Disturbingly, a recent survey by Citrix suggested that many UK firms are now quietly stockpiling Bitcoins to cope with a ransomware attack. This was especially pronounced in medium-to-large firms.
Why do organisations choose to pay ransoms?
As far as organisations are concerned, it is not because they don't have backups but because the time and cost of reinstating data, including on servers, is simply far greater than the cost of the ransom. The ransomware authors know this and set their demands below this cost. It could also be the case that firms fear that merely ransoming encrypted data could soon merge with data breaches in which criminals threaten to reveal 'hostage' data.
Ransomware explained - how digital extortion turns data into a silent hostage - can ransomware be stopped?
As with most forms of malware, there doesn't seem to be any fool-proof defence although the Windows PC is clearly a major vulnerability - other platforms are far less likely to be attacked for a variety of reasons. All the same, security vendors have belatedly engineered their technology to cope with ransomware using a number of techniques.
The simplest method is to improve detection and blocking at client level, in the manner of an endpoint security product. Many now claim to do this. The second approach is to build detection directly into network infrastructure, for example advanced firewalls. The third method is to build some kind of correlation engine into a specialised appliance that feeds into a reporting console or SIEM. Most organisations will consider all three at the same time.
Security startup Vectra Networks offered Computerworld UK an example of how the correlation of multiple anomalies can be used to spot ransomware which we describe purely for illustration of the principle. The following attack sequence from the common and aggressive Locky ransomware was recorded recently inside an unnamed US healthcare provider.
01: After a single PC was infected via an unspecified phishing attack, network detection triggered the first anomaly when the security layer noticed a connection to an unusual domain.
16: Infected PC started scanning the network on port 445, used for file sharing and printers. The malware is looking for secondary targets.
11:53: Ransomware starts polling non-existent IP address range after starting to encrypt a file share. Vectra detection engine pinpoints infected PC and affected share.
12:30: PC is confirmed to have been pulled from the network and re-imaged.
Total time between infection starting and first remediation: 52 minutes.
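To show the correlation principle in the sequence above in working form, here is an added Python example (not Vectra's engine, and not code from the original article). It assumes a flow log of DNS lookups and TCP connection attempts, an allowlist of expected domains, a known unallocated internal range, and a scan threshold; the flow records are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): an allowlist of expected external domains,
# internal ranges that are unallocated ("dark"), and how many distinct hosts
# contacted on port 445 counts as a scan.
EXPECTED_DOMAINS = {"update.microsoft.com", "fileserver.corp"}
DARK_RANGES = [ipaddress.ip_network("10.9.0.0/16")]
SMB_SCAN_THRESHOLD = 20

# Constructed flow records: (src_host, dst, dst_port, kind); kind is "dns" for a
# name lookup of dst, "tcp" for a connection attempt to the IP address dst.
FLOWS = (
    [("pc-17", "update.microsoft.com", 443, "dns"),
     ("pc-17", "xk3p9qz.top", 80, "dns")]                          # unusual domain
    + [("pc-17", f"10.0.1.{i}", 445, "tcp") for i in range(1, 31)]  # SMB sweep
    + [("pc-17", f"10.9.{i}.1", 445, "tcp") for i in range(1, 16)]  # non-existent IPs
    + [("pc-04", "10.0.1.5", 445, "tcp")]                           # normal share use
)

def anomalies_per_host(flows):
    """Run the individual detectors and return {host: set of anomaly names}."""
    found = defaultdict(set)
    smb_targets = defaultdict(set)
    for host, dst, port, kind in flows:
        if kind == "dns" and dst not in EXPECTED_DOMAINS:
            found[host].add("unusual-domain")
        if kind == "tcp" and port == 445:
            smb_targets[host].add(dst)
            if any(ipaddress.ip_address(dst) in net for net in DARK_RANGES):
                found[host].add("dark-ip-polling")
    for host, targets in smb_targets.items():
        if len(targets) >= SMB_SCAN_THRESHOLD:
            found[host].add("smb-scan")
    return dict(found)

def correlate(flows, min_anomalies=2):
    """Flag a host only when several independent anomalies coincide on it;
    a single one (one odd DNS lookup, say) stays a low-priority note."""
    return {h: sorted(a) for h, a in anomalies_per_host(flows).items()
            if len(a) >= min_anomalies}

if __name__ == "__main__":
    for host, names in correlate(FLOWS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

With the constructed flows, only pc-17 is flagged, on all three anomalies; pc-04's single share connection produces nothing.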
"The detection of the malware doing its stuff was detected through three different machine learning algorithms. We have deliberately focused on new machine learning strategies," Vectra's Gunter Ollmann told Computerworld UK.