This past year, ransomware has extorted vast sums of money from enterprises. Ransomware is a form of malware that encrypts data and then demands a ransom payment to decrypt it. The most common ransomware encrypts files likely to contain work product, cherished memories, or user-created content such as documents, spreadsheets, source code, pictures, music, and videos. Such files are of high importance to users. Other ransomware encrypts entire hard drives or targets database files for Oracle, MySQL, Microsoft SQL Server and email databases.
The results have been disastrous for companies without backups. Those companies had to cope with lost data or pay the ransom, and not all companies that paid received their data back. Even those with backups were affected, albeit to a lesser extent, by the time and effort spent restoring systems and eradicating the ransomware. Ransomware by its nature cannot be ignored: it hits home, it hits our pocketbook, and its impact is wide-reaching.
Fortunately, there are some advanced technologies available to prevent ransomware from infecting your business. I had the pleasure of interviewing Liviu Arsene (@LiviuArsene), Senior E-Threat Analyst at Bitdefender, on ransomware and he had some great insights.
Vanderburg: How do you differentiate ransomware from other malware?
Arsene: If other malware’s purpose is to covertly collect and broadcast sensitive data from a victim’s computer, ransomware is all about restricting access to that data and demanding payment to restore access to it. Ransomware is a strictly financial type of malware with a huge conversion rate, causing hundreds of millions – potentially close to one billion – dollars in financial losses. Another difference is that while other malware may try to elevate its privileges in order to gain persistency on a victim’s computer, ransomware is all about encrypting specific files or databases with little regard about persistency. Ransomware’s goal is simple, to the point, and strictly financially driven.
Vanderburg: How is ransomware currently circumventing security controls?
Arsene: While the actual payload that starts the file-encrypting process is relatively simple to detect, ransomware comes packed in various layers that shield the malicious payload. Using highly obfuscated packers that alter the original binary’s data and then restore it (more or less) before execution, their goal is to compress the file-encrypting payload to the point where a traditional security solution won’t be able to recognize the malicious code.
Ransomware developers also employ polymorphism techniques for altering the malicious code for each infected victim, but keeping the original function (its semantics) the same. This way, the malicious code will always look different, but it will perform the same – file encrypting – functions.
Vanderburg: How does Bitdefender detect and eradicate ransomware before it begins encryption?
Arsene: Machine learning is a really powerful tool in Bitdefender’s arsenal for fighting ransomware. We’ve been relying on patented machine learning algorithms since 2009 to identify new and unknown threats. Properly training them to accurately identify even unknown ransomware samples was only natural, as traditional security mechanisms cannot cope with the new techniques employed by cybercriminals. Reverse engineering is also important, as by analyzing ransomware samples, security researchers are able to either reverse engineer encryption algorithms and provide decryption keys to victims, or create generic heuristics capable of even identifying unknown malware that belongs to the same family.
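The two answers above make a pair of points worth seeing side by side: a byte-level signature misses a payload whose bytes have been altered even slightly (packing, polymorphism), while a generic heuristic keyed on what the code does (many high-entropy file writes in a short window) is indifferent to the bytes. The following is an added illustration, not Bitdefender's code or any real detection engine; every payload, file path and event in it is constructed, and the thresholds are assumptions chosen for the toy data.

```python
"""Signature matching versus a behavioural anti-ransomware heuristic (toy).

Added example, not code from the interview or from Bitdefender. The "signature"
is a SHA-256 of a constructed stand-in payload; the heuristic scores a stream of
constructed file-write events by the Shannon entropy of the written data and
the number of such writes per process within a sliding time window.
"""
import hashlib
import math
from collections import Counter, defaultdict

# --- Traditional signature: exact hash of a known-bad sample (constructed) ---
KNOWN_BAD_PAYLOAD = b"encrypt_all_documents()"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """True only if the sample's hash is already in the signature set."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def trivially_altered_copy(payload: bytes, build: int) -> bytes:
    """Stand-in for a repacked/polymorphic variant: identical logic, different bytes.
    (Constructed: a real packer rewrites far more than a trailing comment.)"""
    return payload + b"  # build " + str(build).encode()


# --- Behavioural heuristic: entropy of written data + write rate per process ---
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext/compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window=10.0, min_writes=5, entropy_threshold=7.0):
    """Return the set of process names that wrote at least `min_writes`
    high-entropy files within any `window` seconds (sliding window).

    events: iterable of (timestamp_seconds, process_name, path, written_bytes).
    The rate condition is what keeps legitimate high-entropy writers
    (backup and archive tools) from being flagged on a single file.
    """
    high_entropy_writes = defaultdict(list)
    for ts, proc, _path, data in events:
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy_writes[proc].append(ts)

    flagged = set()
    for proc, times in high_entropy_writes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_writes:
                flagged.add(proc)
                break
    return flagged


# --- Constructed sample data ---
def _high_entropy_blob(tag: str) -> bytes:
    """1 KiB of digest output, standing in for ciphertext (constructed)."""
    return b"".join(hashlib.sha256(f"{tag}:{j}".encode()).digest() for j in range(32))


TEXT_SAMPLE = b"Quarterly report: revenue grew 4% while costs fell.\n" * 20

EVENTS = (
    # An editor saving plain documents: low entropy, never counted.
    [(1.0 + i, "winword.exe", f"C:/Users/alice/report{i}.docx", TEXT_SAMPLE) for i in range(3)]
    # A backup agent writing archives: high entropy but two writes 100 s apart.
    + [(0.0, "backup-agent.exe", "D:/backup/2016-01.zip", _high_entropy_blob("zip1")),
       (100.0, "backup-agent.exe", "D:/backup/2016-02.zip", _high_entropy_blob("zip2"))]
    # A process rewriting eight user files as high-entropy data within 8 s.
    + [(50.0 + i, "suspicious.exe", f"C:/Users/alice/file{i}.docx.locked",
        _high_entropy_blob(f"enc{i}")) for i in range(8)]
)

if __name__ == "__main__":
    print("signature hits original:", signature_match(KNOWN_BAD_PAYLOAD))
    print("signature hits altered :", signature_match(trivially_altered_copy(KNOWN_BAD_PAYLOAD, 2)))
    print("text entropy           :", round(shannon_entropy(TEXT_SAMPLE), 2))
    print("blob entropy           :", round(shannon_entropy(_high_entropy_blob("x")), 2))
    print("flagged processes      :", detect_mass_encryption(EVENTS))
```

The point of the two-condition heuristic is the false-positive side: compression and backup tools also emit high-entropy output, so entropy alone is a poor signal, and the window/rate requirement is what separates "one archive written" from "the user's document tree being rewritten". A production engine would add further signals (extension changes, canary files, process ancestry), but the structure is the same: score behaviour, not bytes.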
Vanderburg: Where do enterprises need to focus to combat the ransomware threat?
Arsene: Ransomware has become a nuisance for enterprises because cybercriminals have figured out that organizations have much more to lose if their data is lost than the average user. Consequently, an organization would be willing to pay a great deal more than $300 to regain access to its data. Considering that two healthcare institutions (Hollywood Presbyterian and MedStar Health) have admitted to paying $17,000 and $18,000, respectively, to get the decryption key to their ransomware-encrypted files, it’s safe to say that cybercriminals have made a lot of money just by infecting two victims.
To that end, organizations need to focus on making sure that critical data is constantly backed up offsite or in a segregated network, that security and email-filtering solutions are deployed across the entire organization, and that employees are trained to spot phishing emails with malicious attachments. The weakest link in the security chain is usually the individual behind the computer, so it’s vital they’re not tricked into executing malicious attachments or downloading ransomware-infected applications from untrusted websites.
Vanderburg: What is Bitdefender doing to protect against tomorrow’s threats?
Arsene: Bitdefender has been employing anti-ransomware technologies, such as machine learning and ransomware-specific heuristics, for accurately identifying new and even unknown ransomware. We’ve even developed an anti-ransomware vaccine, whose purpose is to immunize computers from known ransomware families and prevent infection from similarly-behaving ransomware.
As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.