Endpoint

4/22/2016
06:00 PM
Microsoft: Keep Calm But Vigilant About Ransomware

Though a growing problem, ransomware is still nowhere as prevalent as other threats, Microsoft says.

The recent proliferation of ransomware attacks has significantly heightened the need for enterprises to be vigilant about the threat. But there’s little need for panic.

For the moment, at least, enterprises are less likely to encounter ransomware than almost any other kind of malware, such as Trojans, worms and viruses, according to a new Microsoft report.

Telemetry data in the Microsoft Security Intelligence Report, collected from millions of systems running Microsoft real-time security software, shows that ransomware was detected in less than 1% of systems worldwide in the fourth quarter of 2015. That was up slightly from 0.26% in the third quarter and 0.16% in Q2 2015.

Worrying as that growth was, the infection rates for ransomware were still significantly smaller than those of almost any other type of malware. For instance, 4.45% of systems reported Trojans in the second quarter of last year, 28 times the percentage of systems that reported ransomware.

Similarly, nearly seven percent of the systems running Microsoft’s security software reported detecting browser modifiers, while more than three percent detected worms. All of those figures dwarfed the share of systems that reported detecting ransomware last year.

The message for organizations is to “keep calm and be vigilant,” says Tim Rains, director of security at Microsoft and author of the report.

“Organizations should prioritize ransomware appropriately with all the other risks they are managing,” he says. “Ransomware has crossed over from a consumer-focused threat into the enterprise.”  

The potentially devastating impact of ransomware to businesses will likely move it up the list of priorities for many organizations, he says. 

Criminals are using ransomware to launch opportunistic attacks as well as targeted ones, so organizations should be prepared on both fronts, Rains warns.

Here are some of the other takeaways from the Microsoft report:

Not Everyone Feels the Same Hurt

Microsoft’s data shows that the probability of encountering ransomware is much higher in some countries than in others. For instance, the number of systems that reported detecting ransomware in Mexico was five times higher than the worldwide average. Similarly, Canada and France had rates that were 4.4 times above the worldwide average, while detection rates in the United States, Turkey, and Russia were about 3.75% higher.

The United Arab Emirates had the dubious honor of being the region most impacted by ransomware in the first half of 2015. But even so, ransomware was one of the least encountered threats among users in the region.

Email, Social Engineering Are Preferred Distribution Methods

Spam, spear-phishing and other email-based attacks, social engineering, drive-by download attacks, Word and Excel macros, and USB drives are the most common ways to distribute ransomware. In many cases, attackers try to leverage vulnerable Internet-connected servers and user workstations to gain access to an enterprise network.


“Once they have compromised a single system, they use tactics similar to APT-style attacks to traverse the infrastructure looking for more data to encrypt,” the Microsoft report said. Often this lateral movement is carried out using stolen credentials and the goal is to encrypt as many systems as possible. “Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom,” the report noted.

As ransomware has evolved, malware writers have become increasingly adept at implementing strong encryption such as AES, which makes it impossible for victims to decrypt data without a valid key. Without a backup, organizations could end up facing severe and potentially irreversible consequences, Microsoft warned.
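As an added illustration (not code from the Microsoft report or this article), one defender-side check for the mass-encryption pattern described above: files whose byte entropy looks like AES output are flagged, and the share of such files under a tree is tracked, so a sudden jump on a file share or backup volume can raise an alert. The sample tree, file names and threshold are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Shannon entropy in bits per byte. Plain text sits around 4-5; AES
# ciphertext approaches the 8.0 maximum. Caveat: compressed or already
# encrypted formats (zip, jpeg, pdf) are also high, so this is a signal,
# not proof, and should be combined with rate-of-change and extension checks.
ENTROPY_THRESHOLD = 7.5  # assumed cut-off for this demo

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_files(root, threshold=ENTROPY_THRESHOLD, min_size=256):
    """Return files under root whose content looks like ciphertext."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.stat().st_size >= min_size:
            if shannon_entropy(p.read_bytes()) >= threshold:
                hits.append(p)
    return hits

def encrypted_ratio(root, threshold=ENTROPY_THRESHOLD):
    """Fraction of files that look encrypted; a jump across a share or
    backup volume is the 'encrypt as many systems as possible' pattern."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    if not files:
        return 0.0
    return len(suspicious_files(root, threshold)) / len(files)

def build_sample_tree(root=None):
    """Constructed sample data: plain-text 'reports' plus two files of
    random bytes standing in for AES output (no real ransomware involved)."""
    root = root or tempfile.mkdtemp(prefix="entropy_demo_")
    for i in range(8):
        body = f"Quarterly report {i}: revenue, costs, headcount, notes.\n" * 40
        (Path(root) / f"report{i}.txt").write_text(body)
    for i in range(2):
        (Path(root) / f"report{i}.txt.locked").write_bytes(os.urandom(4096))
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in suspicious_files(sample):
        print(f"high-entropy file: {hit}")
    print(f"encrypted-looking share: {encrypted_ratio(sample):.0%}")
```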

It Doesn't Take Mad Skills to Get into the Ransomware Biz

The growing availability of ransomware-as-a-service kits has made it easy for every wannabe cybercriminal to launch ransomware attacks. Microsoft identified two ransomware families, Sarento and Enrume, as examples of the trend.

Exacerbating the situation is the fact that malware authors have increasingly begun pairing exploit kits such as Angler with ransomware in order to gain persistence on victim systems. Ransomware is also being distributed to systems via other malware and existing infections.

The fact that ransomware isn’t as prevalent as other types of malware is good news, but enterprises should prepare for the threat all the same.

“Use a holistic protect, detect, respond strategy,” Rains says. “Investing in each of these areas will help mitigate potential exposure.” Some measures, such as backing up critical data, are absolutely critical, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Joe Stanganelli, User Rank: Ninja
5/5/2016 | 7:24:57 AM
Re: Ransomware on the rise
@Dr.T: One anti-ransomware strategy (other than ad-blockers and disabling Flash, as I alluded to in an earlier comment) is virtualization.  Get ransomware?  No problem if you're running a virtualized instance that can be safely killed!

In fact, researchers are seeing more modern ransomware in the wild that is programmed to detect virtualized instances running -- and will decline to install if it so detects one.  The reason?  Other than the fact that it could be easily defeated, installing on a virtualized instance would allow it to be poked and prodded safely for reverse engineering.
drgary, User Rank: Apprentice
4/29/2016 | 6:01:23 PM
Effective DMARC, DNSSEC, and User training Controls to avoid Phishing and hence Ransomware
I am not very surprised how ransomware like LOCKY and others are spreading so fast. Even after years, most of the organizations have not paid attention to DMARC, DNSSEC, and user training on Phishing, Vishing, Smishing. Email providers like gmail have spent a whole lot in implementing DMARC, but most corporate email are not doing much in this field. It definitely is one of the techniques to reduce phishing.
Dr.T, User Rank: Ninja
4/25/2016 | 2:46:37 PM
Re: Success and Ease of Execution
"... Although it can be protected against, even beyond backups. ..."

Backups are always good. For me one of the easiest ways to protect from encryption is to require a higher level of privilege to encrypt specific folders. At least regular users would not be trapped into this.
Dr.T, User Rank: Ninja
4/25/2016 | 2:41:32 PM
Re: Success and Ease of Execution
"Ransomware is very appealing due to its ease of execution ..."

Exactly. I just mentioned it in the other post. This is like cheating the whole system and security. Using security back against the users. :--))
Dr.T, User Rank: Ninja
4/25/2016 | 2:39:20 PM
Re: Social Engineering
"... Social engineering, and from my experience phishing, has been how ransomware has become so prolific ..."

Agree. We have been discussing that social engineering (and reverse social engineering) is a very effective way of executing an attack; obviously nobody listens to it, and ransomware is an easy and quick way of making money out of it.
Dr.T, User Rank: Ninja
4/25/2016 | 2:35:27 PM
Re: Ransomware on the rise
"... For some, the solution has been ransomware. ..."

Exactly agree with this. At one point they need to make money directly from the efforts they put in. This is becoming a growing problem; we need to start working on anti-ransomware strategies. :--))
Dr.T, User Rank: Ninja
4/25/2016 | 2:31:33 PM
Ransomware big impact

One of the problems with ransomware is that recovery is not easy: if the data is encrypted you have to pay to get it back. In the case of a virus you just need to download the latest definitions to recover. :--))
Joe Stanganelli, User Rank: Ninja
4/25/2016 | 11:53:02 AM
Re: Social Engineering
@RyanSepe: Well, that and Flash.  So much of ransomware could be defeated if people just didn't run Flash.  :/
Joe Stanganelli, User Rank: Ninja
4/25/2016 | 11:51:54 AM
Re: Success and Ease of Execution
@RyanSepe: Although it can be protected against, even beyond backups.  Modern ransomware often detects for virtualization -- and declines to install if it detects so.  Obviously, if it did install, not only could it be easily defeated (all you'd have to do is kill the instance and you're fine), but also you'd be able to isolate it in a virtual sandbox and then reverse engineer it, threatening the entire business model.
RyanSepe, User Rank: Ninja
4/25/2016 | 8:20:45 AM
Success and Ease of Execution
Ransomware is very appealing due to its ease of execution. Dropping a package that encrypts files is on the lower level of complexity and it has had a very high rate of success. If an efficient backup process is not in place then you risk losing your files forever. These files may hold sentimental value to people and they are willing to pay to retrieve them.