Ransomware poses an increasingly prevalent and critical threat to enterprises. In 2015, there were nearly 407,000 attempted ransomware infections and more than $325 million extorted from victims1; these numbers are expected to rise. CyberArk Labs tested ransomware samples from more than 30 prevalent malware families, including Cryptolocker, Petya and Locky, in order to better understand common infection, encryption and removal characteristics. - The typical path to encryption, including specific ransomware behavior upon network infection and different “triggers” or actions that prompt the ransomware to execute;
- Discrepancies and commonalities in ransomware execution, depending on access to local administrator rights, standard user permissions, encryption keys and more;
- Mitigation and protection strategies – including endpoint security, best practice backup protocols and application controls – that can significantly lower the risk that ransomware poses to organisations.
? In one of the key findings, testing done by CyberArk Labs demonstrated that application control, including greylisting, coupled with the removal of local administrator rights was 100 percent effective in preventing ransomware from encrypting files. This approach was compared to the effectiveness of other mitigation strategies, including the use of traditional anti-virus software, which relies on known blacklists.
The research also found that while many strains of modern malware require local administrator rights to properly execute, many strains of ransomware do not require these rights. While 70 percent of ransomware attempted to gain local administrator rights, only 10 percent of ransomware would fail to execute if these rights were not attained. Because ransomware behaves differently, organisations need to combine the removal of local administrator rights with application control to prevent file encryption.
“Ransomware has emerged as a credible and opportunistic tactic for attackers, leaving infected organisations with the difficult choice of abandoning hijacked data or paying cybercriminals for the chance to retrieve their files,” said Chen Bitan, general manager, EMEA & APJ, CyberArk. “By analysing how ransomware typically behaves, we’ve been able to gain critical insight into how to help protect against these attacks. Moving beyond traditional anti-virus solutions, which are not effective in blocking ransomware, and adopting a proactive approach to endpoint and server security is an important step in protecting against this fast-moving and morphing malware.”
