Ransomware is everywhere in the news these days because it is such a successful attack strategy: offshore attackers encrypt your data and demand a ransom for its return. Ransomware was formerly relegated to home users and small sub-$1000 payouts, but the criminals are moving up-market and targeting businesses. Until law enforcement agencies find ways to catch and prosecute these bad actors, ransomware will continue to grow as a problem.
The idea behind ransomware is to encrypt someone's files and then charge a ransom to decrypt them. It is a far more direct revenue model than most hacking schemes, which require stealing data and then reselling it on the black market. Attacks like Cryptowall have become sophisticated: there are hundreds of thousands of variants, and basic anti-virus tools simply cannot keep up as new forms are created every day. But these attacks share common traits, and that is where you can begin to combat them.
Cryptowall and its variants typically rely on phishing, i.e., getting the user to take an action, either opening an infected email attachment or visiting an infected website. These are called social engineering attacks. The email attachment attack is far more common, and because Windows hides known file extensions by default, an attacker can give an executable attachment a name that displays with a seemingly benign extension such as .pdf. Once the attachment is opened, the file does its work silently in the background until the infection is complete and the ransom note is delivered.
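As an added defender-side illustration, not part of the original post, the following Python check shows why the hidden-extension trick works and how a mail gateway could flag such attachments: it compares the name Windows would display, the real final extension, and the file's leading bytes. The extension lists and the sample attachments are constructed for this example.

```python
import os

# Extensions Windows runs directly (a representative subset, assumed for the example)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk"}
# Leading bytes of formats that are commonly used as "benign-looking" attachments
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
MZ_HEADER = b"MZ"  # Windows PE executables start with "MZ"


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file types' is on:
    only the last extension is hidden, so 'invoice.pdf.exe' displays as 'invoice.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str, head: bytes) -> str:
    """Return 'double-extension', 'executable', 'content-mismatch' or 'clean'."""
    stem, last = os.path.splitext(filename.lower())
    # rstrip() defeats padding such as 'invoice.pdf        .exe'
    _, inner = os.path.splitext(stem.rstrip())
    if last in EXECUTABLE_EXTS and inner in MAGIC:
        return "double-extension"          # executable disguised as a document
    if last in EXECUTABLE_EXTS:
        return "executable"                # plainly executable attachment
    if last in MAGIC and not head.startswith(MAGIC[last]):
        return "content-mismatch"          # claims .pdf/.docx but bytes disagree
    if head.startswith(MZ_HEADER):
        return "content-mismatch"          # PE content under a non-executable name
    return "clean"


def scan_samples() -> dict:
    """Constructed sample attachments (name, first bytes) and their verdicts."""
    samples = {
        "invoice.pdf": b"%PDF-1.7\n",
        "invoice.pdf.exe": b"MZ\x90\x00",
        "Invoice.PDF        .exe": b"MZ\x90\x00",
        "statement.pdf": b"MZ\x90\x00",
        "setup.exe": b"MZ\x90\x00",
    }
    return {name: classify_attachment(name, head) for name, head in samples.items()}
```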
This is where Advanced Threat Detection (ATD) plays a crucial role. ATD relies on a sandbox: a secure, isolated environment, generally in a private cloud, where a suspicious file can be opened, or "detonated", and observed for malicious behaviour. It generally works quite well, except that first-generation sandboxes did not offer full system emulation, so malware authors added checks for the capabilities a real system would have and made their code refuse to detonate inside these constricted sandboxes.
ATD that includes a full system emulation sandbox is ideal for tricking such malware into exposing itself. Once exposed, the file can be quarantined and the attack stopped in its tracks.