Ransomware: How To Deal With It - And Defeat It


One of the more devastating new forms of malware is ransomware, which infects a user’s system and encrypts the files beyond use unless the user pays a ransom for the decryption key. In a January 2014 study, Internet security vendor Webroot found that 88 percent of IT professionals said they were somewhat to very concerned about ransomware, and 66 percent predicted their organization could be the victim of an attack within the next year. In a conversation with ITbestofbreed.com, SentinelOne's chief security officer, Udi Shamir, and chief marketing officer, Scott Gainey, walked through the challenges ransomware poses and talked about how a new feature the company added to its endpoint security solution could help solve the problem.

Can you give an overview of ransomware and some of the trends you’re seeing?

Shamir: The phenomenon is fairly new. We’re talking about three years, mainly. It’s very effective because it’s very easy to conduct and to encrypt the files on your personal hard drive, and it’s almost impossible to overcome. The ransomware family is divided … in some cases we can recover the key and can recover the data. But the more sophisticated software, like Cryptowall, encrypts everything in a very good manner, using a better encryption algorithm like elliptic curve. That is impossible to recover.

Walk me through a ransomware attack. How does it progress and what can you do?

Shamir: Essentially, ransomware is malware. Usually the most successful attack vector is via email, using social engineering or spear phishing … The user is fooled into executing it, and then it is game over. That means, once a user clicks the link and downloads the executable (file), the moment it executes it is a matter of milliseconds before the ransomware starts to encrypt your files. From that moment, you are a hostage. You will be asked for ransom … In some variants of ransomware, we were able to recover the secret key that allows the victims to decrypt the files. But in most cases it won’t work, and the victim will need to pay a ransom to recover their data. That makes the ransomware phenomenon pretty hectic and hard to deal with. You can see, for instance, that with the Cryptowall family, the author made more than $30 million in revenue just last year. It’s an astonishing number. Usually, they are not that sophisticated. They are using existing libraries to encrypt files. They are not that sophisticated – that’s what makes them very efficient.

If it’s pretty easy to do and efficient, do you have a sense for how much this is growing compared to other threats?

Shamir: The ransomware phenomenon is going up more rapidly, and the reason is economics. This is not associated with any nation-state attack, usually … Most of the groups that are writing this malware are financially motivated actors. They are Russian and more Eastern European groups, and their main aim is to get money. Of course, we will see a growth in the attack vectors.

I’ve seen mixed opinions. Should people pay the ransom? Or should they just accept the loss of their files?

Shamir: In some cases people are forced to pay because, if you think about, for example, a lawyer being hit and he doesn’t have a backup – usually the small businesses with fewer resources – some of these groups will end up paying for the ransomware.

Gainey: I would just add that this is a big part of what we were trying to highlight in the latest product announcement – there is an alternative. You can prevent the threat outright by having a viable endpoint protection solution. I think that’s the message that we’re trying to get across right now: Paying a ransom doesn’t have to be your last-ditch effort.

Walk me through the solution – what’s different?

Shamir: If you look at the traditional defenses and how they work, I’m talking about AVs and other vendors, they are working in a static fashion, which means that if they have seen a file structure before and it was malicious, they will try to block it. The problem is, they change every second … This presents a very big challenge to the traditional software companies, like anti-virus and network vendors. We, on the other hand, don’t care. We look at how the malware or the binary is behaving in real time on the machine … When we detect something that is violating the normal behavior, we will kill the activity. We are not just securing it; we can restore the file that has been encrypted because of ransomware … When we think that there is an active encryption, we can copy, or think about neutralizing and backing up, the files in real time.

Gainey: It’s also restoring system files that are often, over the course of a ransomware attack, … either outright deleted or altered significantly. It’s not only the personal files that you want to regain access to; it’s also restoring the system back to the normal operating state it was in pre-attack.

Is this something we can expect to be a bigger issue in 2016?

Shamir: Of course it will continue. We see more platforms coming into consideration for ransomware – we see Mac and even a line of servers … We will see more numbers, I’m sure of it. Unfortunately.