Block 100% of ransomware by managing admin rights, applications: researchers

Analysis of 23,000 ransomware strains finds that infections are easy to avoid if you plan ahead

The removal of administrator rights and imposition of application control policies can stop ransomware dead in its tracks, new research from CyberArk Labs has found as a number of security players become more confident in their ability to block ransomware infections before they cause damage.

With nearly 407,000 attempted ransomware infections and an estimated $US325m in ransom paid during 2015 alone, CyberArk Labs researchers noted, the escalating profile of the attacks has delivered significant consequences for a broad range of companies.

As described in a white paper published this week, the firm's engineers tested 23,000 samples of ransomware from 30 families and found some characteristic behaviours that helped identify potential points to block their activity.

Once triggered, 90 percent of the samples tried to communicate back to an attacker-managed key server, which manages the public key used to encrypt the victim's files. Blocking this connection caused the ransomware to fail in 20 percent of cases; the other 70 percent of samples were still able to encrypt using a default public key – potentially allowing the files to be decrypted using the same key acquired after ransom was paid by a previous victim.

The other 10 percent relied on keys embedded in the ransomware itself, allowing them to operate in an offline mode that could not be stopped by blocking the ransomware's connection to the outside world.

CyberArk Labs researchers also explored the way ransomware evaluated which files to encrypt: some variants just encrypted one file after another, exploiting the permissions granted to the user to reach files on network shares. Others took minutes to build lists of files to encrypt before they began the actual process – often using surreptitious methods to avoid detection.

Exploration of the propagation process led the team to find that businesses could block file encryption by ransomware in 100 percent of cases if they blocked read, write and modify privileges from unknown applications – and also modified user accounts with a least-privilege strategy that includes removing the local administrator rights sought by 70 percent of the tested ransomware samples.

The team also flagged the importance of continuous file backup in facilitating recovery after a ransomware attack. “Unlike some strains of sophisticated malware that can be difficult to locate and remove, the ransomware samples analyzed were easy to locate and remove once they were detected,” the report noted.

“This means that victim organizations who proactively backup files can dramatically reduce the impact of ransomware and avoid having to make a choice between paying a costly ransom or losing data forever. Instead, victim organizations can locate the ransomware files on infected machines, remove them from the system and then restore the affected files from backup.”
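The locate-then-restore workflow described above, as an added example that is not from the CyberArk report or any CyberArk product: a content-hash baseline is taken when files are backed up, files that later change and look encrypted (a Shannon-entropy heuristic, an assumption standing in for whatever detection an organisation actually uses) or that vanish are listed, and those files are put back from the backup copy. The document tree and the damage (random bytes standing in for ciphertext, one file renamed away) are constructed inline so the script runs offline.

```python
import hashlib
import math
import os
import shutil
import tempfile


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0,
    plain text usually well below 6.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each relative path under root to its SHA-256 (the integrity baseline)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def backup(root: str, dest: str) -> dict:
    """Copy the tree to dest and return the baseline taken at backup time."""
    shutil.copytree(root, dest, dirs_exist_ok=True)
    return snapshot(root)


def find_suspect_files(root: str, baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Files that changed since the baseline and now look encrypted (high entropy),
    plus baseline files that are gone (e.g. renamed with a ransom extension)."""
    suspects = []
    current = snapshot(root)
    for rel, digest in baseline.items():
        if rel not in current:
            suspects.append(rel)  # original file vanished
            continue
        if current[rel] == digest:
            continue  # unchanged since backup
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        if shannon_entropy(data) >= entropy_threshold:
            suspects.append(rel)
    return sorted(suspects)


def restore(root: str, backup_dir: str, paths: list) -> int:
    """Overwrite or recreate each affected file from the backup; returns the count restored.
    Leftover artefacts the attacker created (renamed copies, ransom notes) are not removed here."""
    restored = 0
    for rel in paths:
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dst)
        restored += 1
    return restored


def demo() -> dict:
    """Constructed scenario: a small document tree, a backup, simulated damage to
    three files, then detection and restore. Returns the suspect list and whether
    every baseline file matches its backup hash afterwards."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "docs")
    bkp = os.path.join(work, "backup")
    os.makedirs(os.path.join(root, "finance"))
    samples = {  # constructed sample files
        "finance/q1.txt": b"Quarterly figures: revenue up 4%, costs flat.\n" * 40,
        "finance/q2.txt": b"Quarterly figures: revenue up 2%, costs down.\n" * 40,
        "notes.txt": b"Meeting notes. Nothing to see here.\n" * 40,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    baseline = backup(root, bkp)

    # Simulated damage: two files overwritten with random bytes (stand-in for
    # ciphertext), one renamed with a ransom-style extension.
    for rel in ("finance/q1.txt", "notes.txt"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(os.urandom(len(samples[rel])))
    os.rename(os.path.join(root, "finance/q2.txt"), os.path.join(root, "finance/q2.txt.locked"))

    suspects = find_suspect_files(root, baseline)
    restore(root, bkp, suspects)
    after = snapshot(root)
    verified = all(after.get(rel) == baseline[rel] for rel in baseline)
    shutil.rmtree(work)
    return {"suspects": suspects, "verified": verified}


if __name__ == "__main__":
    print(demo())
```

The hash baseline is what makes restoration trustworthy: restoring is only worth doing once you can prove the restored copy matches what was backed up, which is why `demo()` re-snapshots the tree and compares against the baseline rather than just counting copied files. The entropy threshold is a heuristic and will miss files the ransomware merely renamed without rewriting; that case is caught by the vanished-file check instead.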

Ransomware has come to dominate malware traffic as victims – including a growing number in Australia – increasingly yield to its demands despite the ethical and governance conundrums that paying raises.

There have been few alternatives for companies that find their data encrypted without a suitable backup, but some security firms feel they have finally cracked the way to block ransomware from spreading. Earlier this week, for example, SentinelOne promised to pay up to $US1 million ($A1.3m) if a company is hit by a ransomware attack while using the firm's security products.

With one vendor holding that ransomware-busting capabilities will decide whether security vendors remain relevant at all, security experts have been slowly catching up with ransomware authors by deconstructing their attack strategies and offering alternatives. Some argue that big-data techniques offer a good way to identify and stop ransomware early on.

One ransomware group released the decryption keys to a rival group's code, while researchers have been at work reverse-engineering many of the ransomware strains out there and releasing free tools to counter them.
