It’s very clear that encrypting ransomware is here to stay. Since it was introduced in 2013 with CryptoLocker, the business model has done nothing but grow. Through constant improvements to the variants and attack vectors, malware authors have been able to circumvent and outright defeat most security solutions. Encrypting ransomware infections are some of the most severe in the history of malware and the costs imposed on victims’ businesses can be devastating.
As they grow in prevalence, encrypting ransomware variants are becoming more sophisticated and charging more money. Malware and Potentially Unwanted Applications (PUAs) bypass traditional detection by using polymorphic distribution and rapid variant generation. According to our own research in the Webroot 2016 Threat Brief, 97 percent of today’s threats are unique to the system they infect, and are only seen on that specific endpoint. Contributing to the increase in ransomware, malware advertising (aka malvertising) that leads into exploit kits has also seen exponential growth. Malicious ads rotate with normal ads on legitimate, highly reputable sites, and when users visit the site and click on the infected ad, an invisible iframe redirects to exploit landing pages where malicious payloads are dropped. Web exploit kits are responsible for 80 percent of malware delivery, and they deliver ransomware as the payload almost exclusively. Variants are also utilizing thread injection, process hollowing, and position-independent code to become almost invisible to security solutions.
Being the victim of a targeted crypto ransomware attack is very real and very costly. Hollywood Presbyterian Medical Center was hit by crypto ransomware that locked medical records and other essential operational systems. The original ransom was $3.6M, but cybercriminals “settled” for $17K. Paying ransoms becomes an entirely different conversation for organizations when the payment isn’t $30, but five figures.
At Webroot, we believe it is possible for MSPs to effectively protect their clients and end users alike, but only by understanding their adversaries and the techniques they use for attacks. Our sophisticated approach reflects an in-depth understanding of the threat landscape and how attackers think, enabling us to provide cutting-edge, proven, next-generation protection and real-time detection of threats as they emerge.
To safeguard their customers against the next generation of threats, MSPs need to adapt their security practices. Ransomware as a business model only thrives when people pay the ransom. Here are several ways MSPs can take charge in changing this trend.
- Deploy reputable, multi-layered endpoint security. Having endpoint security that is capable of preventing infections in the first place is vital.
- Deploy backup and business continuity recovery. These services are the only recourse to recover data and minimize business downtime if an encrypting ransomware infection gets through.
- Disable macros in the Microsoft® Office Trust Center. This will help prevent infections, as this is a common attack vector.
- Create strong Windows policies. Obfuscated file extensions are frequently responsible for infections.
- Educate your users. Users are your weakest link. Providing them with even basic education around Internet risks and best practices will protect users both at home and in the office.
The damage a ransomware attack can cause to a business’ reputation and customer trust—not to mention issues of legal liability—is substantial. We have all seen how compromised client data leads to further cybercrime, identity theft and fraud. Adapting security practices and implementing solid mitigation and recovery strategies are the best way for MSPs and their customers to stay ahead of this destructive threat.
To learn more about current malware trends and the threats you may encounter in the year to come, get your copy of the Webroot 2016 Threat Brief, or watch a brief overview video with highlights from our research.
By Lily Teplow
By Brian Downey
By Dave LeClair