Ransomware: What’s in a Name?

Back when I started in cybersecurity in the very early 1990s, one of the first threats I remember was a boot sector virus called Casino. Effectively, when triggered, it would delete the FAT (File Allocation Table), which you can think of as the index to all your data.

It displayed a basic jackpot machine that made you think you had the chance to “win” your data back, or get the contact details of the malware author to negotiate getting your data back:

[Image: Screengrab from Boot Sector Virus Casino]

Sound familiar? In many ways, it could be called a very early ransomware attack. And this for me is the issue: talk to most anyone today, and ransomware has become synonymous with the most prolific and impactful of attacks.

The reality is that ransomware has been through multiple evolutions. In the guise most would know, it started as a random attack that used poorly secured websites as the delivery method and, in many instances, was spammed at numerous potential victims. However, since then we have seen ransomware go through many changes, including:

  • Becoming highly targeted: complex ransomware operations, or RansomOps, are using intelligence to go after high-value industries and organisations likely to pay ever-greater ransom demands.
  • Beginning to actually analyze the data it gained access to in order to quantify what the data could be worth for double extortion or other purposes. This shifted the ransomware threat from local data locking to looking at broader data sources such as the network and cloud.
  • Building in deliberate capabilities to disable data resource capabilities provided by both the operating system and some key third-party tools.
  • In many instances, also stealing copies of the data for resale to drive incremental revenue or for double extortion.
  • Evolving to now being firmly integrated into the cybercrime supply chain ecosystem that has become a vast Ransomware Economy as well as being used at a nation-state level.

So, what's the point here? We continue to use the same name to describe a problem that has evolved significantly over time and is far more complex today. The danger is that many may think they understand and have solved the problem, while in their own minds they are still somewhere along that evolutionary journey and unprepared to counter the threat as it exists today.

If our understanding of a threat isn’t current, it’s highly likely that the policies and solutions we put in place to counter the threat also won’t be current. 

Historically, many see ransomware as just another threat to defend against, so would rely on the same old legacy antivirus tools, firewalls and other key controls used in their businesses. However, the time to impact and the business costs of ransomware can be much higher than typical threats, so surely ransomware deserves more focus on how we solve the problem. 

At Cybereason, ransomware has been a focus for the company, one that has taken the lessons learned from the Incident Response side of the house to continue an evolution of how we develop new controls specifically to target the evolving ransomware threat. It started a number of years ago with canary files (planted files, if you like) that are constantly monitored for leading indicators that a ransomware attack is underway, in order to block the attack before actual files of value to the organisation can be encrypted.

However, like the ransomware threat itself, the evolution of defensive measures has also continued. Specifically, new rapid recovery capabilities have been developed by Cybereason that autonomously recover encrypted data files without interaction from the user or administrator. The natural next evolution is our in-memory analysis using our Binary Similarity Engine (BSE), which looks for behaviors such as initiating the encryption routine at the kernel level and ends the attack before any encryption can take place.

My challenge to you is this: do you and your business track how the ransomware threat is changing, or do you fall into the trap of remaining static whilst the threat continues to evolve? If you are in the latter group, it's likely your ransomware prevention and response controls are as outdated as your perception of the problem. 

Maybe the answer is to call today's ransomware something different; it potentially would help in securing new budget for a new problem. That's not the case, so for now it is key that we educate ourselves and our business leaders on this ongoing evolutionary battle and arm ourselves with the tools required to meet and defeat the threat.

Greg Day
About the Author

Greg Day is a Vice President and Global Field CISO for Cybereason in EMEA. Prior to joining Cybereason, Greg held CSO and CTO positions with Palo Alto Networks, FireEye and Symantec. A respected thought leader and long-time advocate for stronger, more proactive cybersecurity, Greg has helped many law enforcement agencies improve detection of cybercriminal behavior. In addition, he previously taught malware forensics to agencies around the world and has worked in advisory capacities for the Council of Europe on cybercrime and the UK National Crime Agency. He currently serves on the Europol cyber security industry advisory board.