Strengthening the Defense Against Ransomware Attacks

The second article in our two-part series on this growing threat.

In a recent post, we discussed the emergence of ransomware – a cyberattack in which hackers remotely lock files, in order to extort ransom payments – as perhaps the fastest-growing form of cybercrime.

Here, we’ll share Observable’s perspective on why ransomware attacks are flourishing, and detail some innovative capabilities that Observable has introduced to help combat the threat.

If you think about ransomware as a business undertaking, it enjoys several structural advantages that other forms of cybercrime may not. The barriers to entry are minimal: experts say that one can mount a major ransomware operation for as little as $20,000-$40,000, most of it spent on email addresses (for targeting) and server hardware. The rewards are exponential, because the owners of business-critical data that has been locked (via encryption) can’t do business without it, and may conclude that they have no choice but to pay up. What’s more, most victims don’t want to report their misfortune, for fear of unnerving their customers, clients, or constituents.

Small wonder, then, that IT and security professionals are anxiously looking to security solution vendors for help. Most ransomware enters the target organization’s network as a virus. But antivirus software has been hard-pressed to keep up with this threat, as the volume of attacks increases, and newer variants of malware have emerged that can access files that are shared on an internal network.

One clear sign that a ransomware attack may be imminent is a spike in network activity. Observable’s Dynamic Endpoint Modeling solution has always been good at detecting spikes in traffic that might indicate ransomware is damaging network-hosted files. Since ransomware can do a lot of damage in a short amount of time, though, it’s essential to take additional steps in order to shorten the time-to-detection of any attack.

Keeping Ahead of the Adversary

Recently, Observable has been working with customers to add a powerful “early warning” capability to their defense. Many IT administrators have set up sentinel files, which – when watched continually for changes – can give an early warning of malware activity.

The Observable sensor can now host a shared directory with a monitored sentinel file. When the sensor detects changes, it immediately reports the modifier’s (potential attacker’s) IP address and hostname, and an alert is generated. The Observable sensor can also monitor an existing network share, though in this case, the IP address and hostname of the modifier (potential attacker) would be inferred from network activity.
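The sentinel-file idea described above, as an added example that is not Observable's code: it covers only the file-watching half (detecting that a sentinel was changed, replaced with encrypted-looking content, or renamed away), not the attribution of the change to an IP address or hostname. The function names, the file name and the entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def fingerprint(path):
    """Return (sha256 hex digest, size, Shannon entropy in bits/byte) of a file."""
    with open(path, "rb") as f:
        data = f.read()
    entropy = 0.0
    if data:
        n = len(data)
        entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return hashlib.sha256(data).hexdigest(), len(data), entropy


def check_sentinel(path, baseline, entropy_threshold=7.0):
    """Compare a sentinel with its baseline; an empty list means unchanged."""
    if not os.path.exists(path):
        return ["missing"]  # deleted, or renamed with a new extension
    digest, _size, entropy = fingerprint(path)
    findings = []
    if digest != baseline[0]:
        findings.append("content-changed")
        # Plain text sits well below 7 bits/byte; encrypted data is close to 8.
        if baseline[2] < entropy_threshold <= entropy:
            findings.append("high-entropy")
    return findings


def demo():
    """Constructed scenario: unchanged, overwritten with random bytes, renamed."""
    results = []
    with tempfile.TemporaryDirectory() as share:
        sentinel = os.path.join(share, "000_ledger_backup.txt")  # constructed name
        with open(sentinel, "w") as f:
            f.write("Quarterly ledger placeholder text.\n" * 100)
        baseline = fingerprint(sentinel)
        results.append(check_sentinel(sentinel, baseline))
        with open(sentinel, "wb") as f:
            f.write(os.urandom(4096))  # stands in for encrypted content
        results.append(check_sentinel(sentinel, baseline))
        os.rename(sentinel, sentinel + ".locked")
        results.append(check_sentinel(sentinel, baseline))
    return results


if __name__ == "__main__":
    for step, findings in enumerate(demo(), 1):
        print(step, findings or "unchanged")
```

Run on a schedule or from a file-change notification, any non-empty result is the early-warning event; the shorter the check interval, the shorter the time-to-detection.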

Meanwhile, tracking of the command-and-control servers that criminals use for their ransomware operations has improved significantly in recent months. “Ransomware tracking” analysts monitor the status of domain names, IP addresses, and URLs that are associated with ransomware, and offer blocklists to enterprises, antivirus vendors, and security solution providers. We have incorporated this ransomware-server tracking capability into Observable’s standard watchlist alerting mechanism.

As the threat from ransomware grows and changes, the need for innovative response grows apace. Observable’s Dynamic Endpoint Modeling solution is continuously evolving, to help you stay ahead of the data hostage-takers.
