A recent analysis from email-filtering vendor PhishMe found that by the end of March 2016, 93 percent of all phishing emails carried ransomware payloads, up from 56 percent in December and just 10 percent during the rest of 2015. Vendors like FireEye and Symantec have joined the chorus of security specialists noting an explosion in ransomware this year, one that has made Australia the top ransomware target in the APAC region and, indeed, among the top targets in the world.
While there's no guarantee that a specific company will be hit by a specific campaign, the sheer volume of ransomware - and its tendency to spread via social-engineering lures that remain frighteningly effective at tricking employees into running malicious attachments - makes it inevitable that businesses will eventually face this threat. Business and IT executives must be prepared with a policy for how they would deal with a ransomware attack, whose impact can often be blunted by the regular, tested backup procedures that many businesses still lack.
However, says Smith, the right monitoring infrastructure can pick out the telltale signs of ransomware as it executes for the first time - and stop it dead in its tracks. This becomes possible once a security-analytics tool has run long enough to learn a baseline of normal process, disk, network and user activity against which new behaviour can be compared.
When the baselining is done correctly, the telltale signs of new ransomware executing stand out like a sore thumb: new system processes are launched; a surge in disk activity becomes obvious as the ransomware enumerates and rewrites files; the ransomware may 'phone home' to fetch an encryption key for its work; and new libraries are loaded to handle the actual encryption of the files.
Each of these activities leaves traces that a security-analytics platform with sensitive enough algorithms can pick out of a stream of host and network telemetry. By combining detection with policies that define what is and isn't allowable, it's possible to catch the activity of even previously unknown ransomware. The same signals also fire for legitimate bulk jobs such as backups or patch rollouts, so the baseline has to account for them or the alerts will drown in false positives.
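The following is an added example, not code from the article, from Smith, or from any vendor's product, showing the baseline-then-compare logic the passage describes. It learns what a quiet minute of endpoint activity looks like from constructed history, then scores a new window for the four signs listed above: a never-seen process, a disk-write surge (a z-score against the learned write rate), an outbound connection to a host the endpoint has never contacted, and a never-seen library being loaded. The event format, process and library names, IP addresses (from the TEST-NET range), write counts and both thresholds are all hypothetical.

```python
"""Baseline-then-detect over constructed endpoint telemetry.

Added example: learns per-window 'normal' from quiet history, then scores a
new window for the four signs the text lists (new process, disk-write surge,
outbound connection to an unseen host, new library loaded). All event data,
thresholds and field names are hypothetical.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0     # writes-per-window z-score counted as a surge (hypothetical)
BLOCK_THRESHOLD = 3   # indicators needed before policy blocks the process (hypothetical)


def quiet_window(n_writes, image="winword.exe"):
    """Construct one minute of ordinary office activity: a known process,
    known libraries, n_writes document writes, a connection to a known server."""
    events = [
        {"type": "process_start", "image": image},
        {"type": "module_load", "image": image, "module": "kernel32.dll"},
        {"type": "module_load", "image": image, "module": "user32.dll"},
        {"type": "net_connect", "image": image, "dest": "10.0.0.5"},
    ]
    events += [
        {"type": "file_write", "image": image, "path": f"C:\\Users\\alice\\Documents\\doc{i}.docx"}
        for i in range(n_writes)
    ]
    return events


def ransomware_window():
    """Construct the first minute of a hypothetical ransomware run."""
    image = "invoice_scan.exe"
    events = [
        {"type": "process_start", "image": image},
        {"type": "module_load", "image": image, "module": "bcrypt.dll"},
        {"type": "net_connect", "image": image, "dest": "203.0.113.7"},  # key fetch, TEST-NET address
    ]
    events += [
        {"type": "file_write", "image": image, "path": f"C:\\Users\\alice\\Documents\\doc{i}.docx"}
        for i in range(340)
    ]
    return events


# Twelve quiet windows of history (constructed write counts).
HISTORY = [quiet_window(n) for n in (12, 9, 15, 11, 8, 14, 10, 13, 12, 9, 11, 10)]


def build_baseline(history):
    """Learn what normal looks like from past windows."""
    writes = [sum(1 for e in w if e["type"] == "file_write") for w in history]
    return {
        "write_mean": mean(writes),
        "write_sd": pstdev(writes) or 1.0,   # flat history: avoid division by zero
        "processes": {e["image"] for w in history for e in w},
        "modules": {e["module"] for w in history for e in w if e["type"] == "module_load"},
        "dests": {e["dest"] for w in history for e in w if e["type"] == "net_connect"},
    }


def score_window(window, baseline):
    """Return the list of indicators in this window that deviate from the baseline."""
    indicators = []
    new_procs = {e["image"] for e in window} - baseline["processes"]
    if new_procs:
        indicators.append(f"new process: {sorted(new_procs)}")
    n_writes = sum(1 for e in window if e["type"] == "file_write")
    z = (n_writes - baseline["write_mean"]) / baseline["write_sd"]
    if z > Z_THRESHOLD:
        indicators.append(f"disk write surge: {n_writes} writes (z={z:.1f})")
    new_dests = {e["dest"] for e in window if e["type"] == "net_connect"} - baseline["dests"]
    if new_dests:
        indicators.append(f"outbound to unseen host, possible key fetch: {sorted(new_dests)}")
    new_mods = {e["module"] for e in window if e["type"] == "module_load"} - baseline["modules"]
    if new_mods:
        indicators.append(f"new library loaded: {sorted(new_mods)}")
    return indicators


def evaluate(window, baseline):
    """Combine detection with policy: block once enough indicators line up."""
    indicators = score_window(window, baseline)
    return {"indicators": indicators, "block": len(indicators) >= BLOCK_THRESHOLD}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for name, window in (("quiet", quiet_window(13)), ("ransomware", ransomware_window())):
        print(name, evaluate(window, baseline))
```

A single indicator is deliberately not enough to block: a software update also launches a new process and loads new libraries, and a backup job also produces a write surge. Requiring several indicators to coincide in the same window from the same process is what keeps the policy from firing on ordinary bulk activity.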
"There are many places along the chain of activities - some at the network level, some at the server level, some at the user end - where ransomware can be interrupted," says Smith. "It's really important to look at all the attack surfaces. And we find more bad things happening by looking at network behaviour anomalies than anything else."
Network anomalies are only one of several telltale signs of ransomware activity, however: even user behaviour can become a key indicator of attack if monitoring systems detect activity that doesn't fit previously observed behaviour - for example, if a user's account suddenly and repeatedly tries to access a server that the user is not authorised to access.
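As an added example of the user-behaviour check just described (again not code from the article or from any product), the block below builds a per-user profile of the servers each account normally reaches from a constructed access log, then flags accounts that are repeatedly denied on servers outside their own profile, which is the pattern of a compromised or misused account probing for more to encrypt. The log format, hostnames, user names, dates and the repeat threshold are hypothetical; malformed lines are skipped rather than trusted.

```python
"""User-behaviour anomaly over constructed access logs.

Added example: builds a per-user profile of servers normally accessed, then
flags accounts that repeatedly try, and fail, to reach servers outside that
profile. The log format, hostnames and threshold are hypothetical.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) server=(?P<server>\S+) result=(?P<result>ALLOWED|DENIED)$"
)
MIN_DENIED = 5  # repeated-failure threshold within one window (hypothetical)

# Constructed baseline: over ten days each account touches the same few servers.
BASELINE_LOG = "\n".join(
    f"2016-04-{day:02d}T09:00:00 user={user} server={server} result=ALLOWED"
    for day in range(1, 11)
    for user, server in (("alice", "fileshare01"), ("alice", "mail01"),
                         ("bob", "fileshare01"), ("carol", "fileshare01"),
                         ("carol", "build01"))
)

# Constructed detection window: alice's account hammers an HR database it has
# never touched, bob mistypes a share name once, carol works normally.
WINDOW_LOG = "\n".join(
    [f"2016-04-12T09:13:{sec:02d} user=alice server=hr-db01 result=DENIED" for sec in range(0, 60, 10)]
    + ["2016-04-12T09:14:02 user=bob server=fileshare02 result=DENIED"]
    + [f"2016-04-12T09:15:{sec:02d} user=carol server=fileshare01 result=ALLOWED" for sec in range(0, 40, 5)]
    + ["malformed line that the parser should skip"]
)


def parse(text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def learn_access_profiles(events):
    """Map user -> set of servers the account reached successfully in the baseline."""
    profiles = defaultdict(set)
    for e in events:
        if e["result"] == "ALLOWED":
            profiles[e["user"]].add(e["server"])
    return profiles


def find_access_anomalies(events, profiles, min_denied=MIN_DENIED):
    """Accounts repeatedly denied on servers outside their own baseline."""
    denied = Counter(
        (e["user"], e["server"])
        for e in events
        if e["result"] == "DENIED" and e["server"] not in profiles.get(e["user"], set())
    )
    return [
        {"user": user, "server": server, "attempts": n}
        for (user, server), n in sorted(denied.items())
        if n >= min_denied
    ]


if __name__ == "__main__":
    profiles = learn_access_profiles(parse(BASELINE_LOG))
    for alert in find_access_anomalies(parse(WINDOW_LOG), profiles):
        print(alert)
```

The profile is keyed on the account, not on the server, so a single denied request (bob's typo) never alerts, while carol's heavy but ordinary use of a server already in her profile is ignored no matter how often it repeats. Only alice's six denials against a server her account has never reached cross the threshold.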