Deception-based Ransomware Detection: What It Is and Why You Need it


The FBI deemed criminal ransomware a $1 billion industry in 2016, and the trend is expected to continue in 2017 as the incentives grow and the tooling spreads. It is getting easier for cybercriminals to run these shakedowns: Ransomware-as-a-Service (RaaS) kits lower the skill required, BYOD devices widen the attack surface, the malware now uses properly implemented encryption that leaves files unrecoverable without the attacker's key, and bitcoin payments are hard to trace.

This only proves the need for better, and faster, ransomware protection. Of course you want to block ransomware before it has a chance to encrypt the mission-critical data on your network file stores, but keeping up with the pace of ransomware innovation is a challenge, and it demands equally innovative protection. One new approach to consider is deception technology.

In this post, we look at the financial impact of ransomware and at how Imperva uses deception technology to detect it and cut it off before it reaches network file shares.

The Real Cost of Ransomware

Nonproductive downtime is the greatest cost to organizations when they experience a ransomware attack. Even if an organization does pay, the downtime is still significant (and can end up costing an organization even more than the ransom).

A recent example is the San Francisco public transportation system. Over the 2016 Thanksgiving holiday it was hit by a ransomware attack and was forced to offer free rides to its customers for two days. A rough extrapolation from its 2014 average daily ridership of 702,000, at $2.50 a ticket, puts the foregone fares at about $1.75 million per day, or roughly $3.5 million for the two days. In comparison, the attackers demanded $73,000.

And in Los Angeles last year, the Hollywood Presbyterian Medical Center was attacked, leaving doctors unable to access patient records for more than a week. Prescription information, treatment histories, X-ray and CT records, and test results were all inaccessible. The hospital's fallback position? Faxes and in-person re-evaluations, while some critical patients were transferred to other nearby hospitals. It ended up paying $17,000 in bitcoin to regain control of its data; the costs of lost productivity, legal exposure and patient risk were inestimable.

The real costs, including productivity losses, have been estimated at $75 billion, based on Aberdeen Group's estimate that downtime costs a small business $8,581 per hour. Here are some other disturbing statistics associated with the trend:

  • 72% of companies affected by ransomware could not access data for at least two days following an attack (Intermedia)
  • 93% of phishing emails contain ransomware (PhishMe)
  • 30% of phishing emails are opened (Verizon)
  • Nearly 40% of businesses got hit by ransomware in 2015 (Osterman Research)

Whether companies choose to pay the ransom or restore from backups, there will be downtime after a successful ransomware attack. Paying a ransom involves many steps, and each one can take several hours, or even days, to complete.

Prevent Attacks Before They Take Hold

Ideally, you detect the file-access behavior of ransomware immediately and quarantine the affected users before the infection spreads to your network file servers. That is where deception technology comes in.

The Imperva approach uses strategically planted, hidden decoy files to identify ransomware at the earliest stage of an attack. The decoys are placed at carefully chosen file system locations so that encrypting ransomware reaches them before it reaches legitimate files; because no legitimate workflow ever writes to a hidden decoy, a write or rename against one is a high-confidence indicator of infection rather than a heuristic guess. Imperva SecureSphere File Firewall automates decoy deployment across critical file stores so that ransomware encounters the decoys before it touches the organization's data. Any write or rename on a decoy triggers automatic blocking of the infected user or endpoint, so users who are not infected continue to access their files uninterrupted and only the infected users are cut off from the file share (Figure 1).


Figure 1: Uninfected users continue to access files uninterrupted while infected users are blocked from accessing the file share

Monitoring and blocking, together with administrator alerts and granular activity logging, help minimize the disruption to your core business processes when a ransomware attack occurs (Figure 2 and Figure 3).

Figure 2: Granular security policies ensure infected users are selectively quarantined from network file shares.


Figure 3: Users infected by ransomware are blocked from accessing files while uninfected users can continue to use the file system, preventing costly downtime.
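The decoy mechanism described above, as an added example that is not Imperva's code: a small Python model of a file-share policy point that plants decoys, watches an access log and quarantines the first user who writes to or renames a decoy while everyone else keeps working. The share layout, decoy names, user names and every event in the log are constructed for illustration, and the decoy naming rule (names that sort first and last in each directory) is an assumption about how ransomware enumerates a share, not something the page states.

```python
"""Decoy-file ransomware detection, simulated over a constructed access log.

Added example, not Imperva's code: it models the approach described above
(hidden decoy files at chosen locations, quarantine on write/rename). The
share layout, decoy names, user names and every event below are made up.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption, not stated on the page: ransomware typically encrypts files in
# the order the file system lists them, which on NTFS is sorted by name, so
# decoys that sort first (and last) in each directory are hit before the data.
DECOY_FIRST = "!decoy-do-not-open.docx"
DECOY_LAST = "~decoy-do-not-open.xlsx"

# Operations ransomware performs on a file it encrypts. Plain reads are
# deliberately excluded so backup agents and search indexers that crawl the
# share (and therefore read the decoys) are not quarantined.
TRIGGER_OPS = {"write", "rename", "delete"}


def plan_decoys(share_dirs: list[str]) -> set[str]:
    """Return the decoy paths to plant, two per directory of the share."""
    return {f"{d}/{name}" for d in share_dirs for name in (DECOY_FIRST, DECOY_LAST)}


def listing_order(real_files: list[str]) -> list[str]:
    """Order in which a name-sorted directory walk visits the real files plus decoys."""
    return sorted(real_files + [DECOY_FIRST, DECOY_LAST])


@dataclass
class Event:
    user: str   # account or endpoint issuing the request to the file share
    op: str     # "read", "write", "rename" or "delete"
    path: str   # path on the share


@dataclass
class DecoyMonitor:
    """Inline policy point between users and the share (a file-firewall stand-in)."""
    decoys: set[str]
    quarantined: set[str] = field(default_factory=set)
    alerts: list[str] = field(default_factory=list)

    def handle(self, ev: Event) -> str:
        """Return "allowed" or "blocked" for one request, updating state."""
        if ev.user in self.quarantined:
            return "blocked"                 # an infected user stays cut off
        if ev.path in self.decoys and ev.op in TRIGGER_OPS:
            self.quarantined.add(ev.user)    # first touch of a decoy quarantines
            self.alerts.append(f"{ev.user}: {ev.op} on decoy {ev.path}")
            return "blocked"
        return "allowed"                     # decoy reads and all real-file work pass


# Constructed sample log: bob's endpoint is running ransomware, alice is not,
# and backup-svc legitimately reads everything on the share, decoys included.
SAMPLE_EVENTS = [
    Event("alice",      "read",   "/finance/Q3-forecast.xlsx"),
    Event("backup-svc", "read",   f"/finance/{DECOY_FIRST}"),
    Event("bob",        "write",  f"/finance/{DECOY_FIRST}"),    # encrypting the decoy
    Event("bob",        "rename", "/finance/Q3-forecast.xlsx"),  # blocked: bob is quarantined
    Event("alice",      "write",  "/finance/Q3-forecast.xlsx"),  # unaffected user carries on
]


def simulate(events: list[Event] | None = None, dirs=("/finance",)) -> tuple[list[str], DecoyMonitor]:
    """Run the monitor over an event list and return per-event verdicts plus its state."""
    events = SAMPLE_EVENTS if events is None else events
    monitor = DecoyMonitor(plan_decoys(list(dirs)))
    verdicts = [monitor.handle(ev) for ev in events]
    return verdicts, monitor


if __name__ == "__main__":
    verdicts, monitor = simulate()
    for ev, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(f"{verdict:7} {ev.user:10} {ev.op:6} {ev.path}")
    print("quarantined:", sorted(monitor.quarantined))
    print("alerts:", monitor.alerts)
```

Reads of a decoy are ignored on purpose so that backup agents, indexers and antivirus scanners that crawl the share do not quarantine themselves; in a real deployment the decoys must also be hidden from users and excluded from any job that writes or renames across the whole share, since a single such touch is treated as infection.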

Unless organizations implement more effective security measures, the number of attacks and the size of the payoffs will escalate this year, and real costs will skyrocket as operations halt.

Learn more about Imperva’s deception-based ransomware detection, specific vulnerabilities, ransomware variants and malware trends in our report: Insider’s Guide to Defeating Ransomware.