The removal of administrator rights and imposition of application control policies can stop ransomware dead in its tracks, new research from CyberArk Labs has found as a number of security players become more confident in their ability to block ransomware infections before they cause damage.
With nearly 407,000 attempted ransomware infections and an estimated $US325m in ransom paid during 2015 alone, CyberArk Labs researchers noted, the escalating profile of the attacks has delivered significant consequences for a broad range of companies.
As described in a white paper published this week, the firm's engineers tested 23,000 samples of ransomware from 30 families and found some characteristic behaviours that helped identify potential points to block their activity.
Once triggered, 90 percent of the samples tried to communicate back to an attacker-managed key server, which manages the public key used to encrypt the victim's files. Blocking this connection caused the ransomware to fail in 20 percent of cases; the other 70 percent of samples were still able to encrypt using a default public key – potentially allowing the files to be decrypted using the same key acquired after ransom was paid by a previous victim.
The other 10 percent relied on keys embedded in the ransomware itself, allowing them to operate in an offline mode that could not be stopped by blocking the ransomware's connection to the outside world.
CyberArk Labs researchers also explored the way ransomware evaluated which files to encrypt: some variants just encrypted one file after another, exploiting the permissions granted to the user to reach files on network shares. Others took minutes to build lists of files to encrypt before they began the actual process – often using surreptitious methods to avoid detection.
Exploration of the propagation process led the team to find that businesses could block file encryption by ransomware in 100 percent of cases if they blocked read, write and modify privileges from unknown applications – and also modified user accounts with a least-privilege strategy that includes removing the local administrator rights sought by 70 percent of the tested ransomware samples.
The team also flagged the importance of continuous file backup in facilitating recovery after a ransomware attack. “Unlike some strains of sophisticated malware that can be difficult to locate and remove, the ransomware samples analyzed were easy to locate and remove once they were detected,” the report noted.
“This means that victim organizations who proactively backup files can dramatically reduce the impact of ransomware and avoid having to make a choice between paying a costly ransom or losing data forever. Instead, victim organizations can locate the ransomware files on infected machines, remove them from the system and then restore the affected files from backup.”
Ransomware, which has come to dominate malware traffic as victims – including a growing number in Australia – increasingly yield to its demands despite the ethical and governance conundrums such an action raises.
There have been few alternatives for companies that find their data encrypted without a suitable backup, but some security firms feel they have finally cracked the way to block ransomware from spreading. Earlier this week, for example, SentinelOne promised to pay up to $US1 million ($A1.3m) if a company is hit by a ransomware attack while using the firm's security products.
With ransomware-busting capabilities held by one vendor to be the deciding factor between whether security vendors remain relevant or not, security experts have been slowly catching up with ransomware authors by deconstructing their attack strategies and offering alternatives. Some argue that big-data techniques offer a great way to identify and stop ransomware early on,
One ransomware group released the decryption keys to a rival group's code, while researchers have been at work reverse-engineering many of the ransomware strains out there and releasing free tools to counter them.
Event | CloudSec 2016 | Hear from internationals Rik Ferguson and Timothy Wallach (FBI) Register your seat today
Webinar | Get real about metadata to avoid a false sense of security | Register Today
Webinar | Ransomware with Jeff Lanza (former FBI agent), Ty Miller, Mark Gregory and Andy Solterbeck | Register Today