Ransomware Infection to Encryption in Three Seconds

Ransomware: The Digital Plague

Ransomware is a type of malware that encrypts the files on machines and demands a ransom from the user in exchange for the encryption key to make the files accessible. Ransomware is a booming business for cybercriminals, and right now it’s quite lucrative. In 2016 ransomware struck in a major way, with victims like MedStar, Hollywood Presbyterian Medical Center and Michigan Utility BWL just to name a few. It’s clear that organizations of all kinds, from hospitals to large corporations to government entities have fallen victim to ransomware schemes, but small businesses in particular are even more at risk.

Arctic Wolf Networks has seen a 433 percent increase in ransomware attacks this year among our SMB customers, and other leading security experts are reporting dramatic increases as well. Kaspersky Labs reported that ransomware attacks have increased fivefold in the course of one year, going from 131,111 infection attempts in 2014-2015 to 718,536 in 2015-2016. Further, the FBI’s Internet Crime Complaint Center reported that a total of 2,453 ransomware complaints were received in 2015, costing victims more than $24 million.

The numbers show that ransomware is on the rise, and businesses should be paying attention. Any cyber hack presents a threat to an organization, but ransomware does so by making it impossible to conduct business. Without access to servers, devices and files, an organization is crippled, losing money with every minute that passes. The impact extends beyond a one-time financial loss since a ransomware incident is highly disruptive and can damage a company’s relationship with its customers.

From Infection to Encryption in Three Seconds

Like most malware, the majority of ransomware enters the organization through email. User error creates an entry point: an unsuspecting employee opens an email that looks legitimate, clicks on a suggested link, and inadvertently installs the malware onto the system. But what makes ransomware so unique, and so dangerous, are the actions it takes once installed on the system. Unlike malware that lies dormant and often undetected for a while before stealthily combing through and encrypting files, ransomware takes action as quickly as possible. Within just a few seconds, the ransomware unpacks and executes itself and then reaches out to a command and control server to retrieve a key, which it will use to encrypt the files. It is only a matter of seconds from infection to encryption.

Then it becomes a race against time. Unlike other malware, ransomware typically does not spread to other computers on its own. It is designed to “infect and encrypt” quickly, creating as many incidents as possible before being shut down. However, infections do commonly spread when a user forwards an email with a malware attachment to others within their own organization. Since the recipient recognizes the sender, they often open it, click on the infected attachment and infect the new computer. The above timeline then starts all over again.

Ransomware for Sale

Ransomware has become a business, and has evolved to the point where anybody can purchase a ransomware kit and begin extorting money. Malware expert Lawrence Abrams discovered a site on the Dark Web called Hall of Ransomware that is selling infections and unlocking services. The site sells the Locky ransomware for $3,000, and Goliath, a next-generation ransomware created to make carrying out an attack easier for beginner hackers, for $2,100. Goliath’s features include the ability to download the contents of the infected computer and the ability to lock or unlock a computer with a single click.

There are a number of sites like the Hall of Ransomware, and they continue to multiply. Some even offer a commission-based pricing structure that gives criminals the ransomware for free but requires them to pay a percentage of the ransom. Ransomware is quickly starting to resemble an industry of independent software vendors, and the number of attacks and variants will only get worse.

Ransomware Detection and Remediation

Stopping ransomware is nearly impossible, so the best defense today is rapid detection, response and remediation. You only have three seconds from the time of infection to save your business-critical data. The ransomware aims to encrypt as much as possible, making restoration efforts such a daunting task that organizations will opt to make the ransom payment in exchange for the data. Once a threat is detected, the best course of immediate action is to turn off the computer to limit the number of files the ransomware has time to encrypt. Aside from the last-resort action of paying the ransom, the only option an organization has once it has been hit by ransomware is to wipe the machine of all programs and files in order to start fresh. For this reason, having a trusted and tested backup and disaster recovery plan in place is the most critical component of successfully recovering from a ransomware attack. Without a proper backup and disaster recovery strategy, businesses will be left with no option but to pay the ransom. Whenever possible, it is advised NOT to pay the ransom, but to wipe hard drives clean. From there, businesses can re-install base operating systems like Windows and Linux, and begin recovery from the latest backup of files.

Best Practices and Protection

Below is a series of everyday best practices that organizations should embrace:

  • Back up your data/files. Perform system backups regularly and often to ensure any data held to ransom can be recovered internally.
  • Carefully monitor your network. It is possible to detect when ransomware dispatches if you’re carefully monitoring your network. When that initiation is quickly detected, disabling the workstation immediately can take recovery time from 24 hours to as little as 5 minutes.
  • Regularly train all of your users. User error is the key to ransomware’s success, so educating users on the basics of security, such as not opening emails from unknown senders or downloading their attachments, is key. You can also train your users on how to spot security threat warnings, and how to deal with them properly.
  • Keep your perimeter defenses up to date. A sound security strategy comes down to discipline. Most organizations make investments in antivirus or email scanning systems, but if these are not updated regularly to ensure the latest signatures and patches are in place, they become less effective at blocking and flagging suspicious activity.
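The monitoring item above says an encryption burst is detectable if you are watching the network, and the earlier section says the burst begins within seconds of infection. The script below is an added illustration of that detection logic; it is not code from Arctic Wolf Networks or from the article. It reads file-server audit events, keeps a sliding window of extension-changing renames per workstation, and raises an alert when the count inside the window crosses a threshold. The log line format, the field names, the three-second window, the threshold of four renames, and the sample lines themselves are all constructed assumptions for the example.

```python
"""Sliding-window detector for encryption bursts in file-server audit logs.

Added example. The audit-line format, thresholds and sample events below are
assumptions constructed for illustration, not a real product's log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines: one workstation (ws17) renames four documents
# to a new extension within two seconds, another (ws22) does ordinary work.
SAMPLE_LOG = """\
2016-06-01T10:00:00Z host=ws17 user=alice op=READ path=/share/finance/q1.xlsx
2016-06-01T10:00:01Z host=ws17 user=alice op=WRITE path=/share/finance/q1.xlsx
2016-06-01T10:00:02Z host=ws17 user=alice op=RENAME path=/share/finance/q1.xlsx new=/share/finance/q1.xlsx.locky
2016-06-01T10:00:02Z host=ws17 user=alice op=WRITE path=/share/finance/q2.xlsx
2016-06-01T10:00:02Z host=ws17 user=alice op=RENAME path=/share/finance/q2.xlsx new=/share/finance/q2.xlsx.locky
2016-06-01T10:00:03Z host=ws17 user=alice op=WRITE path=/share/finance/budget.docx
2016-06-01T10:00:03Z host=ws17 user=alice op=RENAME path=/share/finance/budget.docx new=/share/finance/budget.docx.locky
2016-06-01T10:00:03Z host=ws17 user=alice op=WRITE path=/share/hr/roster.docx
2016-06-01T10:00:03Z host=ws17 user=alice op=RENAME path=/share/hr/roster.docx new=/share/hr/roster.docx.locky
2016-06-01T10:00:04Z host=ws17 user=alice op=WRITE path=/share/hr/_HELP_instructions.txt
2016-06-01T10:00:05Z host=ws22 user=bob op=WRITE path=/share/eng/notes.txt
2016-06-01T10:00:40Z host=ws22 user=bob op=RENAME path=/share/eng/notes.txt new=/share/eng/notes-old.txt
2016-06-01T10:01:10Z host=ws22 user=bob op=WRITE path=/share/eng/design.md
"""

# Assumed line layout: "<iso-timestamp> host=.. user=.. op=.. path=.. [new=..]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_line(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def extension(path):
    """Lower-cased final extension of a path, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_extension_change(ev):
    """True for a RENAME whose new name carries a different extension."""
    return (
        ev["op"] == "RENAME"
        and ev["new"] is not None
        and extension(ev["new"]) != extension(ev["path"])
    )


def detect_bursts(lines, window_seconds=3, threshold=4):
    """Alert once per host when extension-changing renames inside a sliding
    window reach the threshold. Returns a list of alert dicts."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # host -> timestamps of suspicious renames
    new_exts = defaultdict(set)      # host -> extensions those renames produced
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_extension_change(ev):
            continue
        host = ev["host"]
        q = recent[host]
        q.append(ev["ts"])
        new_exts[host].add(extension(ev["new"]))
        # Drop events that fell out of the window (input is assumed time-ordered).
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({
                "host": host,
                "user": ev["user"],
                "first_seen": q[0].isoformat(),
                "count": len(q),
                "extensions": set(new_exts[host]),
            })
    return alerts


if __name__ == "__main__":
    # Each alert is the cue to isolate or power off the named workstation and
    # start restoring the affected share from the last known-good backup.
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rename-based signal is deliberately narrow: a single legitimate rename such as ws22's `notes.txt` to `notes-old.txt` keeps its extension and is ignored, while four extension-changing renames from one host within three seconds trip the alert. In production the threshold and window would be tuned against the normal rename rate of each share, and the same window logic can be applied to write volume or to connections that follow the command-and-control key retrieval the article describes.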

Ransomware is a digital plague that is costing businesses billions of dollars every year. All indicators point to a continued increase in the number of ransomware attacks, particularly at SMBs. While there is no foolproof vaccine to this plague, rapid detection, response and remediation can greatly reduce the damage it brings.
