Just as you (hopefully) always keep your doors locked at home, you likely also have your business locked down tightly with a number of security solutions. You have a network firewall with anti-virus and IPS (Intrusion Prevention System) running on it, your servers are secured, and all your endpoints are protected with anti-virus software. Yet John from accounting just opened up an attachment from an email titled “overdue invoice” and infected his desktop with ransomware, not only encrypting all his local data but potentially infecting your entire network.
Thankfully you disconnected him before it spread.
Still, you’ve invested tens of thousands of dollars in security solutions and yet these ransomware attacks are still managing to get in and hold your user data hostage. What are these new kinds of security threats doing differently that allow them to get past your locked doors and into your house? Moreover, how do you stop them?
Mighty Morphing Malware
Today’s normal security software detects “traditional” malware in a variety of ways, one being a signature database of known threats that is updated whenever new threats are discovered; a file is flagged when it matches one of these signatures. Of course, this doesn’t protect against new, unknown threats. To detect these zero-day exploits, standard security software falls back on heuristic analysis to evaluate whether a file contains malware.
Even though this technique has been successful in catching many emerging threats, malware is becoming increasingly sophisticated and evasive, and ransomware attacks are the most sophisticated yet. Modern malware can evolve in almost real-time, using server-side “malware factories” to morph the ransomware payload to generate unique hashes that can defeat signature-based and even heuristic security solutions.
Convincing and Surprisingly Relevant
We’ve long had to deal with phishing emails: messages masquerading as legitimate communications that entice you to click a link leading to malware, or to hand over personal information that can be used for identity theft. However, over the years end users have been educated enough, and the content of those emails stands out enough, that in most cases this kind of security threat is easy to recognize. Current anti-spam security solutions are also able to catch and filter out these emails.
However, cybercriminals have moved on from phishing and identity theft. Ransomware is the new easy money for them and the emails they send out are good enough that they can easily fool the careless user. The content often looks legitimate, is well-written and very convincing. The ransomware payload is usually contained in an attachment like a Word doc or PDF (though sometimes it can be a web link) and the email gets users to open it with calls to action like “overdue invoice attached,” or “wedding invitation attached.”
Another important aspect is that cybercriminals are following email marketing strategies, sending out their ransomware messages almost like campaigns that come in waves. So even if a user deletes one threat, a similarly convincing email, perhaps with a different subject or from a different sender, will arrive the following day. Because the emails look legitimate, it is very hard for traditional security solutions to detect them. Without investing in some kind of next-generation solution that can combat ransomware, you have to hold delivery of all attachments to your users’ inboxes and analyze them for threats in a sandbox environment before releasing them.
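The two detection layers described above (hash signatures defeated by morphing, heuristics that still fire) and the hold-and-sandbox gate can be modelled in a few lines. This is an added illustration, not code from the original post or from any product it mentions; the payload, the hash database, the heuristic weights and the threshold are all constructed for the example.

```python
import hashlib
import re

# Constructed sample: a pretend macro-bearing document as it left the "malware factory".
# The macro body is a placeholder; only the auto-run marker matters to the heuristic.
ORIGINAL_PAYLOAD = b"%DOCHEADER%\nSub AutoOpen()\n  ' placeholder body\nEnd Sub\n"

# Signature database: the hash of the sample as first seen by the vendor (constructed).
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_PAYLOAD).hexdigest()}

def morph(payload: bytes, variant: int) -> bytes:
    """Model the server-side factory: the working macro is untouched, only a
    junk trailer differs, so every copy sent out carries a unique hash."""
    return payload + b"' junk %d\n" % variant

def signature_hit(data: bytes) -> bool:
    """Signature layer: exact hash lookup. Misses every morphed variant."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES

# Heuristic layer: indicators that survive morphing because the behaviour must survive.
MACRO_AUTORUN = re.compile(rb"Sub\s+(AutoOpen|Auto_Open|Document_Open)\s*\(", re.I)
LURE_SUBJECT = re.compile(r"\b(overdue|invoice|invitation)\b", re.I)
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".pdf", ".zip", ".js")

def heuristic_score(filename: str, subject: str, data: bytes) -> int:
    """Weighted indicators (weights are assumptions chosen for the example)."""
    score = 0
    if filename.lower().endswith(RISKY_EXT):
        score += 1                      # attachment type commonly used as a carrier
    if MACRO_AUTORUN.search(data):
        score += 2                      # macro that runs on open
    if LURE_SUBJECT.search(subject):
        score += 1                      # call-to-action subject from the campaigns
    return score

def triage(filename: str, subject: str, data: bytes, sandbox_threshold: int = 3) -> str:
    """Mail-gateway decision: block known bad, hold suspicious for sandboxing, else deliver."""
    if signature_hit(data):
        return "block"
    if heuristic_score(filename, subject, data) >= sandbox_threshold:
        return "sandbox"
    return "deliver"

if __name__ == "__main__":
    for v in range(3):
        sample = morph(ORIGINAL_PAYLOAD, v)
        print(v, signature_hit(sample), triage("invoice.doc", "overdue invoice attached", sample))
```

Each morphed copy evades the hash lookup yet is still held for sandboxing, while a benign document with a neutral subject and no auto-run macro is delivered.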
Professional Cybercrime with Great Customer Service
Although this point isn’t specifically about how ransomware attacks get past your security systems, it does show that cybercriminals have become increasingly professional. Once your data has been held hostage, many of them operate in the same way as legitimate IT solution providers. An investigation by F-Secure, a cyber-security and privacy company, found that the “products” from the leading ransomware groups are very professional applications. For example, the pop-ups asking you to pay are available in multiple languages, and there is an option to trial-decrypt some of your information to demonstrate that it is still there and will be accessible once you pay the ransom.
In addition, when you reach out to the attackers to pay up, many of them provide great customer service, such as offering discounts and a willingness to extend payment deadlines. Clearly, these are not fly-by-night organizations but criminal enterprises with large amounts of resources behind them to create threats that are constantly evolving to defeat security measures. The threat from their malware should be taken very seriously.
How to Stop Ransomware in its Tracks
We will be following up with another blog that will go into more detail as to how to combat ransomware, but the first step is educating your users to have some common sense as to what email attachments they open. Still, user error will always be an issue, so investing in a security solution that can stop ransomware is crucial. Although some of the big players in the space will likely eventually update their offerings to combat this new threat, for now, your options are fairly limited and are focused on better securing the endpoint.
One of the solutions we offer is Bromium Endpoint Protection & Endpoint Security, which we wrote about a few months ago. Bromium complements your existing endpoint security solution, and with it your users can “Click on Anything Without Risk of Breach”. For more info on Bromium and how Lanworks can help you combat the threat of ransomware, reach out to our sales team.