Ransomware is not going away: Prepare or pay up

In case you’ve been fortunate enough to avoid it, Ransomware is a security plague that encrypts victims’ files, requiring a complex and expensive payment to free those files.  There is no denying that ransomware schemes have become one of the most popular means of criminal revenue generation.

The reason ransomware and related threats are becoming more common is for one simple reason: they work and they are very financially lucrative.  An effective ransomware peddler can rake in as much as US$25,000 per day, by some estimates.  They operate from overseas locations that provide adequate protection via organized crime and corrupt government channels, so the risk to the operators is extremely low.

That harsh realization leads to the reasonable question of how many ransomware threats are out there.  However, that’s a very difficult number to nail down with any degree of accuracy.  There are a few main variants of ransomware (CryptoWall/Cryptolocker being the most prolific), but these core capabilities are often “resold” to numerous actors, who customize the malware to their own liking and requirements.  Additionally, reseller hierarchies are very well established and run in a startlingly corporate-like manner.  Based on the effectiveness of these operations and availability of the fundamental ransomware technology, the number of ransomware variants and infection events will certainly continue to increase.  Quite simply, this business model works, so more criminal actors will start using it.

Sadly, the notion of “preventing” ransomware is not technically feasible – the primary infection vectors are humans using the web and opening email attachments…  With dedicated human adversaries, preventing ransomware at any realistic scale is a difficult task.  In fact, most variants don’t even require administrative access to run – they simply encrypt and hold all of the unwitting user’s files for ransom.  Perhaps the best prevention method would be to implement application whitelisting to stop execution of any unknown binary.  While this method is extremely effective, we have found that many organizations lack the expertise and resources to implement application whitelisting correctly. 

Practical defense against ransomware for organizations of any size or sophistication centers around two concepts: detect infection events faster, and prepare to recover from them.

To detect them faster, we need to turn away from traditional non-solutions like Antivirus, which some studies have shown provide as little as 20% effectiveness.  Instead, we must look to the next generation of endpoint-based solutions that hamper typical ransomware’s execution via advanced technology, but that also use human analysts to vet and validate events.  The name of the game is to detect quickly so victims can quickly recover their data from backups without severely impacting business operations.

By that note, data recovery is something that every user must plan for.  Ransomware simply won’t hinder anyone that has good and current backups of their data.  (Note that these backups must be independent of on-system solutions such as Volume Shadow copies, which any major ransomware deletes upon detonation.)  Current, tested backups and a clear plan on how to recover from data loss will completely thwart the perpetrators’  business plans as you will have no issue disregarding the ransom and just re-imaging your machine (you might even feel a tinge of happiness that you were so well prepared that the criminals are not getting a cent from you).

As a last resort, if you become compromised with ransomware and don’t have backups, just pay the fee.  You simply can’t “break into” a system held hostage by well-implemented ransomware, so paying fast will get your data back with minimal cost and disruption. 

As anyone who has suffered an incident like this will tell you, it is really frustrating to deal with – both in terms of the potential data loss itself and the virtual sucker-punch you feel from a perpetrator that’s going to be successful in their shake-down.  However, if you prepare for action and monitor your endpoints, you can drastically slash the financial, business, and psychological impact from the continuing trend of ransomware schemes.