Traditional anti-virus solutions that rely on blacklists are typically ineffective in preventing ransomware because they simply can’t keep up with the thousands of new samples produced each day. To effectively protect against ransomware risks, organizations can’t just protect against known malware; they also need to protect against unknown malicious applications.
- A Common Path to Encryption: The team observed what actions were executed by different ransomware samples, and learned the samples across different families all followed similar subsequent processes. Typically, the malware first attempted to communicate back to an attacker-managed key server, which held the unique public key used to encrypt files on the machine. Second, the ransomware began to scan the infected machines to locate specific files types. Third, upon locating the files, the ransomware began the encryption process, while working to maximize the number of impacted machines.
- Ransom Payment Method of Choice: To receive the key needed to decrypt the impacted files, users were required to submit payment – the ransom – to the attackers. Payment was typically demanded in Bitcoin, and for Bitcoin novices, some attackers went so far as to set up “help desks” to help victims purchase Bitcoin and complete the funds transfer.
- Ransomware Seeks Admin Rights: In 70 percent of tested cases, ransomware attempted to gain local administrator rights once activated. But interestingly, only 10 percent of the tested files failed if these rights could not be attained. This shows that even though the removal of local administrator rights from standard users is a best practice and certainly could have prevented some of the ransomware, this measure must be layered with application control to reliably protect against file encryption.
- A Common Denominator: Testing by CyberArk Labs demonstrated that a highly effective way to mitigate the risk of ransomware attacks is to prevent unknown applications, including unknown ransomware, from gaining the read, write and edit permissions needed to encrypt files. When tested by CyberArk Labs, a combined approach of removing local admin rights and application control, including greylisting, which restricts read, write and modify permissions from unknown applications was 100 percent effective in preventing ransomware from encrypting files.
The full research report explores a number of techniques used to mitigate the risk of ransomware, outlining the pros and cons of each. Based on this extensive research, the Labs team also presents an alternative, proactive approach that to application control that, when combined with least privilege controls, can enable organizations to better protect themselves from both known and unknown threats. To learn more, download the free research report here.