What “The Exorcist” Teaches Us About Ransomware Attacks

What “The Exorcist” Teaches Us About Ransomware Attacks.jpeg

Guest Post By Rene Kolga

Ransomware has been around since 1989, yet it remains a very effective malware type for today’s cyberattackers. Accenture's ninth annual Cost of Cybercrime Study (opens a PDF), conducted by the Ponemon Institute, found that ransomware attacks on organizations in 2018 increased 15 percent from the previous year. After all these years, ransomware remains so good at being so bad due to two factors: the security industry's history of largely ineffective responses, and because ransomware developers know how to play on our emotions.

Powerful Psychological Attacks

It reminds me of a scene in the horror movie “The Exorcist.” As the two priests prepare for the climactic exorcism scene, the elder priest warns his younger colleague, “the attack is psychological, Damien, and powerful. So don't listen, remember that, do not listen.”

The priest was referring to the demon possessing the girl in the next room, and (spoiler alert!), not listening proved impossible for one of them.

The same holds true for your users. Inevitably, someone will click on a link in an email -- even one from an unknown source. They need to understand the psychology behind these attacks tries to take advantage of their generosity, eagerness to please their superiors, desire to be thrifty, or other emotional triggers.

For example, CryptoMix (or its latest variant DLL CryptoMix) ransomware promises to send money to charities such as the International Children Charity Organization. I assure you, no money actually goes to any children.

The Security Industry’s Failure

There are a number of approaches the security industry has developed to thwart these attacks, including static file analysis, blacklisting the file extensions ransomware typically uses, deploying so-called honey pot files, tracking file data change rate, or monitoring the file system for mass file operations such as rename, write, or delete within a certain period of time.

Unfortunately, none of them have proven to be consistently effective because they all focus on monitoring for known attack methods, looking for anomalies, predicting the “badness”. Even with billions upon billions of dollars invested in cybersecurity, and decades of companies deploying firewalls and antivirus solutions, ransomware still succeeds.

Malware authors often use tactics like packers, crypters and other tools to obfuscate and change their signatures to help their attacks slip past traditional endpoint detection solutions. They also employ the low-and-slow approach to avoid tripping the various “rate of change” thresholds, among other evasive techniques. That’s why the efficacy of modern antivirus and next gen antivirus solutions consistently falls in the 50 to 80 percentage range (opens a PDF).

How to Thwart Ransomware

Hardening your security posture requires staying up to date with all patches. What made the devastating WannaCry ransomware so frustrating was that it was completely preventable. Microsoft released the patch against the underlying vulnerability almost two months prior to the attack.

Don’t just tell employees they need to remember not to click on the links in suspicious emails. Explain how malware authors will try to play on their emotions to get them to react first and think later.

Also, implement a solid backup strategy. You may already have one in place to guard your servers, whether on-premises or in the cloud. However, your endpoints are also at risk because that’s where at least some of your company’s IP may reside.

Complement your existing security layers with an approach that does the exact opposite - ensuring what’s good. Note I use the word “complement.” Do not rip out your existing solutions! Only when you combine your existing tools focusing on the bad with ones that track the good, by applying a whitelisting-like approach, then you create the most effective defense in depth posture.

Finally, don’t underestimate the threat. As Dave Hylender, a senior risk analyst at Verizon and one of the authors of the 2019 Verizon Data Breach Investigations Report told SearchSecurity.com’s Rob Wright and Mekhala Roy:

"There's an impression that ransomware has sort of run its course. It hasn't. I don't think ransomware is 'back' this year, because I don't think it ever left."

Find Rene Kolga on LinkedIn.