Guest Column | November 18, 2016

How To Keep Your Customers Protected From Constantly Changing Ransomware

By Nathan Shuchami, Head of Advanced Threat Prevention, Check Point Software Technologies

If you’re old enough to remember 1989, you might recall two key events: the Berlin Wall came down, and the first ransomware attack appeared on the scene. This was the AIDs Trojan horse, which, upon installation, encrypted users’ files and demanded $189 be sent to a post office box in Panama to “renew the license.”

Since then, ransomware attacks have exploded, targeting businesses and organizations of all sizes. In fact, according to a Herjavec Group report, the total cost of damages related to ransomware attacks is estimated to reach $1 billion by the end of 2016. Worse, it’s showing no signs of slowing down as ransomware attacks are proven to work and earn cash for the criminals behind them. Understanding how they succeed is critical to helping you protect your client’s business.

Ransomware Is No Longer ‘One Size Fits All’

Like most malware, ransomware can originate from opening a malicious attachment in an email, clicking on a deceptive pop-up, or visiting a compromised website. It threatens businesses in one of two ways by locking a user’s screen or encrypting files. With lock-screen ransomware, a PC will freeze while displaying a message with the criminal’s ransom demand. Until it’s removed, the computer remains useless. While this is a nuisance for users, it’s manageable because it typically affects a single PC and is relatively easy to remove. File encryption ransomware, on the other hand, emerged in 2013 as a genuine threat to businesses because it can permanently lock users out of their files and data by using encryption to scramble data — on individual PCs and across entire networks. This type of ransomware attack has now reached epidemic proportions.

Ransomware’s attack methods have also become more diverse. The more recent SamSam ransomware, for example, is not delivered by email. Instead, it targets unpatched servers to encrypt large amounts of data. Cerber, which debuted in February of this year, is one of 2016’s the most widespread ransomware. It delivers an audio ransom message using Microsoft Speech API. We’ve also seen ransomware that acts as a virus and can infect machines through removable storage media, like USB devices or spread via shared files. Some specialized forms of ransomware are even spread via shared files, while others are tailored to target smartphones and tablets. Ransomware is no longer a one size fits al’ form of cyberattack — it can target almost any device, including smartphones and tablets, and spread from there.

Ensure Your Clients Stay Protected

It is unsurprising some businesses are reportedly stockpiling bitcoins, ransomware’s only currency, in an attempt to boost their ransomware readiness. A June 2016 Citric survey found 35 percent of businesses of over 2,000 employees in the U.K. are willing to pay up to £50,000, or roughly $67,000 U.S. dollars, to regain their critical information in the aftermath of an attack.

Unfortunately, the damage caused by sophisticated ransomware is difficult to reverse once an organization’s data is encrypted, unless the ransom is paid. However, paying the ransom is not recommended as this only encourages future attacks and there are no guarantees the decryption key will actually be supplied by the criminals.

To safeguard your clients from these attacks, make sure backups are performed regularly and stored separately from their main network. If the worst happens and a ransomware attack takes hold, critical files and information can be recovered from backup once the infection is removed. Reminding clients about the importance of employee education is also a key and should be part of their employee IT training. Two important concepts that should be covered include:

  • Attachments and links should only be opened from trusted sources.
  • If an employee is asked to run macros on a Microsoft Office file, the simple answer is — don’t! Macros are frequently used as the trigger for downloading ransomware.

Keeping their traditional antivirus and other signature-based solutions up-to-date is also essential, however these solutions are not a catchall because modern ransomware is constantly adapting, allowing it to easily bypass these protections. To block ransomware before it infects your client’s network, it’s recommended businesses use more sophisticated protections such as advanced sandboxing and document sanitizations solutions.

Advanced sandboxing, unlike antivirus and other solutions, it is not signature-based. Instead, it inspects an incoming file for suspicious elements at a deeper level on the computer’s central processing unit (CPU). By examining activity at the CPU-level, evasion techniques built into the malware can be blocked before a potential infection can take hold.

Document sanitization works on a simple premise: the vast majority of ransomware and malware is distributed via email, hidden in the common file types used for business — Word documents, PDFs, Excel spreadsheets, and so on. From a security standpoint, it’s best to assume any email attachment is infected and to extract any potential threat before passing it to the user. By deconstructing attached documents at the email gateway, suspicious content (like external links and macros) is removed. The document can then be reconstructed with known safe elements, and sent to the user. This takes only seconds and eliminates the risks from infected files without delaying workflow.

Given its success, there is little doubt that ransomware will continue to transform and proliferate, targeting organizations of all sizes. To ensure your clients are protected, make sure their defenses evolve too.