How to Detect and Mitigate Ransomware

Ransomware on the Rise

What was once primarily a nasty consumer problem has now turned into a major corporate threat. That’s because cybercriminals have discovered that holding business data and corporate systems for ransom—using ransomware such as CryptoLocker, CryptoWall, Locky, and newer, emerging strains—is a lucrative venture. Ransomware is widely described as the most profitable type of malware in history.
The Imperva Defense Center recently investigated three CryptoWall campaigns and discovered a payoff of more than $300,000 over a three-month period. Imperva believes that the sum represents only a fraction of the total payments. The FBI has stated that it expects losses from ransomware to reach $1 billion in 2016.

Bringing business to a halt

Ransomware’s biggest impact on the business is downtime, which can easily stretch from hours to days or even weeks depending on the extent of the attack. Productivity and revenue losses alone can be substantial, not to mention the damage to brand or reputation that can occur during a prolonged business outage or interruption.
An architecture firm suffered a loss of more than $500,000 in billable hours after two ransomware attacks rendered the firm’s files unusable for days at a time while the attack was being mitigated and the data restored.

Why standard responses aren’t enough

Many companies have inadequate protection against ransomware—despite expending significant cost and effort to implement layers of security solutions that can help prevent and detect malware infections.

Standard defenses and after-the-fact remediation simply aren’t enough because:

  • Malware code is changed constantly to evade signature-based detection.
  • Modern malware has incorporated methods to evade technologies such as sandboxing.
  • Analysis of event and traffic data can miss the signs of ransomware infection.
  • The sheer volume of alerts generated means that even when anomalous traffic or behavior is detected, it can go uninvestigated.
  • Data recovery processes may have gaps, such as infrequent backups or critical files missing from the backup plan.

Taking corporate file shares hostage

[Figure: ransomware before] How Ransomware Infects a File Share

For a business, the big problem with ransomware is that its impact reaches far beyond a single user, unlike the consumer case. Even if only one endpoint is infected, the ransomware can encrypt files both locally and on every corporate file share that endpoint can write to, rendering critical business data unusable.

Any data that is accessible to the endpoint or user is fair game for encryption by ransomware, including backup files and folders that are reachable over a mapped drive or share; backup copies therefore need to be kept where the infected user’s credentials cannot write to them (offline, or on storage that does not allow overwrites). This not only holds data hostage for the infected user, but also for all other users that need to access the compromised file stores. It’s easy to see how an active ransomware attack can bring business operations to a halt until systems and files are restored.

[Figure: ransomware after; Imperva SecureSphere File Security protects your data] How SecureSphere File Firewall Protects File Shares

Monitoring access and modifications to data on your file servers in real time can help you stop a ransomware attack and contain the damage before it results in massive productivity and business losses.

Imperva SecureSphere File Security products deliver real-time file monitoring, detailed auditing, and security for files stored on file servers and network attached storage (NAS) devices. Imperva SecureSphere File Firewall combats ransomware by detecting and blocking infected users or devices based on their file access behavior. It uses a combination of real-time capabilities to help security teams detect, block, investigate, and report on ransomware infections:

Real-time alerting and blocking:

  • Policy-based detection identifies ransomware-specific read/write behavior, such as a single user rapidly reading, overwriting and renaming large numbers of files across the share, and blocks that user and endpoint from further file access.
  • Deception-based detection uses strategically planted, hidden files on file storage systems to identify ransomware at the earliest stage of the attack. Legitimate users have no reason to touch these files, so any write/rename action on them triggers automatic blocking of the infected user or endpoint.
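The two detection rules above (and the real-time monitoring they depend on) can be illustrated with a small detector run over a constructed file-share audit trail. This is an added example for this page, not SecureSphere's own logic or Imperva code: the event format, the decoy paths, the 30-second window and the thresholds of 5 extension-changing renames or 20 distinct files modified are all assumptions chosen for the illustration.

```python
"""Toy ransomware detector over a file-share audit trail (added example, not Imperva code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since some epoch
    user: str
    host: str
    op: str            # 'read', 'write', 'rename' or 'delete'
    path: str
    new_path: str = "" # target path, only set for 'rename'


# Hidden decoy files planted on the share (assumed paths, constructed for this example).
DECOY_FILES = frozenset({
    "/share/finance/.~$budget-archive.xlsx",
    "/share/hr/.thumbs-cache.db",
})

WINDOW_SECONDS = 30.0  # sliding window for the rate-based policy rules (assumed)
MAX_EXT_RENAMES = 5    # renames that change the file extension within the window (assumed)
MAX_WRITES = 20        # distinct files modified within the window (assumed)


def changes_extension(old: str, new: str) -> bool:
    """Ransomware typically renames victims to a new extension (e.g. .xlsx -> .xlsx.locked)."""
    return PurePosixPath(old).suffix.lower() != PurePosixPath(new).suffix.lower()


class RansomwareDetector:
    def __init__(self):
        self.blocked = {}                  # (user, host) -> reason for the block
        self._recent = defaultdict(deque)  # (user, host) -> deque of (ts, path, ext_changed)

    def process(self, ev: FileEvent) -> str:
        """Return 'allow', 'drop' (principal already blocked) or 'block: <reason>'."""
        key = (ev.user, ev.host)
        if key in self.blocked:
            return "drop"
        if ev.op == "read":
            return "allow"
        # Deception rule: legitimate users never modify decoys, so a single hit is enough.
        if ev.path in DECOY_FILES or ev.new_path in DECOY_FILES:
            return self._block(key, f"decoy file touched: {ev.path}")
        # Policy rule: keep a sliding window of modifications per principal.
        window = self._recent[key]
        ext_changed = ev.op == "rename" and changes_extension(ev.path, ev.new_path)
        window.append((ev.ts, ev.path, ext_changed))
        while window and ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        ext_renames = sum(1 for _, _, changed in window if changed)
        touched = len({p for _, p, _ in window})
        if ext_renames >= MAX_EXT_RENAMES:
            return self._block(key, f"{ext_renames} extension-changing renames in {WINDOW_SECONDS:.0f}s")
        if touched >= MAX_WRITES:
            return self._block(key, f"{touched} distinct files modified in {WINDOW_SECONDS:.0f}s")
        return "allow"

    def _block(self, key, reason: str) -> str:
        self.blocked[key] = reason
        self._recent.pop(key, None)
        return f"block: {reason}"


def sample_events():
    """Constructed audit trail: a normal user, an infected workstation and a decoy hit."""
    # alice edits one document a minute: slow, no extension changes.
    events = [FileEvent(float(t), "alice", "ws-alice", "write", f"/share/finance/report-{t}.docx")
              for t in range(0, 300, 60)]
    # bob's workstation runs ransomware: read, overwrite and rename each file within a second.
    for i in range(8):
        base = f"/share/finance/q{i}.xlsx"
        t = 1000 + i * 0.5
        events += [
            FileEvent(t, "bob", "ws-bob", "read", base),
            FileEvent(t + 0.1, "bob", "ws-bob", "write", base),
            FileEvent(t + 0.2, "bob", "ws-bob", "rename", base, base + ".locked"),
        ]
    # carol's machine touches a decoy on its very first modification.
    events.append(FileEvent(2000.0, "carol", "ws-carol", "rename",
                            "/share/hr/.thumbs-cache.db", "/share/hr/.thumbs-cache.db.locked"))
    return sorted(events, key=lambda e: e.ts)


def run(events):
    """Feed events through the detector; return (blocked principals, per-event verdicts)."""
    det = RansomwareDetector()
    verdicts = [det.process(e) for e in events]
    return det.blocked, verdicts


if __name__ == "__main__":
    blocked, _ = run(sample_events())
    for (user, host), reason in blocked.items():
        print(f"{user}@{host}: {reason}")
```

In the sample trail alice is never blocked, bob's workstation is blocked on its fifth extension-changing rename (before the remaining files are encrypted) and carol's is blocked on the first decoy write. Any real deployment would tune the window and thresholds against the share's normal activity, since a bulk rename by an administrator or a build job can look like the policy rule's signature; the decoy rule has no such false-positive problem as long as the decoys sit where no legitimate process writes.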

Granular reporting and analysis:

  • A detailed audit trail supports immediate forensic investigation to answer who, what, where, when, and how users access files.
  • Interactive audit analytics accelerate investigations, letting you quickly drill down into the audit trail.
  • Easy reporting helps you document any security incidents.