The best way to avert ransomware is to institute preventive mechanisms. This cannot be done through antivirus software alone. The approach needs to be multi-dimensional.
By Ravi Raman
Viruses and malware have become an integral part of the internet. We are aware that antivirus software will help us ward off these threats. We also believe that malware can be disinfected to restore order. However, consider this. What if new threats do not conform to such known beliefs?
What if the malware is designed to change frequently and thus browbeat antivirus software? What if, once infected, the damage to your computer cannot be undone merely by removing the malware? What if you are asked to pay a ransom to restore normalcy? What if the malware is designed to move stealthily from the endpoints through your networks to other sensitive data servers to cause maximum damage?
Welcome to the world of Ransomware that is taking the internet by storm. Ransomware is definitely a game changer for the security services industry, organisations, and individuals.
Ransomware, as the name suggests, is a type of malware that encrypts data on your system and demands a ransom for decrypting it. Advanced 128- to 256-bit encryption algorithms are used. Decryption without the key is not possible. Affected parties are paying up – the data for such organisations and individuals is very valuable and losing it is not an option.
Ransomware has gone through several revisions over the past year or so – each variety designed to be more dangerous than the previous one. In the beginning the malware was modelled around a Fake AV – it attempted to extract money by intentionally misrepresenting the security status of a computer. The user was enticed to purchase software in order to remove non-existent malware or security risks from the computer. Then ransomware changed to extracting money by locking one's PC screen. To unlock the screen, people had to pay up. These are referred to as “Locker” ransomware. The current wave of ransomware extracts money by encrypting the files of the PC / server. One has to pay up to have the files decrypted. Each wave is thus more lethal than the previous one, and this upward trend in ruthlessness is what is making this variety the most talked about in the industry.
The concept of extracting money from affected people or organisations has worked because data is important and is a lifeline. Once the actors have tasted “blood” it can always be assumed that there will be no let-up.
Motivation apart, the malware actors also have open source technology on their side. Using such components they are able to execute their nefarious designs and still escape capture. They use several free technology pieces to execute their plans and to get paid, with minimal risk of getting traced or caught at any stage. They propagate the malware through the anonymous Tor (The Onion Router) service, create havoc for extracting the money by using advanced encryption technology, and get paid through bitcoins completely circumventing the regular banking channels, thus preventing traceability.
In addition to this, ransomware is morphing every so often by changing its signature to escape detection by antivirus software. Typically, antivirus solutions rely on malware signatures to detect malware. By changing their signatures regularly, malware authors attempt to defeat such detection.
A third dimension that is looming large is that after infecting users' PCs, the attackers have started to move through the corporate networks to other critical information assets. This staged attack through the cyber kill chain is already happening, and we need to be cognizant of it.
The only way a disaster can be averted – unless you are willing to pay up – is to institute preventive mechanisms. This cannot be done through antivirus software alone. The approach needs to be multi-dimensional.
An organisation has to invest in tools that will enable it to run data science and machine learning models that can detect patterns in the network data to determine whether a staged attack is underway; tools that rely not just on malware signatures but on other concepts such as Indicators of Compromise (IOCs) to detect threats; tools that can quickly scan your network / endpoints for any typical compromise you suspect may have occurred; tools that can scan for rogue browser plugins; tools that can detect C&C user accounts that malware could piggyback on; and tools that can check for unused services that malware can masquerade as.
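To make concrete why a hash signature alone is not enough and what a pattern-based indicator adds, here is a small added illustration (not code from the article or from Paladion): a one-byte re-packed variant of a "known" sample slips past an exact-hash signature, while a behavioural check over a constructed endpoint file-event log still flags the process that mass-writes files with a ransomware-style extension. The sample bytes, process names, paths and the `.locked` extension are all hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for a known ransomware binary and a re-packed variant
# (hypothetical bytes, not real malware): they differ by a single byte.
KNOWN_SAMPLE = b"MZ-RANSOM-LOCKER-PAYLOAD-v1"
VARIANT_SAMPLE = b"MZ-RANSOM-LOCKER-PAYLOAD-v2"

# Hash-based signature database seeded with the known sample only.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(blob: bytes) -> bool:
    """Classic antivirus-style check: hit only on an exact hash match."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURE_DB


# Constructed endpoint file-event log: (seconds, process, action, path).
EVENTS = [
    (0, "winword.exe", "write", r"C:\Users\a\report.docx"),
    (1, "svchost.exe", "write", r"C:\Users\a\q1.xlsx.locked"),
    (2, "svchost.exe", "write", r"C:\Users\a\q2.xlsx.locked"),
    (3, "svchost.exe", "write", r"C:\Users\a\plan.docx.locked"),
    (4, "svchost.exe", "write", r"C:\Users\a\photo.jpg.locked"),
    (5, "svchost.exe", "write", r"C:\Users\a\notes.txt.locked"),
    (6, "svchost.exe", "write", r"C:\Users\a\budget.pdf.locked"),
    (20, "backup.exe", "write", r"D:\archive\old1.locked"),
    (40, "backup.exe", "write", r"D:\archive\old2.locked"),
]


def mass_encryption_pattern(events, window=10, threshold=5, ext=".locked"):
    """Behavioural indicator independent of the binary's hash: flag any process
    that writes at least `threshold` files with a ransomware-style extension
    inside any `window`-second span. Returns {process: peak count in a window}."""
    by_proc = defaultdict(list)
    for ts, proc, action, path in events:
        if action == "write" and path.lower().endswith(ext):
            by_proc[proc].append(ts)
    flagged = {}
    for proc, times in by_proc.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[proc] = best
    return flagged
```

The slow, low-volume `backup.exe` writer stays below the threshold, which is the kind of tuning such a pattern detector needs to avoid flagging legitimate tools.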
The good news is that such tools are available. You will need them to prevent ransomware attacks. We need to be geared up to protect ourselves from such threats when the stakes are high. Game-changing threats need a robust, multi-pronged strategy for effective protection.
The writer is SVP & head of engineering – security intelligence & analytics, Paladion Networks