Malware - Ransomware

Ransomware Protection | Protecting Against Ransomware with Email Security

Dimitri Perret

April 03, 2017

4 min

Ransomware Protection

Ransomware is an increasingly hot topic for security and IT teams. Organizations are attempting to fight back against this malicious software, but it is a battle that is hard to win. 

Just last year, ransomware cost businesses $1 billion. And it’s more than just monetary costs -- organizations lose significant operational time and take a negative hit on their reputation with every breach. Less than half of all organizations who are ransomware victims ever fully recover their data, whether they pay up or try to restore from a backup. Effective ransomware protection especially in the form of email security is necessary for defending your organization.

In 2016, ransomware cost businesses $1 billion.

Ransomware Definition

Ransomware is malicious software, or malware, that infiltrates a victim’s computer or device and encrypts all the files on the device that it can access. Until the ransom is paid the files are inaccessible. Sometimes, hackers will add an additional blackmail threat of publicly releasing sensitive data. The vector for ransomware is overwhelmingly an email that convinces users to click on a malicious link or a malicious attachment.

Although there are many ransomware variants, the two most popular are Locky and CryptoLocker. Both types of ransomware are distributed through malicious email attachments and booby-trapped URLs (also usually emailed). Once the ransomware is activated, it quickly encrypts all files it can find on the device and renders them inaccessible. With the encryption complete, hackers request ransom payments for the files to be unencrypted. If victims refuse to pay the ransom or let the deadline pass, many cybercriminals threaten to delete the decryption key or raise the ransom significantly.

Shocking Statistics

Looking back at ransomware statistics from 2016, it is no wonder that ransomware is the number one security concern for organizations.

  • In 2016, ransomware became the most popular form of malware in the US
  • 97% of all phishing emails with malware payloads contained ransomware versus other types of malware
  • There has been 600% growth in new ransomware families since December 2015
  • There were more than 4,000 ransomware attacks each day in 2016
  • At the beginning of 2016, businesses were hit with a ransomware attack every two minutes, but by the end of 2016 that increased to a new attack every 40 seconds

Ding – You’ve got malware!

Ransomware is primarily delivered through email masqueraded as innocent attachments and URLs. Therefore, upping your email security to defend against this type of malware is critical. Unfortunately, standard email filters and anti-virus scanners can’t protect against these sophisticated dangers. Standard filtering systems are signature-based so they can only protect against known attacks.

Cybercriminals know this and adjust their software accordingly. Ransomware is constantly changing and evolving to evade these types of signature-based systems. Subtle variations make it easy for malicious software to slip by filtering systems. Eventually variants are blacklisted, but that usually occurs after they have already claimed a few victims. Just as one variant is blacklisted a new and possibly more dangerous one will be created. So if your organization is only defending against known attacks without security that can detect zero-day variants, you are leaving your proprietary data vulnerable.

Popular Ransomware Variants

  • Locky: A crypto ransomware that often gets delivered through legitimate-looking .doc files. These .doc files contain macros, which is a single coding instruction that automatically expands to perform a specific task. Victims initially receive some type of scrambled invoice document and are instructed to enable macros – allowing the software to infiltrate their device instantly.
  • CryptoLocker: targets Windows computers and is generally delivered by email as a ZIP file which contains an executable file with the filename and the icon disguised as a PDF file. When first run, the payload installs itself in the user profile folder, and adds a key to the registry that causes it to run on startup. It then attempts to contact command and control servers which generate a 2048-bit RSA key pair, and sends the public key back to the infected computer. Local and accessible network files with certain key extension like office documents, CAD files, etc are then encrypted.
  • Philadelphia ransomware: A popular type of ransomware utilized in multiple Ransomware-as-a-Service (RaaS) models. It has many variations as the RaaS model enables non-coders to become cybercriminals through easily customizable and buildable software.
  • TeslaCrypt: This crypto ransomware encrypts files using AES encryption and typically targets Adobe vulnerabilities. This was one of the most popular ransomware variants in early 2016 until the master decryption key was publically released.
  • Cerber: Delivered through malicious links in phishing emails, this crypto ransomware targets Office 365 users and is also used in RaaS scams.
  • Crysis: This crypto ransomware encrypts files not only on the device it is installed on, but also removable drives and network drives, allowing it to easily spread through organizations.
  • Jigsaw: This ransomware encrypts files and then continuously deletes them until the ransom is paid. Initially, file deletion starts slowly but then speeds up until the 72-hour mark when all remaining files are deleted.
  • KeRanger: A newer type of locker ransomware that is receiving attention as one of the first ransomware variants to successfully lock users out of Mac OS applications.

Of course, there are many variants of each variant—which makes it harder for security staff and signature-based email security systems to identify and isolate every attack.

What can you do to defend your organization when you can’t rely on standard email filters?

Advanced Ransomware Protection with Vade Secure

Your organization needs advanced ransomware protection that can detect new variants of ransomware.

Vade Secure’s advanced email protection solution uses artificial intelligence to defend against ransomware, spear phishing, and zero-day attacks. Our multi-layered approach ensures protection by keeping dangerous emails away from employee inboxes.

Our solution uses:

  • Technical analysis
  • Fingerprint analysis
  • Behavioral analysis
  • Comprehensive file analysis

All of these processes work in conjunction to ensure that emails are legitimate. We make sure that emails are really coming from who they say they are, have legitimate attachments, and that URLs don’t lead to counterfeit phishing webpages.

Our solution has successfully detected every variant of Locky and CryptoLocker over the past several years with 100% accuracy.

Want to learn about how are AI-backed software can protect your organization from all types of cyber threats? Contact us today.