In his youth, Julius Caesar was taken hostage by Sicilian pirates and held for a ransom of 20 talents of silver (about 0.5 tons). He managed to convince the pirates that he was more important than that and encouraged them to demand 50 talents of silver instead.
They obliged and in doing so bought into a view of Caesar as superior to them. Caesar exploited this to good effect: he acted as the leader of the pirates, he practiced combat exercises with them and even read them poetry.
Eventually, Caesar’s associates returned with the silver and he was let go. He vowed to return to collect his money and kill the pirates and he went to great lengths to make good on his promise.
Caesar kept his cool, survived the hostage situation, and recovered his belongings because he had a plan and a strategy.
Cybercriminals have taken on the role of modern day pirates using ransomware to hold the valuable data of organizations and people hostage. However, with the proper strategies, plans and tools in place, it is possible to survive and recover from a ransomware attack.
A Goodfella’s guide to cybercrime evolution
Ransomware is everywhere and no industry is immune: Police departments, hospitals, nonprofit organizations, banks, and many others have been hit.
It allows the cybercriminal to cut out the steps between a heist of valuable information, such as credit card records and the monetization of that information. It simplifies the demand for the attacker: “Pay me directly!”
It is not surprising that when faced with the choice of losing their files forever or paying a few hundred dollars, organizations without recourse (e.g., up-to-date backups) have been paying up to the tune of more than $25 million in 2015, according to the Departments of Justice and Homeland Security.
By targeting shared files, databases, and other valuable corporate information, attackers can demand larger ransom payments. As such, attacks on high-value shared assets can cause enough pain to coerce payment and in some cases can bring business to a grinding halt.
Basic ransomware survival kit: Data backup and incident response strategies
A solid backup and recovery mechanism is excellent insurance against ransomware. There are merits to having hot backups, cold storage (periodically connected backups), and even offsite cloud backups with version control.
Proper incident response is also key. Once active ransomware has been flagged on a host or is actively encrypting files on a share, every second of response time is critical to limiting damage. Using canary file shares to help spot suspicious file-share activity that could be ransomware is also an effective countermeasure.
Detecting a ransomware attack in progress that has started to hit file shares or a host that is signaling through other means that it is compromised is a major leg up on confronting the ransomware threat. The truth is in the packets.
Detecting ransomware from the comfort of your own network
Ransomware seeks to encrypt as much information – files, directories, shares and other assets – as quickly as possible until it runs out of things of value to hold hostage or is halted by an IT security team. This relentless behavior indicates the presence of ransomware, but only if you know where and how to look.
At Vectra, we have developed an algorithmic method for analyzing network traffic that looks for ransomware behaviors and is able to pick out and recognize this type of activity with extremely high efficacy.
This new Ransomware File Activity detection is included as part of the Vectra X-series platform software, Version 2.5 and later, and has already successfully caught ransomware in the act for several customers.
Ransomware in the real world
A recent ransomware incident at a large healthcare customer highlights the value of making judgments based on attacker behaviors on the network. The behaviors Vectra detected and correlated are illustrated in the user interface shown in Figure 1. What follows is a recap of the events.
Figure 1. The Vectra host page from an actual ransomware attack on a customer site. Vectra triggered three detections based on three attacker behaviors on this host, starting with command and control and culminating with the initiation of encryption of file shares 50 minutes later.
11:01 a.m. – Locky ransomware has been downloaded to a host. Locky reaches out to its command-and-control server and connects successfully.
Vectra triggers a Suspect Domain detection on the connection to an algorithmically generated domain.
11:16 a.m. – The infected host initiates an internal IP scan doing reconnaissance on the network over Port 445 (a port commonly used for SMB file sharing). Locky is on the hunt for high-value targets to encrypt.
Vectra triggers a Darknet Scan detection when it sees the host looking for IP addresses that it knows from experience are not live.
11:53 a.m. – Locky begins encrypting files on a network file share.
Vectra fires a Ransomware File Activity detection that pinpoints the event and affected shares.
12:30 p.m. – The customer confirms that the affected host has been pulled from the network and is being re-imaged.
In this case, Vectra triggered two detections 52 minutes prior to the first encryption of shared network files. In a situation where time is critical and every second counts, this 52-minute advanced warning is crucial to heading off a ransomware attack.
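The two precursor detections in the timeline (an internal scan of addresses that are not live on port 445, and a burst of rename/write activity on a file share) and the canary-share idea from the survival kit section can be reproduced as simple behavioural rules. The following is an added example written for this post, not Vectra's product code; the address range treated as "dark", the canary folder name, the thresholds and the sample log records are all constructed assumptions.

```python
"""Added example (not Vectra's code): two ransomware precursor behaviours from the
timeline, detected over constructed logs. Thresholds, ranges, share and canary
names are illustrative assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
DARK_PREFIX = "10.9."          # assumption: unallocated internal range ("darknet")
CANARY_MARK = "\\_canary\\"    # assumption: decoy folder no user should write to
WINDOW = timedelta(minutes=5)   # fixed time buckets for counting
SCAN_THRESHOLD = 20             # distinct dark hosts on TCP/445 per bucket
FILE_THRESHOLD = 50             # write/rename/delete ops on one share per bucket

def bucket(t):
    return (t - EPOCH) // WINDOW

def darknet_scan_hosts(flows):
    """flows: (time, src_ip, dst_ip, dst_port). Returns sources that reached
    SCAN_THRESHOLD distinct dark hosts on port 445 within one bucket."""
    seen = defaultdict(set)
    for t, src, dst, port in flows:
        if port == 445 and dst.startswith(DARK_PREFIX):
            seen[(src, bucket(t))].add(dst)
    return {src for (src, _), dsts in seen.items() if len(dsts) >= SCAN_THRESHOLD}

def ransomware_file_activity(events):
    """events: (time, src_ip, share, op, path). Returns (src, share) pairs with a
    burst of destructive ops, or any destructive op that touches the canary."""
    counts, flagged = Counter(), set()
    for t, src, share, op, path in events:
        if op not in ("write", "rename", "delete"):
            continue
        if CANARY_MARK in path:
            flagged.add((src, share))
        counts[(src, share, bucket(t))] += 1
    flagged |= {(s, sh) for (s, sh, _), n in counts.items() if n >= FILE_THRESHOLD}
    return flagged

def constructed_logs():
    """Constructed data mirroring the timeline: 10.1.1.50 probes 30 dark addresses
    at 11:16, then renames 60 files on one share at 11:53 and touches a canary."""
    scan, enc = datetime(2016, 3, 1, 11, 16), datetime(2016, 3, 1, 11, 53)
    flows = [(scan + timedelta(seconds=i), "10.1.1.50", f"10.9.0.{i}", 445)
             for i in range(1, 31)]
    flows.append((scan, "10.1.1.51", "10.1.1.10", 445))  # benign file-server access
    events = [(enc + timedelta(seconds=i), "10.1.1.50", "\\\\fs01\\finance",
               "rename", f"\\\\fs01\\finance\\doc{i}.locky") for i in range(60)]
    events.append((enc, "10.1.1.51", "\\\\fs01\\finance", "read", "budget.xlsx"))
    events.append((enc, "10.1.1.50", "\\\\fs01\\hr", "write", "\\\\fs01\\hr\\_canary\\x.docx"))
    return flows, events
```

Running `darknet_scan_hosts` and `ransomware_file_activity` over `constructed_logs()` flags the scanning host first and the share activity later, mirroring the ordering of the detections above; the benign host that only reads from the server is not flagged.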
This occurrence is not unique. Vectra has flagged ransomware-infected hosts for other customers by detecting command and control and other malicious behaviors that are precursors to ransomware attacks.
Ransomware isn’t going away and enterprises must prepare. Having solid backup and recovery mechanisms and plans in place is important. Detecting suspicious activity that is a precursor to a ransomware attack, or an indication that the first few files have been hit, is crucial to stopping the attack before permanent damage is done.
For more information on Vectra’s new ransomware detection capabilities, please visit our resource page.
Jacob Sendowski, Ph.D., is the director of product management at Vectra. Before joining Vectra, he was CEO and co-founder at Souper Products LLC and, prior to that, a product manager at Intel Security. He received an undergraduate degree in electrical engineering from the University of California, San Diego, as well as a graduate degree and a doctorate in electrical engineering from the California Institute of Technology.