Why Do We Keep Talking About Ransomware?

Ransomware has been around since 1989, yet the security industry has a history of ineffective responses to attacks, making it the most common and successful kind of attack. They impact businesses of all sizes! Take a look at the estimated global costs each year: a whopping $10 billion! Not to mention the first six months of 2018 alone saw 180 million reported ransomware attacks.

For a malware that has been around so long, it’s definitely frustrating to know that it still prevails and beats the most modern solutions available. Many ransomware developers use psychology to trick users into responding to requests from colleagues or donating Bitcoins to children’s charity – but what about the other variations? Why do our solutions fail at preventing these attacks in the first place? Well, first we need to understand how this kind of malware functions before we can analyze our approaches.

The Encryption Process:

1. First, ransomware locates files to encrypt, like MS Office documents or photos.
2. Then, the malware encrypts that data in memory and destroys the original. It may also save the encrypted data into a new file before deleting the original.
3. Sometimes, the encrypted data is written into the original file making it difficult to tell between encrypted files and those that haven’t been encrypted.
4. After the encryption process is complete, the ransomware note is displayed to the user.

Now, we should discuss how the five top methods the security industry typically uses and why they aren’t consistent enough to protect users from attacks.

Five Methods and Why They Fail:

1. Static file analysis – nearly half of attacks still go undetected by next-gen antivirus solutions.
2. Relying on a blacklist of file extensions ransomware typically uses in encrypted files – too easy to bypass, developers just create new extensions.
3. “Honey pot files” for attackers to go after and change – other files might get attacked before these do.
4. Monitoring for mass rename, write, or delete operations then terminating the offense – some files still get encrypted until a threshold is met.
5. Tracking file data change rate, and after the threshold is met, the attack is terminated – not all damage is blocked before the threshold is met.

Organizations often use a combination of these methods, which in theory would be more effective. However, there are examples of ransomware that still bypass these solutions. You might even be familiar with some of them.

Famous Ransomware:

1. CryptoMix used a deceptive approach by claiming to be from a charity organization to increase the odds that users pay the ransom.
2. LockerGoga cost Norsk Hydro facilities $40 million by using multiple processes for file encryption to bypass their “next-gen” antivirus product
3. Chimera captures sensitive data and releases it onto the Internet if the user doesn’t pay
4. WannaCry impacted 150 countries and cost $4 billion in losses but was completely preventable! Companies failed at staying up to date with their operating systems and the latest patches. Although MS released the latest patch against the vulnerability two months prior to the attack, organizations failed to update their systems and paid the price.

Now that you understand how ransomware works, why it continues to prevail after years of being around, and why companies still get impacted by this malware despite having an IT team and the latest antivirus in place:

1. Stay up to date with all patches and OS updates!
2. Implement a backup and disaster recovery strategy, not just for your servers, but for your endpoints to protect your company’s IPs.
3. Complement your security layers with approaches that whitelist (track the good, not just the bad) as a last line of defense in case ransomware does evade your antivirus
4. Educate your employees by investing in security awareness training – often times, the vulnerability might occur due to your own employees’ negligence
5. Consult with security professionals who stay ahead of malware trends and can offer an assessment of your current network and what you can do to protect it further.

Is your business prepared to deal with Ransomware and zero-day attacks?

Contact us today at (407) 995-6766 to learn more about our Next-Generation Endpoint Protection Platform with Ransomware Rollback, which is driven by machine learning, intelligent automation, and backed by our 24/7 Security Operations Center (SOC). Not only does our solution defend every endpoint against all types of attacks and at every stage in the threat life cycle, but it also comes with a vendor-warranty of up to $1,000 per endpoint or up to 1 Million Dollars per organization if the solution ever fails to protect against Ransomware!

Concerned about the security status of your business IT network? We can help… Call us to schedule a FREE Cybersecurity Consultation.

Aurora InfoTech is an Orlando-based premier managed services provider specializing in both network security and information technology. Give us a call today at (407) 995-6766 to discuss your network security concerns and to learn how we can you secure your business IT network.

Want more Tech Tips & Security Strategies? Sign-up for our Free Cyber Security Tip of the Week email to always stay one step ahead of hackers and cyber-attacks.