Ransomware is a computer program designed to encrypt files and then demand a Bitcoin ransom for their release. These malware attacks continue to affect many individuals and businesses. In fact, studies show that in the first quarter of 2017, 60% of all malware attacks were ransomware. Unfortunately, given the success rate of recent outbreaks, ransomware shows no signs of slowing down.
In late June, Australian operations were halted by Petya, a strain of ransomware similar to WannaCry. Companies affected included global law firm DLA Piper, Cadbury, TNT Express, and dozens of other small and medium-sized businesses. While these organisations did not suffer the same damages as businesses in Ukraine (the main target of Petya); the impact of ransomware is still significant. Besides the ransomware fee, companies can lose more than $20,000 per day because employees can’t access their files.
Apart from data backups, there’s usually no other way to recover your files. This means your focus should be finding ransomware early and preventing it. With that in mind, here’s how you can detect ransomware before it encrypts all your files.
Use email security solutions
One way to detect ransomware is by implementing good email security. Considering that a majority of ransomware attacks are delivered via email; it’s important to secure your inboxes with email threat scanners like the ones offered by Barracuda. These tools search for security threats that have bypassed perimeter security and now reside in your inbox. This will help you find and avoid phishing emails with ransomware disguised as seemingly innocuous file attachments. Unsolicited messages or spam mail are flagged and quarantined right away to reduce the chances of encountering ransomware-ridden file attachments.
Run intrusion prevention systems
On top of email threat scanners, high-end intrusion prevention systems (IPS) stop users from downloading current and new ransomware strains using two detection methods. The first is signature-based detection; whereby the IPS inspects network traffic for any known ransomware strains like WannaCry.
Secondly, anomaly-based detection scans incoming and outgoing web traffic and looks for patterns (or abnormalities) that could indicate a ransomware intrusion. This helps you block ransomware strains that have yet to be catalogued; for example, CryptoLocker and its variant CryptoWall.
Check for suspicious file behaviour
Ransomware, in any iteration, behaves in somewhat similar ways. For starters, if you notice files are quickly being renamed or are receiving new file extensions (.locky or .wncry); then ransomware could be at work. Also, if files are being deleted automatically; this is another way to detect ransomware as it is attempting to create new, encrypted versions of your data.
Monitoring this behaviour is fairly simple. First, enable “file audit” logs (in Windows) to get a full account of any changes made to specific files. Then, create a rule in your Security Information and Event Management (SIEM) software to flag processes that are renaming or deleting files once a certain threshold is reached.
For example, the rule might state: “If there are more than 300 file modification events in less than 4 minutes for the same folder, flag this process.” If your SIEM software points you to any programs that meet these conditions; you can choose to quarantine them for further inspection.
Monitor file entropy values
Observing changes in file entropy values can also help you identify ‘ransomwared’ files. In IT, a file’s entropy refers to the ‘randomness’ of the data within it; measured on a scale from one to eight. Entropy values close to eight typically indicate the file is encrypted or compressed; and because ransomware uses advanced encryption algorithms, infected files will likely have higher entropy values as well.
To assess whether a file is infected; advanced endpoint security software can be used to calculate and monitor file entropy values. You can even set your security software to flag any programs that change a file’s entropy and give you the option to either terminate the suspected ransomware or turn off the system to contain the infection.
Test software in a controlled environment
Another way you can improve ransomware detection is with “sandboxing” features available in next-generation antivirus software. The idea is to execute untested or untrusted programs in an isolated virtual machine to protect the rest of your files from possible infection. In other words; it’s a safe space to test software and check whether it’s safe to use or if it contains ransomware.
Never forget security best practices
While all the above mentioned tools and strategies help you discover and limit the impact of ransomware; don’t forget the essentials. Always make sure to update your operating systems and security software, get in the habit of maintaining your backup files, and practice caution with every email, website, or link. These simple practices can save you a lifetime in lost productivity, non-compliance issues, and loss of customer reputation.
Not only are ransomware attacks growing in frequency, they’re also growing in sophistication. To avoid infection; you need powerful anti-ransomware solutions. When you partner with Empower IT; we can help you avoid and detect ransomware with a multi-layered security system and expert support from our team.