Ah, Ransomware. One of the newest and most insidious forms of attack your network can fall victim to.
Ransomware is a particularly nasty program which, rather than destroying your network and files, simply encrypts them and holds them hostage. A ransom demand is then displayed across the affected systems, promising to provide you with the key for decrypting the files in exchange for a payment. To take the drama to network TV levels (think NCIS), a time limit is often added to increase the psychological stress on the victim and make them more likely to pay rather than lose their files permanently.
One reason this kind of attack is so difficult to prevent is that the old antivirus methods are useless when it comes to ransomware. Antivirus programs detect known malicious code patterns (signatures), which can only be written after a sample has been discovered, making them reactive in nature. They can only work against known malware. But these ransomware programs are often custom made and used for a short period of time, meaning that the antivirus companies can’t keep up with them.
In past posts, I’ve discussed the need for people and organizations (particularly medical centers and hospitals) to back up their data, as a way to give a satisfying one-finger salute to anyone who attempts to hijack your data. This is important, but it does not solve the problem, as the downtime necessary to switch to a backup system can be just as costly as the ransom you would pay, if not more so.
It seems as though the antivirus companies may be adapting their products to help mitigate risks from this new threat. A recent piece on TechCrunch profiles a new approach called behavioral analysis, which, instead of trying to identify the threat by its specific signature or code, looks at what kinds of activities are going on in the system. For example, the article cites experts who point out that many ransomware programs do some of the same things when they gain access to a network, such as deleting Windows Shadow Backups or disabling the Startup Repair utilities. Antivirus software built on this approach would monitor those specific components for changes that could signify the presence of ransomware.
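The precursor behaviours the article names, shadow copy deletion and disabling Startup Repair, can be spotted in process-creation telemetry before encryption begins. The Python below is an added example, not code from the article or from the product it profiles; the pipe-delimited log format and every record in it are constructed for illustration.

```python
from __future__ import annotations
import re
from datetime import datetime
from typing import NamedTuple

# Constructed sample process-creation records ("time|user|command line"),
# loosely modelled on Sysmon process-create events. Not real telemetry.
SAMPLE_LOG = """\
2016-04-12T09:01:10|CORP\\jsmith|"C:\\Windows\\System32\\vssadmin.exe" list shadows
2016-04-12T09:01:11|CORP\\jsmith|"C:\\Windows\\System32\\bcdedit.exe" /enum
2016-04-12T09:03:42|CORP\\jsmith|"C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet
2016-04-12T09:03:43|CORP\\jsmith|"C:\\Windows\\System32\\wbadmin.exe" delete catalog -quiet
2016-04-12T09:03:44|CORP\\jsmith|"C:\\Windows\\System32\\bcdedit.exe" /set {default} recoveryenabled No
2016-04-12T09:03:45|CORP\\jsmith|"C:\\Windows\\System32\\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
2016-04-12T09:05:00|NT AUTHORITY\\SYSTEM|"C:\\Windows\\System32\\svchost.exe" -k netsvcs
"""

# Behaviours to flag, matched on the command line (case-insensitive) so that
# binary path, quoting and flag order do not matter. Read-only use of the same
# tools (list, /enum) deliberately does not match.
PRECURSOR_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\b.*\bdelete\s+shadows|wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

class Alert(NamedTuple):
    time: str
    user: str
    behaviour: str
    command: str

def detect_precursors(log_text: str) -> list[Alert]:
    """Return one Alert for each record whose command line matches a precursor pattern."""
    alerts: list[Alert] = []
    for line in filter(str.strip, log_text.splitlines()):
        time, user, command = line.split("|", 2)
        for behaviour, pattern in PRECURSOR_PATTERNS.items():
            if pattern.search(command):
                alerts.append(Alert(time, user, behaviour, command))
                break  # one label per record is enough
    return alerts

def high_confidence_users(alerts: list[Alert], window_seconds: int = 120, min_behaviours: int = 2) -> set[str]:
    """A single shadow copy deletion can be legitimate maintenance; several distinct
    precursor behaviours from one user inside a short window is a far stronger signal."""
    first_seen: dict[str, datetime] = {}
    seen: dict[str, set[str]] = {}
    for a in alerts:
        t = datetime.fromisoformat(a.time)
        if (t - first_seen.setdefault(a.user, t)).total_seconds() <= window_seconds:
            seen.setdefault(a.user, set()).add(a.behaviour)
    return {user for user, behaviours in seen.items() if len(behaviours) >= min_behaviours}
```

Running `high_confidence_users(detect_precursors(SAMPLE_LOG))` flags the one user who deleted shadow copies, wiped the backup catalog and disabled recovery within seconds of each other, while the earlier read-only `list` and `/enum` commands produce no alert.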
Another new method takes advantage of something ransomware does to bypass most antivirus software: remain dormant. When antivirus programs or Intrusion Prevention Systems (IPS) are scanning the network, ransomware is programmed to hide and remain in a dormant state to avoid detection. But if you can trick the ransomware into thinking that the IPS or antivirus is always running, the ransomware would always remain in a dormant state, unable to activate and cause any damage.
These new methods look very promising, but as the old saying goes, an ounce of prevention is worth a pound of cure. Since many of these ransomware programs are unleashed on a network either via compromised websites or by your own staff clicking a link in an e-mail, the behavior-based approach needs to extend to your users as well. Limiting the websites people can access, using a secure mail filtering program and training your staff on the importance of not clicking links or downloading software, even if it appears to come from the IT Department, are all necessary components of a strong cybersecurity program.