Stop Ransomware with Network Detection and Response
In 2018, cryptomining malware infected organizations roughly 10 times more than ransomware. However, since then, ransomware has climbed back to the top of the cybercrime landscape. Europol witnessed this resurgence, prompting the law enforcement agency to name ransomware as the top threat in 2019. Although Europol reports overall ransomware attacks are declining, its impact is increasing:
“Even though law enforcement has witnessed a decline in the overall volume of ransomware attacks, those that do take place are more targeted, more profitable and cause greater economic damage. As long as ransomware provides relatively easy income for cybercriminals and continues to cause significant damage and financial losses, it is likely to remain the top cybercrime threat.”
Putting the Dominance of Ransomware into Perspective
Targeted attacks aren’t the only factor behind the ongoing prevalence of ransomware. Several other forces are also at play. Here are just a few of them.
The Rising Costs of Ransomware Infections
Higher ransomware amounts are common. In its Q3 Ransomware Marketplace report, Coveware found that the average ransom payment increased by 13 percent to $41,198 from $36,295. The Wall Street Journal reported that claims managers at cyber insurance providers are regularly dealing with ransom demands that exceed $1 million.
Ransom payments aren’t the only cost associated with ransomware. Coveware found that downtime resulting from a successful ransomware infection increased from 9.6 days in Q2 2019 to 12.1 days in the third quarter. These recovery efforts might be even more complicated in attacks involving the Ryuk and Sodinokibi ransomware families. These attacks increase downtime because they corrupt domain controllers and SQL databases.
Diverse Industries Impacted
Healthcare is one of the industries most targeted by cybercriminals. In its review of ransomware activity between Q1 and Q3 2019, for instance, Emsisoft counted at least 491 ransomware attacks that targeted healthcare organizations—approximately 79 percent of the total number of campaigns observed.
But ransomware actors have other industries in their sights, as well. Barracuda Networks found that at least 50 U.S. cities and towns had been the target of attacks between January and September 2019. In fact, the security firm determined that nearly two-thirds of ransomware attacks for the first half of the year had targeted local, county and state government entities including schools, libraries and courts.
These attacks have sometimes come with a significant price tag for affected governments. For example, WIRED wrote that the City of Atlanta spent at least $2.6 million recovering from a ransomware attack that occurred back in 2018. Meanwhile, the Baltimore Sun reported that the total cost of a recent ransomware attack against Baltimore was expected to exceed $18 million.
The Ease of Setting up a Ransomware Campaign
Another reason why ransomware is still popular is that it’s extremely easy for cybercriminals to set up ransomware campaigns. The 2019 SonicWall Cyber Threat Report, for example, found that activity associated with ransomware-as-a-service (RaaS) platforms and open-source crypto-malware kits escalated in H1 2019. The popularity of these attacks reflects a growing underground marketplace where novice criminals can buy a subscription to use a malware author’s ransomware and keep a share of the ransom payments. To help bad actors use their products, many RaaS organizers even offer ticketing systems and step-by-step instructions to provide support to buyers.
How Organizations Can Protect Themselves
Ransomware is often spread through websites or drive-by downloads to infect an endpoint and penetrate the network. In an ideal world, organizations would be able to block ransomware at the perimeter using firewalls and antivirus software. But this is increasingly difficult, as cyber criminals are increasingly using packers and polymorphic malware to evade detection.
Organizations have found that relying solely on prevention to stop threats doesn’t work. Instead, detection and response technology is a more effective strategy, especially if it combines several technologies into a single platform.
Lastline’s Network Detection and Response (NDR) uses a combination of Network Traffic Analysis (NTA), Intrusion Detection and Prevention Systems (IDPS) and File Analysis to detect and contain the delivery of ransomware before it cripples an organization’s assets:
|● Provides anomaly detection of certificates when traffic is encrypted
● Uses artificial intelligence and machine learning to detect beaconing, anomalous internal file transfers and unusual traffic patterns
|● Detects Command and Control (C&C) traffic
● Uses threat intelligence to identify malicious IPs, domains, etc.
|● Dynamically analyzes file behaviors
● Uses artificial intelligence to detect malicious code