Ransomware: Putting a stop to IT’s greatest current challenge
By: Karen Greer, Secure Content Technologies and Matthew Phillion, Sophos
The industry certainly has a talent for naming things: ransomware, the greatest current challenge for IT professionals today, is as ominous as it sounds. The ability to take over a user’s data or entire machine, encrypting irreplaceable documents until a ransom is paid – and sometimes not even then, as there’s no honor among thieves – has the ability to cause catastrophic harm to everyone from billion-dollar, worldwide industries to a grandmother opening up the wrong email at her kitchen table.
2017 was a brutal year for ransomware, with indications trending upward from 2016, which was already the worst year for ransomware on record. Organizations were hit with two headline-making ransomware attacks – May’s catastrophic WannaCry attack followed up by June’s NotPetya attack – but it wasn’t just the worldwide, news-making attacks that were the problem.
No one is immune. Various studies show that healthcare and financial services businesses are most frequently hit, but no industry is immune: 92% of IT firms reported ransomware attacks on their clients. In some ways we don’t know how bad the problem is: despite these numbers, according to the FBI only one in four attacks are actually reported.
And paying off the cybercriminals doesn’t help. The FBI also warns that 70% of businesses who paid the ransom were attacked again later. Experts believe this is because organizations who pay out have identified themselves as businesses both with data of value, and data they are willing to pay for.
What can we do to stop ransomware?
Early on, there was a push toward backing up your data – after all, if you had a backup of encrypted files, you needn’t pay to get those files back, logic dictated. But this wasn’t completely effective, and carried with it additional risks, such as not backing up often enough, or losing your backup files in general. Stopping ransomware needs to be about prevention, proactive rather than reactive.
Traditional antivirus solutions are not without value, but for risks like ransomware attacks, those traditional prevention methods, relying on signatures to detect known malware, fall behind in the current threat landscape. Literally millions of new viruses and other malware are created every day. There’s simply no way a traditional, signature-based prevention solution can ever keep up with the superhuman volume of new threats created. Some experts estimate a new virus is created every four seconds or so.
Fortunately for IT security professionals, while the variations created for ransomware and other attacks are infinite, hackers tend to rely on a small number of exploits to make those attacks effective. What proactive solutions can do, rather than look for known malware, is instead watch for malicious behavior on your machine or system – “tells” that indicate that something is making use of an existing, popular exploit to implement an attack. The vast majority of attacks rely on only a few dozen exploits, so a powerful anti-exploit defense can be an incredibly effective method for preventing ransomware. This allows the solution to not just spot known threats, but prevent zero-day malware no one has ever seen before from taking hold by watching not for a named virus or ransomware attack but the behavior of an attack.
Another solution: a solution that watches for, and puts a stop to, the encryption activities that ransomware relies on. Top tier anti-ransomware solutions will take notice when a file or files are encrypted without the user’s permission and, as preventative measure, take a copy of the encrypted file and stop all further encryption until an analysis is done. If the encryption is, in fact, an attack, all encryption ceases on the computer or system, the files are rolled back to their original state, and the machine is scrubbed clean.
Something to consider when looking at ransomware solutions: even when you successfully prevent an attack, having forensic level intelligence about how the attack happened and where it came from can be a powerful tool for preventing the next attack as well. Having some sort of root cause analysis tool to tease out details of the how, when, what, and where of an attack will help you educate yourself for the next time.
Deep learning’s impact on ransomware prevention
As we’ve said, there are millions of new attack variations appearing every single day. It is almost unfathomable for the human mind to comprehend these numbers.
That’s where artificial intelligence comes in.
A quick primer on machine learning versus deep learning: machine learning is, at its core, the ability by a program to become more and more accurate at predicting outcomes without being explicitly programmed to do so. Most simply put: the program has the ability to learn.
For example, you might program an AI to draw a circle. That circle may start out imperfect – oblong, or the beginning and end don’t match up. With machine learning, the program will improve based on data it receives from its programmers. It’s like the human brain – you keep repeating a task, and you get better at it.
Deep learning goes a step further. With standard machine learning, humans have to intervene, in essence feeding and curating the data so the AI can learn. With deep learning, that human intervention isn’t required. The AI learns from the data it takes in to become increasingly more accurate. Deep learning is used for complex tasks like security threat detection, fraud detection, spam filtering, and even for more mundane tasks like curating news feeds on social media or targeting online shopping trends.
Deep learning mimics the human brain, using what is often called an “artificial neural network.” We often say the human brain is more powerful than we know. The AI of deep learning grants the ability to assess and learn from incredible amounts of data. In terms of its impact on ransomware, deep learning opens up the ability to actually keep up with the blitz of new attacks and variants appearing every day by moving and analyzing online threats faster than the human mind can.
Deep learning solutions also tend to be lighter and faster than existing solutions, and given the speed and agility of the ransomware threat landscape, the quicker and more dexterous the response the better.
A note on automation
A ransomware attack can cripple a business with incredible speed, so the more automated the security response, the better. An attack can happen at any time, to any end user. Having solutions that can identify malicious, unusual, or questionable behavior and stop it, preventing further damage until the humans charged with keeping the organization and its users safe can be alerted, is pivotal in a threat landscape that evolves in seconds, not weeks.
Not only that, but having technology that works on multiple levels – watching for unapproved encryption, the use of exploits, and more, without the need of a human hand to command those preventative measures, means IT administrators can actually sleep at night knowing their users and their data are protected under automated, ever-vigilant protection.
The human error factor can’t be discounted here, as well. The smartest end user in the world is still capable of falling victim to an attack. Research has shown that users open phishing emails and other fake messages at a higher rate than they do actual marketing or advertising emails – and this isn’t indicative of the intelligence of the end user, but rather shows just how skilled the bad guys have become at crafting messages users will believe. This adds to the pressure to have automated, intelligent protection.
Educating your end users on what to look for and what to do, or more importantly, not to do, in the case of a malware attack can narrow your organization’s largest attack vector. Solid end user education side by side with powerful, automated, next-gen ransomware prevention can truly build up a powerful suit of armor against the ever-changing online threat landscape.