Of all the money-making schemes hackers employ, the most prevalent is perhaps ransomware, a malware that is usually delivered through infected email attachments and hacked websites or websites featuring ads. Ransomware encrypts files on a user’s computer and renders them unusable until the victim ransoms the key for a specific amount of money.
Cybercriminals are making millions of dollars from ransomware. According to forecasts and assessments made by experts, the threat of ransomware will continue to rise in the months and years to come. Recently, several organizations were badly hit by ransomware, including a police department in Massachusetts, a church in Oregon, schools in South Carolina schools and several medical centers in California and Kentucky, one of which ended up paying the attackers 40 bitcoins (approximately $17,000).
Attacks on individuals seldom make the headlines, but in 2015 alone, the FBI received some 2,500 complaints related to ransomware attacks, which amounted to approximately $24 million in losses to the victims.
Technologies such as modern encryption, the TOR network and digital currencies like bitcoin are contributing to the rising success of ransomware, enabling hackers to stage attacks with more efficiency while hiding their trace.
In many cases, victims are left with no other choice than to pay the attackers, and even the FBI often advises victims to pay the ransom as the only recourse. Traditional methods and tools no longer suffice to deal with the fast-evolving landscape of ransomware viruses, and new approaches are needed to detect and counter its devastating effects.
The problem with traditional security solutions
Most security practices rely largely on regularly updating your operating system, software and antivirus tools, which are effective to protect yourself against known ransomware viruses — but are of no use against its unknown variants.
The other safeguard against ransomware is to keep offline backups of your files, which will enable you to restore your hostage files without paying the crooks. This is a very effective method, but for many organizations, the downtime of a ransomware attack is more damaging than the ransom itself, which warrants the need for methods that can help avoid ransomware altogether.
Prevention through behavior analysis
The high success rates of ransomware attacks are directly attributed to the shortcomings of antivirus software that rely on static, signature-based methods to detect ransomware. With several variants of ransomware being developed on a daily basis, there’s simply no way signature-based defenses can keep up. Udi Shamir, Chief Security Officer at cybersecurity firm Sentinel One, explains, “With minor modifications a cybercriminal can take a well-known form of ransomware like CryptoLocker, and make it completely unknown and undetectable to antivirus software.”
Cybercriminals are making millions of dollars from ransomware.
Experts agree that fighting ransomware needs a new approach, one that should be based on behavior analysis rather than signature comparison. “Behavior-based detection mechanisms are now playing a key role in detecting and preventing ransomware-based attacks,” Shamir says. “While there may be many ransomware variants in the wild, they all share a common set of traits that can be detected during execution.”
Most ransomware can be detected through a set of shared behavioral characteristics. Attempts at deleting Windows Shadow Copies, disabling Startup Repair or stopping services such as WinDefend and BITS are telltale signs of ransomware work. “Each of these actions are behaviors that, if detected, translate into a ransomware attack,” Shamir explains.
This is the general idea behind some of the newer security tools — instead of making signature-based comparisons, processes are scrutinized based on their behavior and blocked if found to be carrying out malicious activity. “Once detected, any malicious processes are killed instantly, malicious files are quarantined, and endpoints are removed from the network to prevent any further spread,” Shamir says.
Aside from Sentinel One, other big players such as TrendMicro, Cisco and Kaspersky Labs are also offering behavior-based security tools.
“These new ‘next-generation’ endpoint protection solutions have proven to be effective against all variants of ransomware,” Shamir says.
Prevention without detection
One of the methods ransomware developers use to evade detection is to force their tool to remain in a dormant state while it is under examination by security tools. This enables new variants of the virus to get past antiviruses and even some behavioral-based security solutions without being discovered. Once out of the sandbox, the ransomware is in the ideal environment to unpack its malicious payload and deal its full damage.
The workaround to this technique, as discovered by an Israeli cybersecurity startup, is to trick the ransomware that it is always in the sandbox environment, which will convince it to remain in the “sleeping” state and never wake up to deploy itself.
Minerva Labs, which came out of stealth this January, presented a solution that uses the ransomware’s own evasion techniques against it. “We figured that in order to fight malware, we have to think like the hackers that develop it,” says Eddy Bobritsky, CEO of Minerva Labs.
Traditional methods and tools no longer suffice to deal with the fast-evolving landscape of ransomware viruses.
Minerva has introduced the concept of a low footprint endpoint protection platform that “prevents targeted attacks as well as ransomware before any damage has been done, without the need to detect them first or to have prior knowledge,” Bobritsky explains.
By simulating the constant presence of different sophisticated cybersecurity tools, such as Intrusion Prevention Systems (IPS), the ransomware becomes trapped in a loop that prevents it from knowing where it is. The malware cannot differentiate between the simulated environment and real security environment that it tries to evade, and thus it stays inactive, “waiting for conditions that will never materialize,” Bobritsky says.
Prevention through a multi-pronged approach
“Per se, new products, tools or technology and processes may not solve the challenges individuals or organizations face when infected with ransomware,” says Jens Monrad, consulting system engineer at security firm FireEye. “Above all we need a fundamentally new way of thinking about cyberattacks.”
Monrad suggests the Adaptive Defense model, which instead of focusing on total prevention recognizes that some ransomware attacks will get through and aims at reducing the time to detect and resolve threats.
“In the adaptive model, security teams have the tools, intelligence, and expertise to detect, prevent, analyze, and resolve ever-evolving tactics used by advanced attackers,” Monrad explains.
Adaptive defense should encompass three core interconnected areas of technology, intelligence and expertise, which, according to Monrad, are fundamental for enterprises, governments and organizations that want to develop their capabilities to minimize the time it takes to discover a threat and recover from it.
At the technology level, Monrad proposes the use of sophisticated security tools. “Simple sandbox solutions aren’t enough though,” he explains, “because in many cases a piece of malicious code and an attack can happen over multiple stages, which makes detection and prevention more challenging, if your sandbox is just relying on a single object.”
This includes viruses that download and execute their malicious payload after getting past the sandbox. That’s why sandboxing should occur at the network level, Monrad argues, where you can “focus on the entire stream of packets, in order to analyze what is happening, in a similar way, as normal users are exposed to the code when they browse the Internet, click on a link in an email or open an attached file.”
At the intelligence level, “data should be gathered and shared across many endpoints and should be managed by a dedicated research team that knows attackers and how they operate,” Monrad says. The right solution should “provide intelligence before a ransomware attack happens, while it is happening and also explain why it did happen,” he says.
The expertise discipline includes experience in responding to data breaches, unique insight into how attacks are happening and knowledge on what sort of operational methods attackers employ in order to carry out successful attacks.