Ransomware Surges in First Half of 2016

By Frédéric Dohen, Territory Manager Luxembourg.

Trend Micro published our mid-year security roundup report, where we covered the biggest threat stories and trends we observed in the first half of 2016. If you have been following the threat landscape, it is not surprising that ransomware was by far the biggest story, with many affected organizations around the world making the news.

We have been doing extensive research into this threat over the years and I want to dive a bit deeper into the most recent trends we’ve seen and how you can protect yourself and your organization from being a victim.


In my 10 years working in cybersecurity I have not seen any specific threat picked up and used as much as ransomware. In the first half of the year, we saw threat actors develop close to 80 new families of ransomware, a 172 percent increase over what we saw in all of 2015. We are also seeing these cybercriminals adopt and adapt their creations to continually evade detection by organizations. We are now even seeing Ransomware as a Service (RaaS) in the criminal undergrounds, making it even easier for threat actors of any skill level to deliver attacks. Why are we seeing such a marked increase in this activity? Because it seems to be working, but also because this is a very visible threat. Most threats try to stay under the radar and remain invisible, but ransomware uses fear and very visual effects to pressure the victim into paying the ransom demand. If you are infected with ransomware, you will know it. We do recommend contacting your local law enforcement or the IC3 if infected, as the most effective way to stop ransomware is to stop making it profitable and put the criminals behind it behind bars.


Below is an example of some recent ransomware families we investigated and the different capabilities each has. You’ll notice, as mentioned above, the actors behind these are trying many different techniques.


Note the different arrival techniques (infection vectors) and the different ransom amounts being demanded from the victims. You can also see the many different types of data being encrypted by these ransomware families. The encryption process itself is similar across families, as there are not many different encryption technologies out there, and the criminals use the same methods the good guys use. The predominant infection vector we have seen is email, whether spam or phishing.


But also notice that exploits and exploit kits are becoming more widely used. In fact, we have seen that the actors behind most of the exploit kits are now serving up ransomware within their kits, again showing that ransomware is becoming the de facto threat used by many actors today.


One other trend we have seen with ransomware is who the threat actors are targeting. In the past this was mostly a threat aimed at consumers, but recently we have seen businesses being targeted predominantly by these actors. This is likely due to a business's greater ability to pay the ransom compared with a consumer, but in many cases we are also seeing much higher ransom demands against businesses in industries where any downtime is critical to them, such as healthcare and manufacturing.


We do expect ransomware to continue to be utilized by cybercriminals around the world for the foreseeable future as it has been effective and profitable for them so far. Besides law enforcement activity in curbing this threat, you and your organization can take steps to help prevent becoming a victim of ransomware.


The key is developing a broad strategy that includes the following:

- Education about how this attack works. A good, short video explaining ransomware and basic security can be found here. Our ransomware definition page will give you a lot of information on what it is and the latest trends.
- Implement a good backup strategy that follows the 3-2-1 model (3 backup copies on 2 different media, with 1 copy in a separate location).
- Develop a layered security approach that includes the following:
  - Block the threat at its source using advanced email and web gateway solutions. At Trend Micro we are blocking more than 98 percent of the ransomware affecting our customers at this layer, keeping the threat entirely off endpoint devices.
  - Boost your endpoint security with purpose-built ransomware features to prevent ransomware from infecting the device. Trend Micro OfficeScan and Worry-Free Security solutions have been adding new features designed from our in-depth analysis of ransomware trends over the past two years.
  - Add a network defense layer that can identify and block ransomware-related behavior, including Command & Control communications.
  - Ensure you have included server security, as we have recently seen threat actors targeting servers in their activities. Trend Micro Deep Security can provide protection for your critical servers, especially the web servers that are being targeted.
  - Finally, make sure you have visibility and control across your security solutions, so that you learn immediately when a threat has been discovered within your network.
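The endpoint and network layers above both rely on spotting ransomware-like behavior rather than a known sample. As an added example (not Trend Micro's code and not from the roundup report), the detector below flags any process that renames or writes an unusual number of files to encrypted-looking extensions inside a short sliding window; the event records, the extension list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch (constructed sample data)
    pid: int       # process that performed the operation
    op: str        # "rename" or "write"
    path: str      # file path after the operation


# Extensions typical of encrypted output; an illustrative set chosen for this
# example, not a vendor-maintained list.
SUSPICIOUS_EXTS = {".locked", ".crypt", ".encrypted", ".enc"}


def detect_mass_encryption(events, window_s=10.0, threshold=20):
    """Return the set of PIDs that produced >= threshold suspicious-extension
    files inside any sliding window of window_s seconds. One such rename is
    ordinary user activity; dozens per process within seconds is not."""
    recent = defaultdict(deque)   # pid -> timestamps of suspicious operations
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in ("rename", "write"):
            continue
        ext = ev.path[ev.path.rfind("."):].lower() if "." in ev.path else ""
        if ext not in SUSPICIOUS_EXTS:
            continue
        q = recent[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev.pid)
    return flagged


def _constructed_events():
    """Constructed stream: a user renaming a few files slowly (pid 4242), a
    process converting a directory in a burst (pid 7777), and a normal
    editor saving plain .txt files (pid 8888)."""
    events = [FileEvent(1000.0 + i * 60, 4242, "rename", f"/home/u/docs/report{i}.locked") for i in range(3)]
    events += [FileEvent(2000.0 + i * 0.1, 7777, "rename", f"/home/u/docs/file{i}.docx.crypt") for i in range(40)]
    events += [FileEvent(2000.5 + i, 8888, "write", f"/home/u/docs/notes{i}.txt") for i in range(40)]
    return events


if __name__ == "__main__":
    print(detect_mass_encryption(_constructed_events()))   # {7777}
```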


While we cannot guarantee 100 percent detection of all ransomware, implementing the approach above can minimize your risk of becoming a victim. If, unfortunately, you do become infected, we have been developing a free tool to decrypt as many ransomware families as possible.


Source: Trend Micro