There Are Many Ways to Repel Ransomware, Only One Way to Defeat It
In our continuing series on the malware menace known as ransomware, we’ve looked at what it’s like to suffer a ransomware attack, why it has become a weapon of choice for online criminals (they’re making gobs of money off it), and why it has grown so quickly (the gangs are copying the SaaS industry’s highly leveraged distribution model). Given how likely it is that you or someone you know will get hit by a ransomware attack in the coming months, now is a good time to shore up your anti-ransomware defenses.
How ransomware attacks work: a recap
- The malware gets onto a computer or mobile device in one of several ways. You get an email that looks like it’s from a trusted source, and so you open an attachment or click on a link that infects your machine. Or you click on a legitimate-looking online ad that actually redirects you to a site that automatically infects your machine. Or you plug an infected USB drive into your machine. Or you visit a site you probably shouldn’t (like one that distributes pirated movies and videogames) and you download an infected file.
- The ransomware infection starts quietly encrypting every file it can find on your hard drive. It may also spread to other machines on your network: application servers, backup servers and colleagues’ PCs, including any file share the infected user can write to. When it has finished that work, it freezes your computer and displays a message: “We’ve encrypted all your files; send us several hundred or several thousand dollars in Bitcoin for the decryption key, or you’ll never see those files again.” Unless the gang botched its cryptography (a few families have, which is where free decryptors come from), they’re right: without that key, you will never decrypt them.
The most popular defenses against ransomware attacks
- Anti-virus / anti-malware scanners. This is the IT equivalent of fingerprint matching: the software scans every file that comes onto your machine and compares that file with its database of malware. Find a match? Get rid of it.
- Behavioral anomaly detectors. These work like your local Neighborhood Watch, monitoring your system for normal, expected behaviors and acting to neutralize a process only when it does something suspicious.
- Application sandboxes. These are similar to a communicable-disease quarantine: they will let a new process execute in the safely walled-off environment of a virtual machine inside your system. If nothing bad happens, the process is allowed to run outside of the sandbox.
- Application whitelists. Think of these as the bouncers at the club with a very strict guest list. IT staffers create a list of known, trusted applications and only allow those to run on your machine. Not on the list? No entry.
- Anti-spam and anti-phishing scanners. These measures attempt to filter out messages, links and attachments that could invite malware onto your system. Think of these as airport security officials, scanning the crowd for people who look fidgety and sweaty.
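The behavioral-detector idea above is easy to picture but worth seeing in code, because it also exposes the limitation discussed below: by the time a rate-based monitor fires, a batch of files is already gone. The following is an added example, not code from the original article or any product it mentions. It watches a stream of file-write events per process and alerts when a process rewrites many files with near-random contents inside a short window. The window, file threshold, entropy threshold, process IDs and the event stream itself are all constructed for illustration.

```python
"""Toy behavioral ransomware detector over a stream of file-write events.

Added example, not from the original article. A process is flagged when,
within a sliding time window, it rewrites many files whose new contents
look encrypted (near-maximal byte entropy). Thresholds and the event
stream are constructed assumptions, not measurements.
"""
import math
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 10        # sliding window per process (assumption)
FILE_THRESHOLD = 20        # high-entropy writes in window before alerting (assumption)
ENTROPY_THRESHOLD = 7.5    # bits/byte; English text is ~4-5, ciphertext ~8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Keeps, per process, the timestamps of recent high-entropy writes."""

    def __init__(self, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.alerted = set()

    def observe(self, ts, pid, path, new_content):
        """Feed one write event; return the pid the first time it crosses the threshold."""
        if shannon_entropy(new_content) < ENTROPY_THRESHOLD:
            return None                      # ordinary content, ignore
        q = self.events[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()                      # drop writes that fell out of the window
        if len(q) >= self.threshold and pid not in self.alerted:
            self.alerted.add(pid)
            return pid
        return None


def simulate(rate_per_second, total_files, seed=1):
    """Run a constructed encrypting process (pid 666) at the given write rate
    alongside a benign editor (pid 100) writing plain text.

    Returns how many files the encryptor had already rewritten when the
    monitor alerted, or None if it never alerted.
    """
    rng = random.Random(seed)
    mon = RansomwareMonitor()
    for i in range(total_files):
        ts = i / rate_per_second
        # benign writer: low-entropy document text, never flagged
        mon.observe(ts, 100, f"/home/u/notes{i}.txt", b"quarterly report draft " * 40)
        # encryptor: random-looking bytes written under a new extension
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        if mon.observe(ts, 666, f"/home/u/doc{i}.docx.locked", blob) == 666:
            return i + 1
    return None


if __name__ == "__main__":
    print("fast encryptor caught after", simulate(10, 50), "files")      # 20
    print("slow encryptor (1 file / 2 s) caught after", simulate(0.5, 50))  # None
```

Two things to take from running it: the fast variant is caught, but only after FILE_THRESHOLD documents have already been overwritten, and a variant that throttles itself to one file every couple of seconds never accumulates enough writes in the window to trip the detector at all. Real products use more signals than this (honeypot files, extension renames, shadow-copy deletion), but the race between threshold and damage is the same.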
These are all good measures to deploy, part of a proper defense-in-depth strategy for protecting endpoints, though most are deployed only by businesses: few consumers install anything more than anti-virus. However, each has weaknesses that ransomware gangsters are very clever about exploiting.
Common weaknesses of ransomware defenses
- Anti-malware scanners can be fooled two ways. One, there’s always a window between the time a new piece of malware debuts and the time that security researchers discover it and add its signature to their databases. Two, cheap malware obfuscation services now exist: for a small fee, a ransomware author can buy a “wrapper” (a crypter or packer) that hides known ransomware signatures from scanners.
- Ransomware attackers work hard to detect and evade behavioral detection software and application sandboxes. If the malware figures out it is under the scrutiny of a behavioral detector or sandbox, it will delay its detonation, or encrypt slowly enough to stay under the detector’s rate thresholds. Even a fast-acting behavioral monitor may not be able to detect a ransomware attack until a large number of valuable files have already been encrypted.
- Application whitelists can be effective, but require significant automation and the ability to handle exceptions intelligently. Without dedicating IT resources to managing them diligently, they can become an obstacle to user productivity.
- Anti-spam and anti-phishing filters are worthwhile but will never be 100% effective. Defeating these measures is another key area of focus by ransomware gangs, or more accurately, the distributors involved in Ransomware-as-a-Service (RaaS) schemes. As long as malicious emails are getting through to end-users, someone will be unwary enough to click on a link or open an attachment they shouldn’t. Once a single machine is breached, ransomware can often spread to nearby endpoints over the network.
Backup — the most reliable method to recover from a ransomware attack
So we’re faced with a tug-of-war between the gangsters and the good guys, and given the statistics (the crooks are projected to earn $1B this year), the bad guys are winning. The good news is that there is one sure-fire method for recovering from a ransomware breach: hybrid backup that combines on-premises (local) backups with backup copies kept in a private or public cloud.
In the wake of a ransomware attack, a scrupulous backup regimen makes it possible to virtually travel back in time to the point before the infiltration occurred. Routine backups enable the restoration of any ransomware-infected system to a clean state prior to the breach. To protect against ransomware variants that can spread across the local network, you’ll also have to maintain backups in an offsite location, usually a private or public cloud. Those offsite copies must be versioned (or otherwise immutable) and not writable from the infected host; a backup job that simply mirrors the current state of a share will faithfully copy the encrypted files over the good ones. The option to perform bare-metal backups – the type that entirely restores the operating system, all applications, and all user data – further ensures that an infected system can be restored to a clean state.
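The “travel back in time” point is concrete enough to model. The following is an added example, not the article’s product or any vendor’s code: an in-memory, content-addressed backup store whose snapshots are never overwritten, next to a plain local backup on a share the infected host can write to. The files, timestamps, the `.locked` rename convention used to spot the ransomed snapshot, and the pretend encryption are all constructed for illustration.

```python
"""Point-in-time restore from an append-only, versioned backup store.

Added example, not from the original article. Models the difference
between a local backup the infected host can overwrite and an offsite
store that only ever adds new snapshots. All data is constructed.
"""
import hashlib
import random
from dataclasses import dataclass


@dataclass
class Snapshot:
    taken_at: float        # constructed "day" number
    files: dict            # path -> sha256 of content


class VersionedStore:
    """Content-addressed store: blobs and snapshots are added, never replaced."""

    def __init__(self):
        self.blobs = {}        # sha256 -> bytes
        self.snapshots = []

    def snapshot(self, tree: dict, taken_at: float) -> Snapshot:
        manifest = {}
        for path, content in tree.items():
            digest = hashlib.sha256(content).hexdigest()
            self.blobs.setdefault(digest, content)   # existing blobs are untouched
            manifest[path] = digest
        snap = Snapshot(taken_at, manifest)
        self.snapshots.append(snap)
        return snap

    def restore(self, before: float) -> dict:
        """Rebuild the newest snapshot taken strictly before `before`."""
        candidates = [s for s in self.snapshots if s.taken_at < before]
        if not candidates:
            raise LookupError("no snapshot older than the requested time")
        snap = max(candidates, key=lambda s: s.taken_at)
        return {path: self.blobs[digest] for path, digest in snap.files.items()}


def first_ransomed_snapshot(store: VersionedStore) -> Snapshot:
    """Earliest snapshot containing the constructed `.locked` rename marker."""
    for snap in store.snapshots:
        if any(path.endswith(".locked") for path in snap.files):
            return snap
    raise LookupError("no ransomed snapshot found")


def fake_encrypt(tree: dict, seed: int = 7) -> dict:
    """Stand-in for the ransomware: random bytes under a renamed path (constructed)."""
    rng = random.Random(seed)
    return {path + ".locked": bytes(rng.getrandbits(8) for _ in range(len(content)))
            for path, content in tree.items()}


def scenario():
    """Return (files recovered from the offsite store, state of the local backup)."""
    offsite = VersionedStore()
    tree = {"/data/plans.xlsx": b"Q3 plan v1", "/data/notes.txt": b"call vendor"}

    # day 1: clean backup to both the local share and the offsite store
    local = dict(tree)
    offsite.snapshot(tree, taken_at=1.0)

    # day 2: a legitimate edit, backed up again
    tree["/data/plans.xlsx"] = b"Q3 plan v2"
    local = dict(tree)
    offsite.snapshot(tree, taken_at=2.0)

    # day 3: ransomware runs; it reaches the mapped share and encrypts the local
    # backup too, and the nightly job uploads the encrypted tree as a new snapshot
    tree = fake_encrypt(tree)
    local = fake_encrypt(local)
    offsite.snapshot(tree, taken_at=3.0)

    # recovery: find the first ransomed snapshot, roll back to the one before it
    bad = first_ransomed_snapshot(offsite)
    recovered = offsite.restore(before=bad.taken_at)
    return recovered, local


if __name__ == "__main__":
    recovered, local = scenario()
    print("recovered:", recovered)
    print("local backup after attack:", sorted(local))
```

The day-2 edit survives because the day-3 upload only added a snapshot; nothing it did could reach the earlier blobs. The local copy on the share is gone, which is exactly why the offsite copy has to be the one the infected host cannot rewrite.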
In short, it’s still a good idea to invest in endpoint security measures and user awareness training to defeat ransomware. But in the end, the chances are that something will slip through, and when it does, without good backups you’ll have no choice but to pay up to recover your files. (Note that paying doesn’t guarantee recovery – some particularly awful thieves will just delete your files after getting their money.) The simpler, more reliable approach is data protection that combines local and cloud-based backups, with the cloud copies versioned so the ransomware cannot reach them. For a real-world example of how a US-based construction company used this strategy, download this case study, “Granite Ridge Builders Protect Their Data from Ransomware”. In future essays in this series, we’ll look at how service providers are building successful offerings based on protecting their customers against ransomware attacks.