Ransomware is probably the most famous type of malware currently in existence. Large scale attacks like WannaCry and headline-worthy attacks against cities and other organizations have put the threat of ransomware into the public consciousness. Ransomware is also an effective bogeyman since it’s easy for anyone to imagine themselves as the victim of a ransomware attack and being forced to deal with the difficult choice of paying the ransom or giving up hope of retrieving any of their lost files.
While a ransomware attack is difficult or impossible to recover from once it occurs, it is possible to detect and block one before the damage is done. Ransomware operates in a specific way, and modern file security solutions can use these behavioral features to detect it while it operates on a system. While it may not be possible to prevent it from encrypting any files on the system, an effective file security solution should be able to catch an attack early in the process and save most of a ransomware victim’s files from being lost.
The Ransomware Threat
Ransomware is one of the biggest cyber threats of 2019, and it is growing. In the first half of 2019, ransomware attacks increased 363% over the same time the previous year. Modern ransomware attacks have also become more targeted, focusing on collecting large ransom payments from certain organizations or governments rather than the more wide-scale approach of WannaCry and other early ransomware attacks.
Ransomware attacks have also become more expensive for the victim. In 2019, ransomware is expected to cost the global economy $11.5 billion, and the average ransomware payment tripled between Q1 and Q2 2019. Many organizations that chose not to pay the ransom ended up taking remediation actions that cost more than the attacker requested. So regardless of how an organization handles a ransomware attack, being a victim of ransomware is expensive.
Understanding how ransomware works and how to detect and protect against it can save an organization a lot of money by dramatically decreasing the probability that it will be a victim of a ransomware attack.
Ransomware: Under the Hood
Ransomware is a threat to organizations and individuals since it is a simple attack that has a massive impact. By denying the victim access to their files, a ransomware attacker puts the victim in a situation where they have to pay or write off a large amount of potentially valuable data. Ransomware works by encrypting files on a user’s computer to deny them access. Since modern encryption cannot practically be broken, the victim can only regain access with the decryption key, which the attacker holds.
This encryption operation can be performed in one of two ways. The first way is to encrypt the small set of files or structures that the computer requires to access the file system. By encrypting just those few files, the attacker locks the victim out of all of their data. However, this can affect the stability of the system, and when the user panics and restarts the system, the computer may not be able to boot. As a result, the attacker never gets their ransom.
Most ransomware instead works by encrypting the files of value to the user on a machine. It ships either with a list of file extensions to encrypt (.docx, etc.) or a list of extensions to skip while encrypting (.exe, etc.). This version of the attack requires the malware to search through the computer’s file system, access files, and encrypt them one by one.
Protecting Against Ransomware Attacks
While ransomware can be a serious threat to an organization’s productivity and bottom line, it is possible to protect against attacks. A simple solution that works for many variants is to install and maintain a strong antivirus. Since many ransomware variants are well-known, signatures exist for them, and they can be detected and removed before an attack begins. However, this is not the only option for protecting against ransomware attacks. Effective file security systems can detect and block ransomware based upon its behavioral characteristics and through the use of deception.
In order to encrypt all of the files on a computer, ransomware needs to search through the file system, find every applicable file, and encrypt it. Accomplishing this requires a huge number of file opening and editing operations by a single program on a computer, which is unusual behavior. File security systems can monitor for processes exhibiting this sort of behavior and terminate them before they cause too much damage on a target computer.
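The behavioral approach described above, as an added example that is not part of the original article or of any product it describes. The script consumes a constructed stream of file-activity events (the `ts pid process op path` format, the process names and paths, and the thresholds are all assumptions for the demo; a real deployment would take this feed from a file-system minifilter or EDR sensor) and flags any process that writes or renames more than a threshold number of distinct data files inside a sliding time window. A word processor saving a few documents over several seconds stays under the threshold; a single process touching dozens of documents in under two seconds does not.

```python
"""Behavioural ransomware detection over a file-activity event stream.

Constructed example: events, process names, paths and thresholds are
assumptions for the demo, not taken from any real product or incident.
"""
from collections import defaultdict, deque

# Extensions typically holding user data. Illustrative list, not exhaustive.
DATA_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".sqlite", ".txt"}

# Assumed thresholds: more than MAX_FILES distinct data files written or
# renamed by one process within WINDOW_SECONDS raises an alert.
WINDOW_SECONDS = 10
MAX_FILES = 20


def parse_event(line):
    """Parse one constructed event line: 'ts pid process op path'."""
    ts, pid, proc, op, path = line.split(maxsplit=4)
    return {"ts": float(ts), "pid": int(pid), "proc": proc, "op": op, "path": path}


def extension(path):
    """Return the lower-cased extension of a path, or '' if it has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


class BurstDetector:
    """Sliding-window count of distinct data files each process writes/renames."""

    def __init__(self, window=WINDOW_SECONDS, max_files=MAX_FILES):
        self.window = window
        self.max_files = max_files
        self.history = defaultdict(deque)  # pid -> deque of (ts, path)
        self.alerted = set()               # pids already reported

    def observe(self, ev):
        """Feed one event; return an alert dict the first time a pid trips."""
        if ev["op"] not in ("WRITE", "RENAME"):
            return None
        if extension(ev["path"]) not in DATA_EXTENSIONS:
            return None
        q = self.history[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        # Drop entries that have fallen out of the window.
        while q and ev["ts"] - q[0][0] > self.window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) > self.max_files and ev["pid"] not in self.alerted:
            self.alerted.add(ev["pid"])
            return {"pid": ev["pid"], "proc": ev["proc"], "files": len(distinct)}
        return None


def run(lines):
    """Run the detector over event lines and return the list of alerts."""
    detector = BurstDetector()
    alerts = []
    for line in lines:
        alert = detector.observe(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: a word processor saving three documents over ten seconds
# (benign), then an unknown process rewriting thirty documents in 1.5 seconds.
BENIGN_EVENTS = [
    "%d 4242 winword.exe WRITE C:\\Users\\alice\\Documents\\report%d.docx" % (t * 5, t)
    for t in range(3)
]
BURST_EVENTS = [
    "%.2f 9001 unknown.exe WRITE C:\\Users\\alice\\Documents\\file%02d.docx" % (100 + i * 0.05, i)
    for i in range(30)
]
SAMPLE_EVENTS = BENIGN_EVENTS + BURST_EVENTS

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print("ALERT: pid %(pid)d (%(proc)s) touched %(files)d data files" % alert)
```

The detector alerts once per process, when the 21st distinct document is written, which in this sample is well before the burst finishes; in a real deployment the response action (suspend or terminate the process, snapshot its open handles) would be wired in where the alert is returned.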
Another approach to detecting a ransomware attack is the use of deception. Ransomware typically has a fairly simple rule for deciding whether a file should be encrypted: whether or not it has a given extension. File security systems can create decoy files that are likely to be targeted by ransomware but would never be opened by a human user. If a process accesses one of these decoy files, it is almost certainly part of a malware attack (and probably ransomware), so the security solution can act against it with very little risk of a false positive.
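The deception approach, as an added example that is not from the original article or any product it mentions. The script plants decoy files with data-like extensions, records a content-hash baseline, and on each check reports decoys that have been modified, replaced or renamed away. It uses a polling integrity check rather than the real-time access hooks a file security product would have; the decoy names, the temporary directory and the simulated tampering in `demo()` are all constructed for the example.

```python
"""Decoy (canary) files for ransomware detection.

Constructed example: plants decoys with attractive extensions, baselines
their hashes, and reports any later change. Polling stands in for the
real-time file-access hooks a security product would use.
"""
import hashlib
import os
import tempfile

# Assumed decoy names: data-like extensions, sorted to the start and end of a
# directory listing so an enumerating process meets them early.
DECOY_NAMES = ["00_budget_2019.xlsx", "aaa_passwords.docx", "zz_archive.pdf"]


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_decoys(directory, names=DECOY_NAMES):
    """Create decoy files in `directory`; return a baseline {path: sha256}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(os.urandom(512))  # random content so every decoy hashes differently
        baseline[path] = _sha256(path)
    return baseline


def check_decoys(baseline):
    """Return [(path, finding)] for decoys that are missing or modified.

    An untouched decoy set returns []. A decoy that was encrypted in place
    shows up as 'modified'; one that was encrypted and renamed (e.g. given a
    new extension) shows up as 'missing'.
    """
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif _sha256(path) != digest:
            findings.append((path, "modified"))
    return findings


def demo():
    """Plant decoys in a temp dir, simulate tampering, return (clean, tampered)."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        clean = check_decoys(baseline)

        # Constructed tampering: overwrite one decoy, rename another.
        first, second, _ = sorted(baseline)
        with open(first, "wb") as f:
            f.write(b"\x00" * 512)
        os.rename(second, second + ".locked")

        tampered = check_decoys(baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

Because a legitimate user never opens these files, any finding from `check_decoys` is actionable on its own; the process responsible is identified by whatever file-activity telemetry the environment already collects.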
Staying Safe from Ransomware
A successful ransomware attack can be extremely costly to an organization. File security solutions can protect a computer in a number of different ways, including identifying and terminating a ransomware infection before it can do serious damage. By deploying the right security solutions, an organization can dramatically decrease its exposure to this growing threat.