Ransomware infections have fallen 30% over the past 12 months according to a research conducted by Kaspersky (Ransomware and Malicious Cryptominers 2016-2018 report), The decline correlates with the crashing price of popular cryptocurrencies,  

This, however, does not mean that corporate security engineers and CISOs can sit back and relax.  Ransomware still remains one of the most popular attack campaigns, and most damaging. Ransomware attacks are especially damaging to small to medium sized business according to a report from Datto.  Datto surveyed over 2,400 MSSPs and over 500,000 managed service clients. The stats show 79% of MSSPs had customers who were affected by Ransomware during the period from Q2 2016 to Q2 2018. Those small to medium size business typically do not have enough security budget and staff to implement sophisticated layers of prevention and detection solutions to fight Ransomware attacks.

Traditionally, most organizations rely on signature-based inspection or Sandbox-based heuristic solutions to detect and defend against Ransomware. While these remain an important component in a best-practices corporate security architecture, they also have major drawbacks which render them ineffective in detecting some of the latest and most sophisticated Ransomware. For starters, there are just way too many new ransomware variants emerging on a daily basis for signature-based solutions to keep up. (According to Kaspersky’s report, there were over 32,000 new ransomware variants in Q3 2016) Sandbox-based solutions are typically deployed on the edge and monitor traffic coming from the internet. However, the perimeter could be completely bypassed using social engineering techniques like phishing and sandbox evasion techniques. Also, it is not effective to deal with zero-day Ransomware attacks, not to mention many times the internet traffic is encrypted makes it even harder to see the actual payloads inside.

Deception can truly be a game changer in terms of detecting Ransomware. The way Ransomware Detection typically works is that some hidden files are deployed as part of the breadcrumbs to endpoint and servers throughout the enterprise environment. When Ransomware infects a host, it will perform a certain set of actions, such as encrypting the files on the infected host,  deleting the shadow backup, creating a registry entry for persistence, encrypting the mapped drive alphabetically or in the reverse order, setting up command and control communication channel back to the mothership, etc.

Different security solutions employ different detection methods. In the case of Acalvio’s ShadowPlex, these malicious activities immediately trigger events on the management console, indicating that  ransomware has detonated. Integrated 3rd party tools can be leveraged to do automated incident response, for example, to quarantine the infected host to prevent the Ransomware from spreading throughout your environment.  

Obviously, ransomware moves fast, so detecting the activity quickly and with enough confidence to act in an autonomous fashion is optimal. Waiting for a human to review and respond could be the difference between minimal impact and complete disaster. Some victims have taken months to recover from these types of devastating attacks. Atlanta’s traffic citation system was offline for six months (if you’re a questionable driver in Atlanta you may not be so sad about that – ).

Compared to other traditional detection solutions, deception-based detection has some unique advantages:

  • Comprehensive protection in your entire environment no matter where the Ransomware attack originates or where it is detonated. Detection is independent of the OS type, file format, delivery methods, encryption algorithm, etc.
  • No need to use signatures or threat intel updates.
  • Detecting the malicious behavior works on zero-day attacks and new variants.
  • High fidelity and low-false positive alerts. Very fast and accurate detection.

In addition, Ransomware detection should  typically be a built-in feature of the deception platform. Not all vendors will offer the same capabilities, so check with your vendor. Deception can also detect many other malicious activities on your internal network, such as lateral movement, pass the hash attacks, data exfiltration, etc. Acalvio ShadowPlex is a leading deception platform which offers all those features mentioned above, and can be delivered from the public cloud or on-prem in a very scalable and flexible manner. It is the most effective way to fight Ransomware on the market.