Ransomware is a generic name for a family of malicious programs designed to lock up endpoints, such as PCs, servers or mobile devices, in various ways. Ransomware encrypts data on the endpoint or revokes access to the endpoint itself, then asks the victim to pay a ransom to regain control of the endpoint. A ransomware attack can affect an individual or organisation anywhere in the world.
Most malware silently persists in the network, carefully surveying the network surroundings, awaiting instructions or the right opportunity to attack your systems. These programs mask their actions to evade detection and attempt to gain elevated privileges.
Ransomware, on the other hand, wants to be discovered. As soon as the program starts encrypting files, it reveals itself to the victim and demands a hefty ransom, many times along with various threats.
Our research into ransomware strains shows that while some are very sophisticated, many are crude and poorly written. But just like an improvised weapon, the less refined strains are easy to produce and can be extremely effective. A piece of malicious code that promotes its own existence upends the way most traditional anti-malware and anti-virus products work. You may think that lacking intricate malicious mechanisms makes ransomware easier to detect. But oftentimes malicious behaviours and techniques are malware's weak spots and make these programs stand out.
Ransomware just wants to cause as much damage as possible. It doesn't need to encrypt all of your files to be successful; it just needs to scramble enough important ones. Ransomware grabs and encrypts anything: quarterly revenue spreadsheets, Word documents, PowerPoint presentations, family photos. And the list goes on. Ransomware fires in all directions and hopes to hit something important. This lack of specificity makes ransomware more difficult to detect. You can't concentrate on defending only certain locations or applications. You have to monitor everything, all the time.
Ransomware takes between 5 and 20 minutes to encrypt every relevant file on the average hard drive. That means that even the slowest, single-threaded ransomware can encrypt several potentially important files in seconds. Since ransomware works quickly, detection and response time is of the utmost importance, which may be problematic for certain behavioural-detection solutions. Unlike detection based on what the code is, detecting what the code does is prone to false positives and requires collecting additional evidence before a verdict is reached. This leads to organisations being compromised with ransomware on a daily basis.
Northdoor and its partner Cybereason researched more than 40 ransomware strains, including Locky, Cryptowall, TeslaCrypt, Jigsaw and Cerber, and identified the behavioural patterns that distinguish ransomware from legitimate applications.
Whether a criminal group or a nation state created the program, all ransomware functions the same way and encrypts as many files as possible. These programs can't determine which files are important, so they encrypt everything that matches a list of file extensions.
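To make the behavioural signals described above concrete (many user documents rewritten with near-random content in a short time, often with a foreign extension appended), here is an added example of a simple detector run over constructed file-write events. It is illustrative code written for this page, not Northdoor's or Cybereason's product logic; the `WriteEvent` record, the extension list, the entropy threshold and the five-files-in-ten-seconds rule are all assumptions chosen for the example. It also shows the false-positive caveat from the text: an image editor saving two JPEGs produces high-entropy writes but is not flagged, because the detector waits for additional evidence before reaching a verdict.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical file-write event, shaped like what an EDR or file-system
# filter driver might emit. This record type is an assumption for the example.
@dataclass
class WriteEvent:
    ts: float                      # seconds since epoch
    pid: int                       # writing process
    path: str                      # file being written
    data: bytes                    # sample of the bytes written
    renamed_to: Optional[str] = None  # new name if the write was followed by a rename

# Extensions of user documents we care about (assumed list for the example).
DOC_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def is_suspicious(ev: WriteEvent, entropy_threshold: float = 7.0) -> bool:
    """One event is suspicious if a user document is overwritten with
    near-random bytes or renamed to an extension outside the document set."""
    if extension(ev.path) not in DOC_EXTENSIONS:
        return False
    high_entropy = shannon_entropy(ev.data) >= entropy_threshold
    ext_changed = ev.renamed_to is not None and extension(ev.renamed_to) not in DOC_EXTENSIONS
    return high_entropy or ext_changed


def detect(events: Iterable[WriteEvent], window: float = 10.0, min_files: int = 5) -> Dict[int, float]:
    """Flag a pid once it has touched `min_files` distinct documents
    suspiciously inside a sliding `window` of seconds. Returns {pid: ts_flagged}.
    A single high-entropy write is not enough; that is the extra evidence
    behavioural detection needs to keep false positives down."""
    recent: Dict[int, List[Tuple[float, str]]] = defaultdict(list)
    flagged: Dict[int, float] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev):
            continue
        hits = [(t, p) for t, p in recent[ev.pid] if ev.ts - t <= window]
        hits.append((ev.ts, ev.path))
        recent[ev.pid] = hits
        if ev.pid not in flagged and len({p for _, p in hits}) >= min_files:
            flagged[ev.pid] = ev.ts
    return flagged


# Constructed sample content: byte values 0..255 repeated gives exactly 8.0 bits/byte,
# which stands in for encrypted output; the text line stands in for a normal save.
RANDOMISH = bytes(range(256)) * 4
TEXT = b"Quarterly revenue, Q3: up 4% on last year. " * 20

# Constructed event stream: a spreadsheet save, an image editor writing two JPEGs,
# and one process rewriting six documents and appending ".locked" within three seconds.
SAMPLE_EVENTS = [
    WriteEvent(100.0, 1000, r"C:\Users\ann\Documents\budget.xlsx", TEXT),
    WriteEvent(101.0, 3000, r"C:\Users\ann\Pictures\holiday1.jpg", RANDOMISH),
    WriteEvent(101.5, 3000, r"C:\Users\ann\Pictures\holiday2.jpg", RANDOMISH),
] + [
    WriteEvent(105.0 + i * 0.5, 4242, rf"C:\Users\ann\Documents\file{i}.docx", RANDOMISH,
               renamed_to=rf"C:\Users\ann\Documents\file{i}.docx.locked")
    for i in range(6)
]

if __name__ == "__main__":
    for pid, ts in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid} flagged at t={ts}: suspend process and alert IT")
```

Only pid 4242 is flagged, at its fifth document (t=107.0), roughly two seconds after it started; pid 3000's two high-entropy JPEG saves stay below the evidence threshold. In a real deployment the flagged pid would be suspended and the user warned, which is the response the page describes.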
Northdoor has developed a solution that takes all these challenges into consideration. Our solution detects ransomware as soon as encryption occurs, either on a computer or on a network drive. Once encryption is detected, we suspend it, warn the IT department and display a popup that warns users their files are at risk and enables them to stop the attack. Our solution will also educate your users on the signs to watch out for when they are under a ransomware attack. Both of these things together ensure that you have the best defences possible against ransomware attacks.
Remember, it takes only one employee on the network to execute ransomware, affect the entire company and stop your business in its tracks!