
Endpoint

4/22/2016
06:00 PM

Microsoft: Keep Calm But Vigilant About Ransomware

Though a growing problem, ransomware is still nowhere as prevalent as other threats, Microsoft says.

The recent proliferation of ransomware attacks has significantly heightened the need for enterprises to be vigilant about the threat. But there’s little need for panic.

For the moment, at least, enterprises are less likely to encounter ransomware than almost any other kind of malware, such as Trojans, worms, and viruses, according to a new Microsoft report.

Telemetry data in the Microsoft Security Intelligence Report, collected from millions of systems running Microsoft real-time security software, shows that ransomware was detected in less than 1% of systems worldwide in the fourth quarter of 2015. That was up slightly from 0.26% in the third quarter and 0.16% in Q2 2015.

Worrying as that growth was, infection rates for ransomware were still significantly lower than for almost any other type of malware. For instance, 4.45% of systems reported Trojans in the second quarter of last year, 28 times the percentage of systems that reported ransomware.

Similarly, nearly seven percent of the systems running Microsoft's security software reported detecting browser modifiers, while more than three percent detected worms. All of these figures were more than an order of magnitude greater than the share of systems that reported detecting ransomware last year.

The message for organizations is to "keep calm and be vigilant," says Tim Rains, director of security at Microsoft and author of the report.

“Organizations should prioritize ransomware appropriately with all the other risks they are managing,” he says. “Ransomware has crossed over from a consumer-focused threat into the enterprise.”  

The potentially devastating impact of ransomware to businesses will likely move it up the list of priorities for many organizations, he says. 

Criminals are using ransomware to launch opportunistic attacks as well as targeted ones, so organizations should be prepared on both fronts, Rains warns.

Here are some of the other takeaways from the Microsoft report:

Not Everyone Feels the Same Hurt

Microsoft's data shows that the probability of encountering ransomware is much higher in some countries than in others. For instance, the number of systems that reported detecting ransomware in Mexico was five times higher than the worldwide average. Similarly, Canada and France had rates that were 4.4 times above the worldwide average, while detection rates in the United States, Turkey, and Russia were about 3.75% higher.

The United Arab Emirates had the dubious honor of being the region most impacted by ransomware in the first half of 2015. But even so, ransomware was one of the least encountered threats among users in the region.

Email, Social Engineering Are Preferred Distribution Methods

Spam, spear-phishing, and other email-based attacks; social engineering; drive-by download attacks; Word and Excel macros; and USB drives are the most common ways to distribute ransomware. In many cases, attackers try to leverage vulnerable Internet-connected servers and user workstations to gain access to an enterprise network.


“Once they have compromised a single system, they use tactics similar to APT-style attacks to traverse the infrastructure looking for more data to encrypt,” the Microsoft report said. Often this lateral movement is carried out using stolen credentials and the goal is to encrypt as many systems as possible. “Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom,” the report noted.

As ransomware has evolved, malware writers have become increasingly adept at implementing strong encryption such as AES, which makes it impossible for victims to decrypt their data without a valid key. Without a backup, organizations could end up facing severe and potentially irreversible consequences, Microsoft warned.

It Doesn't Take Mad Skills to Get into the Ransomware Biz

The growing availability of ransomware-as-a-service kits has made it easy for every wannabe cybercriminal to launch ransomware attacks. Microsoft identified two ransomware families, Sarento and Enrume, as examples of the trend.

Exacerbating the situation is the fact that malware authors have increasingly begun pairing exploit kits such as Angler with ransomware in order to gain persistence on victim systems. Ransomware is also being distributed to systems via other malware and existing infections.

The fact that ransomware isn’t as prevalent as other types of malware is good news, but enterprises should prepare for the threat all the same.

“Use a holistic protect, detect, respond strategy,” Rains says. “Investing in each of these areas will help mitigate potential exposure.” Some measures, such as backing up critical data, are absolutely critical, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
Joe Stanganelli, 5/5/2016 | 7:24:57 AM
Re: Ransomware on the rise
@Dr.T: One anti-ransomware strategy (other than ad-blockers and disabling Flash, as I alluded to in an earlier comment) is virtualization.  Get ransomware?  No problem if you're running a virtualized instance that can be safely killed!

In fact, researchers are seeing more modern ransomware in the wild that is programmed to detect virtualized instances running -- and will decline to install if it so detects one.  The reason?  Other than the fact that it could be easily defeated, installing on a virtualized instance would allow it to be poked and prodded safely for reverse engineering.
drgary, 4/29/2016 | 6:01:23 PM
Effective DMARC, DNSSEC, and User Training Controls to Avoid Phishing and Hence Ransomware
I am not very surprised how ransomware like LOCKY and others are spreading so fast. Even after years, most of the organizations have not paid attention to DMARC, DNSSEC, and user training on phishing, vishing, and smishing. Email providers like Gmail have spent a whole lot in implementing DMARC, but most corporate email is not doing much in this field. It definitely is one of the techniques to reduce phishing.
Dr.T, 4/25/2016 | 2:46:37 PM
Re: Success and Ease of Execution
"... Although it can be protected against, even beyond backups. ..."

Backups are always good. For me, one of the easiest ways to protect from encryption is to have a higher level of privilege to encrypt specific folders. At least regular users would not be trapped into this.
Dr.T, 4/25/2016 | 2:41:32 PM
Re: Success and Ease of Execution
"Ransomware is very appealing due to its ease of execution ..."

Exactly. I just mentioned this in the other post. This is like cheating the whole system and security: using security back against the users. :--))
Dr.T, 4/25/2016 | 2:39:20 PM
Re: Social Engineering
"... Social engineering, and from my experience phishing, has been how ransomware has become so prolific ..."

Agree. We have been discussing that social engineering (and reverse social engineering) is a very effective way of executing an attack; obviously nobody listens to it, and ransomware is an easy and quick way of making money out of it.
Dr.T, 4/25/2016 | 2:35:27 PM
Re: Ransomware on the rise
"... For some, the solution has been ransomware. ..."

Exactly agree with this. At one point they need to make money directly from the efforts they put in. This is becoming a growing problem; we need to start working on anti-ransomware strategies. :--))
Dr.T, 4/25/2016 | 2:31:33 PM
Ransomware big impact

One of the problems with ransomware is that it is not easy to recover from: if the data is encrypted, you have to pay to get it back. In the case of a virus, you just need to download the latest definitions to recover. :--))
Joe Stanganelli, 4/25/2016 | 11:53:02 AM
Re: Social Engineering
@RyanSepe: Well, that and Flash.  So much of ransomware could be defeated if people just didn't run Flash.  :/
Joe Stanganelli, 4/25/2016 | 11:51:54 AM
Re: Success and Ease of Execution
@RyanSepe: Although it can be protected against, even beyond backups.  Modern ransomware often detects for virtualization -- and declines to install if it detects so.  Obviously, if it did install, not only could it be easily defeated (all you'd have to do is kill the instance and you're fine), but also you'd be able to isolate it in a virtual sandbox and then reverse engineer it, threatening the entire business model.
RyanSepe, 4/25/2016 | 8:20:45 AM
Success and Ease of Execution
Ransomware is very appealing due to its ease of execution. Dropping a package that encrypts files is on the lower level of complexity and it has had a very high rate of success. If an efficient backup process is not in place then you risk losing your files forever. These files may hold sentimental value to people and they are willing to pay to retrieve them.