Blog :: Security Operations

2017: The Year of Ransomware


In the digital era we live in, almost everyone is aware of malware in one form or another. ‘Malware’ is an umbrella term that encompasses many different attack methods. This includes everything from the annoying pop up ads trying to sell you a product (adware), to more targeted attacks that capture a user’s input (spyware). But in the last 2-3 years, we’ve seen one attack method move to the front of the stage: ransomware.

Ransomware note

Rise of Ransomware

Ransomware’s popularity has risen steady since roughly 2014. Now it’s the most preferred and profitable attack method for cyber criminals to use. According to SonicWALL, their Global Intelligence Grid saw roughly 3.8 million ransomware attacks in 2015, a rise from the 3.2 million attacks in 2014. 2016 saw an astonishing 638 million ransomware attacks! That’s over 16,000% increase. Imagine if everyone in the U.S. was hit with ransomware, twice!

It’s no surprise, given the amount of success that cyber criminals have had turning a profit. The average ransom demand in 2016 was $679, more than double the average ransom of $294 in 2015. SonicWALL reports that nearly $209 million was paid in the first quarter of 2016 alone. With the increase in volume of attacks as well as the elevated ransom demands, no one is shocked by estimates from the FBI that put ransomware on track to be a $1 billion dollar source of income for cyber criminals annually.

Ransomware Variations

Due to the continued success of ransomware attacks, more and more ransomware variants are being released. According to Trend Micro, 50 new ransomware variants were discovered in the first 5 months of 2016 alone. The infographic below, provided by security company Symantec, shows the many ransomware variations uncovered between 2014 and 2016.

Symantec: Ransomware Variations

Among the new variants of ransomware, a growing concern for 2017 is Ransomware-as-a-service. This is exemplified in variants such as Spora. ‘Script-Kiddies’ can now sign up, create their own payload and simply agree to pay a 30% commission of all ransoms paid. To make things worse, Spora and other variants have the ability to encrypt files offline. As we saw with DDoS-as-a-service from groups like LizardSquad, giving this ability to the public is a very slippery slope. DDoS-as-a-service has gradually become the ‘new age’ fire alarm pranks for students. If Ransomware-as-a-Service follows the same path, school systems may be in a lot of trouble.

Ransomware Incident Response

With a majority of IT professionals surveyed stating they would never consider paying the ransom, and less than 50% of all ransomware victims ever fully recovering their data we need to turn our focus to post-incident response. Most IT professionals have accepted the sobering truth that attacks will happen and having a solid incident response protocol is more crucial than ever.

While backups are going to be our friend here (especially backups stored off-site), only 42% of surveyed professionals were able to fully recover their data from backups. This was most commonly due to incomplete backups either unmonitored or failed backups, a loss of accessible drives that also were encrypted or a loss of 1-24 hours of data from where the last incremental backup was taken.

We’re unable to fully rely on our backups, and of course we can’t trust the criminals to actually follow through on their ‘promise’ to decrypt our data. We have to be more proactive in protecting our data. In most cases this will mean training our end users to be more security conscious! According to an Osterman Research survey, users are twice as likely to be infected via phishing emails than by visiting an infected site.

Protecting Your Network

A colleague of mine wrote a great blog on helping to protect your corporate networks against ransomware here. Even with good security controls in place, having additional layers to help catch possible infections is a good best practice. Additional measures should include practices like limiting what file systems our end users have access to, and restricting end users to read-only access to file share.

Having complete visibility into your network traffic is almost standard practice today. Scrutinizer can provide users with the visibility they need to monitor all conversations taking place on their network. This provides security teams with the forensic data they need to analyze where the attack came in, and more importantly determine whether any other users communicated to the known bad host.

Of course, it never hurts to go the extra mile. Plixer offers a network probe that can help alert you to infected machines BEFORE they can communicate to a C2 server, allowing you to catch and prevent the infected machine from pulling down a payload that may encrypt you entire file share. It’s unrealistic to believe you can stop every attack before it happens. More realistic is being able to prevent additional damage and attribute the Who, What, and When. This way, if other affected machines were in communication with the same host, you can take immediate action.

I encourage every user to trial Plixer’s FlowPro Defender for free. This provides you with detailed layered-7 analysis of all of your DNS traffic and will immediately alert you when malware uses DNS for exfiltration or C2 communications.