Survival of the fittest: keeping ahead of the evolution of ransomware


Do you remember the key events of 1989? Apart from the small matter of the Berlin Wall coming down, this was also when the first ever ransomware attack was seen.

This was the AIDs Trojan horse, which, upon installation, encrypted users’ files and demanded $189 to be sent to a post office box in Panama to ‘renew the license’.

Since then, ransomware attacks have exploded. They have targeted hospitals, utility companies, police forces, local government organisations as well as business of all size, and are showing no signs of slowing down – simply because they are proven to work and earn cash for the criminals behind them.

So how did we get here? How can organisations protect themselves?

From locked screens to encryption

Like most malware, ransomware can originate from opening a malicious attachment in an email, by clicking on a deceptive pop-up, or simply visiting a compromised website.

It threatens businesses in one of two ways: locking a user’s screen or file encryption.

Lockscreen ransomware, as the name suggests, causes a PC to freeze while displaying a message with the criminal’s ransom demand, rendering the computer useless until the malware is removed.

While this is a nuisance for users, it’s survivable because it typically affects a single PC, and is relatively easy to remove – it is the more ‘primitive’ form of ransomware.

File encryption ransomware, on the other hand, quickly emerged in 2013 as a genuine threat to businesses because of its ability to permanently lock users out of their files and data – on individual PCs, and across organisations’ entire networks.

Cryptolocker was the first truly famous ransomware to be observed ‘in the wild’ this year. Using encryption to scramble data until the ransom is paid, this type of ransomware attack has reached epidemic proportions.

Attack methods have become more diverse as ransomware has evolved.

The SamSam variant, for example, which first came to light in January 2016, is not delivered by email but instead targets unpatched servers to encrypt large amounts of data.

Cerber, which emerged in February, is one of the most widespread ransomware types of the last year, and features an audio ransom message delivered using Microsoft Speech API.

Ransomware has also emerged that acts as a virus and can infect machines through removable storage media, like USB devices.

The new ZCrypt ransomware variant does not stop at encrypting the files on the machine at the moment of infection; it is able to monitor file changes and encrypt any new file that the user creates.

Like any other computer virus, it needs to be completely removed from the infected machine to nullify its impact.

Other, highly specialised forms of ransomware are emerging too.

Some are spread via shared files; others are tailored to target smartphones and tablets.

Ransomware is no longer a ‘one size fits all’ form of cyberattack: it can target almost any device and spread from there.

Ransomware readiness

Perhaps it is unsurprising, therefore, that companies in the UK are reportedly stockpiling bitcoins in an attempt to boost their ransomware readiness.

A June 2016 survey by Citrix* found that 35% of large firms of over 2,000 employees are willing to pay up to £50,000 to regain their critical information in the aftermath of an attack.

It’s unfortunately true that the damage caused by sophisticated ransomware variants is difficult to reverse once they have encrypted an organisations’ data, unless the ransom is paid.

However, paying a ransom can never be recommended, since such successes for cybercriminals only encourages future attacks – and there are no guarantees that the decryption key will actually be supplied.

How then can organisations boost their ransomware readiness?

Basic principles of backing up data are essential; you should both make regular backups and store them separately from the organisation’s main network.

This is the only way to ensure that, if the worst happens and a ransomware attack takes hold, critical files and information can be recovered once the infection is removed.

Employee education is also a powerful weapon.

Attachments and links should only be opened from truly trusted sources. If a user is asked to run macros on a Microsoft Office file then the simple answer is – don’t!

Macros are frequently used as the trigger for downloading ransomware, so being asked to run them on a simple Office file is a typical sign of a ransomware attack. Spreading this type of awareness should be a core part of employee IT training.

While keeping traditional antivirus and other signature-based protections up to date is a critical element in a multi-layered security infrastructure, they can be easily bypassed by modern ransomware, and are no longer sufficient on their own.

Organisations need to block ransomware before it infects their network and starts its malicious activity.

More advanced protections, such as threat extraction and advanced sandboxing, are needed to reinforce existing defences and better equip organisations to defend against the constantly evolving ransomware threat.

Threat extraction works on a simple premise: the vast majority of ransomware and malware is distributed via email, hidden in the common file types used for business – Word documents, PDFs, Excel spreadsheets and so on.

So, from a security standpoint, it’s best to assume that any email attachment is always infected – and to extract any potential threat from it before passing it to the user.

Documents attached to emails are deconstructed at the email gateway, and suspicious content (such as macros and external links) removed.

The document can then be reconstructed with known safe elements, and sent onto the intended user. This can be done in seconds, eliminating the risks from infected files without delaying users’ work.

Advanced sandboxing (threat emulation) provides the second element, working in parallel with threat extraction.

Unlike antivirus and other solutions, it is not signature-based.

Advanced sandboxing inspects an incoming file for suspicious elements at a deeper level using several indicators, including dynamic analysis. In addition, by examining activity with CPU-level detection at the chipset instruction level, below the application or OS layers on the processor, the advanced sandbox can see through any evasion techniques built into the malware by its authors, and block the potential infection before it can take hold.

This is a powerful method for detecting emerging, unknown attacks, and more sophisticated (and much rarer) zero-day exploits.

In conclusion, ransomware has evolved and proliferated since 1989, but the basic principles remain the same: take over victims’ machines or data, and extort payment for their release.

However, our awareness of the ransomware threat has not kept pace: most organisations are still using traditional antivirus tools, which often does not detect the latest ransomware.

To combat this attack evolution, we need to evolve our defences, too.


Sourced by Nathan Shuchami, head of advanced threat prevention at Check Point

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...