Microsoft: Keep Calm But Vigilant About Ransomware

Though a growing problem, ransomware is still nowhere as prevalent as other threats, Microsoft says.

4 Min Read

The recent proliferation of ransomware attacks has significantly heightened the need for enterprises to be vigilant about the threat. But there’s little need for panic.

For the moment, at least, enterprises are less likely to encounter ransomware than almost any other kind of malware like Trojans, worms and viruses, according to a new Microsoft report.

Telemetry data in the Microsoft Security Intelligence Report, collected from millions of systems running Microsoft real-time security software, shows that ransomware was detected in less than 1% of systems worldwide in the fourth quarter of 2015. That was up slightly from 0.26% in the third quarter and 0.16% in Q2 2015.

Worrying as that growth was, the infection rates for ransomware were still significantly smaller than almost any other type of malware. For instance, the percent of systems reporting Trojans in the second quarter of last year at 4.45% was 28 times higher than the percentage of systems reporting ransomware.

Similarly, nearly seven percent of the systems running Microsoft’s security software reported detecting browser modifiers while more than three percent detected worms. All the numbers were several magnitudes greater than the number of systems that reported detecting ransomware last year.

The message for organizations is, to “keep calm and be vigilant,” says Tim Rains, director of security at Microsoft and author of the report.  

“Organizations should prioritize ransomware appropriately with all the other risks they are managing,” he says. “Ransomware has crossed over from a consumer-focused threat into the enterprise.”  

The potentially devastating impact of ransomware to businesses will likely move it up the list of priorities for many organizations, he says. 

Criminals are using ransomware to launch opportunistic attacks as well as targeted ones so organization should be prepared on both fronts, Rains warns.

Here are some of the other takeaways from the Microsoft report:

Not Every One Feels The Same Hurt

Microsoft’s data shows that the probability of encountering ransomware is much higher in some countries than others. For instance, the number of systems that reported detecting ransomware in Mexico was five times higher than the worldwide average. Similarly, Canada and France had rates that were 4.4 times above the worldwide average, while detection rates in the United States, Turkey, and Russia was about 3.75% higher.

The United Arab Emirates had the dubious honor of being the region most impacted by ransomware in the first half of 2015. But even so, ransomware was one of the least encountered threats among users in the region.

Email, Social Engineering Are Preferred Distribution Methods

Spam, spear-phishing and other email-based attacks, and social engineering, using drive-by download attacks. Word and Excel macros and USB drives are the most common ways to distribute ransomware. In many cases, attackers try to leverage vulnerable Internet-connected servers and user workstations to gain access to an enterprise network.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

“Once they have compromised a single system, they use tactics similar to APT-style attacks to traverse the infrastructure looking for more data to encrypt,” the Microsoft report said. Often this lateral movement is carried out using stolen credentials and the goal is to encrypt as many systems as possible. “Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom,” the report noted.

As ransomware has evolved, malware writers have gotten increasingly better at implementing strong encryption such as AES, which makes it impossible for victims to decrypt data without a valid key. Without a backup, organizations could end up facing severe and potentially irreversible consequences, Microsoft warned.

It Doesn't Take Mad Skills to Get into the Ransomware Biz

The growing availability of ransomware-as-a-service kits has made it easy for every wannabe cybercriminal to launch ransomware attacks. Microsoft identified two ransomware families, Sarento and Enrume, as examples of the trend.

Exacerbating the situation is the fact that malware authors have increasingly begun pairing exploit kits such as Angler with ransomware in order to gain persistence on victim systems. Ransomware is also being distributed to systems via other malware and existing infections.

The fact that ransomware isn’t as prevalent as other types of malware is good news, but enterprises should prepare for the threat all the same.

“Use a holistic protect, detect, respond strategy,” Rains says. “Investing in each of these areas will help mitigate potential exposure.” Some measures, such as backing up critical data, are absolutely critical, he says.

Related Content:


About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights