01 May 2018

Ransomware is building immunity to traditional anti-malware approaches

Ransomware attacks are becoming more frequent, more sophisticated and more expensive for those organisations that fall victim. Protection from the latest virus has long been a priority for the IT manager.

But unlike in the past, when updating to the latest anti-virus and anti-malware versions was enough to keep the wolves at bay, today organisations are having to think and act differently.

“The threat landscape has shifted from ‘known’ to ‘unknown’, making defenders’ jobs harder and harder,” says George Alexandridis, Endpoint Security Specialist, Sophos. “The technology for delivering ransomware is constantly changing which means new approaches are needed.”

The biggest change has been the growing number of malware attacks that have some sort of system ‘exploit’ or vulnerability, hitherto unknown, as the primary vehicle.

In response, the cyber security space is moving to embrace technologies like deep learning and artificial intelligence in the hopes of developing solutions capable of so-called ‘predictive’ security, whereby organisations are protected against certain sorts of attacks yet to even be developed.

Where does Australia sit for Ransomware?

It might surprise you to know the extent to which Australian companies suffered from ransomware attacks in 2017.

That’s likely because such breaches are embarrassing, not to mention potentially very bad for business should they become public knowledge. Understandably, many victims prefer to just keep it to themselves.

According to a 2017 report by cyber security specialists Sophos, 54 percent of Australian organisations had been hit by ransomware in the previous 12 months, with 48 percent of companies reporting being hit at least twice!

The numbers earned Australia the dubious distinction of being in the top 10 countries in the world for ransomware attacks.

And it’s proving very costly.

Just under a third of local companies reported costs related to ransomware attacks of between $17k and $85k. A similar proportion of companies reported hits of between $170k and $850k, 12 percent from $850k to $8.5 million, with 6 percent of companies reporting losses of between $1.7 and $17 million.

Updating traditional anti-malware software isn’t enough

Prevention strategies now look like multi-layered security solutions. One of the most sobering findings of the Sophos report was that a full two-thirds of companies were running the most up-to-date version of their IT security solutions when they were breached.

Even just a few years ago, this was the best most companies could do, because ransomware and most other sorts of threats infiltrated organisations via familiar means.

Those could be a poorly chosen password, a user duped by a fraudster into providing username and password details, or someone opening an attachment without thinking.

However, there is a distinct shift away from these sorts of attacks, where some sort of social engineering is involved, to attacks crafted around a specific ‘exploitation’ of a system vulnerability.

The now infamous Petya and WannaCry ransomware viruses exploited vulnerabilities in Windows, some of which were known albeit obscure, while others had never been seen before.

Deep learning, AI and unknown unknowns

The random ‘unknowability’ of today’s attacks is fast outpacing most cyber security technologies available on the market.

In fact, Sophos reports that even the latest versions of traditional anti-malware and anti-virus software can only protect organisations from about 12 percent of the threats currently out there in the wild.

“Businesses now need to keep up with the bad guys and complement their traditional protection with exploit mitigation techniques, specific ransomware protection and ‘unknown’ payload blocking,” says George. “File-less attacks don’t get detected by traditional and file-based approaches.”

As a first step, companies should adopt the following three-point checklist.

Delivery – Prevent ransomware installing (anti-exploit)

Execution – Quarantine ransomware before it runs (deep learning)

Encryption – Stop malicious encryption, roll back any changes (Sophos Cryptoguard)

Ideally, every organisation would prefer to block any malicious code from ever breaching the firewall. Advanced deep learning techniques such as those embedded in Sophos Intercept X identify and categorise executable content before it is handed over to runtime.

Efficient machine learning models ensure lower false positive rates and higher conviction rates against brand new or unknown malware. It’s also possible to identify and block anything malicious, as well as PUAs (potentially unwanted applications).

But what if the malicious code has already been executed?

Post-execution monitoring detects malicious mass file encryption and halts it, so plain-text files are not left ‘cryptographically’ locked. Not only is all further malicious activity halted, but any files previously affected are returned to their original state.
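The ‘stop malicious encryption, roll back any changes’ layer described above, modelled as a small Python monitor. This is an added illustration, not Sophos CryptoGuard’s implementation: the entropy threshold, the write-count threshold, the process ids and the sample documents are all constructed for the example.

```python
import math
import os
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0   # bits/byte, chosen for this illustration; text ~4-5, ciphertext ~8
MAX_SUSPECT_WRITES = 3    # plaintext-to-ciphertext rewrites tolerated per process (illustrative)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class RollbackMonitor:
    """Toy post-execution monitor: snapshot, count ciphertext-like rewrites per process, block and roll back."""

    def __init__(self, files: dict):
        self.files = dict(files)                 # path -> current content
        self.snapshots = {}                      # (pid, path) -> content before first write
        self.suspect_writes = defaultdict(int)   # pid -> suspicious rewrite count
        self.blocked = set()

    def on_write(self, pid: int, path: str, new: bytes) -> bool:
        """Apply a write; return False if the process is (now) blocked."""
        if pid in self.blocked:
            return False
        prev = self.files.get(path, b"")
        self.snapshots.setdefault((pid, path), prev)
        self.files[path] = new
        # A readable file replaced by near-random bytes looks like in-place encryption;
        # a single occurrence (e.g. a user zipping a document) stays under the threshold.
        if shannon_entropy(prev) < ENTROPY_THRESHOLD <= shannon_entropy(new):
            self.suspect_writes[pid] += 1
            if self.suspect_writes[pid] >= MAX_SUSPECT_WRITES:
                self.blocked.add(pid)
                for (p, f), original in self.snapshots.items():
                    if p == pid:
                        self.files[f] = original     # restore what this process changed
                return False
        return True

def simulate() -> RollbackMonitor:
    """Constructed scenario: a user edits one document, then a rogue process overwrites all four with random bytes."""
    docs = {f"doc{i}.txt": b"Quarterly figures and board minutes. " * 40 for i in range(4)}
    mon = RollbackMonitor(docs)
    mon.on_write(200, "doc0.txt", docs["doc0.txt"] + b"Edited by a user.\n")  # benign save
    for i in range(4):                                          # encryption-like mass rewrite
        mon.on_write(666, f"doc{i}.txt", os.urandom(2048))
    return mon
```

After the third high-entropy rewrite the rogue process is blocked, the two documents it already overwrote are restored, and the user's own edit to doc0.txt survives because snapshots are taken per process.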

More Information

Have you read the full report, The State of Endpoint Security Today?

This Sophos whitepaper paints a sobering security picture. Of 2,700 IT managers surveyed, 87% believe that cyber-threats are becoming more complex and 60% say their cyber defenses are not enough. Further, more than half (54%) of organisations were hit by ransomware in the 12 months to October 2017. Get the full picture here.

Brennan IT has helped some of Australia’s most successful companies identify their IT security vulnerabilities and address them with expert engineers equipped with the best understanding of cyber security and the latest technologies for threat detection and mitigation.