The recent proliferation of ransomware attacks has significantly heightened the need for enterprises to be vigilant about the threat. But there’s little need for panic.
For the moment, at least, enterprises are less likely to encounter ransomware than almost any other kind of malware, such as Trojans, worms and viruses, according to a new Microsoft report.
Telemetry data in the Microsoft Security Intelligence Report, collected from millions of systems running Microsoft real-time security software, shows that ransomware was detected in less than 1% of systems worldwide in the fourth quarter of 2015. That was up slightly from 0.26% in the third quarter and 0.16% in Q2 2015.
Worrying as that growth was, the infection rates for ransomware were still significantly smaller than those for almost any other type of malware. For instance, the percentage of systems reporting Trojans in the second quarter of last year, at 4.45%, was 28 times higher than the percentage of systems reporting ransomware.
Similarly, nearly seven percent of the systems running Microsoft’s security software reported detecting browser modifiers while more than three percent detected worms. All the numbers were several magnitudes greater than the number of systems that reported detecting ransomware last year.
The message for organizations is to “keep calm and be vigilant,” says Tim Rains, director of security at Microsoft and author of the report.
“Organizations should prioritize ransomware appropriately with all the other risks they are managing,” he says. “Ransomware has crossed over from a consumer-focused threat into the enterprise.”
The potentially devastating impact of ransomware on businesses will likely move it up the list of priorities for many organizations, he says.
Criminals are using ransomware to launch opportunistic attacks as well as targeted ones, so organizations should be prepared on both fronts, Rains warns.
Here are some of the other takeaways from the Microsoft report:
Not Everyone Feels The Same Hurt
Microsoft’s data shows that the probability of encountering ransomware is much higher in some countries than others. For instance, the number of systems that reported detecting ransomware in Mexico was five times higher than the worldwide average. Similarly, Canada and France had rates that were 4.4 times above the worldwide average, while detection rates in the United States, Turkey, and Russia were about 3.75% higher.
The United Arab Emirates had the dubious honor of being the region most impacted by ransomware in the first half of 2015. But even so, ransomware was one of the least encountered threats among users in the region.
Email, Social Engineering Are Preferred Distribution Methods
Spam, spear-phishing and other email-based attacks, and social engineering using drive-by download attacks, Word and Excel macros, and USB drives are the most common ways to distribute ransomware. In many cases, attackers try to leverage vulnerable Internet-connected servers and user workstations to gain access to an enterprise network.
“Once they have compromised a single system, they use tactics similar to APT-style attacks to traverse the infrastructure looking for more data to encrypt,” the Microsoft report said. Often this lateral movement is carried out using stolen credentials and the goal is to encrypt as many systems as possible. “Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom,” the report noted.
As ransomware has evolved, malware writers have gotten increasingly better at implementing strong encryption such as AES, which makes it impossible for victims to decrypt data without a valid key. Without a backup, organizations could end up facing severe and potentially irreversible consequences, Microsoft warned.
It Doesn't Take Mad Skills to Get into the Ransomware Biz
The growing availability of ransomware-as-a-service kits has made it easy for every wannabe cybercriminal to launch ransomware attacks. Microsoft identified two ransomware families, Sarento and Enrume, as examples of the trend.
Exacerbating the situation is the fact that malware authors have increasingly begun pairing exploit kits such as Angler with ransomware in order to gain persistence on victim systems. Ransomware is also being distributed to systems via other malware and existing infections.
The fact that ransomware isn’t as prevalent as other types of malware is good news, but enterprises should prepare for the threat all the same.
“Use a holistic protect, detect, respond strategy,” Rains says. “Investing in each of these areas will help mitigate potential exposure.” Some measures, such as backing up critical data, are absolutely critical, he says.