Ransomware has emerged as a major epidemic for businesses and consumers. Every day we encounter thousands of malicious samples related to ransomware, ranging from executable files and script downloaders to malicious documents with macros.
Threat actors use a range of techniques to infect victims, from the simplest, such as an executable file attached to an email message, to the most sophisticated, such as drive-by attacks with exploits (even zero-days!).
We found something new emerging in 2016: several targeted attacks with one main goal, to execute ransomware in the victim's network and encrypt as many resources as possible. In such cases, the payment demanded for decryption depends on the number of affected workstations and servers and on the victim type (a small company or a big market player). Very often, as a result of such attacks, the victim cannot use data from its workstations and servers to continue normal operations because the ransomware used full disk encryption.
This leaves victim companies in a state of desperation, and the attackers demand huge payments for the decryption keys. We have encountered cases where the payment demand was more than half a million dollars! In that case, the threat actor used a vulnerability in one popular application server to infect the victim's network and then used several public tools to obtain the privileges necessary to install ransomware on all workstations and servers. As a result, more than 1000 workstations were encrypted.
Security Analyst Summit 2017
• Targeted attacks with ransomware will be the main ransomware trend in 2017
• Protect the perimeter
• In the event of an attack, good IR could help
• DO NOT PAY
• Use security solutions with a behavioral detection component