Cybereason Blog | Cybersecurity News and Analysis

Turn to behavioral analysis to combat the influx of ransomware

Written by Lital Asher-Dotan | Apr 21, 2016 7:03:56 PM

Although we’re only four months into the new year, 2016 is shaping up to be the year of ransomware. In March, the first ransomware targeting Macs, KeRanger, was discovered. Meanwhile, the health-care industry has been struggling with how to prevent ransomware infections. So far, at least three hospitals have suffered major ransomware attacks that left their electronic health records and computer systems encrypted.

With ransomware attacks making headlines, you shouldn’t be surprised to learn that Symantec found an uptick in the number of ransomware programs hackers have at their disposal, especially during the first quarter of 2016. During that period, 15 new types of ransomware were discovered, according to an infographic in Symantec’s recently released 2016 Internet Security Threat Report. To put that figure in context, 27 new ransomware programs were reported in all of 2015, including 11 in the fourth quarter. In 2014, only nine instances of ransomware were discovered, according to the report. Given this data, you can see why I think ransomware will be one of 2016’s top tactical security challenges.

Image credit: Symantec Internet Security Threat Report

I’d argue that ransomware has evolved during this time, with each new program more refined and advanced than its predecessors. And attackers have matured as well. Now they’re highly organized and mature groups that function like a business instead of small operators looking to make money from schemes like spamming.

Unfortunately, the methods companies use to protect themselves from ransomware haven’t developed at the same pace as the malware. The tactics organizations relied on three years ago are now dated. Back then, companies used their antivirus programs to detect the threat, assuming that ransomware had fixed attributes. In 2016, though, ransomware has many variants, and programs that rely on static attributes like name, hash, IP address and signature will fail to detect these variants, which appear frequently.

A better option for detecting ransomware is to use behavioral analysis to look for suspicious behavior across a company’s entire IT environment. While there are many ransomware variants, they all share common behavioral traits in addition to their unique properties. By continuously monitoring all activities and processes, companies can detect ransomware after it has infiltrated their defenses.

Some behaviors to watch for include connecting to command and control servers for instructions, deleting recovery files, scanning for files like Word documents, PDFs and PowerPoint presentations, and tampering with Windows configuration by disabling functions like recovery mode and system restore. Monitoring the use of scripting programs like PowerShell, VBScript and Windows Management Instrumentation is also helpful, since they can be used to carry out fileless malware attacks, an emerging threat our security team has identified.

Individually, none of these activities would indicate a ransomware infection, so blocking PowerShell from executing, for example, wouldn’t necessarily keep a business safe. Malicious behavior can only be identified by monitoring behavior in the context of what’s occurring across a company’s entire ecosystem.
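As an added illustration of the context-based correlation described above (example code written for this post, not code from Cybereason or its product): it tags constructed endpoint events with the behaviors named above and raises an alert only when several distinct behaviors co-occur on one host within a short window, so a lone PowerShell launch or shadow-copy listing never fires. The event format, rule patterns, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (timestamp, host, event type, detail); not real data.
EVENTS = [
    ("2016-04-21 10:00:01", "ws-17", "process", "powershell.exe -EncodedCommand <base64>"),
    ("2016-04-21 10:00:05", "ws-17", "network", "outbound 203.0.113.7:443"),
    ("2016-04-21 10:00:09", "ws-17", "process", "vssadmin.exe delete shadows /all /quiet"),
    ("2016-04-21 10:00:12", "ws-17", "file_enum", "*.docx;*.pdf;*.pptx"),
    ("2016-04-21 10:00:15", "ws-17", "process",
     "reg.exe add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore /v DisableSR /d 1"),
    ("2016-04-21 09:30:00", "ws-03", "process", "powershell.exe Get-Process"),  # admin script
    ("2016-04-21 11:00:00", "ws-09", "process", "vssadmin.exe list shadows"),   # harmless
]

# One rule per behavior the post lists: (tag, event type it applies to, pattern).
BEHAVIORS = [
    ("script_engine", "process", re.compile(r"\b(powershell|wscript|cscript|wmic)\.exe", re.I)),
    ("c2_beacon", "network", re.compile(r"^outbound ", re.I)),
    ("recovery_deletion", "process", re.compile(r"vssadmin\.exe\s+delete\s+shadows|wbadmin\.exe\s+delete", re.I)),
    ("document_scan", "file_enum", re.compile(r"\.(docx?|pdf|pptx?)", re.I)),
    ("restore_tamper", "process", re.compile(r"SystemRestore.*DisableSR", re.I)),
]
WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # assumed number of distinct behaviors needed to alert

def tag_event(event_type, detail):
    """Return the set of behavior tags a single event matches (often empty)."""
    return {tag for tag, etype, rx in BEHAVIORS if etype == event_type and rx.search(detail)}

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Map host -> sorted behavior tags for hosts showing >= threshold distinct
    behaviors inside one sliding window. A single matching event never alerts."""
    per_host = defaultdict(list)
    for ts, host, etype, detail in events:
        for tag in tag_event(etype, detail):
            per_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tag))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {tag for t, tag in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))
```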

While constantly backing up data should be a standard part of any company’s IT operations, this influx of ransomware makes this process even more critical. Once ransomware encrypts the files on your computers, the only way to get your data back is to re-image the machines or pay the ransom. Incident response plans should also include guidelines on what procedures to follow if a company is infected by ransomware.