
Ransomware: The Attacker’s Choice for Cyber Extortion

Blackmail over the Internet

Ransomware is malware that typically enables cyber extortion for financial gain. Criminals can hide links to ransomware in seemingly normal emails or web pages. Once activated, ransomware prevents users from interacting with their files, applications or systems until a ransom is paid, typically in the form of an anonymous currency such as Bitcoin. Ransomware is a serious and growing cyber threat that often affects individuals and has recently made headlines for broader attacks on businesses. Payment demands vary based on targeted organizations, and can range from hundreds to millions of dollars.

A multitude of ransomware variants exist. In recent years there has been a significant increase in the brazenness, prominence, frequency and number of ransomware attacks. Variants include CryptoLocker and its derivatives such as Kriptovor and TeslaCrypt; Cerber; Dridex and Locky; and, most recently, WannaCry.

Once infected, a victim has little recourse. If they do not pay the ransom, they suffer business downtime, loss of sensitive information or any other penalty specified by the attacker. And even when they do pay the ransom, they remain vulnerable to attack from the same attacker or a new one, and they reward attackers for their successful tactics.

Usually, if you have to choose whether to pay a cyber ransom, it’s too late.



Dangers of ransomware

Once ransomware infects a user’s system, it either encrypts critical files or locks a user out of their computer. It then displays a ransom message that usually demands virtual currency payment in exchange for a cryptographic key to decrypt or unlock those resources. The message may also threaten to publicly release compromised data if the payment demand is not met.

Some ransomware can travel from one infected system to a connected file server or other network hub, and then infect that system.

The impact of ransomware is immediate, compared with stealthier malware such as that used in advanced threat attacks. As recent headlines show, there is growing concern among individuals, businesses and governments about the complex effects of ransomware, which include monetary damage and business downtime.

Types of Damage Caused by Ransomware

How to combat ransomware

Ransomware often uses the web or email to reach victim systems, so those are vectors that security teams must monitor for signs of attack.

Web-based attacks tend to use drive-by exploits that target browser, platform or system vulnerabilities, or rely on malicious URLs or malvertising that may redirect users to sites hosting exploit kits. Once ransomware takes hold of a system, it can travel to other connected systems or servers on the network. Email-based ransomware is generally used in targeted attacks and relies on a variety of methods, including phishing, spear phishing, malicious attachments and URLs.

To properly defend against ransomware, three things need to happen:

  • The infection process must be thoroughly analyzed to determine the path of attack and system vulnerabilities
  • The malicious code must be analyzed to determine its purpose and signs of activity (behavior-based analysis)
  • Access from infected machines to command and control servers (used for data exfiltration or to download additional malware) must be blocked
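The second and third steps above can be illustrated with a small behavior-based triage routine. This is an added example, not FireEye code: it flags hosts that rename many files to a new extension in a short window (the mass-encryption pattern), looks back over constructed proxy events for destinations that host contacted just before the burst, and renders vendor-neutral deny rules. All hosts, paths and domains are constructed placeholders.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

def _ts(s):
    return datetime.fromisoformat(s)

def mass_rename_hosts(file_events, window=timedelta(seconds=60), threshold=10):
    """Flag hosts that change the extension of >= threshold files within `window`.
    Returns {host: timestamp at which the burst begins}."""
    per_host = defaultdict(list)
    for ev in file_events:
        ext_changed = os.path.splitext(ev["old"])[1] != os.path.splitext(ev["new"])[1]
        if ev["op"] == "rename" and ext_changed:
            per_host[ev["host"]].append(_ts(ev["ts"]))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = times[start]
                break
    return flagged

def callbacks_before(flagged, net_events, lookback=timedelta(minutes=5)):
    """For each flagged host, destinations contacted in the lookback window before the burst
    (candidate command-and-control / download infrastructure)."""
    out = defaultdict(set)
    for ev in net_events:
        burst = flagged.get(ev["host"])
        if burst and burst - lookback <= _ts(ev["ts"]) <= burst:
            out[ev["host"]].add(ev["dst"])
    return dict(out)

def block_rules(callbacks):
    """Render deny rules in a generic firewall/proxy syntax for every suspected destination."""
    return sorted(f"deny any -> {dst}" for dsts in callbacks.values() for dst in dsts)

# Constructed sample telemetry (hypothetical hosts, paths and domains).
FILE_EVENTS = [
    {"ts": f"2024-01-01T09:00:{i * 2:02d}", "host": "ws-17", "op": "rename",
     "old": f"C:/Users/a/Docs/report{i}.docx", "new": f"C:/Users/a/Docs/report{i}.docx.locked"}
    for i in range(12)
] + [{"ts": "2024-01-01T09:00:05", "host": "ws-04", "op": "rename",
      "old": "C:/Users/b/draft.txt", "new": "C:/Users/b/draft.md"}]
NET_EVENTS = [
    {"ts": "2024-01-01T08:50:00", "host": "ws-17", "dst": "cdn.example-legit.invalid"},
    {"ts": "2024-01-01T08:58:30", "host": "ws-17", "dst": "upd.example-c2.invalid"},
    {"ts": "2024-01-01T08:59:00", "host": "ws-04", "dst": "mail.example-legit.invalid"},
]
```

The single rename on ws-04 stays below the threshold, and the earlier CDN contact from ws-17 falls outside the lookback, so only the destination reached immediately before the burst is proposed for blocking.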

This defensive approach relies on connecting warning signs across different vectors that are often overlooked by traditional security solutions. Advanced security solutions, such as FireEye Network Security (NX Series), FireEye Email Security (EX Series), or FireEye Email Threat Prevention Cloud (ETP) stop ransomware from taking control by blocking exploit kits, malware downloads and callback communications to the command and control servers. They can also minimize the overall impact of ransomware by tracing its attack path and methodology and sharing threat details to stop future attacks.





Criteria for choosing a cyber security defense against ransomware

Not all cyber security defenses are equal. Security providers are markedly different, in both offerings and results. Here are a few things the ideal cyber security vendor should offer to protect against ransomware threats:

  • The defense should provide real-time protection to prevent or interfere with the activation of ransomware. This is of paramount importance, and far easier said than done. If a user sees a ransom demand, their data or system files have already been encrypted, and it's too late to address potentially serious damage.
  • The defense should provide inline protection. In the case of email, it must act as a mail transfer agent (MTA). This serves two purposes. The first is to ensure that all email is routed through email defenses. The second is to reduce any lag in detecting threats, which is a risk with offline analysis or out-of-band solutions.
  • The defense should be updated with actionable threat intelligence as quickly as possible. Security systems that allow days or weeks between updates give cyber attackers that much more time to successfully target different systems in your organization with the same ransomware. Contextual intelligence can provide critical early warning signs associated with ransomware to help prevent future attacks. Attacker intelligence and a thorough understanding of indicators of intent can even help predict, prepare for and block future threats.
  • The defense should look for threats across all critical attack vectors. Because ransomware attacks use malicious URLs to lead users to malware or rely on communication with a command-and-control server to decide when to activate, protecting email is not enough. The best solutions will follow multi-stage attacks across multiple vectors to clearly identify seemingly harmless emails that contain links to sites that host ransomware.

FireEye products and services offer all of these capabilities to stop ransomware threats. Read the solutions brief.

Detect and Prevent Ransomware

Email Security

Detect and block phishing emails and malware attachments that lead to ransomware attacks.

Network Security

Detect, identify and block web-based ransomware attacks.

Analyze Ransomware Threats

Endpoint Forensics

Analyze web, email and other system activity at the endpoint to detail the mechanisms of ransomware attacks.

Get Expert Services

Managed Defense

Rely on expert monitoring to detect, validate and help respond to the latest ransomware threats.

Consulting and Assessment Services

Use assessment services to test and improve how well you detect and respond to ransomware threats.

Automate Detection to Response

Security Orchestration

Automates the detection-to-response workflow to reduce the duration and scope of exposure, optimize resources and limit impact.