What We’re Learning about Ransomware, and How Security Is Stepping Up to the Task

Tuesday, November 08, 2016

Hatem Naguib


If anything is certain about the latest ransomware trends we’ve been tracking, it’s that no one is immune to an attack. Ransomware attackers don’t discriminate: they have been successful at extorting money from all types of people and organizations, and as long as there’s a way for them to find you, there’s a risk. Victims range from hospitals and police stations holding confidential records to grandparents who are online simply to see photos of their grandkids. Attackers know that the more people they attempt to swindle, the better their chances of finding someone who isn’t prepared and might be willing to pay a ransom to get their files back.

The good news is that the more we learn about these attacks, the better equipped we are to identify and protect against them. We now know that ransomware is delivered primarily through email, with a few exceptions such as compromised websites, file-sharing sites or infected thumb drives. If we look at the characteristics of ransomware attacks that use email as the threat vector, we see commonalities that everyone can use to keep themselves and their organizations safe. Here’s what we’re finding about email-borne ransomware and how these modern threats are causing the security landscape to adjust:

Mailbox Protection in the Age of Advanced Threats

Email security is nothing new. However, traditional approaches based on identifying bad senders, scanning messages for keyword patterns and running signature-based virus detection are no longer sufficient in the face of advanced threats. To stop attackers who are adept at evading these basic techniques, organizations should evaluate email security solutions that offer deep learning capabilities, multi-level intent analysis, advanced threat detection and real-time link protection. Simply scanning email to ensure it is free of spam and known malware is no longer enough.

Let’s take a deeper look at some of the security technology available for protection against today’s advanced threats.

Deep Machine Learning

Over the last five years, tremendous progress has been made in the field of artificial intelligence (AI) – more progress than in the fifty years prior. The progress is driven by the availability of computing power and advanced algorithms that enable machines to beat contestants in Jeopardy, find medical cures and drive our cars. It stands to reason that the same approach can be used to ensure that we do not receive bad email.

Deep learning is only as effective as the data used to train it. The more diverse the training set, the more likely it is that malicious messages are caught while the good ones are still delivered. Deep learning is responsible for ensuring that some of the most nefarious messages never reach a user’s inbox.

Multi-Level Intent Analysis

Sometimes the true intent of a message can only be discovered by following the links embedded in the email, and then following the links on the resulting websites. The nefarious content may be buried several hops deep to avoid detection. Security engines must be capable of discovering it and making sure that the message linking to the bad external content is blocked.
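As an added illustration of the depth-limited link following described above (example code written for this article, not a vendor's engine), the following Python walks outward from the links in a message, breadth-first, for at most a fixed number of hops. The "web" it crawls is a constructed in-memory graph of placeholder `.invalid` URLs with the bad page three hops away, and the reputation check is a constructed set; a real engine would fetch each page in an isolated environment and extract anchors, meta-refresh targets and script-driven redirects.

```python
from collections import deque
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for the pages reachable from the email: each URL maps to
# the outbound links found on that page. The malicious page is three hops away.
PAGE_GRAPH: Dict[str, List[str]] = {
    "http://newsletter.example.invalid/": [
        "http://legit.example.invalid/",
        "http://cdn.example.invalid/promo",
    ],
    "http://legit.example.invalid/": ["http://newsletter.example.invalid/"],  # loops back
    "http://cdn.example.invalid/promo": ["http://redir.example.invalid/go"],
    "http://redir.example.invalid/go": ["http://dropper.example.invalid/setup"],
}

# Constructed reputation list (placeholder URL, not a real indicator).
KNOWN_MALICIOUS = {"http://dropper.example.invalid/setup"}


def fetch_links(url: str) -> List[str]:
    """Stand-in fetcher: returns the outbound links of a page in PAGE_GRAPH."""
    return PAGE_GRAPH.get(url, [])


def analyse_intent(
    start_urls: Iterable[str],
    fetch: Callable[[str], List[str]],
    is_malicious: Callable[[str], bool],
    max_depth: int = 3,
) -> Optional[List[str]]:
    """Follow links breadth-first from the URLs in a message, at most max_depth
    hops away. Returns the chain of URLs leading to the first malicious page,
    or None if nothing bad is reachable within the depth limit."""
    queue = deque((u, [u]) for u in start_urls)
    seen = set(start_urls)            # avoid re-fetching pages that link in a loop
    while queue:
        url, chain = queue.popleft()
        if is_malicious(url):
            return chain
        if len(chain) - 1 >= max_depth:   # this page's distance from the email
            continue
        for nxt in fetch(url):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, chain + [nxt]))
    return None


def run_demo():
    """Same message scanned with a shallow and a deeper follow limit."""
    links_in_mail = ["http://newsletter.example.invalid/"]
    bad = lambda u: u in KNOWN_MALICIOUS
    shallow = analyse_intent(links_in_mail, fetch_links, bad, max_depth=2)
    deep = analyse_intent(links_in_mail, fetch_links, bad, max_depth=3)
    return shallow, deep
```

With a limit of two hops the scan finds nothing and the message would be delivered; with three it returns the full chain from the newsletter link to the malicious page, which is the evidence needed to block the message.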

Advanced Threat Detection

Malicious email attachments are a primary means of spreading ransomware. The classic way of detecting bad files was to compare the signature of a known malware file to the attachment. This process worked well when malware writers developed a single program and tried to distribute it to millions of computers: it was a race between the malware distributor and the security companies to discover the malware, analyze it, develop a signature and publish it to all systems that needed protection. To detect today’s threats, files should be checked against a cryptographic hash database that is constantly updated. When a file is unknown, it should be emulated in a virtual sandbox where malicious behavior can be discovered. Administrators need granular, file-type-based control, including automatic quarantine and blacklisting features, to maintain the highest level of protection.
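The three checks just described (hash database, file-type policy, sandbox for unknown files, with automatic blacklisting of what the sandbox condemns) are shown below as an added Python example written for this article; it is not code from any vendor's product. The policy lists, the magic-byte table, the attachment bytes and the sandbox (a plain dictionary of digest to verdict) are all constructed for the example, and the hashes it blacklists are hashes of those constructed bytes, not real indicators.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Verdict(Enum):
    BLOCK = "block"            # known-bad hash, policy violation or sandbox hit
    QUARANTINE = "quarantine"  # unknown file held until sandbox emulation reports
    ALLOW = "allow"


# Assumed administrator policy (constructed for the example): extensions that are
# blocked outright, and document/archive types that are only released after a
# clean sandbox result when their hash is unknown.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta"}
SANDBOX_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".pdf", ".zip"}

# Leading bytes used to recognise the real container type regardless of the
# file name given to the attachment.
MAGIC = {
    b"MZ": "pe",                  # Windows executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",         # also OOXML Office documents
    b"\xd0\xcf\x11\xe0": "ole",   # legacy binary Office documents
}


@dataclass
class Attachment:
    filename: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_magic(data: bytes) -> Optional[str]:
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return None


def extension_of(name: str) -> str:
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def triage(att: Attachment, known_bad: Set[str],
           sandbox_verdicts: Dict[str, str]) -> Tuple[Verdict, str]:
    """Apply the checks in order: hash database, file-type policy, sandbox
    result for unknown files. Returns the verdict and the reason for it."""
    digest = sha256_hex(att.content)
    # 1. Cryptographic hash lookup against the continuously updated database.
    if digest in known_bad:
        return Verdict.BLOCK, "known-bad hash"
    ext = extension_of(att.filename)
    kind = detect_magic(att.content)
    # 2. File-type policy: executables are blocked even when renamed.
    if ext in BLOCKED_EXTENSIONS or kind == "pe":
        return Verdict.BLOCK, "file-type policy (%s)" % (ext or kind)
    # 3. Unknown document/archive: hold it until the sandbox has emulated it.
    if ext in SANDBOX_EXTENSIONS or kind in ("ole", "zip", "pdf"):
        result = sandbox_verdicts.get(digest)
        if result is None:
            return Verdict.QUARANTINE, "unknown file, awaiting sandbox emulation"
        if result == "malicious":
            known_bad.add(digest)  # automatic blacklisting for future copies
            return Verdict.BLOCK, "sandbox observed malicious behaviour"
    return Verdict.ALLOW, "no indicator"


def run_demo():
    """Constructed attachments walked through the pipeline; returns the outcomes."""
    known_bad: Set[str] = set()
    sandbox: Dict[str, str] = {}   # stand-in for the sandbox: digest -> verdict
    pe_bytes = b"MZ\x90\x00" + b"\x00" * 16
    ole_bytes = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed-macro-doc"
    samples = [
        Attachment("invoice.exe", pe_bytes),       # blocked by extension
        Attachment("invoice.pdf", pe_bytes),       # renamed executable, caught by magic
        Attachment("report.docm", ole_bytes),      # unknown: quarantined
        Attachment("notes.txt", b"plain text"),    # allowed
    ]
    outcomes = [triage(a, known_bad, sandbox)[0].value for a in samples]
    # The sandbox finishes and reports the document as malicious ...
    sandbox[sha256_hex(ole_bytes)] = "malicious"
    outcomes.append(triage(samples[2], known_bad, sandbox)[0].value)  # blocked, hash blacklisted
    # ... so a renamed copy is now stopped by the hash check alone.
    outcomes.append(triage(Attachment("report_v2.doc", ole_bytes), known_bad, sandbox)[1])
    return outcomes
```

The order matters: the hash lookup is cheapest and catches everything already condemned, the policy check stops renamed executables whatever their extension, and only the residue of unknown documents pays the cost of sandbox emulation.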

Real-Time Link Protection

Often, at the time a message is scanned and delivered, the included links point to perfectly safe websites. Minutes, hours or even days after the message is sent, attackers modify the site to carry malicious content. To protect the user from reaching such sites, the original links in the message can be rewritten so that every click is redirected through a site operated by your security vendor, which makes a real-time determination of whether the target website is safe. If the site has turned bad, the user receives a warning and is stopped from proceeding any further.
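The rewrite-and-check-at-click mechanism above, as an added Python example written for this article (not a vendor's implementation). The click endpoint URL and the signing key are assumed placeholders, the reputation service is a dictionary standing in for a real-time lookup, and the message body is constructed. The signature on each rewritten link is an addition that the passage does not mention: it lets the click endpoint refuse a link whose original-URL parameter has been altered after delivery.

```python
import hmac
import hashlib
import re
from typing import Callable, Tuple
from urllib.parse import parse_qs, quote_plus, urlencode, urlparse

# Assumed values for the example: the vendor's click-check endpoint and the key
# used to sign rewritten links. Both are placeholders, not real services or keys.
REWRITE_ENDPOINT = "https://safelinks.example-vendor.invalid/click"
SIGNING_KEY = b"constructed-signing-key"

# Plain http(s) URLs in a text body (stops at whitespace and HTML delimiters).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sign(url: str) -> str:
    """HMAC over the original URL so the click endpoint can detect tampering."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Replace every link with one that routes through the vendor endpoint."""
    def repl(match: "re.Match") -> str:
        url = match.group(0)
        return REWRITE_ENDPOINT + "?" + urlencode({"u": url, "sig": sign(url)})
    return URL_RE.sub(repl, body)


def resolve_click(rewritten: str, reputation: Callable[[str], str]) -> Tuple[str, str]:
    """Called when the user clicks. Verifies the signature, then asks the
    reputation service about the target now, not when the mail was scanned.
    Returns (action, original_url) with action in allow / warn / reject."""
    params = parse_qs(urlparse(rewritten).query)
    url = params.get("u", [""])[0]
    sig = params.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig, sign(url)):
        return "reject", url          # forged or altered rewrite
    if reputation(url) == "malicious":
        return "warn", url            # site turned bad after delivery
    return "allow", url


def run_demo() -> Tuple[str, str, str]:
    """Delivery-time vs click-time outcome for one constructed message."""
    reputation_db = {}   # stand-in for the vendor's real-time reputation service
    lookup = lambda u: reputation_db.get(u, "clean")
    original = "http://promo.example.invalid/deal.html"
    body = "Big savings inside: " + original + " (offer ends Friday)"
    rewritten_body = rewrite_links(body)
    link = URL_RE.search(rewritten_body).group(0)
    at_delivery = resolve_click(link, lookup)[0]     # clean at scan time
    reputation_db[original] = "malicious"             # site is changed later
    at_click = resolve_click(link, lookup)[0]         # caught at click time
    forged = link.replace(quote_plus(original), quote_plus("http://other.example.invalid/"))
    tampered = resolve_click(forged, lookup)[0]       # signature no longer matches
    return at_delivery, at_click, tampered
```

The same rewritten link yields "allow" right after delivery and "warn" once the reputation service learns the site has turned malicious, which is exactly the gap that scan-time-only checking leaves open; the third result shows the endpoint rejecting a link whose target parameter was altered.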

There’s no denying that ransomware and other advanced threats have quickly become a mainstream security issue, but it’s encouraging to see that the security industry is taking on the challenge with advanced security technologies of its own. As we’ve mentioned in the past, if advanced threats are a concern, you always have the option of working with your security providers on an assessment to ensure your level of protection is up to date.
